CFPB Opens Inquiry into Data Brokers as Part of FCRA Rulemaking

The Consumer Financial Protection Bureau yesterday announced it had opened an inquiry into the companies that “track and collect information on people’s personal lives,” more commonly known as data brokers.

A copy of the Request for Information can be accessed by clicking here.

Data brokers is a broad term that is being used to describe companies that “collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties” either on a first-party basis by interacting with consumers directly, or a third-party basis. The types of companies covered under this definition include those that prepare employment background screening reports and the credit bureaus.

The inquiry, through which interested parties can submit comments until June 13, is intended to help the CFPB formulate a planned rulemaking related to the Fair Credit Reporting Act. Among the questions asked in the RFI are:

Market-level inquiries

1. What types of data do data brokers collect, aggregate, sell, resell, license, derive marketable insights from, or otherwise share?
   • What do data brokers do with the data they collect other than the aggregation, selling, reselling, or licensing of data?
   • Please provide information about specific types of data that are financial in nature, such as information about salary, income sources, spending, investments, assets, use of financial products or services, investments, signals of financial distress, etc.
2. What sources do data brokers rely on to collect information? What collection methods do data brokers use to source information?
   • What specific types of information do data brokers obtain from public records databases? Which public records sources do data brokers use?
   • Are people unknowingly deceived or manipulated into supplying data to data brokers? Describe the nature of such deception or manipulation.
   • What technological components facilitate brokers’ collection of data, including but not limited to: tracking scripts, web-based plug-ins, pixels, or software development kits (SDKs) in Apps?
3. What specific types of information do data brokers receive from financial institutions? Do financial institutions place any restrictions on the use of this data? Under what circumstances do consumers consent to this data sharing or receive an opportunity to opt-out of this sharing?
4. What specific entities and types of entities have relationships (e.g., partnerships, vendor relationships, investor relationships, joint ventures, retail arrangements, data share agreements, third-party pixel usage) with data brokers? Describe the nature of those relationships and any relevant financial arrangements pursuant to such relationships.
5. Which specific entities and types of entities collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties?
6. Does the granular nature of data brokers’ collection of information related to consumer preferences and behaviors influence consumer purchasing patterns or levels of indebtedness? Describe the nature of such collection and how it may influence purchasing patterns.
7. How do companies collect consumer data to create, build, or refine proprietary algorithms?
8. Does consumer data collected by data brokers facilitate a less competitive marketplace or more expensive financial products for consumers, and if so, how?
9. Can people avoid having their data collected? a. Are there certain special populations that are less likely to be able to exercise control over the collection, aggregation, sale, resale, licensing, or other sharing of their data? b. If so, which special populations and why?
10. Under what circumstances is deidentified, “anonymized,” or aggregated data reidentified or disaggregated?
11. Can people reasonably avoid adverse consequencesresulting from data collection across different contexts (e.g., cross-device tracking, reidentification, mobile fingerprint matching)?
12. Which specific entities and types of entities purchase data from data brokers? How do these entities use the purchased data?
    • What specific uses concern marketing, decisioning, fraud detection, or servicing related to consumer financial products and services?
    • What, if any, restrictions do data brokers impose on the use of such data?
13. What data broker practices cause harms to people? What are those harms and types of harms?
    • Are there certain special populations that are more likely to experience harms? If so, which special populations and why?
    • Are data brokers selling, reselling, or licensing information about particular groups, including certain protected classes? If so, what are examples of this behavior?
    • What harms do people experience if they are unable to remove their information from data broker repositories?
14. What data broker practices provide benefits to people? What are those benefits?
15. What actions can people take to gain knowledge or control over data, or correct data that is collected, aggregated, sold, resold, licensed, or otherwise shared about them?
16. How can and does the activity of data brokers and their clients impact consumers beyond those whose data were collected or used by that data broker? How, if at all, can consumers reasonably avoid being targeted or influenced based on the activities of data brokers and their clients, even if they are able to avoid or opt-out of having their own data collected?
17. What information do State-level data broker registries provide? How is this information made available and used? Are State-level data broker registries adequate to prevent harm? How could they be improved?
18. What controls do data brokers implement in order to protect people’s data and safeguard the privacy and security of the public? Are these controls adequate?
    • What controls exist related to who can purchase or obtain information from data brokers?
    • Are these controls adequate?
19. What controls do data brokers implement to ensure the quality and accuracy of data they have collected?
    • What controls exist related to ensuring the quality and accuracy of public records data, including court records?
    • Are these controls adequate?
20. How have data broker practices evolved due to new technological developments, including machine learning or other advanced computational methods?
21. Are there companies or other entities that help consumers understand and manage their relationship to, and rights with respect to, data brokers? If not, why not? What factors could further help such consumer-assisting companies and entities?
22. How might the CFPB use its supervision, enforcement, research, rulemaking, or consumer complaint functions with respect to data brokers and related harms?

Individual inquiries

1. Have you experienced data broker harms, including financial harms? What are those harms?
2. Have you experienced data broker benefits? What are those benefits?
3. Are you able to detect whether harms or benefits are tied to a specific data broker? Are existing methods of detection adequate?
4. Have you ever attempted to remove your data from a specific data broker’s repository for privacy purposes? If so,
   • Describe your experience engaging with the data broker in question.
   • What steps were you required to take to request the removal of your data? Did you face any hurdles in filing the data removal request? Did the data broker honor your request?
   • Was your information removed immediately, and if not, how long did the removal take?
   • Were you asked to share additional information with the data broker to have your data removed?
   • Were you charged a fee by the data broker to have your data removed?
   • Did you spend money on another service to help you get your data removed? Was it helpful?
   • If your data removal request was successful, did you receive advertising to remove your data from other sites?
   • When you found your information on data broker websites, how did that make you feel?
5. Have you ever attempted to view or inspect the data maintained about you? If so, describe your experience.
   • What steps were you required to take to view or inspect your data?
   • Did you face any hurdles in filing the request to view or inspect your data?
   • Did the data broker honor your request?
6. Have you ever attempted to correct your data? If so, describe your experience.
   • What steps were you required to take to request correcting your data?
   • Did you face any hurdles in filing the data correction request?
   • Did the data broker honor your request?
7. Have you taken any other steps to protect your privacy or security as a result of data broker harms? Were these steps adequate?