Tech companies accused of exposing consumers to fraud want the Trump administration to let them freely buy and sell your personal information.
As the Trump administration attempts to eviscerate the federal agency tasked with overseeing consumer protection, Big Tech trade associations and data brokers peddling consumer data are trying to kill a rule that would limit how they can sell sensitive personal information like your Social Security number and home address.
Some of those companies have been previously sued by regulators for issuing false credit reports and tricking consumers into monthly paid subscriptions. One of the largest of the companies was recently fined $150 million for knowingly selling more than 30 million consumers’ data to fraudsters who went on to target elderly victims.
If these groups get their way, the sensitive data for millions of Americans will continue to be up for sale, and experts say nefarious actors could potentially buy personal data that includes not just financial information but also data on dating app usage, exercise habits, health metrics, and users’ locations.
Buyers of this information have been known to use it for targeted ads, frauds, and scams. In one instance, a religious publication used “commercially available records of app signal data” to out a gay priest.
The proposed rule, first issued by the Biden administration in December 2024, would provide greater protection for consumers whose data is often spread across the internet by subjecting certain sensitive information — telephone numbers, personal financial ratings, income, and other personal details — to strict guidelines established in the Fair Credit Reporting Act, a 1970 law that placed limits on the selling of consumer data.
“In recent years, the consumer reporting marketplace has evolved in ways that imperil Americans’ privacy,” the Consumer Financial Protection Bureau wrote in the rule announcement. “Vast troves of sensitive data, including, for example, individualized data about a consumer’s finances, are bought and sold, without consumers’ knowledge or consent, by data brokers who believe that the [Fair Credit Reporting Act] does not apply to them or to some of their activities.”
But multiple trade associations that lobby on behalf of prominent financial technology companies and consumer reporting and data broker firms have filed comment letters with the Consumer Financial Protection Bureau (CFPB), urging the regulator to kill the rule.
These trade associations and companies have spent at least $4.7 million lobbying Congress, the CFPB, and other regulators on consumer privacy issues and other matters since January 2024, disclosures show. This includes more than $2 million in lobbying money spent by Experian, one of the three largest consumer reporting agencies in the country. Experian was sued by the CFPB in January for allegedly including false information in its consumer credit reports.
TransUnion, another giant credit reporting agency, spent $415,000 lobbying regulators on similar issues. The company was also sued in April 2022 by the CFPB for allegedly “employing deceitful digital dark patterns to profit from customers” by tricking customers into subscribing to a paid monthly credit monitoring program.
The Trump administration handed TransUnion a win in February when it dropped an enforcement action against the company for its deceitful practices. The move is just one of many by the Trump administration to curtail consumer protection.
The weakening of CFPB’s mandate, including potentially killing the data-protection rule, would be a “huge gift” to Big Tech, said Jeff Chester, executive director of consumer advocacy group Center for Digital Democracy.
“By not going through with this rule, it’s going to enable the tech giants and the financial tech companies to increasingly gather and analyze data to make financial determinations about people without consumers having any recourse at all to how that data is being used,” Chester told the Lever.
Your Data Is “Readily Available to Criminals”
By the late 1960s, concerns about the ways that businesses were collecting information on consumers reached a boiling point in Congress. Back then, companies “would scour local newspapers for notices of arrests, promotions, marriages, and deaths” in order to build dossiers they would use to determine hiring decisions, credit approvals, and other business decisions. And business cooperatives would share information with each other about certain consumers’ debts and other activities to determine offering credit to certain customers, according to a report by the Philadelphia Federal Reserve.
At the time, consumer reporting agencies blocked buyers of these dossiers from telling the public why there were certain adverse ratings in their reports. Multiple congressional hearings and investigations found a secretive industry of “vast size and scope” with “an almost complete lack of regulation.”
Congressional hearings at the time also revealed that consumers were not always permitted to check the information that consumer reporting agencies had about them, which led to widespread inaccuracies. The industry claimed they were not responsible for the accuracy of the reports.
To address the issue, Congress passed the Fair Credit Reporting Act in 1970, which set industry standards for the buying and selling of such “consumer reports.” The law also established consumer rights to see information collected on them and to dispute inaccuracies, among other actions.
A senator at the time said that the bill was needed to address threats to consumer privacy, which would likely increase due to “the growing accessibility of this information through computer- and data-transmission techniques.”
Nevertheless, companies have skirted the law by claiming they do not sell consumer reports, and instead provide buyers with consumer or financial analytics stripped of personal identifiers.
It’s why the buying and selling of sensitive consumer data has since ballooned into a multibillion-dollar industry. In 2012, the data broker industry raked in $156 billion in revenues, according to a Senate report at the time. By 2024, the industry was valued at more than $389 billion and is expected to be valued at more than $561 billion by 2029, according to industry estimates.
“Data collection is the essential commodity today [companies need] in order to generate revenues, to profile and target consumers, and there’s absolutely no limit on how this data can be used to determine a person’s financial profile, their interests, and vulnerabilities,” said Chester at the Center for Digital Democracy.
One of the ways data brokers make money now is by building “digital dossiers” of consumers and selling that information to whoever is willing to purchase it. The dossiers often include information from a variety of everyday sources, such as internet browsing, cellphone use monitoring through certain apps, and even information gleaned from digital streaming televisions, known as “connected TVs.”
And despite businesses’ assurances that this information is stripped of personal identifiers, regulators are increasingly concerned that data brokers and their buyers can use current technology to still identify consumers.
“The CFPB is concerned that advances in technology have made, and will continue to make, it easier for users to combine data and identify consumers within purportedly de-identified data sets, and that the sale of such information by consumer reporting agencies thus threatens the privacy of consumer information in the very ways Congress designed the [Fair Credit Reporting Act] to prevent,” the CFPB stated in the rule announcement.
To protect consumers from such surveillance, the proposed data-protection rule would redefine what constitutes a “consumer report,” expanding the definition to include a consumer’s credit history and score, debt payments, income, and other sensitive information. According to the Fair Credit Reporting Act, companies including data brokers are barred from selling consumer reports to others for marketing and other purposes.
The rule is needed to protect consumer data from “abuse and misuse” and to protect consumers from the “currently pervasive, non-transparent, unaccountable, and harmful” actions of data brokers, noted the Center for Digital Democracy in its comment letter to the CFPB.
The center’s letter also highlighted how consumer reporting and data broker companies like Experian, TransUnion, and Epsilon mine consumer data from everyday sources.
Experian is able to provide dossiers on more than “300 million Americans in over 126 million U.S. households, who collectively use some 3 billion devices that provide ‘1 trillion device signals,’” the center wrote. This information contains IP addresses (a digital address for a device’s internet connection), mobile device information, internet browsing history, and other information. This digital information is then often combined with offline information, such as home addresses, phone numbers, and date of birth to create a dossier on a consumer.
Experian has partnered with multiple leading television companies and streaming providers — Roku, Comcast, Google, Amazon, and others — to glean even more user information.
TransUnion, meanwhile, claims it holds data on “98 [percent] of the U.S. adult population, including more than 125 million households,” which is used to create “identity graphs” that are the “single backbone” for its “identity-driven marketing products,” the Center for Digital Democracy noted in its letter.
Among the companies highlighted in the letter is Epsilon, a Texas-based company, which claims it can place ads on connected televisions that “reach 100 million individuals and 51 million households.” According to the Justice Department, from July 2008 to July 2017, Epsilon “knowingly sold modeled lists of consumers to clients engaged in fraud.”
Epsilon admitted to selling consumer lists to companies that targeted elderly consumers with fake sweepstakes and astrology solicitations.
Epsilon “employees continued to sell consumer data to clients engaged in fraud despite knowing that those and similar clients had been arrested, charged with crimes, convicted, and otherwise subject to law enforcement actions for false and misleading practices,” the Justice Department wrote in a January 2021 press release, adding that more than 30 million consumers’ data was sold to fraudsters.
Epsilon agreed to pay $150 million in fines, with $127.5 million of it going to consumers who were victims of fraud stemming from Epsilon’s lists.
“Data provided by data brokers is readily available to criminals looking to separate older adults from their hard-earned money,” the senior citizen advocacy group AARP wrote in a comment letter to the CFPB regarding the proposed rule. “The proposed regulation will help to address the harms that data brokers can pose in a variety of different spaces, including sharing data about victims of domestic violence, public officials, military members, or to foreign adversaries.”
Companies Need Your Data for “Fraud Prevention”
Industry groups and companies peddling consumer data are pushing back by claiming that the buying and selling of consumer data is needed to address fraud and other issues, according to comment letters reviewed by the Lever.
TransUnion wrote to the CFPB that the data-protection rule, if implemented, would increase costs for companies, as well as “increase credit pricing, reduce competition, narrow access to financial products and services, and undermine the efficient and fair allocation of credit” for consumers.
Additionally, the Financial Data and Technology Association of North America, a lobbying group representing Experian, TransUnion, Plaid, and other data brokerage companies, claims that the rule and guidelines surrounding the selling of consumer data established in the Fair Credit Reporting Act “simply does not align with the nature of consumer-permissioned financial data.”
The group claims that the rule is focused on “curtailing advertising practices” that could lead to “undermining consumer control, stifling innovation and competition, and introducing regulatory confusion, which would ultimately harm the very consumers the Bureau aims to protect and empower.”
The association spent $300,000 since January 2024 lobbying lawmakers and regulators on “data security and data privacy issues regarding consumer financial transaction data” and “access to consumer permissioned financial electronic records,” among other issues, disclosures show.
Financial technology businesses are also fighting the data-protection rule. This so-called fintech industry — which involves a plethora of businesses offering buy-now-pay-later schemes and banking services — has been known to collect and sell user data and skirt banking regulations.
The Financial Technology Association, a major fintech lobbying group, claims that the CFPB’s proposed rule would limit the selling of “credit header” information — such as a consumer’s name, current and former addresses, telephone number, and Social Security number — and would therefore “meaningfully impede efforts to combat fraud and abuse.”
At least two companies that the fintech association represents have already been fined for misusing consumer data and allegedly skirting anti-money laundering laws.
That includes Plaid, a fintech company that had to pay $58 million in 2022 for harvesting and selling user data without consent, and Klarna, a buy-now-pay-later fintech company, that was fined $50 million by Swedish regulators for allegedly failing to fully assess how its service could be used for money laundering. Klarna is currently offering consumers the ability to set up payment plans for burrito deliveries.
Furthermore, the National Consumer Law Center, a nonprofit focused on consumer issues, stated in a March comment letter that the CFPB’s proposed rule already includes stipulations that would allow credit header information to be used for fraud prevention.
“The proposed rule does not prohibit the use of credit headers in fraud prevention; instead, it strikes a good balance between the goals of consumer privacy and the needs of businesses for identity verification,” the group wrote.
The Financial Technology Association spent $440,000 since January 2024 lobbying lawmakers and regulators on “policies and proposals impacting financial technology firms, including issues relating to fraud and artificial intelligence,” among other concerns, disclosures show.
Trump Is Gutting Consumer Protection
A final decision on the rule comes amid the Trump administration’s attempts to gut consumer protection across various government agencies. Since he has taken office, President Donald Trump and his staff have rolled back enforcement on fraud and scams in the cryptocurrency industry, attempted to kill labeling requirements for hazardous chemicals used on crops, and allowed financial institutions to hide junk fees, among other actions. Critics say the CFPB’s recent rollbacks are another step away from consumer protection.
On April 16, a CFPB memo stated that the agency would “deprioritize” oversight of medical debt, consumer data, and digital payments, among other areas. The next day, the Trump administration tried to fire roughly 90 percent of CFPB staffers, but a federal judge temporarily stopped the order. The judge will hold hearings on the matter starting on Tuesday.
“The Trump Administration’s willful destruction of the CFPB raises questions as to whether consumer financial protection is still a core mission of the agency — and whether it is even possible given the mass firings and abrupt terminations of policies and staff,” the Center for Digital Democracy wrote in its comment letter regarding the rule. “If the Trump CFPB decides not to enact the rule, it will place the majority of the American public at a new and higher level of financial risk, especially every time they go online or watch programming.”
You can subscribe to David Sirota’s investigative journalism project, the Lever, here.