CFPB Looks To Restrict The Sleazy Link Between Credit Reporting Agencies And Data Brokers
For a long while now, we’ve pointed out how the privacy hyperventilation over singular threats like TikTok is a huge distraction from the fact that Congress is simply too corrupt to pass even a baseline privacy law for the internet era, or to regulate the massive number of dodgy data brokers that buy, sell, and trade vast troves of consumer data without much in the way of competent oversight.
Not everybody in Washington is quite so corrupt and feckless, however.
Back in March, the Consumer Financial Protection Bureau (CFPB) announced that it would be taking a long overdue look at the way credit reporting agencies share sensitive consumer financial data with data brokers.
This week, the agency stated it would be crafting new rules that would extend the Fair Credit Reporting Act to cover the data broker and credit reporting agency interchange, restricting precisely how and where such data can be collected, traded, or sold:
The push could also see new restrictions on the sale of personal information such as Social Security numbers, names and addresses, which the CFPB said data brokers often buy from the major credit reporting bureaus to create their own profiles on individual consumers.
Issued under the Fair Credit Reporting Act, the regulations would seek to ensure that data brokers selling that sensitive information do so only for valid financial purposes such as employment background checks or credit decisions, and not for unrelated purposes that may allow third parties to use the data to, for example, train AI algorithms or chatbots.
New rules are one thing. Embattled, understaffed, and underfunded consumer protection agencies enforcing them at scale will be something else entirely. Still, progress is progress.
According to Politico, the comments by CFPB boss Rohit Chopra mark the first time the Biden administration has directly addressed data brokers, which is pretty wild given the post-Roe concerns on this front:
DC has spent the last three years hyperventilating about a single app — TikTok — over supposed concerns that the data could be abused by the Chinese government. At the same time we’ve done absolutely fuck all about the vast, privacy-stomping data broker industry that collects huge troves of sensitive U.S. consumer data, then sells “anonymized” (a completely meaningless term) access to any idiot with a nickel.
Including Chinese intelligence.
Despite a lot of rhetoric about how “regulating privacy is hard,” or doing too much could have unforeseen consequences, the reality is the U.S. government hasn’t even done the bare minimum on privacy for two reasons. One, the dysfunction is immensely profitable. Two, the entire mess has provided the government with a handy way to avoid having to get warrants (especially on the location data front).
While industry and the “my relentless, unethical greed should face absolutely no restrictions from government” folks would very much like to see the 12-year-old CFPB demolished, the agency clearly serves a very beneficial purpose, and its actions here are very much overdue. Now, if it wouldn’t be too much trouble for Congress to get off its ass and pass a meaningful, simple, internet-era privacy law.
Comments on “CFPB Looks To Restrict The Sleazy Link Between Credit Reporting Agencies And Data Brokers”
Swing and a miss on that last paragraph. Care to try again?
Re:
How is that a swing and a miss? Who’s on first, What’s on second, and I don’t know who’s that on third?
Re:
No detail on the hair up yer butt, care to try again?
“Fair Credit Reporting Act”
Perhaps use of the word fair is inappropriate in the title of a bill that simply addresses the reporting, not whether it is “fair” to report such things as being related to your “credit” worthiness.
The so-called credit score (in the U.S.) is being used to create some sort of dystopian societal control function; this will not be good for anyone, including those who think it is a great idea.
/rant
Can we just start a kickstarter to have a group of black hats legally obtain everything the data brokers are selling about members of Congress & start publishing details until they decide maybe we need better piracy laws for everyone?
Re:
Still thinking about those recent RIAA stories?
Re: Re:
Ahoy, matey! it been a very ‘onest mistake.
Re:
You don’t need DefCon Black Hats (technically I’m a Gray Hat, but I digress).
All you need is that Kickstarter account and a phone.
And boy-howdy, Congress Critters would absolutely lose their shit if presented with their personal information (de-anonymized, for extra flavor). It’d be great!
This Tik-tok privacy idiocy kind of amuses me. I mean, law enforcement buys themselves into Constitution-defying-privacy-violating data from citizens all the time but nobody stopped to ask themselves a very simple question: if I can do it at will as long as I have money, what stops bad actors (China the least problematic of them in my opinion) from doing EXACTLY the same?
¯\_(ツ)_/¯
That makes it sound like they’re two different groups. Credit report agencies are a type of data broker, possibly the original type. If you’re a landlord, you just go buy a report on your prospective tenant. And if you’re a prospective or actual tenant, you’ve got no say about them accessing or providing such data; nobody’s ever meaningfully consented to this, and I’m not sure even the E.U. requires that.
The credit reporting agencies aren’t getting this data from thin air. It’s handed to them by the people we do business with (landlords, banks, utility companies), and that’s something that really ought to be regulated too. Anyone getting data from or providing data to any broker, including credit agencies, should need to have a signed consent form first; and consent to provide this data should always be optional, not some fine print one has to agree to if they want electricity.
Re:
I’m pretty sure the GDPR would require consent. Given that some of the data a credit agency would collect on you would definitely fall under biometric data, they’d need consent for that. What we need is a simple privacy law that says “you can’t collect anything other than IP addresses or user agents without explicit, unambiguous, and voluntary consent from the end-user, and you mustn’t make anything your company offers conditional on that consent, nor can you make differing services based on how much data the user provides” [i.e. You can’t make a lower-quality service if the user provides you a small amount of data and a super-ultra high-quality service if the user provides a lot of data] “; and silence, pre-ticked boxes, inactivity, and the mere act of using a service, doesn’t count as consent”. The consent also shouldn’t be all-encompassing, nor should it be in language that is difficult for the average consumer to understand. Now that’s a good privacy law.
This might not cover all eventualities, but this is what privacy should be: do your best to collect no data by default. The user should (explicitly) opt-in to every single data collection activity that you do, and should be required to give consent to each activity. This might be onerous for some companies (Google, much?), but I say that’s their problem, and not the end-user’s problem.
Re: Re:
Does it actually work that way in practice? Like, let’s say a kid was 13 years old when GDPR was passed, is 18 now, and has never given voluntary consent for anyone to send their data to a credit agency. Does that mean the agency would have no record of this person? Can Europeans sign up for credit cards, utilities, etc., which will not provide any data to those agencies (including stuff required for lookups, such as name, address, date of birth)?
Even if Congress could get off its ass and pass some privacy law, it would probably be ignored or circumvented. We have such a law for medical data, the “Healthcare Insurance Privacy and Portability Act,” passed in 1996. Last year there were a reported 524 breaches involving 51 million people. As of August 1 of this year there were 371 breaches reported covering 44 million people (and that doesn’t include a recent HCA breach of as many as 11 million people). HHS fines the culprits, but the fine is apparently too small to result in an investment in competent information security. HIPAA doesn’t include a private cause of action, so we can’t individually sue for our loss of medical privacy.
Re:
Which is why we need to increase the maximum fines for these to be at least 80 percent of the company’s global turnover, if not complete dissolution of the company with regards to health data, if not worse (something like “either comply with our data privacy laws or you can’t operate here, and if you do, you’ll receive a fine so big we’ll put you in debt for decades”).
Re:
HIPAA gets breached far more often than that. But few know you can report, let alone how, and that only applies to those who find out. And many, many things are not covered under HIPAA that you think are. For instance, employers are not covered; if you tell your employer about a medical issue requiring accommodation, there is no legal requirement to keep it private.
The fact that they can even “sell” SSNs is beyond the pale. What a farce the whole credit bureau thing is, and the bastardization of SSNs in general.