In the wake of high-profile hacks affecting hundreds of millions of Americans, the Consumer Financial Protection Bureau (CFPB) is proposing a rule limiting data brokers’ ability to sell Americans’ sensitive personal and financial information.

Under the proposed rule, data brokers that sell information about consumers’ income, credit history, credit score, or debt payments would be considered consumer reporting agencies. As such, they’d be required to comply with the Fair Credit Reporting Act (FCRA), a law limiting how these agencies can obtain and use the information provided in consumer reports. In other words, they’d be treated like credit bureaus and background check companies, which already have to comply with the FCRA.

During a Monday press call, CFPB director Rohit Chopra referenced the massive National Public Data breach earlier this year that leaked more than 200 million Social Security numbers that were offered for sale on the dark web. “These aren’t just isolated incidents: they represent a systemic vulnerability in how our personal data is bought and sold,” Chopra said.

Foreign countries have gone to great lengths to obtain that data, as federal prosecutors alleged that four members of China’s military carried out the 2017 Equifax breach, similar to the Office of Personnel Management breach a few years earlier. Still, “our adversaries don’t need to hack anything” to get Americans’ most sensitive data, Chopra said on the press call. “Data brokers—the outfits that collect and sell detailed information about our personal and financial lives—are making this data available to anyone willing to pay a price,” Chopra said.

“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” said Chopra.

In addition to requiring data brokers to comply with the FCRA, the new rule would require consumers to provide clear consent for data sharing. Data brokers would be required to get explicit permission to sell a consumer’s sensitive personal or financial information.

The regulation is targeting private companies, not government operations. During a Monday press call, a CFPB spokesperson said the agency is requesting comment on how to ensure government agencies continue to have “appropriate access” to this information. The CFPB will be accepting comments on the proposed rule until March 3rd, 2025 — but it’s possible that Trump and his allies, who are reportedly looking at ways to rein in the agency’s powers, will defang the CFPB before then.

During the Monday press call, a CFPB spokesperson declined to comment on “what a future administration may do” but pointed to “broad bipartisan recognition that data brokers pose real dangers both to Americans’ privacy and to national security.” But some government agencies, including Immigration and Customs Enforcement and the FBI also rely on data brokers to get around surveillance restrictions. 

In the wake of high-profile hacks affecting hundreds of millions of Americans, the Consumer Financial Protection Bureau (CFPB) is proposing a rule limiting data brokers’ ability to sell Americans’ sensitive personal and financial information.

Under the proposed rule, data brokers that sell information about consumers’ income, credit history, credit score, or debt payments would be considered consumer reporting agencies. As such, they’d be required to comply with the Fair Credit Reporting Act (FCRA), a law limiting how these agencies can obtain and use the information provided in consumer reports. In other words, they’d be treated like credit bureaus and background check companies, which already have to comply with the FCRA.

During a Monday press call, CFPB director Rohit Chopra referenced the massive National Public Data breach earlier this year that leaked more than 200 million Social Security numbers that were offered for sale on the dark web. “These aren’t just isolated incidents: they represent a systemic vulnerability in how our personal data is bought and sold,” Chopra said.

Foreign countries have gone to great lengths to obtain that data, as federal prosecutors alleged that four members of China’s military carried out the 2017 Equifax breach, similar to the Office of Personnel Management breach a few years earlier. Still, “our adversaries don’t need to hack anything” to get Americans’ most sensitive data, Chopra said on the press call. “Data brokers—the outfits that collect and sell detailed information about our personal and financial lives—are making this data available to anyone willing to pay a price,” Chopra said.

“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” said Chopra.

In addition to requiring data brokers to comply with the FCRA, the new rule would require consumers to provide clear consent for data sharing. Data brokers would be required to get explicit permission to sell a consumer’s sensitive personal or financial information.

The regulation is targeting private companies, not government operations. During a Monday press call, a CFPB spokesperson said the agency is requesting comment on how to ensure government agencies continue to have “appropriate access” to this information. The CFPB will be accepting comments on the proposed rule until March 3rd, 2025 — but it’s possible that Trump and his allies, who are reportedly looking at ways to rein in the agency’s powers, will defang the CFPB before then.

During the Monday press call, a CFPB spokesperson declined to comment on “what a future administration may do” but pointed to “broad bipartisan recognition that data brokers pose real dangers both to Americans’ privacy and to national security.” But some government agencies, including Immigration and Customs Enforcement and the FBI also rely on data brokers to get around surveillance restrictions.