The CFPB’s idea of using existing US law to regulate data brokers is not novel. In February 2023, a group of consumer-focused nonprofits urged Chopra to enforce the powers the FCRA gives regulators to prevent data brokers from engaging in these potentially harmful practices.
“Protecting the personal information of everyone in the United States is increasingly urgent in our current political climate,” says Laura Rivera, an attorney with Just Futures Law, a nonprofit that supports grassroots activists. “The stakes are too high to continue allowing the data broker industry to sell our information at its discretion, where the status quo has made it ripe for abuse and attack by harmful actors.”
In a briefing with WIRED on Monday, CFPB officials declined to comment on whether they believe the regulatory action will be short-lived as President-elect Donald Trump plans to empower several Silicon Valley figures to reorganize the federal government with the objective of attacking “waste and fraud.”
Elon Musk, who co-heads an office named after a meme currency (the Department of Government Efficiency or DOGE),directly attacked the CFPB’s work last week, calling for the agency to be “eliminated.” Musk’s comments followed an attack on the agency’s work by Marc Andreessen, a venture capitalist, who claimed a recent episode of Joe Rogan’s podcast that the agency is “terrorizing” new banking companies.
The CFBP was founded in 2011 with the goal of protecting consumers from the types of fraud and abuse that sparked the 2008 financial crisis.
A CFPB official tells WIRED that the agency is also concerned that data is being transmitted in ways that companies claim protect people’s identities but can actually be “de-anonymized” in simple ways, such as studies have repeatedly demonstrated. “As technology advances, we assume it will become even easier to unmask supposedly unidentified data,” one official said. Therefore, the proposed rule includes a variety of guidelines for credit reporting agencies involved in the sale of supposedly de-identified data.
Asked whether the proposal would extend to U.S. government agencies, one official said U.S. law sets out “very clear pathways” for the government to purchase personally identifiable data for law enforcement and intelligence purposes. In a recent case, U.S. Immigration and Customs Enforcement was discovered by journalists having purchased access to Americans’ personal data in an attempt to vet immigrants – data acquired by media conglomerate Thomson Reuters, which it provided to customs in contracts the company revealed was worth more than $100 million . (ThomsonReuters previously denied that the purpose of the data is to track undocumented immigrants and has emphasized that its database does not contain information that would normally require a search warrant to access).
“We’re not disrupting any of those avenues,” says a CFPB official. However, the agency requests comment on the potential impacts of such government purchases to ensure access is “appropriate.”
Emily Peterson-Cassin, director of corporate power at the nonprofit advocacy group Demand Progress’s Education Fund, praised the CFPB’s proposal and urged the incoming Trump administration to pursue it.
“The CFPB is doing something important that will resonate with all Americans. Anyone you pick up on the street can tell you about the scam texts, emails and calls they receive daily from scammers who easily buy our contact information from shady and unaccountable data brokers,” says Peterson-Cassin. “Finally, someone, specifically the CFPB, has stepped in to stop this daily plague that affects hundreds of millions of people by applying real standards to the sale of our confidential information.”