July 17, 2023 PRESS RELEASE:
WASHINGTON, DC – The Electronic Privacy Information Center (EPIC) is calling on the Consumer Financial Protection Bureau (CFPB) to take decisive regulatory action to protect consumers from the predatory business practices of data brokers.
In response to the CFPB’s inquiry into the shadowy data broker industry, EPIC filed extensive comments highlighting the vast range of personal data collected and sold by brokers, the harms that widespread data trafficking inflicts on consumers, and the failure of existing safeguards and enforcement to protect consumers. As EPIC writes:
Everyday activities like purchasing groceries, watching television, and posting on social media produce data that data brokers compile into extensive accounts of who we are. And even when someone tries to protect their data, many data-extractive technologies have become indispensable for modern life. Education, work, banking, checking one’s voter registration, and so much more all rely on data-extractive tools and online services that force people to surrender their data for access.
These examples highlight one inescapable truth: the average person cannot effectively avoid data collection, even if they want to. Extensive and persistent data collection is an integral part of the systems that enable consumers to browse websites, access online services, and interact with mobile applications.
To address the privacy threats and other risks posed by data brokers, EPIC is urging the CFPB to tap into unused regulatory and enforcement authority under the Fair Credit Reporting Act (FCRA). Enacted in 1970, FCRA protects consumers by regulating the collection, sharing, accuracy, retention, and disposal of personal data by companies that produce consumer reports. But as EPIC explains, far more can be done under FCRA to rein in data brokers and their harmful business practices.
“Data brokers are the hidden engine of the surveillance economy,” EPIC Director of Litigation John Davisson said. “These companies collect, process, package, and sell our personal data at industrial scale with minimal oversight, transparency, or accountability. The CFPB has the opportunity to change that by breathing new life into the Fair Credit Reporting Act and cracking down on the data broker industry.”
EPIC’s comments call on the CFPB to use its FCRA authority to protect the rights of consumers, impose data minimization requirements, and ensure the security of consumers’ personal information held by data brokers. Specifically, EPIC urges the CFPB to confirm the broad scope of FCRA; clarify that FCRA presumptively applies to data brokers, fraud detection companies, and identity verification companies; underscore the limited purposes for which consumer reports may be sold; clearly establish that FCRA-covered entities are liable for both inadvertent and unauthorized disclosures of personal data; incorporate the principle of data minimization into the Bureau’s regulations concerning secure disposal of data; and ban the use of credit reports in tenant screening and the use of pre-conviction data in credit reports.
EPIC is also calling on the CFPB to rein in data brokers using the Consumer Financial Protection Act (CFPA), which prohibits deceptive, unfair, or abusive acts or practices in connection with consumer financial products. Among other steps, EPIC urges the CFPB to ban secret scoring, prohibit the disclosure and purchase of certain sensitive categories of data, take steps to prevent data brokers from facilitating discrimination, and regulate non-FCRA-covered fraud scoring.
EPIC has long fought for restrictions on the data broker industry and protections for the consumers whose data is commercially exploited by brokers. Earlier this year, EPIC and a coalition of civil society organizations asked the CFPB to issue an advisory opinion clarifying that credit header data is not exempt from the FCRA and called on the Bureau to use its enforcement and rulemaking authority to rein in data brokers. EPIC also contributed to Fight for the Future’s Stop Data Brokers campaign, which helped members of the public file comments with CFPB about their interactions with data brokers. In November, EPIC filed lengthy comments with the FTC calling on the Commission to crack down on data brokers through a data minimization trade rule.