Data Brokers Face Regulatory Crackdown: CFPB and FTC Take Action

Privacy Law richtfirm December 5, 2024

Contents show

The data broker legal compliance landscape continues to undergo significant changes as regulatory bodies in the United States intensify their scrutiny of companies selling or sharing personal information and particularly sensitive consumer information. Two major developments highlight this shift: a proposed rule by the Consumer Financial Protection Bureau (CFPB) and a lawsuit filed by the Federal Trade Commission (FTC) against prominent data brokers.

CFPB’s Proposed Rule on Data Brokers

The CFPB has put forward a proposal that would classify certain data brokers as Consumer Reporting Agencies, subjecting them to the regulations outlined in the Fair Credit Reporting Act (FCRA). This move aims to curtail the unrestricted sale of sensitive personal data, including Social Security numbers and financial information.

Key aspects of the proposed rule include:

Treating data brokers like credit bureaus and background check companies.
Protecting consumers’ personal identifiers from misuse.
Requiring explicit consumer consent for data sharing.

The CFPB is accepting public comments on this proposal until March 3, 2025, allowing stakeholders to provide input on these potential changes.

FTC’s Legal Action Against Gravy Analytics and Venntel

Simultaneously, the FTC has taken legal action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for allegedly selling sensitive location data without proper consumer consent. The complaint accuses these companies of violating the FTC Act by unfairly selling data related to consumers’ visits to health-related locations and places of worship.

The proposed settlement includes:

Prohibiting the sale, disclosure, or use of sensitive location data.
Establishing a sensitive data location program.
Deleting previously collected sensitive data that doesn’t comply with the new order.

Impact on the Data Broker Sector

These regulatory actions signal a significant shift in the data brokerage industry, with far-reaching implications:

Increased Scrutiny: Companies dealing with consumer data will face heightened oversight regarding consent and transparency practices.
Stricter Data Policies: Firms may need to implement more rigorous data retention and deletion policies to comply with new regulations.
Robust Safeguards: The need for comprehensive safeguards to manage sensitive data will become paramount.
Legal Compliance: Companies must prioritize adherence to evolving regulatory expectations to avoid potential fines and legal action.

State-Specific Data Broker Compliance Implications

Beyond the CFPB’s proposed rule and the FTC’s legal actions, data brokers face a complex landscape of state-specific regulations. California’s Delete Act, signed into law in October 2023, represents a significant shift in data broker regulation. It enables California residents to request the deletion of their personal information from all registered data brokers through a single mechanism managed by the California Privacy Protection Agency (CPPA). The Act also imposes new disclosure requirements and mandates triennial third-party audits for compliance. Other states, including Vermont, Texas, and Oregon, have enacted their own data broker laws, each with unique registration requirements, fees, and compliance obligations. For instance, Texas requires data brokers to implement a comprehensive information security program, while Oregon’s law focuses on registration and consumer opt-out rights. These state-level regulations create a patchwork of compliance requirements, forcing data brokers to navigate varying definitions, registration processes and associated costs, and consumer rights across different jurisdictions. As more states consider similar legislation, data brokers must remain vigilant and adaptable to an evolving regulatory environment.

Comprehensive State Privacy Laws

In addition to data broker-specific laws, comprehensive state privacy laws significantly impact data broker operations. These laws, such as the California Consumer Privacy Act (CCPA), Virginia’s Consumer Data Protection Act (VCDPA), and Colorado’s Privacy Act (CPA), introduce broad privacy rights and compliance requirements that directly affect data brokers. Key provisions include:

Opt-out rights: Consumers can opt out of the sale or sharing of their personal information or object to certain data processing activities.
Opt-in requirements: Some laws mandate obtaining explicit consent before processing sensitive data categories or for specific use cases.
Data subject access rights: Individuals can request access to, correction of, or deletion of their personal data.
Transparency obligations: Data brokers must provide clear privacy notices detailing their data collection, use, and sharing practices.
Data protection assessments: Certain high-risk processing activities require formal risk evaluations.

These comprehensive privacy laws create additional layers of compliance for data brokers, often intersecting with and complementing data broker-specific regulations. As more states enact similar legislation, data brokers must navigate an increasingly complex regulatory landscape, adapting their practices to meet varying requirements across different jurisdictions.

Broader Implications

The actions by the CFPB and FTC reflect growing concerns about privacy and data protection in the digital age. As Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Surreptitious surveillance by data brokers undermines our civil liberties and puts servicemembers, union workers, religious minorities, and others at risk.” These regulatory moves aim to address the potential harms associated with unrestricted data brokerage, including risks of discrimination, stalking, and unauthorized surveillance. By enforcing stricter controls on the collection, use, and sale of sensitive data, authorities hope to protect consumers from privacy violations and potential abuses of their personal information.

As the regulatory landscape evolves, companies in the data sector must adapt quickly. This may involve reassessing business models, enhancing data protection measures, and fostering a culture of privacy and transparency. The ability to navigate these changes while maintaining consumer trust will likely become a key differentiator in the industry. Regardless, the actions taken by the CFPB and FTC mark a significant turning point in the regulation of data brokers and the protection of consumer privacy.

Tags: Data Brokers

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Insights