Yesterday, we saw two regulators take action to enhance consumer privacy, reflecting a growing government focus on protecting personal data and consumer rights.
- CFPB Proposes to Regulate Data Brokers
The Consumer Financial Protection Bureau (CFPB) has proposed a new rule aimed at regulating data brokers who sell sensitive personal and financial information. By proposing this rule, the CFPB seeks to strengthen accountability for data brokers, making sure that certain financial data, like consumers’ income, is only shared for legitimate purposes and restricting credit bureaus from selling people’s sensitive information, like Social Security numbers and phone numbers. This initiative seeks to protect Americans from crimes such as identity theft, stalking, and illegal foreign surveillance. Comments must be received on or before March 3, 2025.
Key Aspects of the Proposed Rule
- Classification of Certain Data Brokers as Consumer Reporting Agencies: Data brokers selling information related to income, financial tiers, credit history, or debt payments would be classified as consumer reporting agencies. This classification mandates compliance with the Fair Credit Reporting Act (FCRA), including accuracy requirements and consumer access to information.
The FCRA, one of the first data privacy laws in the world, was passed by Congress in 1970 to address the growing data surveillance industry. Credit reporting companies were largely unchecked, and consumers were often powerless to protect themselves from harms. Congress enacted the FCRA to protect consumers’ privacy by restricting the communication of personal information by consumer reporting agencies (CRAs).
- Protection of Personal Identifiers: The rule aims to prevent the misuse of personal identifiers such as Social Security Numbers and phone numbers. It would ensure that these identifiers are only shared for legitimate purposes, such as mortgage approvals, rather than being sold to potential scammers or shared with foreign countries of concern.
- Consumer Consent for Data Sharing: Companies would be required to obtain clear and explicit consent from consumers before sharing their credit report information. This measure seeks to prevent unauthorized data sharing often hidden in fine print.
Implications for Data Brokers
If the rule is enacted, data brokers will face increased regulatory scrutiny and must adhere to FCRA requirements. This includes:
- Implementing safeguards against data misuse.
- Ensuring the accuracy of consumer data.
- Allowing consumers access to their information.
Impact on Privacy and Safety, National Security, and Consumer Protection
The CFPB’s proposal addresses significant national security concerns by limiting foreign entities’ access to sensitive data. It also aims to protect vulnerable populations from criminal exploitation by reducing the availability of detailed financial profiles used in fraud schemes.
The proposed rule is designed to enhance privacy protections for individuals, particularly those at risk of violence or harassment, such as law enforcement personnel and domestic violence survivors. By restricting the sale of sensitive contact information, the rule seeks to mitigate risks associated with doxing and stalking.
Compliance and Next Steps
Data brokers should begin reviewing their data handling practices in anticipation of potential changes. Legal counsel can assist in assessing compliance with FCRA requirements and preparing for increased regulatory oversight. Stakeholders may also consider submitting comments during the public consultation period for the proposed rule.
- FTC Sues Data Analytics Companies for Allegedly Selling Location Data Tracking Consumers to Sensitive Sites
The Federal Trade Commission (FTC) has initiated legal action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for allegedly unlawful practices related to the collection and sale of sensitive consumer location data.
Key Points of the FTC’s Complaint
- Allegations: The FTC alleges that Gravy Analytics and Venntel violated the FTC Act by:
  - Unfairly selling sensitive consumer location data
  - Collecting and using consumers’ location data without obtaining verifiable user consent
  - Continuing to use location data after learning of lack of informed consent
  - Selling sensitive characteristics derived from location data, including health decisions, political activities, and religious viewpoints
- Scale of Data Collection: The companies allegedly processed over 17 billion signals daily from approximately one billion mobile devices.
- Methods Used: Gravy Analytics reportedly employed geofencing techniques to identify and sell lists of consumers who attended specific events or visited sensitive locations.
Proposed Settlement
The FTC’s proposed order includes several key provisions:
- Prohibition on Data Use: Gravy Analytics and Venntel will be prohibited from selling, disclosing, or using sensitive location data, except in limited circumstances involving national security or law enforcement.
- Sensitive Location Data Program: The companies must establish a program to identify sensitive locations and prevent the use or disclosure of data related to these locations.
- Data Deletion: All historic location data and related data products must be deleted.
- Customer Notification: Customers who received historic location data within the last three years must be informed of the requirement to delete or de-identify such data, or to render it non-sensitive.
- Supplier Assessment Program: The companies must implement a program to ensure consumer consent for data collection and use.
- Misrepresentation Ban: The order prohibits misrepresentations about data handling practices and de-identification.
Implications for Businesses
This enforcement action has several important implications for businesses operating in the data analytics and location data sectors:
- Increased Scrutiny: The FTC is actively targeting companies that collect and sell sensitive location data, with this being the fifth such action in recent years.
- Consent and Transparency: There is a clear emphasis on obtaining verifiable user consent and providing transparent disclosures about data collection and use practices.
- Sensitive Data Handling: Companies must be extremely cautious when dealing with data that could reveal sensitive information about individuals, such as health conditions, religious beliefs, or political activities.
- Data Retention and Deletion: Businesses should review their data retention policies and be prepared to delete or de-identify historical data if required.
- Supply Chain Due Diligence: Companies acquiring data from third-party suppliers should implement robust assessment programs to ensure proper consent has been obtained.
Recommendations for Businesses
- Review and update privacy policies and consent mechanisms to ensure they are clear, comprehensive, and obtain verifiable user consent.
- Implement or enhance data classification systems to identify and protect sensitive location data.
- Develop and maintain a list of sensitive locations and implement safeguards to prevent the collection or use of data associated with these locations.
- Establish rigorous supplier assessment programs to verify the legitimacy and consent practices of data sources.
- Review and potentially limit data retention periods, particularly for sensitive location data.
- Ensure that any de-identification processes for data are robust and meet regulatory standards.
- Stay informed about ongoing FTC actions and guidance in this area, as the regulatory landscape continues to evolve.
- Seek legal advice on your particular data use.
Conclusion
Yesterday’s actions reflect a broader government effort to safeguard Americans’ personal data against emerging threats. Businesses operating in the data analytics space should take immediate steps to review and, if necessary, revise their practices to align with these heightened regulatory expectations. Companies handling personal data should consider proactive measures to align with the latest developments in the regulatory landscape and enforcement trends.
NEED HELP WITH DATA PRIVACY AND SECURITY LAW COMPLIANCE?
The CommLaw Group Can Help!
If your company has questions about its data privacy obligations under state and federal laws and FCC rules, would like our help preparing and submitting its comments to the proposed CFPB Rule, or would like to reassess its data collection and processing practices in compliance with applicable law, please contact us:
Susan Duarte – Tel: 703-714-1318 / E-mail: sfd@commlawgroup.com
Diana James – Tel: 703-663-6757 / E-mail: daj@commlawgroup.com