U.S. regulators across the federal bureaucracy are taking a more holistic approach to consumer data protection, according to U.S. Consumer Financial Protection Bureau Director Rohit Chopra.

During a 4 April appearance at the IAPP Global Privacy Summit 2024, Chopra indicated the federal government is joining data protection regulators around the globe in a general recognition of a new paradigm around broad-based digital surveillance. The developing landscape is creating new data security problems due to the sheer volume of information being swept up in law enforcement investigations and intelligence gathering.

"We used to think broad surveillance actually helps protect security," Chopra said. "We're seeing that data can really be weaponized, including by adversarial state actors to manipulate, to engage in blackmail, to combine various data about all of us in order to achieve other sorts of objectives."

Following President Joe Biden's executive order banning data transfers containing sensitive personal information to designated "countries of concern," Chopra clarified that while the CFPB will play an active role in the execution of the order, his agency does not have a national security function, per se.

Rather, part of the federal government's awakening that data privacy concerns are a much larger consumer issue beyond identity theft has meant that the government is, "starting to think about not just the economic harms, but all of the other really egregious issues and harms to our society and individuals when it comes to lax data protection," he said.

"It’s not that we're doing national security agency work (at the CFPB), it's that consumer protection and privacy protection are now seen more hand in hand with some of these issues of national interest," Chopra added. "That executive order that the president signed was not just about bulk transfers of personal data to countries of concern, it highlighted the role of data brokers in our economy, for which we have to be concerned about how entities overseas may be able to purchase very sensitive data."

U.S. Congress is attempting to complement Biden's order with legislation. The proposed Protecting Americans' Data from Foreign Adversaries Act is sitting with the Senate following a unanimous 414-0 House vote.

CFPB's privacy mission

Chopra detailed the origins and growth of CFPB's privacy work in the financial sector.

In the wake of the 2008 global financial crisis, the Federal Trade Commission and the soon-to-be-established CFPB were primarily consumed with remediating harms individuals faced. After playing catch-up following economic recovery efforts, the CFPB and FTC began examining ways to enforce privacy requirements contained in laws such as the Fair Credit Reporting Act in a more broad sense.

"There was an impression five, six, ten years ago that the FTC was out to lunch when it came to protecting data, that it had taken a laissez-faire approach starting in the early 2000s, and what the results were was excessive surveillance across major industries," said Chopra, a former FTC commissioner from May 2018 to October 2021. "The CFPB … was focused in its early years on cleaning up after the global financial crisis. But actually, we're now responsible for administering all of these important privacy protections, not just in financial privacy, but applying the (FCRA) sector wide."

The CFPB has spent the last decade-plus enforcing many of the consumer privacy protections contained within the FCRA. Despite passing in 1970, the law enshrines "real limitations on permissible purposes" for credit reporting agencies to use background reports containing vast amounts of aggregated consumer data, Chopra said.

Chopra highlighted the FCRA allows for individuals, states and federal agencies to dispute inaccuracies in the consumer data obtained by credit monitoring agencies. The law's ability for regulatory agencies to issue new rules to better account for the impact technological advances, such as the rise of the data broker industry, can be tailored to protect consumers' data privacy more holistically.

Focus on data broker

One example of the CFPB's work in keeping the FCRA currently are new rules extending the law's protection to data brokers' business practices in September 2023. Chopra said many data brokers, such as tenant screening and employment background screening companies, "routinely accept" that they are subject to the FCRA. 

Some of the key updated FCRA rules for data brokers include ensuring both the entity aggregating consumer data and the data broker or reporting agency have accurate information on the specific individual.

"One, there are accuracy requirements both on the sender of data and the aggregator or broker of data. Two, there are dispute rights, you as a consumer have the ability to know about it and you have the ability to dispute incorrect information," Chopra said. "(Under the FCRA), there are obligations on the big credit reporting companies ... they must have a whole set of transparency requirements and all of those rules have been developed over time."

Chopra also mentioned the CFPB will soon issue proposed data broker-specific rules under the FCRA, however, his agency has only solicited input from small businesses on how such rules should be structured and to ensure the rules will apply equally to data brokers as they already do to credit monitoring agencies.

"Over time, we can update the rules," Chopra said. "We want to make sure that it's very clear that we're reflecting the modern market structure and putting into place rules that really give clarity about who needs to comply with the core provisions of this 1970 law."

Featured image: eurobanks / Shutterstock.com