Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 16951-16954 [2023-05670]
Federal Register / Vol. 88, No. 54 / Tuesday, March 21, 2023 / Notices
Specifically, the proposed rule would
lower the immunity provision for late
fees to $8 for a missed payment and end
the automatic annual inflation
adjustment. The proposed rule would
also ban late fee amounts above 25% of
the consumer’s required payment.
3.1.2 CFPB Issued Circular on
Unanticipated Overdraft Fee
Assessment Practices
On October 26, 2022, the CFPB issued
guidance indicating that overdraft fees
may constitute an unfair act or practice
under the CFPA, even if the entity
complies with the Truth in Lending Act
(TILA) and Regulation Z, and the
Electronic Fund Transfer Act (EFTA)
and Regulation E.22 As detailed in the
circular, when financial institutions
charge surprise overdraft fees,
sometimes as much as $36, they may be
breaking the law. The circular provides
some examples of potentially unlawful
surprise overdraft fees, including
charging fees on purchases made with a
positive balance. These overdraft fees
occur when a bank displays that a
customer has sufficient available funds
to complete a debit card purchase at the
time of the transaction, but the
consumer is later charged an overdraft
fee. Often, the financial institution relies
on complex back-office practices to
justify charging the fee. For instance,
after the bank allows one debit card
transaction when there is sufficient
money in the account, it nonetheless
charges a fee on that transaction later
because of intervening transactions.
3.1.3 CFPB Issued Bulletin on Unfair
Returned Deposited Item Fee
Assessment Practices
On October 26, 2022, the CFPB issued
a bulletin 23 stating that blanket policies
of charging returned deposited item fees
to consumers for all returned
transactions irrespective of the
circumstances or patterns of behavior on
the account are likely unfair under the
CFPA.
22 Consumer Financial Protection Circular 2022–06, Unanticipated Overdraft Fee Assessment
Practices (Oct. 26, 2022), available at:
https://files.consumerfinance.gov/f/documents/cfpb_unanticipated-overdraft-fee-assessment-practices_circular_2022-10.pdf.
23 Bulletin 2022–06: Unfair Returned Deposited Item Fee Assessment Practices, available at:
https://files.consumerfinance.gov/f/documents/cfpb_returned-deposited-item-fee-assessment-practice_compliance-bulletin_2022-10.pdf.
3.1.4 CFPB Issued Advisory Opinion
on Debt Collectors’ Collection of Pay-to-Pay Fees
On June 29, 2022, the CFPB issued an
advisory opinion 24 affirming that
Federal law often prohibits debt
collectors from charging ‘‘pay-to-pay’’
fees. These charges, commonly
described by debt collectors as
‘‘convenience fees,’’ are imposed on
consumers who want to make a
payment in a particular way, such as
online or by phone.
4. Remedial Actions
4.1 Public Enforcement Actions
The Bureau’s supervisory activities
resulted in and supported the following
enforcement action.
4.1.1 Wells Fargo
On December 20, 2022, the CFPB and
Wells Fargo entered into a consent order
in which Wells Fargo will pay more
than $2 billion in redress to consumers
and a $1.7 billion civil penalty for legal
violations across several of its largest
product lines.25 The bank’s illegal
conduct led to billions of dollars in
financial harm to its customers and, for
thousands of customers, the loss of their
vehicles and homes. Consumers were
illegally assessed fees and interest
charges on auto and mortgage loans, had
their cars wrongly repossessed, and had
payments to auto and mortgage loans
misapplied by the bank. Wells Fargo
also improperly froze or closed
customer deposit accounts, charged
consumers unlawful surprise overdraft
fees, and did not always waive monthly
account service fees consistent with its
disclosures. Under the terms of the
order, Wells Fargo will pay redress to
the over 16 million affected consumer
accounts, and pay a $1.7 billion fine,
which will go to the CFPB’s Civil
Penalty Fund, where it will be used to
provide relief to victims of consumer
financial law violations.
4.1.2 Regions Bank
On September 28, 2022, the CFPB
ordered Regions Bank to pay $50
million into the CFPB’s victims relief
fund and to refund at least $141 million
to customers harmed by its illegal
surprise overdraft fees.26 Until July
2021, Regions charged customers
surprise overdraft fees on certain ATM
withdrawals and debit card purchases.
The bank charged overdraft fees even
after telling consumers they had
sufficient funds at the time of the
transactions. The CFPB also found that
Regions Bank leadership knew about
and could have discontinued its
surprise overdraft fee practices years
earlier, but they chose to wait while
Regions pursued changes that would
generate new fee revenue to make up for
ending the illegal fees.
This is not the first time Regions Bank
has been caught engaging in illegal
overdraft abuses. In 2015, the CFPB
found that Regions had charged $49
million in unlawful overdraft fees and
ordered Regions to make sure that the
fees had been fully refunded and pay a
$7.5 million penalty for charging
overdraft fees to consumers who had not
opted into overdraft protection and to
consumers who had been told they
would not be charged overdraft fees.27
24 Advisory Opinion on Debt Collectors’ Collection of Pay-to-Pay Fees, available at:
https://files.consumerfinance.gov/f/documents/cfpb_convenience-fees_advisory-opinion_2022-06.pdf.
25 CFPB Consent Order 2022–CFPB–0011, In the Matter of Wells Fargo Bank (Dec. 20, 2022),
available at: https://files.consumerfinance.gov/f/documents/cfpb_wells-fargo-na-2022_consent-order_2022-12.pdf.
26 CFPB Consent Order 2022–CFPB–0008, In the Matter of Regions Bank (Sept. 28, 2022),
available at: https://files.consumerfinance.gov/f/documents/cfpb_Regions_Bank-_Consent-Order_2022-09.pdf.
27 CFPB Consent Order 2015–CFPB–0009, In the Matter of Regions Bank (Apr. 28, 2015),
available at: https://files.consumerfinance.gov/f/201504_cfpb_consent-order_regions-bank.pdf.
Rohit Chopra,
Director, Consumer Financial Protection
Bureau.
[FR Doc. 2023–05667 Filed 3–20–23; 8:45 am]
BILLING CODE 4810–AM–P
BUREAU OF CONSUMER FINANCIAL
PROTECTION
[Docket No. CFPB–2023–0020]
Request for Information Regarding
Data Brokers and Other Business
Practices Involving the Collection and
Sale of Consumer Information
AGENCY: Bureau of Consumer Financial
Protection.
ACTION: Request for public comment.
SUMMARY: The Consumer Financial
Protection Bureau (CFPB) is seeking
comments from the public related to
data brokers. The submissions in
response to this request for information
will serve to assist the CFPB and
policymakers in understanding the
current state of business practices in
exercising enforcement, supervision,
regulatory, and other authorities.
DATES: Comments must be received on
or before June 13, 2023.
ADDRESSES: You may submit comments,
identified by Docket No. CFPB–2023–0020,
by any of the following methods:
• Federal eRulemaking Portal:
https://www.regulations.gov. Follow the
instructions for submitting comments.
• Email: DataBrokersRFI_2023@cfpb.gov. Include the document title and
Docket No. CFPB–2023–0020 in the
subject line of the message.
• Mail/Hand Delivery/Courier:
Comment Intake, Request for
Information Regarding Data Brokers,
Consumer Financial Protection Bureau,
c/o Legal Division Docket Manager,
1700 G Street NW, Washington, DC
20552. Because paper mail in the
Washington, DC area and at the CFPB is
subject to delay, commenters are
encouraged to submit comments
electronically.
Instructions: The CFPB encourages
the early submission of comments. All
submissions should include the agency
name and docket number for this
request for information. Please note the
number of the topic on which you are
commenting at the top of each response
(you do not need to address all topics.)
In general, all comments received will
be posted without change to https://www.regulations.gov. All comments,
including attachments and other
supporting materials, will become part
of the public record and subject to
public disclosure. Sensitive personal
information, such as account numbers
or Social Security numbers, should not
be included. Comments generally will
not be edited to remove any identifying
or contact information.
FOR FURTHER INFORMATION CONTACT: Erie
Meyer, Chief Technologist and Senior
Advisor, Office of the Director; Davida
Farrar, Counsel, Office of Consumer
Populations at 202–435–7700. If you
require this document in an alternative
electronic format, please contact CFPB_Accessibility@cfpb.gov.
SUPPLEMENTARY INFORMATION:
I. Background
In 1970, Congress enacted the Fair
Credit Reporting Act (FCRA),1 one of
the first data privacy laws in the world.
The primary sponsor of the legislation,
Senator William Proxmire, at the time
publicly described an emerging
consumer reporting market involving
the dissemination of a wide range of
information about Americans, including
financial status, bill paying records,
public records including arrests, suits,
and judgments, dossiers, information on
drinking, marital discords, adulterous
behavior, general reputation, habits, and
morals. The Senator stressed that ‘‘while
the growth of this information network
is somewhat alarming, what is even
more alarming is the fact that the system
has been built with virtually no public
regulation or supervision.’’ 2
1 15 U.S.C. 1681 et seq.
Before voting on the FCRA, Congress
held a series of investigative hearings
and uncovered a wide variety of abuses
in the industry. For example, Congress
found that many consumers were
unaware of the existence of the industry
because non-disclosure agreements
between consumer reporting agencies
and users hid the arrangement behind a
shroud of secrecy.3 In addition, the
hearings revealed the practice of
including disclaimers of accuracy in
agreements between consumer reporting
agencies and creditors; before the FCRA,
consumer reporting agencies purported
to be mere transmitters of information
who were not responsible for accuracy.4
Congress also criticized the fact that
consumers were not given access to
their credit reports,5 and that credit
reports often included obsolete or
irrelevant information.6
Ultimately, Congress found that
consumer reporting agencies assumed a
vital role in assembling and evaluating
consumer credit and other information
on consumers to meet the needs of
commerce, but that rules were necessary
to ensure they handled information fairly
and equitably with regard to
confidentiality, accuracy, relevancy, and
proper use.7 The FCRA established
comprehensive rules to govern the
practices of consumer reporting
agencies, including four key features: (1)
a prohibition on using or disseminating
certain personal data outside prescribed
permissible purposes selected by
Congress,8 (2) a requirement that
consumer reporting agencies ‘‘follow
reasonable procedures to assure
maximum possible accuracy’’ of
consumer reports,9 (3) a right of
consumers to inspect data about
themselves,10 and (4) due process to
challenge false data.11
2 115 Cong. Rec. 2410 (1969).
3 Robert M. McNamara Jr., The Fair Credit
Reporting Act: A Legislative Overview, 22 J. Pub. L.
67, 80 (1973).
4 Hearing on Retail Credit Co. of Atlanta, Ga.,
Before a Subcomm. on Invasion of Privacy of the
House Comm. on Government Operations, 90th
Cong., 2d Sess. 47 (1968).
5 Hearings on Commercial Credit Bureaus Before
a Subcomm. on Invasion of Privacy of the House
Comm. on Government Operations, 90th Cong., 2d
Sess. 10 (1968).
6 See S. Rep. No. 517, 91st Cong., 1st Sess. 4
(1969).
7 15 U.S.C. 1681 (Congressional findings and
statement of purpose for FCRA).
8 15 U.S.C. 1681b.
9 15 U.S.C. 1681e(b).
10 15 U.S.C. 1681g.
11 15 U.S.C. 1681i, 1681s–2.
The FCRA still remains on the books
and has been amended from time to
time.12 But since the enactment of the
FCRA, companies using business
models that sell consumer data have
emerged and evolved with the growth of
the internet and advanced technology.
Many companies whose business
models rely on newer technologies and
novel methods purport not to be
covered by the FCRA. These companies
are sometimes labeled ‘‘data brokers,’’
‘‘data aggregators,’’ or ‘‘platforms,’’ but
they all share a fundamental
characteristic with consumer reporting
agencies—they collect and sell personal
data.
With the passage of the Consumer
Financial Protection Act (CFPA),
Congress transferred rulemaking
authority for most provisions of the
FCRA from the Federal Trade
Commission to the CFPB. The CFPA
granted the CFPB the authority to
enforce the FCRA along with other
Federal regulators.13 The CFPA also
granted the CFPB various additional
authorities that may be applicable to
companies that collect and sell personal
data, including, for example, authorities
pursuant to the Gramm-Leach-Bliley
Act’s privacy provisions.14 The CFPB
has used its authority to address unfair
or deceptive acts or practices related to
the handling of consumer data.15
This request for information is
seeking information to (1) help inform
the CFPB about new business models
that sell consumer data, including
information relevant to assessments of
whether companies using these new
business models are covered by the
FCRA, given the FCRA’s broad
definitions of ‘‘consumer report’’ and
‘‘consumer reporting agency,’’ 16 or
other statutory authorities, and (2)
collect information on consumer harm
and any market abuses, including those
that resemble harms Congress originally
identified in 1970 in passing the FCRA.
12 Consumer Credit Reporting Reform Act of
1996, Pub. L. 104–208 (1996).
13 See 15 U.S.C. 1681s.
14 See, e.g., 12 U.S.C. 5481(12)(J) (specifying
provisions of the Gramm-Leach-Bliley Act that
qualify as ‘‘enumerated consumer laws’’ over which
the Bureau has jurisdiction).
15 See, e.g., Consumer Financial Protection
Circular 2022–04, Insufficient data protection or
security for sensitive consumer information,
https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/.
16 See 15 U.S.C. 1681a(d), (f).
II. Overview
Data brokers is an umbrella term to
describe firms that collect, aggregate,
sell, resell, license, or otherwise share
consumers’ personal information with
other parties. Data brokers encompass
actors such as first-party data brokers
that interact with consumers directly, as
well as third-party data brokers with
whom the consumer does not have a
direct relationship. Data brokers include
firms that specialize in preparing
employment background screening
reports and credit reports. Data brokers
collect information from public and
private sources for purposes including
marketing and advertising, building and
refining proprietary algorithms, credit
and insurance underwriting, consumer-authorized data porting, fraud detection,
criminal background checks, identity
verification, and people search
databases.17
As part of the CFPB’s statutory
mandate to promote fair, transparent,
and competitive markets for consumer
financial products and services, this
request for information is part of a series
of efforts to examine data collection and
use. In addition to supervision of
consumer reporting agencies, including
the three largest nationwide consumer
reporting agencies, the CFPB endeavors
to gain insight into the full scope of the
data broker industry. The data broker
industry is growing and expanding its
reach into new spheres of consumers’
personal lives, as more sophisticated
computerization has increased the
power of these companies to track and
predict consumer behavior. Yet, many
people lack an understanding of the
scope and breadth of data brokers’
business practices and the impact of
those practices on the marketplace and
peoples’ daily lives.
The CFPB seeks to better understand
the heterogeneity of these firms and to
assist firms in understanding any
compliance obligations under the FCRA
and other laws as appropriate.
Data brokers collect or share a vast
range of information, often building
profiles of individuals by delving into
the details of consumers’ everyday
interactions, including credit card
purchases and web browsing activity.
Data brokers also collect other types of
sensitive and intimate personal
information such as genetic and health
information, religious affiliation,
financial records, and geolocation
data.18
17 Data Brokers: A Call for Transparency and
Accountability at i–v, Federal Trade Commission (May 2014),
https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
18 Data Brokers: A Call for Transparency and
Accountability at app. B, Federal Trade Commission (May 2014),
https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
Government agencies, technology and
privacy experts, financial institutions,
consumer advocates, and others have
identified numerous consumer harms
and abuses related to the operation of
data brokers, including significant
privacy and security risks, the
facilitation of harassment and fraud, the
lack of consumer knowledge and
consent, and the spread of inaccurate
information.19
People should be able to expect
companies to safeguard their most
personal and intimate information, and
should be able to have knowledge and
control over how companies obtain and
use their data. Surveys have found that
people are concerned about being
tracked and surveilled by companies,
and express concern about the lack of
control over how data collected about
them is used.20
While observers have documented the
increasing role of data brokers in the
economy, there is still relatively limited
public understanding of their operations
and other impacts.
19 See, e.g., Justin Sherman, Data Brokers and
Sensitive Data on U.S. Individuals: Threats to
American Civil Rights, National Security, and
Democracy, Duke Sanford Cyber Policy Program (Aug. 2021),
https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf.
20 Americans and Privacy: Concerned, Confused
and Feeling Lack of Control Over Their Personal
Information, Pew Research Center (Nov. 2019),
https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.
III. Request for Information
This request for information seeks
comments from the public on data
brokers. The CFPB welcomes
stakeholders to submit data, analysis,
research, and other information about
data brokers. The CFPB also requests
input from individuals who have
interacted with or have been affected by
data broker business practices. To assist
commenters in developing responses,
the CFPB has crafted the below
questions that commenters may answer.
However, the CFPB is interested in
receiving any comments relating to data
brokers.
Market-Level Inquiries
1. What types of data do data brokers
collect, aggregate, sell, resell, license,
derive marketable insights from, or
otherwise share?
a. What do data brokers do with the
data they collect other than the
aggregation, selling, reselling, or
licensing of data?
b. Please provide information about
specific types of data that are financial
in nature, such as information about
salary, income sources, spending,
investments, assets, use of financial
products or services, investments,
signals of financial distress, etc.
2. What sources do data brokers rely
on to collect information? What
collection methods do data brokers use
to source information?
a. What specific types of information
do data brokers obtain from public
records databases? Which public
records sources do data brokers use?
b. Are people unknowingly deceived
or manipulated into supplying data to
data brokers? Describe the nature of
such deception or manipulation.
c. What technological components
facilitate brokers’ collection of data,
including but not limited to: tracking
scripts, web-based plug-ins, pixels, or
software development kits (SDKs) in
Apps?
3. What specific types of information
do data brokers receive from financial
institutions? Do financial institutions
place any restrictions on the use of this
data? Under what circumstances do
consumers consent to this data sharing
or receive an opportunity to opt-out of
this sharing?
4. What specific entities and types of
entities have relationships (e.g.,
partnerships, vendor relationships,
investor relationships, joint ventures,
retail arrangements, data share
agreements, third-party pixel usage)
with data brokers? Describe the nature
of those relationships and any relevant
financial arrangements pursuant to such
relationships.
5. Which specific entities and types of
entities collect, aggregate, sell, resell,
license, or otherwise share consumers’
personal information with other parties?
6. Does the granular nature of data
brokers’ collection of information
related to consumer preferences and
behaviors influence consumer
purchasing patterns or levels of
indebtedness? Describe the nature of
such collection and how it may
influence purchasing patterns.
7. How do companies collect
consumer data to create, build, or refine
proprietary algorithms?
8. Does consumer data collected by
data brokers facilitate a less competitive
marketplace or more expensive financial
products for consumers, and if so, how?
9. Can people avoid having their data
collected?
a. Are there certain special
populations that are less likely to be
able to exercise control over the
collection, aggregation, sale, resale,
licensing, or other sharing of their data?
b. If so, which special populations
and why?
10. Under what circumstances is
deidentified, ‘‘anonymized,’’ or
aggregated data reidentified or
disaggregated?
11. Can people reasonably avoid
adverse consequences resulting from
data collection across different contexts
(e.g., cross-device tracking, reidentification, mobile fingerprint
matching)?
12. Which specific entities and types
of entities purchase data from data
brokers? How do these entities use the
purchased data?
a. What specific uses concern
marketing, decisioning, fraud detection,
or servicing related to consumer
financial products and services?
b. What, if any, restrictions do data
brokers impose on the use of such data?
13. What data broker practices cause
harms to people? What are those harms
and types of harms?
a. Are there certain special
populations that are more likely to
experience harms? If so, which special
populations and why?
b. Are data brokers selling, reselling,
or licensing information about
particular groups, including certain
protected classes? If so, what are
examples of this behavior?
c. What harms do people experience
if they are unable to remove their
information from data broker
repositories?
14. What data broker practices
provide benefits to people? What are
those benefits?
15. What actions can people take to
gain knowledge or control over data, or
correct data that is collected, aggregated,
sold, resold, licensed, or otherwise
shared about them?
16. How can and does the activity of
data brokers and their clients impact
consumers beyond those whose data
were collected or used by that data
broker? How, if at all, can consumers
reasonably avoid being targeted or
influenced based on the activities of
data brokers and their clients, even if
they are able to avoid or opt-out of
having their own data collected?
17. What information do State-level
data broker registries provide? How is
this information made available and
used? Are State-level data broker
registries adequate to prevent harm?
How could they be improved?
18. What controls do data brokers
implement in order to protect people’s
data and safeguard the privacy and
security of the public? Are these
controls adequate?
a. What controls exist related to who
can purchase or obtain information from
data brokers?
b. Are these controls adequate?
19. What controls do data brokers
implement to ensure the quality and
accuracy of data they have collected?
a. What controls exist related to
ensuring the quality and accuracy of
public records data, including court
records?
b. Are these controls adequate?
20. How have data broker practices
evolved due to new technological
developments, including machine
learning or other advanced
computational methods?
21. Are there companies or other
entities that help consumers understand
and manage their relationship to, and
rights with respect to, data brokers? If
not, why not? What factors could further
help such consumer-assisting
companies and entities?
22. How might the CFPB use its
supervision, enforcement, research,
rulemaking, or consumer complaint
functions with respect to data brokers
and related harms?
Individual Inquiries
1. Have you experienced data broker
harms, including financial harms? What
are those harms?
2. Have you experienced data broker
benefits? What are those benefits?
3. Are you able to detect whether
harms or benefits are tied to a specific
data broker? Are existing methods of
detection adequate?
4. Have you ever attempted to remove
your data from a specific data broker’s
repository for privacy purposes? If so,
a. Describe your experience engaging
with the data broker in question.
b. What steps were you required to
take to request the removal of your data?
Did you face any hurdles in filing the
data removal request? Did the data
broker honor your request?
c. Was your information removed
immediately, and if not, how long did
the removal take?
d. Were you asked to share additional
information with the data broker to have
your data removed?
e. Were you charged a fee by the data
broker to have your data removed?
f. Did you spend money on another
service to help you get your data
removed? Was it helpful?
g. If your data removal request was
successful, did you receive advertising
to remove your data from other sites?
h. When you found your information
on data broker websites, how did that
make you feel?
5. Have you ever attempted to view or
inspect the data maintained about you?
If so, describe your experience.
a. What steps were you required to
take to view or inspect your data?
b. Did you face any hurdles in filing
the request to view or inspect your data?
c. Did the data broker honor your
request?
6. Have you ever attempted to correct
your data? If so, describe your
experience.
a. What steps were you required to
take to request correcting your data?
b. Did you face any hurdles in filing
the data correction request?
c. Did the data broker honor your
request?
7. Have you taken any other steps to
protect your privacy or security as a
result of data broker harms? Were these
steps adequate?
Rohit Chopra,
Director, Consumer Financial Protection
Bureau.
[FR Doc. 2023–05670 Filed 3–20–23; 8:45 am]
BILLING CODE 4810–AM–P
BUREAU OF CONSUMER FINANCIAL
PROTECTION
[Docket No. CFPB–2023–0022]
Agency Information Collection
Activities: Comment Request
AGENCY: Bureau of Consumer Financial
Protection.
ACTION: Notice and request for comment.
SUMMARY: In accordance with the
Paperwork Reduction Act of 1995
(PRA), the Consumer Financial
Protection Bureau (Bureau or CFPB)
requests the extension of the Office of
Management and Budget’s (OMB’s)
approval of an existing information
collection titled ‘‘Truth in Lending Act
(Regulation Z)’’ approved under OMB
Number 3170–0015.
DATES: Written comments are
encouraged and must be received on or
before April 20, 2023 to be assured of
consideration.
ADDRESSES: Written comments and
recommendations for the proposed
information collection should be sent
within 30 days of publication of this
notice to www.reginfo.gov/public/do/PRAMain.
Find this particular
information collection by selecting
‘‘Currently under 30-day Review—Open
for Public Comments’’ or by using the
search function. In general, all
comments received will become public
records, including any personal
information provided. Sensitive
personal information, such as account
numbers or Social Security numbers,
should not be included.
FOR FURTHER INFORMATION CONTACT:
Requests for additional information
should be directed to Anthony May,
Paperwork Reduction Act Officer, at
(202) 435–7278, or email: CFPB_PRA@cfpb.gov.
If you require this document
in an alternative electronic format,
[Federal Register Volume 88, Number 54 (Tuesday, March 21, 2023)]
[Notices]
[Pages 16951-16954]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-05670]
-----------------------------------------------------------------------
BUREAU OF CONSUMER FINANCIAL PROTECTION
[Docket No. CFPB-2023-0020]
Request for Information Regarding Data Brokers and Other Business
Practices Involving the Collection and Sale of Consumer Information
AGENCY: Bureau of Consumer Financial Protection.
ACTION: Request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Consumer Financial Protection Bureau (CFPB) is seeking
comments from the public related to data brokers. The submissions in
response to this request for information will serve to assist the CFPB
and policymakers in understanding the current state of business
practices in exercising enforcement, supervision, regulatory, and other
authorities.
DATES: Comments must be received on or before June 13, 2023.
ADDRESSES: You may submit comments, identified by Docket No. CFPB-2023-
0020, by any of the following methods:
[[Page 16952]]
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
Email: DataBrokersRFI_2023@cfpb.gov. Include the document
title and Docket No. CFPB-2023-0020 in the subject line of the message.
Mail/Hand Delivery/Courier: Comment Intake, Request for
Information Regarding Data Brokers, Consumer Financial Protection
Bureau, c/o Legal Division Docket Manager, 1700 G Street NW,
Washington, DC 20552. Because paper mail in the Washington, DC area and
at the CFPB is subject to delay, commenters are encouraged to submit
comments electronically.
Instructions: The CFPB encourages the early submission of comments.
All submissions should include the agency name and docket number for
this request for information. Please note the number of the topic on
which you are commenting at the top of each response (you do not need
to address all topics.) In general, all comments received will be
posted without change to https://www.regulations.gov. All comments,
including attachments and other supporting materials, will become part
of the public record and subject to public disclosure. Sensitive
personal information, such as account numbers or Social Security
numbers, should not be included. Comments generally will not be edited
to remove any identifying or contact information.
FOR FURTHER INFORMATION CONTACT: Erie Meyer, Chief Technologist and
Senior Advisor, Office of the Director; Davida Farrar, Counsel, Office
of Consumer Populations at 202-435-7700. If you require this document
in an alternative electronic format, please contact
[email protected].
SUPPLEMENTARY INFORMATION:
I. Background
In 1970, Congress enacted the Fair Credit Reporting Act (FCRA),\1\
one of the first data privacy laws in the world. The primary sponsor of
the legislation, Senator William Proxmire, at the time publicly
described an emerging consumer reporting market involving the
dissemination of a wide range of information about Americans, including
financial status, bill paying records, public records including
arrests, suits, and judgments, dossiers, information on drinking,
marital discords, adulterous behavior, general reputation, habits, and
morals. The Senator stressed that ``while the growth of this
information network is somewhat alarming, what is even more alarming is
the fact that the system has been built with virtually no public
regulation or supervision.'' \2\
---------------------------------------------------------------------------
\1\ 15 U.S.C. 1681 et seq.
\2\ 115 Cong. Rec. 2410 (1969).
---------------------------------------------------------------------------
Before voting on the FCRA, Congress held a series of investigative
hearings and uncovered a wide variety of abuses in the industry. For
example, Congress found that many consumers were unaware of the
existence of the industry because non-disclosure agreements between
consumer reporting agencies and users hid the arrangement behind a
shroud of secrecy.\3\ In addition, the hearings revealed the practice
of including disclaimers of accuracy in agreements between consumer
reporting agencies and creditors; before the FCRA, consumer reporting
agencies purported to be mere transmitters of information who were not
responsible for accuracy.\4\ Congress also criticized the fact that
consumers were not given access to their credit reports,\5\ and that
credit reports often included obsolete or irrelevant information.\6\
---------------------------------------------------------------------------
\3\ Robert M. McNamara Jr., The Fair Credit Reporting Act: A
Legislative Overview, 22 J. Pub. L. 67, 80 (1973).
\4\ Hearing on Retail Credit Co. of Atlanta, Ga., Before a
Subcomm. on Invasion of Privacy of the House Comm. on Government
Operations, 90th Cong., 2d Sess. 47 (1968).
\5\ Hearings on Commercial Credit Bureaus Before a Subcomm. on
Invasion of Privacy of the House Comm. on Government Operations,
90th Cong., 2d Sess. 10 (1968).
\6\ See S. Rep. No. 517, 91st Cong., 1st Sess. 4 (1969).
---------------------------------------------------------------------------
Ultimately, Congress found that consumer reporting agencies assumed
a vital role in assembling and evaluating consumer credit and other
information on consumers to meet the needs of commerce, but that rules
were necessary to ensure they handled information fairly and equitably
with regard to confidentiality, accuracy, relevancy, and proper use.\7\
The FCRA established comprehensive rules to govern the practices of
consumer reporting agencies, including four key features: (1) a
prohibition on using or disseminating certain personal data outside
prescribed permissible purposes selected by Congress,\8\ (2) a
requirement that consumer reporting agencies ``follow reasonable
procedures to assure maximum possible accuracy'' of consumer
reports,\9\ (3) a right of consumers to inspect data about
themselves,\10\ and (4) due process to challenge false data.\11\
---------------------------------------------------------------------------
\7\ 15 U.S.C. 1681 (Congressional findings and statement of
purpose for FCRA).
\8\ 15 U.S.C. 1681b.
\9\ 15 U.S.C. 1681e(b).
\10\ 15 U.S.C. 1681g.
\11\ 15 U.S.C. 1681i, 1681s-2.
---------------------------------------------------------------------------
The FCRA still remains on the books and has been amended from time
to time.\12\ But since the enactment of the FCRA, companies using
business models that sell consumer data have emerged and evolved with
the growth of the internet and advanced technology. Many companies
whose business models rely on newer technologies and novel methods
purport not to be covered by the FCRA. These companies are sometimes
labeled ``data brokers,'' ``data aggregators,'' or ``platforms,'' but
they all share a fundamental characteristic with consumer reporting
agencies--they collect and sell personal data.
---------------------------------------------------------------------------
\12\ Consumer Credit Reporting Reform Act of 1996, Pub. L.
104-208 (1996).
---------------------------------------------------------------------------
With the passage of the Consumer Financial Protection Act (CFPA),
Congress transferred rulemaking authority for most provisions of the
FCRA from the Federal Trade Commission to the CFPB. The CFPA granted
the CFPB the authority to enforce the FCRA along with other Federal
regulators.\13\ The CFPA also granted the CFPB various additional
authorities that may be applicable to companies that collect and sell
personal data, including, for example, authorities pursuant to the
Gramm-Leach-Bliley Act's privacy provisions.\14\ The CFPB has used its
authority to address unfair or deceptive acts or practices related to
the handling of consumer data.\15\
---------------------------------------------------------------------------
\13\ See 15 U.S.C. 1681s.
\14\ See, e.g., 12 U.S.C. 5481(12)(J) (specifying provisions of
the Gramm-Leach-Bliley Act that qualify as ``enumerated consumer
laws'' over which the Bureau has jurisdiction).
\15\ See, e.g., Consumer Financial Protection Circular 2022-04,
Insufficient data protection or security for sensitive consumer
information, https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/.
---------------------------------------------------------------------------
This request for information is seeking information to (1) help
inform the CFPB about new business models that sell consumer data,
including information relevant to assessments of whether companies
using these new business models are covered by the FCRA, given the
FCRA's broad definitions of ``consumer report'' and ``consumer
reporting agency,'' \16\ or other statutory authorities, and (2)
collect information on consumer harm and any market abuses, including
those that resemble harms Congress originally identified in 1970 in
passing the FCRA.
---------------------------------------------------------------------------
\16\ See 15 U.S.C. 1681a(d), (f).
---------------------------------------------------------------------------
II. Overview
``Data brokers'' is an umbrella term to describe firms that collect,
aggregate, sell, resell, license, or otherwise share consumers'
personal information with other parties. Data brokers encompass actors
such as first-party data brokers
that interact with consumers directly, as well as third-party data
brokers with whom the consumer does not have a direct relationship.
Data brokers include firms that specialize in preparing employment
background screening reports and credit reports. Data brokers collect
information from public and private sources for purposes including
marketing and advertising, building and refining proprietary
algorithms, credit and insurance underwriting, consumer-authorized data
porting, fraud detection, criminal background checks, identity
verification, and people search databases.\17\
---------------------------------------------------------------------------
\17\ Data Brokers: A Call for Transparency and Accountability at
i-v, Federal Trade Commission (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
---------------------------------------------------------------------------
As part of the CFPB's statutory mandate to promote fair,
transparent, and competitive markets for consumer financial products
and services, this request for information is part of a series of
efforts to examine data collection and use. In addition to supervision
of consumer reporting agencies, including the three largest nationwide
consumer reporting agencies, the CFPB endeavors to gain insight into
the full scope of the data broker industry. The data broker industry is
growing and expanding its reach into new spheres of consumers' personal
lives, as more sophisticated computerization has increased the power of
these companies to track and predict consumer behavior. Yet, many
people lack an understanding of the scope and breadth of data brokers'
business practices and the impact of those practices on the marketplace
and people's daily lives.
The CFPB seeks to better understand the heterogeneity of these
firms and to assist firms in understanding any compliance obligations
under the FCRA and other laws as appropriate.
Data brokers collect or share a vast range of information, often
building profiles of individuals by delving into the details of
consumers' everyday interactions, including credit card purchases and
web browsing activity. Data brokers also collect other types of
sensitive and intimate personal information such as genetic and health
information, religious affiliation, financial records, and geolocation
data.\18\
---------------------------------------------------------------------------
\18\ Data Brokers: A Call for Transparency and Accountability at
app. B, Federal Trade Commission (May 2014), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
---------------------------------------------------------------------------
Government agencies, technology and privacy experts, financial
institutions, consumer advocates, and others have identified numerous
consumer harms and abuses related to the operation of data brokers,
including significant privacy and security risks, the facilitation of
harassment and fraud, the lack of consumer knowledge and consent, and
the spread of inaccurate information.\19\
---------------------------------------------------------------------------
\19\ See, e.g., Justin Sherman, Data Brokers and Sensitive Data
on U.S. Individuals: Threats to American Civil Rights, National
Security, and Democracy, Duke Sanford Cyber Policy Program (Aug.
2021), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf.
---------------------------------------------------------------------------
People should be able to expect companies to safeguard their most
personal and intimate information, and should be able to have knowledge
and control over how companies obtain and use their data. Surveys have
found that people are concerned about being tracked and surveilled by
companies, and express concern about the lack of control over how data
collected about them is used.\20\
---------------------------------------------------------------------------
\20\ Americans and Privacy: Concerned, Confused and Feeling Lack
of Control Over Their Personal Information, Pew Research Center
(Nov. 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/.
---------------------------------------------------------------------------
While observers have documented the increasing role of data brokers
in the economy, there is still relatively limited public understanding
of their operations and other impacts.
III. Request for Information
This request for information seeks comments from the public on data
brokers. The CFPB welcomes stakeholders to submit data, analysis,
research, and other information about data brokers. The CFPB also
requests input from individuals who have interacted with or have been
affected by data broker business practices. To assist commenters in
developing responses, the CFPB has crafted the below questions that
commenters may answer. However, the CFPB is interested in receiving any
comments relating to data brokers.
Market-Level Inquiries
1. What types of data do data brokers collect, aggregate, sell,
resell, license, derive marketable insights from, or otherwise share?
a. What do data brokers do with the data they collect other than
the aggregation, selling, reselling, or licensing of data?
b. Please provide information about specific types of data that are
financial in nature, such as information about salary, income sources,
spending, investments, assets, use of financial products or services,
investments, signals of financial distress, etc.
2. What sources do data brokers rely on to collect information?
What collection methods do data brokers use to source information?
a. What specific types of information do data brokers obtain from
public records databases? Which public records sources do data brokers
use?
b. Are people unknowingly deceived or manipulated into supplying
data to data brokers? Describe the nature of such deception or
manipulation.
c. What technological components facilitate brokers' collection of
data, including but not limited to: tracking scripts, web-based
plug-ins, pixels, or software development kits (SDKs) in apps?
3. What specific types of information do data brokers receive from
financial institutions? Do financial institutions place any
restrictions on the use of this data? Under what circumstances do
consumers consent to this data sharing or receive an opportunity to
opt-out of this sharing?
4. What specific entities and types of entities have relationships
(e.g., partnerships, vendor relationships, investor relationships,
joint ventures, retail arrangements, data share agreements, third-party
pixel usage) with data brokers? Describe the nature of those
relationships and any relevant financial arrangements pursuant to such
relationships.
5. Which specific entities and types of entities collect,
aggregate, sell, resell, license, or otherwise share consumers'
personal information with other parties?
6. Does the granular nature of data brokers' collection of
information related to consumer preferences and behaviors influence
consumer purchasing patterns or levels of indebtedness? Describe the
nature of such collection and how it may influence purchasing patterns.
7. How do companies collect consumer data to create, build, or
refine proprietary algorithms?
8. Does consumer data collected by data brokers facilitate a less
competitive marketplace or more expensive financial products for
consumers, and if so, how?
9. Can people avoid having their data collected?
a. Are there certain special populations that are less likely to be
able to exercise control over the collection, aggregation, sale,
resale, licensing, or other sharing of their data?
b. If so, which special populations and why?
10. Under what circumstances is deidentified, ``anonymized,'' or
aggregated data reidentified or disaggregated?
11. Can people reasonably avoid adverse consequences resulting from
data collection across different contexts (e.g., cross-device tracking,
re-identification, mobile fingerprint matching)?
12. Which specific entities and types of entities purchase data
from data brokers? How do these entities use the purchased data?
a. What specific uses concern marketing, decisioning, fraud
detection, or servicing related to consumer financial products and
services?
b. What, if any, restrictions do data brokers impose on the use of
such data?
13. What data broker practices cause harms to people? What are
those harms and types of harms?
a. Are there certain special populations that are more likely to
experience harms? If so, which special populations and why?
b. Are data brokers selling, reselling, or licensing information
about particular groups, including certain protected classes? If so,
what are examples of this behavior?
c. What harms do people experience if they are unable to remove
their information from data broker repositories?
14. What data broker practices provide benefits to people? What are
those benefits?
15. What actions can people take to gain knowledge or control over
data, or correct data that is collected, aggregated, sold, resold,
licensed, or otherwise shared about them?
16. How can and does the activity of data brokers and their clients
impact consumers beyond those whose data were collected or used by that
data broker? How, if at all, can consumers reasonably avoid being
targeted or influenced based on the activities of data brokers and
their clients, even if they are able to avoid or opt-out of having
their own data collected?
17. What information do State-level data broker registries provide?
How is this information made available and used? Are State-level data
broker registries adequate to prevent harm? How could they be improved?
18. What controls do data brokers implement in order to protect
people's data and safeguard the privacy and security of the public? Are
these controls adequate?
a. What controls exist related to who can purchase or obtain
information from data brokers?
b. Are these controls adequate?
19. What controls do data brokers implement to ensure the quality
and accuracy of data they have collected?
a. What controls exist related to ensuring the quality and accuracy
of public records data, including court records?
b. Are these controls adequate?
20. How have data broker practices evolved due to new technological
developments, including machine learning or other advanced
computational methods?
21. Are there companies or other entities that help consumers
understand and manage their relationship to, and rights with respect
to, data brokers? If not, why not? What factors could further help such
consumer-assisting companies and entities?
22. How might the CFPB use its supervision, enforcement, research,
rulemaking, or consumer complaint functions with respect to data
brokers and related harms?
Individual Inquiries
1. Have you experienced data broker harms, including financial
harms? What are those harms?
2. Have you experienced data broker benefits? What are those
benefits?
3. Are you able to detect whether harms or benefits are tied to a
specific data broker? Are existing methods of detection adequate?
4. Have you ever attempted to remove your data from a specific data
broker's repository for privacy purposes? If so,
a. Describe your experience engaging with the data broker in
question.
b. What steps were you required to take to request the removal of
your data? Did you face any hurdles in filing the data removal request?
Did the data broker honor your request?
c. Was your information removed immediately, and if not, how long
did the removal take?
d. Were you asked to share additional information with the data
broker to have your data removed?
e. Were you charged a fee by the data broker to have your data
removed?
f. Did you spend money on another service to help you get your data
removed? Was it helpful?
g. If your data removal request was successful, did you receive
advertising to remove your data from other sites?
h. When you found your information on data broker websites, how did
that make you feel?
5. Have you ever attempted to view or inspect the data maintained
about you? If so, describe your experience.
a. What steps were you required to take to view or inspect your
data?
b. Did you face any hurdles in filing the request to view or
inspect your data?
c. Did the data broker honor your request?
6. Have you ever attempted to correct your data? If so, describe
your experience.
a. What steps were you required to take to request correcting your
data?
b. Did you face any hurdles in filing the data correction request?
c. Did the data broker honor your request?
7. Have you taken any other steps to protect your privacy or
security as a result of data broker harms? Were these steps adequate?
Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2023-05670 Filed 3-20-23; 8:45 am]