A view from DC: Dramatic expansion of regulated consumer reports – International Association of Privacy Professionals
Concerns about economic inflation may be waning, but privacy inflation is here to stay. Among the biggest themes in recent U.S. privacy policymaking is the inflation of sensitive categories of information.
Traditional models of what counts as sensitive data are crumbling, replaced by heightened scrutiny over an ever-widening set of personal data. This is as true for health-related data as it is for children’s data. You can also look to rules covering biometrics and considerations for whether collected data has the potential to be used as a biometric.
Consumer financial data is, apparently, also due for an expansion. Rohit Chopra, director of the Consumer Financial Protection Bureau, announced this week the agency is considering formal rule changes to expand its enforcement of the Fair Credit Reporting Act, which governs the behavior of organizations that sell reports related to consumers’ credit, character, general reputation, personal characteristics or mode of living. The FCRA grants consumers rights to access, correct and restrict the use of covered reports.
Chopra previewed the proposed rule changes at a White House roundtable that brought together regulators, administration leaders and a variety of civil society voices to discuss “harmful data broker practices.” The official readout of the gathering shows the conversation was wide-ranging, helping to underscore the plethora of underlying concerns leading to data privacy inflation.
Advocates and regulators seem to agree the harms from the “data broker economy” are worsening, and flow from a wide variety of factors:
These same concerns are reflected in Chopra’s remarks. He reports the agency’s earlier inquiry into specific data broker practices led to the decision to “launch a rulemaking to ensure that modern-day digital data brokers are not misusing or abusing our sensitive data.” The results of the inquiry also helped the agency learn “more about the significant harms – from the identification of victims for financial scams to the facilitation of harassment and fraud.”
Chopra’s remarks offer a rare glimpse into the ideas behind a proposed rulemaking before the agency has even announced its proposal. Two major proposed rule changes were highlighted in Chopra’s preview.
The first would change the scope of most operative provisions of the FCRA by broadening the application of the term “consumer reporting agency” to include anyone that sells certain types of consumer data, “for example, a consumer’s payment history, income, and criminal records.”
The FCRA relies on interdependent definitions for covered “consumer reporting agencies” that sell covered “consumer reports.” Fifty years of practice and enforcement by the Federal Trade Commission and others, including most recently the CFPB, have led to a complex set of definitions and exceptions to these terms, which are most recently outlined in great detail in the FTC’s 2011 staff report.
In keeping with Director Chopra’s regulatory philosophy of crafting simplified and streamlined rules, some of these exceptions and limitations may be on the chopping block. Of course, the agency can’t adjust the statutory text of the FCRA, which itself limits the scope of its coverage, so it remains to be seen how the proposed expansion will be effectuated.
The second proposal raised by Chopra would “address confusion around whether so called ‘credit header data’ is a consumer report.”
Consumer advocates have long insisted that the exclusion of credit header data from the definition of reports leads to the over-sharing of personal identifiers in the marketplace. A 2021 letter from the National Consumer Law Center explains in detail how an FCRA rule change would address the group’s concerns, particularly about consumers who do not wish to be located.
The NCLC’s letter indicated those seeking to remain unidentified may include “not only undocumented immigrants but debtors seeking refuge from harassing collectors, domestic violence survivors seeking to flee abusers, or consumers who simply do not wish to be contacted.” The group added, “These consumers, who might take great pains to avoid publicizing their home addresses or phone numbers, should not be forced to give up that privacy in order to obtain essential services such as cell phone, Internet, or utility service.”
Echoing these concerns, Chopra explained the possible rule change: “The CFPB expects to propose to clarify the extent to which credit header data constitutes a consumer report, reducing the ability of credit reporting companies to impermissibly disclose sensitive contact information that can be used to identify people who don’t wish to be contacted, such as domestic violence survivors.”
Based on Chopra’s statements, the CFPB is expected to publish an Advance Notice of Proposed Rulemaking next month, to be formalized through a public comment period “in 2024.” For now, the agency is seeking proactive engagement with small businesses to help it craft the rule. “We are encouraging small businesses looking to participate in the process to contact us.”
Data broker scrutiny is heating up across the policymaking world overall. Proposed federal reforms continue to pop up, even as the California Legislature considers a bill, Senate Bill 362, that would create an online portal for consumers to request that data brokers delete their data.
Whether or not new laws are successful, regulators have made it clear they will continue to refine existing laws to meet the shifting risks of our modern digital world.
Here’s what else I’m thinking about:
Please send feedback, updates and rulemaking ideas to cobun@iapp.org.
© 2023 International Association of Privacy Professionals.