The Consumer Financial Protection Bureau wants to propose new regulations that would require data brokers to comply with the Fair Credit Reporting Act. In a speech at the White House earlier this month, CFPB Director Rohit Chopra said the agency is looking into policies to “ensure greater accountability” for companies that buy and sell consumer data, in keeping with an executive order President Joe Biden issued in late February.

Chopra said the agency is considering proposals that would define data brokers that sell certain types of data as “consumer reporting agencies,” thereby requiring those companies to comply with the Fair Credit Reporting Act (FCRA). The statute bans sharing certain kinds of data (e.g., your credit report) with entities unless they serve a specific purpose outlined in the law (e.g., if the report is used for employment purposes or to extend a line of credit to someone).

The CFBP views the buying and selling of consumer data as a national security issue, not just a matter of privacy. Chopra mentioned three massive data breaches — the 2015 Anthem leak, the 2017 Equifax hack, and the 2018 Marriott breach — as examples of foreign adversaries illicitly obtaining Americans’ personal data. “When Americans’ health information, financial information, and even their travel whereabouts can be assembled into detailed dossiers, it’s no surprise that this raises risks when it comes to safety and security,” Chopra said. But the focus on high-profile hacks obscures a more pervasive, totally legal phenomenon: data brokers’ ability to sell detailed personal information to anyone who’s willing to pay for it.

Citing the February executive order, Chopra noted that data brokers can sell data to “countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or other companies controlled by foreign governments.” In other words, instead of hacking hotel chains and credit reporting bureaus to get access to millions of Americans’ personal data, intelligence agencies can buy information that is just as detailed, if not more so.

“For example, data brokers can facilitate the targeting of individuals by allowing entities to purchase lists that match multiple categories, like ‘Intelligence and Counterterrorism’ with ‘substance abuse,’ ‘heavy drinker,’ or even ‘behind on bills,’” Chopra said. “In other contexts, entities can purchase records for pennies per person, allowing relatively small investments to be leveraged into mass collection.” Put another way, the White House is concerned that the US’s adversaries — most explicitly, China — can use Americans’ data to identify targets for blackmail and surveillance.

The government is growing increasingly concerned about foreign governments’ access to Americans’ data. In March, the House passed a bill that would prohibit data brokers from selling Americans’ personally identifiable information to “any entity that is controlled by a foreign adversary.” Under the Protecting Americans’ Data from Foreign Adversaries Act, data brokers would face penalties from the Federal Trade Commission if they sell sensitive information — like location or health data — to any person or company based in certain countries. The Senate has yet to vote on the bill.

US government agencies, too, rely on data brokers to keep an eye on Americans. In 2022, the American Civil Liberties Union published a series of documents that showed how the Department of Homeland Security used location data to track the movement of millions of cell phones — and the people who own them — within the US.