CFPB Takes Aim at Data Brokers in Proposed Rule Amending FCRA

On December 3, the CFPB announced a proposed rule to enhance oversight of data brokers that handle consumers’ sensitive personal and financial information. The proposed rule would amend Regulation V, which implements the Fair Credit Reporting Act (FCRA), to require data brokers to comply with credit bureau-style regulations under FCRA if they sell income data or certain other financial information on consumers, regardless of its end use.

Should this rule be finalized, the CFPB would be empowered to enforce the FCRA’s privacy protections and consumer safeguards in connection with data brokers who leverage emerging technologies that became prevalent after FCRA’s enactment.

What are some of the implications of the new rule?

  • Data Brokers are Now Considered CRAs. The proposed rule defines the circumstances under which companies handling consumer data would be considered CRAs by clarifying the definition of “consumer reports.” The rule specifies that data brokers selling any of four types of consumer information—credit history, credit score, debt payments, or income/financial tier data—would generally be considered to be selling a consumer report.
  • Assembling Information About Consumers Means You are a CRA. Under the rule, an entity is a CRA if it assembles or evaluates information about consumers, including by collecting, gathering, or retaining; assessing, verifying, validating; or contributing to or altering the content of such information. This view is in step with the Bureau’s recent Circular on AI-based background dossiers of employees. (See our prior discussion here.)
  • Header Information is Now a Consumer Report. Under the proposed rule, communications from consumer reporting agencies of certain personal identifiers that they collect—such as name, addresses, date of birth, Social Security numbers, and phone numbers—would be consumer reports. This would mean that consumer reporting agencies could only sell such information (typically referred to as “credit header” data) if the user had a permissible purpose under the FCRA.
  • Marketing is Not a Legitimate Business Need. The proposed rule emphasizes that marketing is not a “legitimate business need” under the FCRA. Accordingly, CRAs could not use consumer reports to decide for an advertiser which consumers should receive ads and would not be able to send ads to consumers on an advertiser’s behalf.
  • Enhanced Disclosure and Consent Requirements. Under the FCRA, consumers can give their consent to share data. Under the proposed rule, the Bureau clarified that consumers must be provided a clear and conspicuous disclosure stating how their consumer report will be used. It would also require data brokers to acknowledge a consumer’s right to revoke their consent. Finally, the proposed rule requires a new and separate consumer authorization for each product or service authorized by the consumer. The Bureau is focused on instances where a customer signs up for a specific product or service, such as credit monitoring, but then receives targeted marketing for a completely different product.

Comments on the rule must be received on or before March 3, 2025.

Putting It Into Practice: With the release of the rule so close to the end of Director Chopra’s term, it will be interesting to see what a new administration does with it. We expect a new CFPB director to scale back and rescind much of the informal regulatory guidance that was issued by the Biden administration. However, some aspects of the data broker rule have bipartisan support so we may see parts of it finalized in 2025.

Privacy-on-the-Go: California Attorney General and Major Mobile Application Platforms Agree to Privacy Principles for Mobile Applications

Recently The National Law Review featured an article written by Cynthia J. Larose and Jake Romero of Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. regarding Mobile Apps and Privacy:

Application developers have been put on notice by the State of California. It is time to pay attention to user privacy and collection of information from user devices.

In an effort led by the office of California Attorney General Kamala D. Harris, the state has reached an agreement committing the six largest companies offering platforms for mobile applications (commonly referred to as “apps”) to a set of principles designed to ensure compliance with California’s Online Privacy Protection Act. The agreement with Apple Inc., Google Inc., Microsoft Corp., Amazon.com Inc., Hewlett-Packard Co., and Research In Motion Ltd., which collectively represent over 95% of the mobile application market, is significant for two reasons. First, it operates as an acknowledgement that California’s Online Privacy Protection Act applies to app developers as well as platform providers. Second, the agreement may effectively create a minimum standard for disclosures and transparency with regard to the collection of personal information by mobile applications. Because of the global nature of the Internet, the law will apply to every mobile app provided through the six firms’ app stores even though it is a state law.

This alert includes a description of the principles underlying this agreement, as well as certain best practices to help mobile app developers ensure compliance. The full text of the agreement, as well as comments from the Office of the Attorney General, can be accessed online at http://ag.ca.gov/newsalerts/print_release.php?id=2630.

Mobile Applications and Data Privacy

The most recent data from the Pew Research Center shows that 50% of all adult cell phone owners have apps on their mobile phones, a percentage that has nearly doubled over the past two years. This same survey also indicated that approximately 43% of those surveyed purchased a phone on which apps were already installed. Many of these mobile applications, in order to facilitate the functionality of the app, allow the app developer broad access to data held on the user’s mobile device. However, as noted by Attorney General Harris in a press conference announcing the agreement, many mobile applications, including twenty-two of the thirty most popular apps, lack a privacy policy to explain how much of the user’s data is accessible by the developer, and how and with whom that data is shared.

California’s Online Privacy Protection Act provides that “[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site,” or in the case of an operator of an online service, make that policy reasonably accessible to those consumers. In entering into this agreement, the six major platform providers have acknowledged that this requirement applies equally to mobile app developers (as “online services”) and the platform providers have agreed to, among other things, implement a means for users to report apps that do not comply with this requirement and a process for investigating and responding to those reports.

The New Privacy Standard and Ensuring Compliance

A likely outcome of this agreement is that compliance with California’s Online Privacy Protection Act will become a minimum standard for the mobile application industry, because even those developers located outside the state of California will likely conclude that it is easier to have a single policy that meets California’s requirements, rather than risk inadvertent non-compliance.

To ensure compliance, developers or providers of mobile apps that collect personal data from users’ mobile devices will be required to have a privacy policy that meets the requirements set forth in Section 22575(b) of California’s Business and Professions Code (as an incorporated portion of the Online Privacy Protection Act, Section 22575(b) can be accessed in full by following the link provided above). Specifically, the privacy policy must:

· Identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.

· If the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, provide a description of that process.

· Describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator’s privacy policy for that Web site or online service.

· Identify its effective date.

In establishing a compliant privacy policy, an app developer or provider should take great care to ensure that the descriptions and processes contained therein match the actual operations of the company and the information it collects, and the policy should be reviewed periodically by both legal counsel and the app developer’s technical experts so that it can be updated as necessary. The policy should be clear and easy to understand, especially with regard to the collection and sharing of personal data. For those companies that may be affected by this agreement and already have a privacy policy in place, that policy should be reviewed to determine whether it should be updated. Developers and platform providers that do not comply with the law can be prosecuted under California’s Unfair Competition Law and/or False Advertising Law, which has penalties of up to $500,000 per use of the app in violation, Harris said. “If developers do not follow the privacy policies we will sue,” she added.

Anticipated Developments

Per their agreement with Attorney General Harris, the six major mobile app platforms will commence working with app developers to ensure compliance and provide education regarding privacy and data sharing. To increase awareness and promote transparency, mobile app developers will be required, as part of submitting an app to the platform, to provide either a link to that developer’s privacy policy, a statement describing the policy, or the full text of the policy itself. In each case, a user who is considering downloading the developer’s app will be provided access to the privacy policy associated with that app prior to downloading it.

The six major platforms have agreed to reconvene within six months to further evaluate any required changes, but no specific timeline has been stated with regard to implementing the changes described above. However, for mobile app developers who hope to continue to be a part of this quickly growing and highly lucrative market, there may not be a more opportune time to take advantage of the resources being provided on both a state and industry level.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.