[Federal Register Volume 88, Number 54 (Tuesday, March 21, 2023)]
[Notices]
[Pages 16951-16954]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-05670]


-----------------------------------------------------------------------

BUREAU OF CONSUMER FINANCIAL PROTECTION

[Docket No. CFPB-2023-0020]


Request for Information Regarding Data Brokers and Other Business 
Practices Involving the Collection and Sale of Consumer Information

AGENCY: Bureau of Consumer Financial Protection.

ACTION: Request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Consumer Financial Protection Bureau (CFPB) is seeking 
comments from the public related to data brokers. The submissions in 
response to this request for information will serve to assist the CFPB 
and policymakers in understanding the current state of business 
practices in exercising enforcement, supervision, regulatory, and other 
authorities.

DATES: Comments must be received on or before June 13, 2023.

ADDRESSES: You may submit comments, identified by Docket No. CFPB-2023-
0020, by any of the following methods:

[[Page 16952]]

     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments.
     Email: [email protected]. Include the document 
title and Docket No. CFPB-2023-0020 in the subject line of the message.
     Mail/Hand Delivery/Courier: Comment Intake, Request for 
Information Regarding Data Brokers, Consumer Financial Protection 
Bureau, c/o Legal Division Docket Manager, 1700 G Street NW, 
Washington, DC 20552. Because paper mail in the Washington, DC area and 
at the CFPB is subject to delay, commenters are encouraged to submit 
comments electronically.
    Instructions: The CFPB encourages the early submission of comments. 
All submissions should include the agency name and docket number for 
this request for information. Please note the number of the topic on 
which you are commenting at the top of each response (you do not need 
to address all topics.) In general, all comments received will be 
posted without change to https://www.regulations.gov. All comments, 
including attachments and other supporting materials, will become part 
of the public record and subject to public disclosure. Sensitive 
personal information, such as account numbers or Social Security 
numbers, should not be included. Comments generally will not be edited 
to remove any identifying or contact information.

FOR FURTHER INFORMATION CONTACT: Erie Meyer, Chief Technologist and 
Senior Advisor, Office of the Director; Davida Farrar, Counsel, Office 
of Consumer Populations at 202-435-7700. If you require this document 
in an alternative electronic format, please contact 
[email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    In 1970, Congress enacted the Fair Credit Reporting Act (FCRA),\1\ 
one of the first data privacy laws in the world. The primary sponsor of 
the legislation, Senator William Proxmire, at the time publicly 
described an emerging consumer reporting market involving the 
dissemination of a wide range of information about Americans, including 
financial status, bill paying records, public records including 
arrests, suits, and judgments, dossiers, information on drinking, 
marital discords, adulterous behavior, general reputation, habits, and 
morals. The Senator stressed that ``while the growth of this 
information network is somewhat alarming, what is even more alarming is 
the fact that the system has been built with virtually no public 
regulation or supervision.'' \2\
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 1681 et seq.
    \2\ 115 Cong. Rec. 2410 (1969).
---------------------------------------------------------------------------

    Before voting on the FCRA, Congress held a series of investigative 
hearings and uncovered a wide variety of abuses in the industry. For 
example, Congress found that many consumers were unaware of the 
existence of the industry because non-disclosure agreements between 
consumer reporting agencies and users hid the arrangement behind a 
shroud of secrecy.\3\ In addition, the hearings revealed the practice 
of including disclaimers of accuracy in agreements between consumer 
reporting agencies and creditors; before the FCRA, consumer reporting 
agencies purported to be mere transmitters of information who were not 
responsible for accuracy.\4\ Congress also criticized the fact that 
consumers were not given access to their credit reports,\5\ and that 
credit reports often included obsolete or irrelevant information.\6\
---------------------------------------------------------------------------

    \3\ Robert M. McNamara Jr., The Fair Credit Reporting Act: A 
Legislative Overview, 22 J. Pub. L. 67, 80 (1973).
    \4\ Hearing on Retail Credit Co. of Atlanta, Ga., Before a 
Subcomm. on Invasion of Privacy of the House Comm. on Government 
Operations, 90th Cong., 2d Sess. 47 (1968).
    \5\ Hearings on Commercial Credit Bureaus Before a Subcomm. on 
Invasion of Privacy of the House Comm. on Government Operations, 
90th Cong., 2d Sess. 10 (1968).
    \6\ See S. Rep. No. 517, 91st Cong., 1st Sess. 4 (1969).
---------------------------------------------------------------------------

    Ultimately, Congress found that consumer reporting agencies assumed 
a vital role in assembling and evaluating consumer credit and other 
information on consumers to meet the needs of commerce, but that rules 
were necessary to ensure they handed information fairly and equitably 
with regard to confidentiality, accuracy, relevancy, and proper use.\7\ 
The FCRA established comprehensive rules to govern the practices of 
consumer reporting agencies, including four key features: (1) a 
prohibition on using or disseminating certain personal data outside 
prescribed permissible purposes selected by Congress,\8\ (2) a 
requirement that consumer reporting agencies ``follow reasonable 
procedures to assure maximum possible accuracy'' of consumer 
reports,\9\ (3) a right of consumers to inspect data about 
themselves,\10\ and (4) due process to challenge false data.\11\
---------------------------------------------------------------------------

    \7\ 15 U.S.C. 1681 (Congressional findings and statement of 
purpose for FCRA).
    \8\ 15 U.S.C. 1681b.
    \9\ 15 U.S.C. 1681e(b).
    \10\ 15 U.S.C. 1681g.
    \11\ 15 U.S.C. 1681i, 1681s-2.
---------------------------------------------------------------------------

    The FCRA still remains on the books and has been amended from time 
to time.\12\ But since the enactment of the FCRA, companies using 
business models that sell consumer data have emerged and evolved with 
the growth of the internet and advanced technology. Many companies 
whose business models rely on newer technologies and novel methods 
purport not to be covered by the FCRA. These companies are sometimes 
labeled ``data brokers,'' ``data aggregators,'' or ``platforms,'' but 
they all share a fundamental characteristic with consumer reporting 
agencies--they collect and sell personal data.
---------------------------------------------------------------------------

    \12\ Consumer Credit Reporting Reform Act of 1996, Pub. L. 104-
208 (1996).
---------------------------------------------------------------------------

    With the passage of the Consumer Financial Protection Act (CFPA), 
Congress transferred rulemaking authority for most provisions of the 
FCRA from the Federal Trade Commission to the CFPB. The CFPA granted 
the CFPB the authority to enforce the FCRA along with other Federal 
regulators.\13\ The CFPA also granted the CFPB various additional 
authorities that may be applicable to companies that collect and sell 
personal data, including, for example, authorities pursuant to the 
Gramm-Leach Bliley Act's privacy provisions.\14\ The CFPB has used its 
authority to address unfair or deceptive acts or practices related to 
the handling of consumer data.\15\
---------------------------------------------------------------------------

    \13\ See 15 U.S.C. 1681s.
    \14\ See, e.g., 12 U.S.C. 5481(12)(J) (specifying provisions of 
the Gramm-Leach-Bliley Act that qualify as ``enumerated consumer 
laws'' over which the Bureau has jurisdiction).
    \15\ See, e.g., Consumer Financial Protection Circular 2022-04, 
Insufficient data protection or security for sensitive consumer 
information, https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/.
---------------------------------------------------------------------------

    This request for information is seeking information to (1) help 
inform the CFPB about new business models that sell consumer data, 
including information relevant to assessments of whether companies 
using these new business models are covered by the FCRA, given the 
FCRA's broad definitions of ``consumer report'' and ``consumer 
reporting agency,'' \16\ or other statutory authorities, and (2) 
collect information on consumer harm and any market abuses, including 
those that resemble harms Congress originally identified in 1970 in 
passing the FCRA.
---------------------------------------------------------------------------

    \16\ See 15 U.S.C. 1681a(d), (f).
---------------------------------------------------------------------------

II. Overview

    Data brokers is an umbrella term to describe firms that collect, 
aggregate, sell, resell, license, or otherwise share consumers' 
personal information with other parties. Data brokers encompass actors 
such as first-party data brokers

[[Page 16953]]

that interact with consumers directly, as well as third-party data 
brokers with whom the consumer does not have a direct relationship. 
Data brokers include firms that specialize in preparing employment 
background screening reports and credit reports. Data brokers collect 
information from public and private sources for purposes including 
marketing and advertising, building and refining proprietary 
algorithms, credit and insurance underwriting, consumer-authorized data 
porting, fraud detection, criminal background checks, identity 
verification, and people search databases.\17\
---------------------------------------------------------------------------

    \17\ Data Brokers: A Call for Transparency and Accountability at 
i-v, Federal Trade Commission (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
---------------------------------------------------------------------------

    As part of the CFPB's statutory mandate to promote fair, 
transparent, and competitive markets for consumer financial products 
and services, this request for information is part of a series of 
efforts to examine data collection and use. In addition to supervision 
of consumer reporting agencies, including the three largest nationwide 
consumer reporting agencies, the CFPB endeavors to gain insight into 
the full scope of the data broker industry. The data broker industry is 
growing and expanding its reach into new spheres of consumers' personal 
lives, as more sophisticated computerization has increased the power of 
these companies to track and predict consumer behavior. Yet, many 
people lack an understanding of the scope and breadth of data brokers' 
business practices and the impact of those practices on the marketplace 
and peoples' daily lives.
    The CFPB seeks to better understand the heterogeneity of these 
firms and to assist firms in understanding any compliance obligations 
under the FCRA and other laws as appropriate.
    Data brokers collect or share a vast range of information, often 
building profiles of individuals by delving into the details of 
consumers' everyday interactions, including credit card purchases and 
web browsing activity. Data brokers also collect other types of 
sensitive and intimate personal information such as genetic and health 
information, religious affiliation, financial records, and geolocation 
data.\18\
---------------------------------------------------------------------------

    \18\ Data Brokers: A Call for Transparency and Accountability at 
app. B, Federal Trade Commission (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
---------------------------------------------------------------------------

    Government agencies, technology and privacy experts, financial 
institutions, consumer advocates, and others have identified numerous 
consumer harms and abuses related to the operation of data brokers, 
including significant privacy and security risks, the facilitation of 
harassment and fraud, the lack of consumer knowledge and consent, and 
the spread of inaccurate information.\19\
---------------------------------------------------------------------------

    \19\ See, e.g., Justin Sherman, Data Brokers and Sensitive Data 
on U.S. Individuals: Threats to American Civil Rights, National 
Security, and Democracy, Duke Sanford Cyber Policy Program (Aug. 
2021), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf.
---------------------------------------------------------------------------

    People should be able to expect companies to safeguard their most 
personal and intimate information, and should be able to have knowledge 
and control over how companies obtain and use their data. Surveys have 
found that people are concerned about being tracked and surveilled by 
companies, and express concern about the lack of control over how data 
collected about them is used.\20\
---------------------------------------------------------------------------

    \20\ Americans and Privacy: Concerned, Confused and Feeling Lack 
of Control Over Their Personal Information, Pew Research Center 
(Nov. 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.
---------------------------------------------------------------------------

    While observers have documented the increasing role of data brokers 
in the economy, there is still relatively limited public understanding 
of their operations and other impacts.

III. Request for Information

    This request for information seeks comments from the public on data 
brokers. The CFPB welcomes stakeholders to submit data, analysis, 
research, and other information about data brokers. The CFPB also 
requests input from individuals who have interacted with or have been 
affected by data broker business practices. To assist commenters in 
developing responses, the CFPB has crafted the below questions that 
commenters may answer. However, the CFPB is interested in receiving any 
comments relating to data brokers.

Market-Level Inquiries

    1. What types of data do data brokers collect, aggregate, sell, 
resell, license, derive marketable insights from, or otherwise share?
    a. What do data brokers do with the data they collect other than 
the aggregation, selling, reselling, or licensing of data?
    b. Please provide information about specific types of data that are 
financial in nature, such as information about salary, income sources, 
spending, investments, assets, use of financial products or services, 
investments, signals of financial distress, etc.
    2. What sources do data brokers rely on to collect information? 
What collection methods do data brokers use to source information?
    a. What specific types of information do data brokers obtain from 
public records databases? Which public records sources do data brokers 
use?
    b. Are people unknowingly deceived or manipulated into supplying 
data to data brokers? Describe the nature of such deception or 
manipulation.
    c. What technological components facilitate brokers' collection of 
data, including but not limited to: tracking scripts, web-based plug-
ins, pixels, or software development kits (SDKs) in Apps?
    3. What specific types of information do data brokers receive from 
financial institutions? Do financial institutions place any 
restrictions on the use of this data? Under what circumstances do 
consumers consent to this data sharing or receive an opportunity to 
opt-out of this sharing?
    4. What specific entities and types of entities have relationships 
(e.g., partnerships, vendor relationships, investor relationships, 
joint ventures, retail arrangements, data share agreements, third-party 
pixel usage) with data brokers? Describe the nature of those 
relationships and any relevant financial arrangements pursuant to such 
relationships.
    5. Which specific entities and types of entities collect, 
aggregate, sell, resell, license, or otherwise share consumers' 
personal information with other parties?
    6. Does the granular nature of data brokers' collection of 
information related to consumer preferences and behaviors influence 
consumer purchasing patterns or levels of indebtedness? Describe the 
nature of such collection and how it may influence purchasing patterns.
    7. How do companies collect consumer data to create, build, or 
refine proprietary algorithms?
    8. Does consumer data collected by data brokers facilitate a less 
competitive marketplace or more expensive financial products for 
consumers, and if so, how?
    9. Can people avoid having their data collected?
    a. Are there certain special populations that are less likely to be 
able to exercise control over the collection, aggregation, sale, 
resale, licensing, or other sharing of their data?
    b. If so, which special populations and why?
    10. Under what circumstances is deidentified, ``anonymized,'' or

[[Page 16954]]

aggregated data reidentified or disaggregated?
    11. Can people reasonably avoid adverse consequences resulting from 
data collection across different contexts (e.g., cross-device tracking, 
re-identification, mobile fingerprint matching)?
    12. Which specific entities and types of entities purchase data 
from data brokers? How do these entities use the purchased data?
    a. What specific uses concern marketing, decisioning, fraud 
detection, or servicing related to consumer financial products and 
services?
    b. What, if any, restrictions do data brokers impose on the use of 
such data?
    13. What data broker practices cause harms to people? What are 
those harms and types of harms?
    a. Are there certain special populations that are more likely to 
experience harms? If so, which special populations and why?
    b. Are data brokers selling, reselling, or licensing information 
about particular groups, including certain protected classes? If so, 
what are examples of this behavior?
    c. What harms do people experience if they are unable to remove 
their information from data broker repositories?
    14. What data broker practices provide benefits to people? What are 
those benefits?
    15. What actions can people take to gain knowledge or control over 
data, or correct data that is collected, aggregated, sold, resold, 
licensed, or otherwise shared about them?
    16. How can and does the activity of data brokers and their clients 
impact consumers beyond those whose data were collected or used by that 
data broker? How, if at all, can consumers reasonably avoid being 
targeted or influenced based on the activities of data brokers and 
their clients, even if they are able to avoid or opt-out of having 
their own data collected?
    17. What information do State-level data broker registries provide? 
How is this information made available and used? Are State-level data 
broker registries adequate to prevent harm? How could they be improved?
    18. What controls do data brokers implement in order to protect 
people's data and safeguard the privacy and security of the public? Are 
these controls adequate?
    a. What controls exist related to who can purchase or obtain 
information from data brokers?
    b. Are these controls adequate?
    19. What controls do data brokers implement to ensure the quality 
and accuracy of data they have collected?
    a. What controls exist related to ensuring the quality and accuracy 
of public records data, including court records?
    b. Are these controls adequate?
    20. How have data broker practices evolved due to new technological 
developments, including machine learning or other advanced 
computational methods?
    21. Are there companies or other entities that help consumers 
understand and manage their relationship to, and rights with respect 
to, data brokers? If not, why not? What factors could further help such 
consumer-assisting companies and entities?
    22. How might the CFPB use its supervision, enforcement, research, 
rulemaking, or consumer complaint functions with respect to data 
brokers and related harms?

Individual Inquiries

    1. Have you experienced data broker harms, including financial 
harms? What are those harms?
    2. Have you experienced data broker benefits? What are those 
benefits?
    3. Are you able to detect whether harms or benefits are tied to a 
specific data broker? Are existing methods of detection adequate?
    4. Have you ever attempted to remove your data from a specific data 
broker's repository for privacy purposes? If so,
    a. Describe your experience engaging with the data broker in 
question.
    b. What steps were you required to take to request the removal of 
your data? Did you face any hurdles in filing the data removal request? 
Did the data broker honor your request?
    c. Was your information removed immediately, and if not, how long 
did the removal take?
    d. Were you asked to share additional information with the data 
broker to have your data removed?
    e. Were you charged a fee by the data broker to have your data 
removed?
    f. Did you spend money on another service to help you get your data 
removed? Was it helpful?
    g. If your data removal request was successful, did you receive 
advertising to remove your data from other sites?
    h. When you found your information on data broker websites, how did 
that make you feel?
    5. Have you ever attempted to view or inspect the data maintained 
about you? If so, describe your experience.
    a. What steps were you required to take to view or inspect your 
data?
    b. Did you face any hurdles in filing the request to view or 
inspect your data?
    c. Did the data broker honor your request?
    6. Have you ever attempted to correct your data? If so, describe 
your experience.
    a. What steps were you required to take to request correcting your 
data?
    b. Did you face any hurdles in filing the data correction request?
    c. Did the data broker honor your request?
    7. Have you taken any other steps to protect your privacy or 
security as a result of data broker harms? Were these steps adequate?

Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2023-05670 Filed 3-20-23; 8:45 am]
BILLING CODE 4810-AM-P