The Consumer Financial Protection Bureau (CFPB), the main US agency tasked with consumer protection, announced on Tuesday that it would begin the process of regulating companies that collect and sell personal data. The announcement was made in remarks at the White House from Director Rohit Chopra as part of an “all-of-government effort” to address personal data security and risks associated with AI.
“To ensure that modern-day data companies assembling profiles about us are meeting the requirements under the Fair Credit Reporting Act, the CFPB will be developing rules to prevent misuse and abuse by these data brokers,” said Chopra. The Fair Credit Reporting Act regulates when “consumer reporting agencies” can share a person’s information.
Chopra highlighted two actions the CFPB plans to take. The first would define any company that sells personal data as a consumer reporting agency. This would trigger the enforcement of higher standards for accuracy, disputes and misuse. The second would clarify questions around “credit heading data,” which is the data used by credit reporting companies such as Equifax, Experian and TransUnion. “Credit heading data” often includes sensitive personal information like Social Security numbers. The CFPB aims to tighten disclosures of this information, particularly to prevent the exposure of information that could identify people such as domestic violence victims.
The formal rulemaking process to create a regulation can take some time, as it must include research, the posting of a notice and public comment. Although Chopra only specified two actions, he indicated that the CFPB plans to take further action after additional policy research.
The announcement follows years of heated questions surrounding personal data security in the US, especially around major controversies like Cambridge Analytica accessing Facebook data and other breaches. China and the EU both have stricter data privacy regulations than the US, which has raised questions about US policy and led to some changes to accommodate US trade with the EU. Congress has also paid more attention to data privacy issues, with TikTok’s CEO recently testifying before the US House Committee on Energy and Commerce, though Congress has yet to pass major data security legislation.