Close-up of keyboard under UV light
Protecting the personal data of U.S. citizens has been a central theme in recent months. For the Consumer Financial Protection Bureau (CFPB), the new initiative isn't just about personal privacy. The CFPB believes that data brokers that collect and share consumer data are a threat to national security.
Congress is similarly concerned. The American Privacy Rights Act (APRA) is a newly announced bipartisan undertaking aimed at regulating the buying and selling of personal data collected from consumers, with or without the consumer's consent. The goal is to establish national data security standards that give consumers control over their information.
Earlier this month, CFPB Director Rohit Chopra said data brokers fall within the scope of the Fair Credit Reporting Act (FCRA), and the law prohibits them from sharing sensitive data, such as credit reports, with anyone other than themselves. He claimed that it was prohibited. A specific, well-defined legal reason for having it.
Data under attack
Chopra went on to point to the prevalence of data breaches. Among the major breaches he cited was the 2018 Marriott incident in which foreign bad actors hacked into the hotel giant's database. Hackers accessed 327 million of his records, including personal data ranging from date of birth to phone number.
Data brokers do not require a breach to obtain consumer data and are usually easy to purchase. Once they have the data, they can sell it to anyone, including foreign intelligence agencies.
Chopra said data brokers create lists that select individuals based on multiple criteria. For example, a broker might cross-reference a list of U.S. intelligence officials with terms like “drug abuser,” “heavy drinker,” or even “delinquent on bills.” These lists may be used to target these individuals for extortion schemes and other attacks.
do not collect
One of APRA's main goals is for data brokers to clearly identify themselves and clearly inform consumers of their motives. Brokers need to tell people exactly what data they're collecting and where they're transferring it.
APRA also tasked the Federal Trade Commission with creating a database to track brokers that handle data on more than 5,000 individuals. This allows consumers to submit a “do not collect” request to all registered data to their brokers to protect their information.
too little, too late
For some critics, the recent push by lawmakers, including APRA, is too little, too late. The global data broker industry is expected to exceed $460 billion by 2031. Although this industry is highly profitable, it remains largely unregulated and poses an urgent and significant threat to consumers.
“It stands to reason that when Americans' health information, financial information, and even their travel destinations are compiled into detailed documents, there are heightened risks when it comes to safety and security,” Chopra said.