Data on sale: Trump administration withdraws data broker oversight proposal

The US Consumer Financial Protection Bureau has withdrawn a proposed rule that would have restricted data brokers from selling US citizens’ personal and financial information.  

The decision, announced Wednesday in the Federal Register, marks a significant reversal in consumer privacy protection efforts and raises serious concerns about the security of sensitive personal data. 

“With the CFPB stepping back from regulating data brokers, American consumers face intensified risks of identity theft, behavioural profiling, and discriminatory targeting,” said Sanchit Gogia, chief analyst and CEO at Greyhound Research. “This regulatory withdrawal significantly undermines public trust in the digital economy.” 

The withdrawn proposal, titled “Protecting Americans from Harmful Data Broker Practices,” would have implemented certain provisions of the Fair Credit Reporting Act regarding when consumer reporting agencies may furnish consumer reports and when users may obtain them. 

“The Bureau is withdrawing this NPRM in light of updates to Bureau policies,” the CFPB stated in its official notice. The agency cited that the proposal “did so in a manner not aligned with the Bureau’s current interpretation of the FCRA” and its “changed policy objectives.” 

Concerns over legal authority 

The CFPB cited concerns raised during the comment period as a factor in its decision. “At least one commenter raised concerns related to the proposed rule’s propriety under the plain text of the FCRA, and there were similar questions as to the Bureau’s statutory authority,” the notice stated. 

The agency concluded it would be “inappropriate to proceed to a final rule” based on these concerns. 

Originally published in the Federal Register on December 13, 2024, the rule sought to address what former CFPB Director Rohit Chopra had described as a “staggering” problem of data brokers selling Americans’ private information without proper oversight.  

“Data brokers – the outfits that collect and sell detailed information about our personal and financial lives – are making this data available to anyone willing to pay,” Chopra wrote in a blog in 2024, informing about the proposed rule. 

Data brokers are companies that collect and sell vast amounts of personal and financial information.  

“The vulnerabilities include targeted scams, discrimination, and exploitation by obtaining sensitive information for specific demographics,” explained Neil Shah, VP for research and partner at Counterpoint Research. “Data brokers can collect data without any transparency, control, or consent.” 

The proposed regulation would have closed a loophole in the Fair Credit Reporting Act by treating data brokers like other consumer reporting agencies, requiring them to comply with the same privacy rules. 

The withdrawal comes amid broader changes at the CFPB under the Trump administration. The agency has moved to withdraw scores of guidance documents issued since 2011 and has scrapped other consumer protection proposals. 

However, the CFPB has left the possibility of future action open, stating: “When and if the Bureau determines it necessary to issue a rule implementing the relevant definitions and provisions of the FCRA, it will propose a new rule and seek public comment thereon.” 

Privacy concerns escalate 

Without these protections, data brokers can continue collecting and selling Americans’ sensitive personal information with minimal oversight. This data often includes Social Security numbers, financial records, location histories, and purchase patterns, leaving consumers vulnerable to identity theft and fraud. 

“Demographic groups already underserved by mainstream financial services—low-income earners, elderly individuals, and racial minorities—are now most exposed to data misuse,” Gogia said. “The most vulnerable demographics could be minorities, seniors, children, or families of military,” Shah added. 

Security breaches at data broker companies have already demonstrated these risks. In the past year alone, major data breaches exposed millions of Social Security numbers and location data tracking people’s movements. 

Privacy advocates argue that the collection and sale of personal data without explicit consent violates fundamental privacy rights. The absence of federal regulations means consumers often have no way to know who has their data or how it’s being used. 

Impact on businesses and consumers 

The data broker industry, valued at billions of dollars, has faced increasing scrutiny. The Federal Trade Commission has taken action against several data brokers in 2024, banning some from collecting and sharing data without permission. 

With the federal rule withdrawn, attention shifts to state-level regulations, creating new challenges for businesses. “Without a national standard, the compliance landscape is fractured, exposing enterprises to both reputational and legal harm across state lines,” Gogia explained. 

Shah echoed these concerns: “The lack of strong federal regulation will increase the burden of protecting sensitive information for enterprises. This will increase compliance costs, especially for companies operating across different states.” 

Several states have already developed their own frameworks for data privacy protection. “Some states with more solid privacy laws, such as California, Colorado, and Utah, will remain somewhat protected,” Shah noted. However, he added that “consumers need to be cognizant of those laws and their rights.” 

For consumers, the withdrawal shifts the burden of protection to individuals. “Until the CFPB revisits data broker regulation, consumers remain the last line of defence against identity exploitation,” said Gogia. “Digital literacy is no longer optional—it’s survival infrastructure in today’s data economy.”