
InfoBytes Blog

Financial Services Law Insights and Observations



  • CPPA releases NPRM for data broker registration

    Agency Rule-Making & Guidance

    On July 5, the California Privacy Protection Agency (CPPA) issued an NPRM for adopting new regulations for data broker registration to implement and enforce SB 362, known as the Delete Act (covered by InfoBytes here).

    The proposed regulations aim to clarify issues that data brokers faced after the CPPA administered the data broker registration process for the first time this past January by (i) specifying the registration fee details, (ii) defining terms in the Delete Act such as “minor” and “direct relationship” to clarify what businesses are data brokers, (iii) detailing the registration requirements for data brokers’ employees or agents, and (iv) clarifying that each data broker business is required to register, regardless of status as a parent company or subsidiary, among other things.

    Public comments on the proposed regulations must be received by August 20. Additionally, a virtual public hearing will be held on the same date.

    Agency Rule-Making & Guidance State Issues Privacy, Cyber Risk & Data Security CPPA California Data Brokers Licensing Registration

  • CFPB Director speaks on new and proposed rules for data brokers

    Agency Rule-Making & Guidance

    On April 2, the Director of the CFPB, Rohit Chopra, delivered a speech at the White House Office of Science and Technology Policy highlighting President Biden’s recent Executive Order (EO) to Protect Americans’ Sensitive Personal Data and how the CFPB plans to develop rules to regulate “data brokers” under FCRA. As previously covered by InfoBytes, the EO ordered several agencies, including the CFPB, to better protect Americans’ data. Chopra highlighted how the EO not only covered data breaches but also regulated “data brokers” that ingest and sell data. According to the EO, “Commercial data brokers… can sell [data] to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments.”

    Consistent with the EO, the CFPB plans to propose rules this year that will regulate “data brokers,” as per its authority under FCRA. Specifically, the proposed rules would include data brokers within the definition of “consumer reporting agency”; further, a company’s sale of consumer payment or income data would be considered a “consumer report” subject to requirements, like accuracy, customer disputes, and other provisions prohibiting misuse of the data.

    Agency Rule-Making & Guidance Federal Issues CFPB Privacy, Cyber Risk & Data Security Executive Order Data Brokers

  • FTC alleges data broker company mishandled consumer location data

    Federal Issues

    On January 9, the FTC released a proposed order and complaint against a data broker that sells consumer location data to companies. According to the complaint, which alleges seven violations of the FTC Act, the data broker company had no policies or procedures in place to remove any of the raw data from the location data sets that it sold, which could be used to identify sensitive personal information. The FTC alleges that because of this, the data broker company failed to provide “necessary technical safeguards” to ensure that consumers’ privacy choices were honored. The FTC also alleges that the data broker’s contracts with entities to purchase the data were “insufficient to protect consumers from the substantial injury caused by the collection, transfer, and use of the consumers’ location data” as they visit sensitive locations, such as churches, healthcare facilities, and schools.

    The data broker company collected 10 billion location data points daily worldwide throughout its apps, but it failed to inform its consumers that it sold this data to advertisers, employers, or government contractors. The FTC further alleges that the data broker’s business practices are likely to cause substantial injury to consumers due to its lack of reasonable data security measures.

    According to the proposed order, the company must comply with FTC mandates that include requiring it to prohibit misrepresentations using the data, prohibit the use, sale, or disclosure of sensitive location data, and implement a sensitive location data program. The data broker neither admits nor denies any wrongdoing and the FTC did not levy a money judgment.

    Federal Issues Data Brokers Consumer Data FTC Act Privacy, Cyber Risk & Data Security

  • California enacts new data broker regulations

    State Issues

    The California governor recently signed SB 362 (the “Act”), which will impose regulations on data brokers by allowing consumers to request the deletion of their personal data that was collected. The Act will allow the California Privacy Protection Agency (CPPA) to create an “accessible deletion mechanism” to make a streamlined method for consumers to delete their collected information available by January 1, 2026.

    Among other amendments, businesses that meet the definition of a data broker will be required to register every year with the CPPA, instead of with the attorney general. Additionally, the Act requires data brokers to provide more information during their yearly registration, including: (i) if they collect the personal information of minors; (ii) if they collect consumers’ precise geolocation; (iii) if they collect consumers’ reproductive health care data; (iv) “[b]eginning January 1, 2029, whether the data broker has undergone an audit as described in subdivision (e) of Section 1798.99.86, and, if so, the most recent year that the data broker has submitted a report resulting from the audit and any related materials to the California Privacy Protection Agency”; and (v) a link on their website with details on how consumers may delete their personal information, correct inaccurate personal information, learn what personal information is collected and how it is being used, learn how to opt out of the sale or sharing of personal information, learn how to access their collected personal information, and learn how to limit the use and disclosure of their sensitive personal information. Moreover, administrative fines for violations of the Act, payable to the CPPA, have increased from $100 to $200, and data brokers that fail to delete information for each deletion request face a penalty of $200 per day the information is not deleted.

    The Act further requires that data brokers submit a yearly report of the number of requests received for consumer information deletion, and the number of requests denied. The yearly report must also include the median and mean number of days in which the data broker responded to those requests.


    State Issues Privacy, Cyber Risk & Data Security State Legislation California CPPA Data Brokers Consumer Protection

  • Chopra announces rulemaking for data brokers

    Federal Issues

    On August 15, CFPB Director Rohit Chopra delivered remarks at the White House Roundtable on the harms of data broker practices. Referencing the prevalence of artificial intelligence in data surveillance, Chopra highlighted a common practice employed by companies: gathering, leveraging, and sharing data concerning consumers, including individual pieces of data or consumer profiles, without consumers’ awareness, with third parties that employ AI to formulate forecasts and decisions. These detailed data sets can also easily be exploited by bad actors, Chopra warned. Chopra announced that after conducting an inquiry into data broker practices, the Bureau will endeavor to make rules regulating data broker surveillance to ensure sensitive data is not misused and on par with FCRA requirements.

    Two proposals are being considered: the first proposal would define the term “consumer reporting agency” to include a data broker that sells certain types of consumer data, thereby triggering requirements to ensure accuracy and to govern disputes concerning the reporting of inaccurate information. The second proposal will address existing confusion concerning “the extent to which credit header data constitutes a consumer report, [and] reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.” The rulemaking will also complement efforts put forth by the FTC.

    Federal Issues CFPB Consumer Protection Data Brokers Artificial Intelligence FCRA

  • Oregon enacts registration requirements for data brokers

    State Issues

    On July 27, the governor of Oregon signed HB 2052 (the “Act”) into law, effective upon passage. The Act provides that a “data broker” cannot collect, sell or license brokered personal data within Oregon unless they first register with the Department of Consumer and Business Services. Brokered personal data includes, among other things, name (or the name of a member of the individual’s immediate family or household), date or place of birth, maiden name of the individual’s mother, biometric information, social security or other government-issued identification number, or other information that can “reasonably be associated” with the individual. A data broker does not include consumer reporting agencies, financial institutions, and affiliates or nonaffiliated third parties of financial institutions that are subject to Title V of the Gramm-Leach-Bliley Act, among others. There are certain exceptions to the requirement, including, among others, selling the assets of a business entity a single time. The Act stipulates a civil penalty in an amount less than or equal to $500 for each violation of the Act or for each day in which a violation continues. Civil money penalties are capped at $10,000 per calendar year.

    Licensing State Issues Data Brokers Consumer Data Consumer Protection State Legislation Oregon

  • Texas enacts data broker requirements

    State Issues

    The Texas governor recently signed SB 2105 (the “Act”) to regulate data brokers operating in the state. The Act defines a “data broker” as “a business entity whose principal source of revenue is derived from the collecting, processing, or transferring of personal data that the entity did not collect directly from the individual linked or linkable to the data.” The Act’s provisions apply to data brokers that derive, in a 12-month period, (i) more than 50 percent of their revenue from processing or transferring personal data, or (ii) revenue from processing or transferring the personal data of more than 50,000 individuals, that was not collected directly from the individuals to whom the data pertains. Among other things, the Act requires covered entities to post conspicuous notices on websites or mobile applications disclosing that they are a data broker. Data brokers must also register annually with the secretary of state and pay required fees. Additionally, data brokers must implement a comprehensive information security program to protect personal data under their control and conduct ongoing employee and contractor education and training. Data brokers are required to take measures to ensure third-party service providers maintain appropriate security measures as well.

    The Act does not apply to deidentified data (provided certain conditions are met), employee data, publicly available information, inferences that do not reveal sensitive data that is derived from multiple independent sources of publicly available information, and data subject to the Gramm-Leach-Bliley Act. Additionally, the Act does not apply to service providers that process employee data for a third-party employer, persons or entities that collect personal data from another person or entity to which they are related by common ownership or control where it is assumed a reasonable consumer would expect the data to be shared, governmental entities, nonprofits, consumer reporting agencies, and financial institutions.

    The Texas attorney general has authority to bring an action against a data broker that violates the Act and impose a civil penalty in an amount not less than the total of “$100 for each day the entity is in violation,” as well as the amount of unpaid registration fees for each year an entity fails to register. Penalties may not exceed $10,000 in a 12-month period. By December 1, the secretary of state is required to promulgate rules necessary to implement the Act. The Act is effective September 1.

    State Issues Privacy, Cyber Risk & Data Security State Legislation Texas Data Brokers Third-Party

  • CFPB looking at privacy implications of worker surveillance

    Agency Rule-Making & Guidance

    On June 20, the CFPB released a statement announcing it will be “embarking on an inquiry into the data broker industry and issues raised by new technological developments.” The Bureau requested information in March about entities that purchase information from data brokers, the negative impacts of data broker practices, and the issues consumers face when they wish to see or correct their personal information. (Covered by InfoBytes here.) The findings from this inquiry will help the Bureau understand how employees’ personal information can find its way into the data broker market.

    With similar intentions, the White House Office of Science and Technology Policy (OSTP) released a request for information (RFI) to learn more about the automated tools employers use to monitor, screen, surveil, and manage their employees. The OSTP blog post cited to an increase in the use of technologies that handle employees’ sensitive information and data. The OSTP also highlighted the Biden administration’s Blueprint for an AI Bill of Rights (covered by InfoBytes here), which underscored the importance of building in protections when developing new technologies and understanding associated risks. Responses to the RFI will be used to “inform new policy responses, share relevant research, data, and findings with the public, and amplify best practices among employers, worker organizations, technology vendors, developers, and others in civil society,” the OSTP said.

    The CFPB’s response to the RFI described the agency’s concerns regarding risks to employees’ privacy, noting that it has long received complaints from the public about the lack of transparency and inaccuracies in the employment screening industry. Specifically mentioned are FCRA protections for consumers and guidelines around the sale of personal data. The Bureau also commented that employees may not be at liberty to determine how their information is used, or sold, and have no opportunity for recourse when inaccurately reported information affects their earnings, access to credit, ability to rent a home or buy a car, and more.

    Agency Rule-Making & Guidance Federal Issues Privacy, Cyber Risk & Data Security CFPB Consumer Finance Consumer Protection Privacy Data Brokers Biden FCRA

  • District Court dismisses FTC’s privacy claims in geolocation action

    Federal Issues

    On May 4, the U.S. District Court for the District of Ohio issued two separate rulings in a pair of related disputes between the FTC and a data broker. The disputes center around accusations made by the FTC last August that the data broker violated Section 5 of the FTC Act by unfairly selling precise geolocation data from hundreds of millions of mobile devices which can be used to trace individuals’ movements to and from sensitive locations (covered by InfoBytes here). The FTC sought a permanent injunction to stop the data broker’s practices, as well as additional relief. The data broker, upon learning that the FTC planned to file a lawsuit against it, filed a preemptive lawsuit challenging the agency’s authority.

    The court first dismissed the data broker’s preemptive bid to block the FTC’s enforcement action, ruling that the data broker has not identified any “viable cause of action” to support its request for injunctive relief. The court explained that injunctive relief is a “drastic remedy” that is only available if no other legal remedy is available. However, the data broker possesses an “adequate remedy at law,” the court said, “because it can seek dismissal of, and otherwise directly defend against, the FTC’s enforcement action.”

    With respect to the FTC’s action, the court granted the data broker’s motion to dismiss the FTC’s complaint, but gave the agency leave to amend. The court agreed with the data broker that the FTC’s complaint lacks sufficient allegations to support its unfairness claim under Section 5 of the FTC Act. While the court disagreed with the data broker’s assertion that it did not have “fair notice that its sale of geolocation data without restrictions near sensitive locations could violate Section 5(a) of the FTC Act” or that the FTC had to allege a predicate violation of law or policy to state a claim, the court determined that the FTC failed to adequately allege that the data broker’s practices created “a ‘significant risk’ of concrete harm.” Moreover, the court found that “the purported privacy intrusion is not severe enough to constitute ‘substantial injury’ under Section 5(n).” The court noted, however, that some of the deficiencies may be cured through additional factual allegations in an amended complaint.

    Federal Issues Courts Privacy, Cyber Risk & Data Security FTC Enforcement Data Brokers FTC Act UDAP Unfair

  • CFPB seeks input on data broker businesses

    Federal Issues

    On March 15, the CFPB issued a Request for Information (RFI) seeking public input on data broker business practices in order to inform planned rulemaking under the FCRA and help the agency understand the current state of the industry. “Modern data surveillance practices have allowed companies to hover over our digital lives and monetize our most sensitive data,” CFPB Director Rohit Chopra said in the announcement. He added, “[o]ur inquiry will inform whether rules under the [FCRA] reflect these market realities.” The Bureau explained that the FCRA—which covers data brokers such as credit reporting companies and background screening firms, as well as parties who report information to these firms—provides several protections, including accuracy standards, dispute rights, and restrictions on how data can be used. The RFI seeks feedback on business models and practices used by the data broker market, including information about the types of data being collected and sold and the sources data brokers rely upon. In particular, the Bureau seeks information on consumer harm and market abuses, and wants to understand “whether companies using these new business models are covered by the FCRA, given the FCRA’s broad definitions of ‘consumer report’ and ‘consumer reporting agency.’” The Bureau stated it is also interested in learning about consumers’ direct experiences with data brokers, including when consumers try to remove, correct, or regain control of their data. Comments on the RFI are due by June 13.

    Federal Issues Agency Rule-Making & Guidance CFPB Consumer Finance Data Brokers FCRA Credit Report

