The protection of U.S. citizens’ personal data has taken center stage over the past few months. For the Consumer Financial Protection Bureau (CFPB), the new initiatives aren’t just about personal privacy. The CFPB considers data brokers, which harvest and share consumer data, to be a threat to national security.
Congress is just as concerned. The American Privacy Rights Act (APRA) is a newly unveiled bipartisan venture designed to regulate the buying and selling of personal data collected from consumers, both with and without their consent. The goal is to establish a national data security standard that gives consumers control of their information.
Earlier this month, Rohit Chopra, Director of the CFPB, asserted that data brokers fall under the scope of the Fair Credit Reporting Act (FCRA)—and that legislation prohibits the sharing of vital data, such as credit reports, with anyone unless that have a specific, clearly-defined legal reason to have it.
Data Under Fire
Chopra went on to cite the growing prevalence of data breaches. Among the major breaches he mentioned was the 2018 Marriott incident, where foreign bad actors hacked the hotel giant’s database. Hackers got access to 327 million records that included personal data ranging from birth dates to phone numbers.
Data brokers don’t need breaches to obtain consumer data, it’s typically readily available to purchase. Once it’s in their hands, the data can then be sold to anyone, including foreign intelligence agencies.
According to Chopra, data brokers are compiling lists that can single out individuals based on multiple criteria. For example, brokers could cross-reference a list of U.S. intelligence personnel with terms like “substance abuse,” “heavy drinker,” or even “behind on bills.” Those lists could then be used to target those individuals for blackmail schemes or other attacks.
Do Not Collect
One of APRA’s primary goals will be to ensure that data brokers clearly identify themselves and expressly inform consumers of their motives. Brokers should tell people exactly what data they’re gathering and where they’re transferring it.
APRA is also tasking the Federal Trade Commission with creating a database to track brokers that handle data for more than 5,000 individuals. Consumers would then be able to send “Do Not Collect” requests to all the registered data brokers to safeguard their information.
Too Little, Too Late
For some critics, the recent push by legislators, including APRA, is too little and too late. The global data broker industry is expected to top $460 billion by 2031. It’s a highly profitable industry that is still largely unregulated, and poses an urgent, significant threat to consumers.
“When Americans’ health information, financial information, and even their travel whereabouts can be assembled into detailed dossiers, it’s no surprise that this raises risks when it comes to safety and security,” Chopra said.