The Consumer Financial Protection Bureau (CFPB) has canceled plans to introduce new rules designed to limit the ability of US data brokers to sell sensitive information about Americans, including financial data, credit history, and Social Security numbers.
The CFPB proposed the new rule in early December under former director Rohit Chopra, who said the changes were necessary to combat commercial surveillance practices that “threaten our personal safety and undermine America’s national security.”
The agency quietly withdrew the proposal on Tuesday morning, publishing a notice in the Federal Register declaring the rule no longer “necessary or appropriate.”
The CFPB received more than 600 comments from the public this year concerning the proposal, titled Protecting Americans from Harmful Data Broker Practices. The rule was crafted to ensure that data brokers obtain Americans’ consent before selling or sharing sensitive personal information, including financial data such as income. US credit agencies are already required to abide by such regulations under the Fair Credit Reporting Act, one of the nation’s oldest privacy laws.
In its notice, the CFPB’s acting director, Russell Vought, wrote that he was withdrawing the proposal “in light of updates to Bureau policies,” and that it did not align with the agency’s “current interpretation of the FCRA,” which he added the CFPB is “in the process of revising.”
The CFPB did not immediately respond to a request for comment.
Data brokers operate within a multibillion-dollar industry built on the collection and sale of detailed personal information—often without individuals’ knowledge or consent. These companies create extensive profiles on nearly every American, including highly sensitive data such as precise location history, political affiliations, and religious beliefs. This information is frequently resold for purposes ranging from marketing to law enforcement surveillance.
Many people are unaware that data brokers even exist, let alone that their personal information is being traded. In January, the Texas Attorney General’s Office, led by attorney general Ken Paxton, accused Arity—a data broker owned by Allstate—of unlawfully collecting, using, and selling driving data from over 45 million Americans to insurance companies without their consent.
The harms from data brokers can be severe–even violent. The Safety Net Project, part of the National Network to End Domestic Violence, warns that people-search websites, which compile information from data brokers, can serve as tools for abusers to track down information about their victims.
Last year, Gravy Analytics—which processes billions of location signals daily—suffered a data breach that may have exposed the movements of millions of individuals, including politicians and military personnel.
“Russell Vought is undoing years of painstaking, bipartisan work in order to prop up data brokers’ predatory, and profitable, surveillance of Americans,” says Sean Vitka, executive director of Demand Progress, a nonprofit that supported the rule. Added Vitka: “By withdrawing the CFPB’s data broker rulemaking, the Trump administration is ensuring that Americans will continue to be bombarded by scam texts, calls and emails, and that military members and their families can be targeted by spies and blackmailers.”
Vought, who also serves as director of the White House Office of Management and Budget, received a letter on Monday from the Financial Technology Association (FTA) calling for the rule to be withdrawn, claiming the rules exceed the agency’s statutory mandate and would be “harmful to financial institutions’ efforts to detect and prevent fraud.” The FTA is a US-based trade organization that represents the interests of banks, lenders, payment platforms, and their executives.
Privacy advocates have long pressed regulators to use the Fair Credit Reporting Act to crack down on the data broker industry. Common Defense, a veteran-led nonprofit, urged the CFPB to take action in November, blaming data brokers for recklessly exposing sensitive information about US service members that placed them at “substantial risk” of being blackmailed, scammed, or targeted by hostile foreign actors.
A 2023 study cited by the group—funded by the US Military Academy at West Point—concluded that the current data broker ecosystem is a threat to US national security, permitting the sale of sensitive personal data that can be used not only to identify service members and “other politically sensitive targets,” but also to offer details about medical conditions, financial problems, and political and religious beliefs. “Foreign and malign actors with access to these datasets could uncover information about high-level targets, such as military service members, that could be used for coercion, reputational damage, and blackmail,” the authors report.
Common Defense political director Naveed Shah, an Iraq War veteran, condemned the move to spike the proposed changes, accusing Vought of putting the profits of data brokers before the safety of millions of service members. “For the sake of military families and our national security, the administration must reverse course and ensure that these critical privacy protections are enacted,” Shah says.
Investigations by WIRED have shown that data brokers have collected and made cheaply available information that can be used to reliably track the locations of American military and intelligence personnel overseas, including in and around sensitive installations where US nuclear weapons are reportedly stored.
WIRED reported in February that US data brokers were using Google’s ad-tech tools to sell access to information about devices linked to military service members and national security decisionmakers, as well as federal contractors that manufacture and export classified defense-related technologies. Experts say it proves trivial for foreign adversaries to de-anonymize the data.
“Data brokers inflict severe harm on individuals by degrading privacy, threatening national security, enabling scams and fraud, endangering public officials and survivors of domestic violence, and putting immigrant populations at risk,” says Caroline Kraczon, law fellow at the Electronic Privacy Information Center focused on consumer protection.
“The CFPB had a critical opportunity to address these harms by clarifying that data brokers must follow the Fair Credit Reporting Act,” adds Kraczon. “This withdrawal is deeply disappointing and another attack in the administration’s war against consumers on behalf of corporate interests.”
Last month, more than 1,400 CFPB employees had their positions at the agency terminated, leaving the agency with a staff of around 300 people. Elon Musk, whose so-called Department of Government Efficiency (DOGE) has spearheaded the White House’s efforts to radically restructure the federal government by slashing the size of its workforce, last November called on President Donald Trump to “delete” the CFPB, whose job includes shielding Americans from predatory lending practices.
