Understand how a recent decision by the Consumer Financial Protection Bureau (CFPB) to cancel its plans to regulate data brokers under the Fair Credit Reporting Act could impact both consumers and employers.
Every time you use an application or connect to the internet on a device, your personal information may be collected. Your location, your preferences, your shopping cart, the links you click—all that data may be catalogued and stored.
That personal data is a valuable commodity that can be bought by companies, criminals, and anyone who wants more information about you. And who is selling this information? Entities known as data brokers.
Data brokers are a favorite among hackers because they provide a means to obtain the information needed to launch schemes like phishing and ransomware attacks. Though the United States government had previously made plans to regulate data brokers and protect Americans from them, a recent decision from the Consumer Financial Protection Bureau (CFPB) to cancel its plans to more tightly regulate data brokers could have a huge impact on Americans—and their employers.
Data brokers, explained
Data brokers are companies or individuals that collect, analyze, and sell or license personal information about individuals to third parties. This information can include public records like addresses, phone numbers, property records, current employers, online activities, and much more.
And the data broker business is only getting bigger—in fact, as of 2024, the global data broker market is expected to reach over $616 billion in value by 2030.
The information collected by data brokers is gathered using a range of sources. This includes court records, commercial resources like retailers and credit card providers, online tracking data like cookies, online surveys, and more. With this information, data brokers can paint a very accurate picture of who you are, including your interests, your political views, and other personal information.
Data brokers often sell to third parties like marketing and advertising companies, businesses, and more. This is to help these organizations better target their marketing materials, increase sales, and predict your preferences.
However, they can also sell to anyone willing to pay them for their data—that includes scammers, spammers, and foreign actors that may use the information for nefarious purposes. Scammers can use this information to create more convincing and effective scams and identity theft schemes by posing as legitimate parties such as technical support members, government agencies, and more.
The Consumer Financial Protection Bureau and data brokers
In December 2024, the CFPB proposed a new rule that would allow regulators to police data brokers under the Fair Credit Reporting Act. The Fair Credit Reporting Act requires credit reporting agencies to adhere to standards of accuracy and privacy when dealing with people’s financial information like credit scores and other related data. This new rule would limit data brokers’ ability to sell sensitive personal information, including financial data and credit scores, phone numbers, and addresses.
The proposal would’ve treated data brokers like credit reporting agencies, requiring them to obtain separate, explicit authorization before getting or sharing people’s sensitive information.
According to Rohit Chopra, the director of the CFPB at the time of the rule's proposal, “By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying.”
By policing data brokers more strictly, the CFPB would help ensure that consumers’ data doesn’t end up in the wrong hands and prevent scammers, foreign actors, and fraudsters from easily accessing personal information that makes it easier for them to steal identities and make their scams more convincing.
However, a change of plans by the CFPB has potentially put Americans at the mercy of data brokers.
The recent CFPB decision: What it means for consumers and employers
In May, the CFPB decided to cancel its plans to limit the ability of US data brokers to sell the sensitive information they’ve collected about consumers, deeming the rulemaking “not necessary or appropriate.”
While this change of plans keeps us at the status quo, the decision has far-reaching implications for both consumers and employers, especially as Americans are increasingly expanding their presence in the digital world and, by extension, the amount of data available within it.
What this means for consumers
For consumers, this change of plans means that data brokers will generally retain the ability to sell sensitive information like online history and more. This continues to put millions of Americans at greater risk of falling victim to scams and identity theft schemes as it gives scammers and fraudsters the information they need to craft more effective scams.
It also increases the likelihood that consumers’ data will be breached—if more companies and entities have their sensitive data on file, there’s a greater chance of those companies being hacked and consumers’ data being exposed.
It also puts people like domestic abuse victims, as well as military and government officials and organizations, in greater danger as foreign actors, criminals, and domestic abusers are in a better position to access information like location data and addresses.
What this means for employers
Because scammers, hackers, and foreign actors have greater access to sensitive data, employers also face an increased risk of data breaches. Cybercriminals often start their attacks by compromising an employee’s personal accounts such as emails, social media accounts, and more.
With access to accounts like email, cybercriminals can acquire an employee’s login information and more easily breach a company’s defenses, gaining access to restricted systems and extracting financial statements, business accounts, proprietary information, or other confidential data they can use to launch further attacks.
How to stay secure in a world of data brokers
To further secure their organizations against cyberattacks and protect their employees from data breaches and potential violence, employers need to ensure that their employees have the tools and training they need to protect their personal information.
Employers can mitigate their risk of data breaches by providing data privacy training for employees. This includes educating them on the risks of sharing personal information on the internet, how to protect their data, how to recognize signs of identity theft and account takeovers, and more.
Another essential tool in the fight against data brokers is an effective identity protection solution. By helping employees protect their identity and personal information, organizations can reduce their risk of falling victim to cybercrime and data breaches. A reliable identity protection solution provides several benefits to employers by helping employees secure their personal data, including:
Helping employees avoid account takeovers by alerting them when their login credentials have been compromised
Data management tools to help employees understand which companies and data brokers have access to their data and enable them to request to have it removed
Expert assistance in restoring their identities in the event of identity theft, reducing the amount of lost work hours needed to address the situation and emotional turmoil
Providing employees with updates and education on the latest scams and identity theft schemes
To learn how Allstate Identity Protection can help your organization reduce its risk of data breaches and protect its employees from scams and identity theft, contact our team today.