A top Trump-era official has quietly shut down a proposed rule that would have stopped data brokers from selling sensitive personal and financial information—like Social Security numbers—without consent.
The Consumer Financial Protection Bureau (CFPB) had introduced the rule in December 2024, aiming to close a major loophole in the Fair Credit Reporting Act (FCRA). The plan would have forced data brokers to comply with the same privacy standards that credit bureaus and tenant-screening companies already follow. But that effort has now been scrapped.
The rule’s withdrawal was published early Tuesday in the Federal Register. CFPB acting director Russell Vought—who also leads the White House Office of Management and Budget—wrote that the proposed rule was “not aligned with the Bureau’s current interpretation” of the FCRA.
A Blow to Privacy as Data Broker Industry Faces Scrutiny
The rollback comes at a time when data brokers are already under fire. The multi-billion-dollar data broker industry profits by harvesting and selling vast amounts of personal data to advertisers, corporations, and even government agencies—usually without direct permission from the individuals involved.
This includes detailed financial records, real-time location data, and Social Security numbers—data that, once leaked or sold, can be difficult or impossible to retrieve or correct.
In 2024 alone, two major data breaches hit broker firms, exposing millions of Social Security numbers and location records. These breaches highlighted the severe risks of maintaining such enormous datasets without strong federal oversight.
Privacy Advocates and Regulators Sound the Alarm
For years, privacy advocates have urged regulators to use the FCRA as a tool to regulate data brokers and require them to offer transparency and consent-based data handling. The CFPB’s now-withdrawn rule was seen as a significant first step in curbing the unchecked reach of these firms.
But pushback came fast. Just days before the rule was killed, the Financial Technology Association—a lobbying group representing fintech companies—sent a letter to Vought urging the rule be scrapped. The group argued that the regulation would undermine fraud prevention efforts across the financial sector.
Despite those claims, critics argue the rollback benefits corporations more than consumers, and weakens long-overdue protections for Americans navigating a world of rampant data collection and sale.
With the rule dead, data brokers can continue collecting and selling personal information without the same federal privacy obligations that apply to traditional credit reporting agencies. That leaves millions of Americans with fewer options to control how their most sensitive data is shared—or exposed.
