The Consumer Financial Protection Bureau (CFPB) – the government agency responsible for protecting consumers in financial matters – has withdrawn a rule proposed during the waning days of the Biden administration that would have expanded federal oversight of data brokers. These are the companies you’ve likely never heard of that collect, package, and sell detailed information about you, often without your knowledge.
The rule, called “Protecting Americans From Harmful Data Broker Practices,” would have forced data brokers to follow the same consumer protection law that governs credit reporting agencies – the Fair Credit Reporting Act (FCRA). If you’ve ever checked your credit report or disputed an error with Equifax or Experian, that process is governed by the FCRA. It gives you the right to know what’s being said about you, to correct falsehoods, and to limit how your data is used.
This proposed rule would have extended those rights to the vast ecosystem of companies that profit by buying and selling your data. But now, the Bureau under the Trump administration has killed the proposal, saying the rule is “not necessary or appropriate at this time.”
Why the Proposed Rule Was a Big Deal
The original rule was designed to modernize the FCRA by pulling data brokers into its scope. That would have dramatically reshaped how businesses could collect and use personal information, particularly when that information is used to make decisions about credit, employment, housing, or insurance.
Here’s what the rule would have done:
- Redefined who qualifies as a consumer reporting agency, potentially including hundreds of data brokers and analytics firms.
- Classified personal identifiers – like name, address, age, Social Security number, and email – as part of a “consumer report” if they were used to evaluate someone’s eligibility for services like a loan or job.
- Required clear, written consumer consent before personal data could be collected or shared for these purposes.
- Extended protections even to “de-identified” data, if there was a reasonable chance it could be linked back to an individual.
Had it gone into effect, the rule would have made it harder for companies to use personal data for micro-targeted advertising, background checks, or risk scoring without proper consent. It would also have given individuals more visibility into how their data was being used – and the legal right to challenge it.
Why It Matters
Data brokers collect vast amounts of personal information – sometimes from public records, sometimes from apps and websites, and often through opaque partnerships with other businesses. This data can include income, purchasing habits, religious beliefs, political affiliations, geolocation history, and even health concerns. Much of it is bundled into detailed profiles and sold to marketers, insurers, employers, and other third parties.
Read more: How to Claim Your Share of Apple’s $95M Siri Lawsuit Settlement
The problem? There’s little transparency, and almost no recourse if your data is wrong or misused. Most people don’t even know these companies exist, let alone that they’re profiting off deeply personal information.
As Wired reported, even data that’s been “anonymized” can often be re-identified and traced back to individuals with minimal effort. And while some state laws and FTC enforcement actions have chipped away at the most egregious practices, the U.S. still lacks a comprehensive federal law that protects people from this kind of exploitation.
National Security Risks: Military and Police Data for Sale
The consequences aren’t just personal – they can be national. A 2023 study by Duke University’s Sanford School of Public Policy found that data brokers were openly selling sensitive information about U.S. military personnel, veterans, and law enforcement officers. For as little as 12 cents per record, researchers were able to purchase data that included health conditions, financial stress, religious affiliation, and even specific military roles.
Some brokers bypassed identity checks entirely when researchers paid by wire instead of a credit card. That kind of data, linked to service members and their families, could be exploited by foreign adversaries, hostile governments, or scam operations to target individuals or compromise security. Yet no law currently prevents this from happening.
What You Can Do to Protect Yourself
You can’t opt out of the entire $389 billion data broker economy, but you can take steps to reduce how much of your personal information is out there.
- Use data removal services: Companies like DeleteMe and Incogni work on your behalf to send opt-out requests to hundreds of data brokers. Having used these services, I can recommend them. They're not a silver bullet, but they provide a solid start if you want to reclaim some control.
- Request your data: Major brokers like LexisNexis, Experian, and Acxiom allow consumers to request copies of the data they hold. It takes time, but it’s free.
- Be selective about app permissions: Do not grant apps access to your contacts, location, or microphone unless absolutely necessary. If you find that you’re unable to use features that you want to use that require access, you can always grant access later.
- Monitor your identity: If you're concerned about identity theft, check your credit reports regularly and consider placing fraud alerts or credit freezes. I highly recommend adding a credit freeze, which stops identity thieves from opening new accounts under your name. Check out our story “The Best Way to Prevent Identity Theft” for more details on adding a credit freeze or fraud alert.
The Bottom Line
The “Protecting Americans From Harmful Data Broker Practices” rule would have made it easier for regular people to see, control, and protect their personal information. By scrapping it, the CFPB has left consumers to continue navigating an unregulated data economy on their own.
[Image credit: DALL-E]
