Prepared Remarks of CFPB Director Rohit Chopra on Protecting Americans from Harmful Data Broker Practices

Last month, hackers linked to the Chinese government targeted our telecommunications infrastructure - just the latest in a series of attacks on Americans' personal data. But often, our adversaries don't need to hack anything. Data brokers - the outfits that collect and sell detailed information about our personal and financial lives - are making this data available to anyone willing to pay. Today, the Consumer Financial Protection Bureau is proposing action to stop data brokers from enabling scammers, stalkers, and spies, undermining our personal safety and America's national security.

The dangers of unfettered data brokering have become painfully clear in recent months. Last week, an investigation revealed how easily data brokers can track U.S. military personnel stationed in Germany, including their movements around sensitive facilities like nuclear storage sites and intelligence centers. In September, researchers demonstrated how they could purchase location data to track federal law enforcement as they conducted confidential investigations. This summer, we learned that hackers had accessed nearly 3 billion records of Americans' sensitive data, including Social Security numbers, from a single data broker. These aren't isolated incidents - they represent a systemic vulnerability in how our personal data is bought and sold.

The scale of this problem is staggering. Duke University researchers recently demonstrated how easy it is to purchase financial information about active-duty servicemembers, including their income, net worth, and credit ratings. Data brokers explicitly advertise lists targeting "decision makers at government organizations primarily engaged in national security." Some even allow buyers to combine categories - identifying military personnel or intelligence officials who might be struggling with debt or substance use, creating perfect targets for blackmail or exploitation.

When we talk about data privacy, it can often sound abstract or hypothetical. But the consequences are real and devastating. In 2020, a federal judge's son was murdered by an attacker who purchased her home address from a data broker. Law enforcement officers like cops face similar risks when their personal information is available for sale. Particularly concerning are the risks to survivors of domestic violence and stalking - when abusers can easily purchase their victims' new addresses, phone numbers, and financial details, it becomes nearly impossible for survivors to escape dangerous situations.

Meanwhile, identity thieves and scammers purchase detailed dossiers to target vulnerable consumers, particularly seniors and people in financial distress. The problem grows more urgent each day.

Congress recognized the risks of data brokers more than fifty years ago and passed one of the world's first privacy laws: the Fair Credit Reporting Act. The law established crucial guardrails for companies monetizing Americans' personal information, including limiting data sharing to legitimate purposes like credit checks for loans. Other commercial exploitation of this data was deliberately restricted.

But over time, many data brokers devised ways to evade these protections. Companies routinely sidestep the FCRA by claiming they aren't subject to its requirements - even while selling the very types of sensitive personal and financial information Congress intended the law to protect.

Today's proposal would crack down on a range of misuses of our data, while preserving the legitimate uses:

First, the proposed rule would curtail this widespread evasion of longstanding law. Many data brokers want to pretend that they are somehow different. The proposed rule makes it clear that many of these data brokers, just like credit bureaus and background check companies, are subject to federal protections under the FCRA. Any company selling data about income, financial tier, credit history, credit scores, or debt payments would trigger the requirements. This means they could no longer dodge their obligations and would need to follow the same consumer protection rules as major credit bureaus - including accuracy requirements and providing consumers access to their information.

Second, the rule would ban misuse of our sensitive personal identifiers. While this data can be used to detect fraud, it can also be used to perpetrate it. The proposal would specifically restrict the sale of our personal identifiers, sometimes described by industry insiders as "credit header" data. This would make it substantially harder for bad actors to improperly obtain sensitive information like Social Security numbers and home addresses that could be used for stalking, harassment, or foreign surveillance. The proposed rule would make clear that lenders and other companies could still use this data to stop identity theft and fraud.

Third, the proposal would preserve legally established pathways for law enforcement, counterterrorism, and counterintelligence purposes. Congress crafted the FCRA to ensure that law enforcement personnel have the data they need to work criminal investigations and pursue those at home and abroad who break the law. This includes accessing personal identifiers for homing in on suspects, locating witnesses, and other beneficial uses that serve the public interest.

The need for reform has united a remarkable coalition of voices. National security officials warn about risks to military and intelligence personnel, while veterans' organizations highlight threats to servicemembers transitioning to civilian life. Law enforcement and judicial organizations have spoken out after seeing their members targeted. Domestic violence prevention groups have raised concerns about how data brokers can help abusers track down their victims. Others have shown how vulnerable Americans, particularly seniors, become targets for scammers and fraudsters who purchase their financial data. These changes reflect a growing bipartisan consensus that current privacy protections are inadequate.

Today's proposal is a major step forward to ensure that companies trafficking in Americans' most sensitive information face real consequences for putting people at risk.

Thank you.

Public link

Please use the above public link if you want to share this noodl on another website.