The Consumer Financial Protection Bureau (CFPB) has officially scrapped a proposed rule that would have imposed new limitations on the data broker industry, prompting widespread concern from privacy advocates, veterans’ groups, and cybersecurity experts. The abandoned regulation, introduced in December 2024, was designed to stop data brokers from selling Americans’ most sensitive personal information—such as Social Security numbers, credit histories, and financial data—without explicit consent.
Initially introduced under former CFPB Director Rohit Chopra, the rule was seen as a necessary step to combat what he called “commercial surveillance practices that threaten our personal safety and undermine national security.” But earlier this week, the agency quietly withdrew the proposal in a notice published in the Federal Register, calling the regulation no longer “necessary or appropriate.”
New Leadership, New Direction
Russell Vought, now serving as acting director of the CFPB and also the director of the White House Office of Management and Budget, said the decision stems from internal policy shifts. In the notice, he explained that the proposal didn’t align with the agency’s current interpretation of the Fair Credit Reporting Act (FCRA), a decades-old law meant to regulate the handling of consumer credit information. That interpretation, he added, is currently being revised.
No press conference or public statement accompanied the decision. But the rollback comes on the heels of a massive shake-up inside the agency, with more than 1,400 CFPB employees recently laid off—part of a broader government restructuring led by Elon Musk’s Department of Government Efficiency (DOGE), which has pushed for downsizing or dismantling federal oversight bodies, including the CFPB itself.
Public Support Brushed Aside
The proposed rule, titled Protecting Americans from Harmful Data Broker Practices, had received over 600 public comments this year, many calling for tighter controls on how personal data is collected and sold. Under the plan, data brokers would have been required to obtain consumer consent before sharing or monetizing sensitive information—much like credit bureaus already must under the FCRA.
Privacy experts and civil rights groups largely supported the initiative, citing the unchecked expansion of data broker networks and their capacity to harm individuals and national interests alike.
Industry Pressure and Corporate Backing
Just one day before the CFPB’s reversal, the Financial Technology Association (FTA)—a trade group representing banks, payment processors, and other financial tech companies—urged the agency to abandon the rule. The FTA argued that the proposed restrictions would interfere with fraud detection efforts and fall outside the CFPB’s legal authority.
Critics saw the move as a win for industry lobbyists. Sean Vitka, executive director of the nonprofit Demand Progress, condemned the reversal: “Russell Vought is dismantling years of bipartisan efforts to rein in data brokers. This decision protects profit margins, not people.”
A Business Built on Exploiting Personal Data
Data brokers form the backbone of a lucrative industry that gathers, analyzes, and sells highly personal information—often without consumers’ knowledge or consent. These companies construct detailed digital profiles on nearly every American, including financial data, medical conditions, political beliefs, and even real-time location histories. This information is routinely used by advertisers, insurers, and sometimes law enforcement.
Some cases have drawn significant legal and media scrutiny. In Texas, the Attorney General’s Office accused Allstate subsidiary Arity of collecting and selling driving behavior data from more than 45 million Americans without proper consent. Separately, location data broker Gravy Analytics suffered a breach that may have exposed sensitive movements of government and military officials.
“These practices put people’s lives and safety at risk,” said Caroline Kraczon, a law fellow with the Electronic Privacy Information Center. “Data brokers degrade privacy, fuel scams, and endanger vulnerable populations, including domestic violence survivors and immigrants.”
National Security at Stake
Veteran-led advocacy group Common Defense voiced alarm over the decision, warning it could leave U.S. service members open to foreign threats. “Data brokers are selling personal data that could be used to blackmail or coerce our troops,” said Naveed Shah, the group’s political director and an Iraq War veteran. “This isn’t just about privacy—it’s about protecting national security.”
A 2023 study by the U.S. Military Academy at West Point reached similar conclusions, finding that data brokers could expose military personnel and other sensitive individuals to foreign intelligence threats. The report warned that adversaries could weaponize the information for blackmail or reputational damage.
Investigations by WIRED have previously revealed that U.S. data brokers have used Google’s ad systems to sell access to device data tied to military and intelligence workers. Experts say it’s often easy for foreign actors to de-anonymize this information and target high-level national security figures.
Privacy advocates say the CFPB’s withdrawal represents a major setback in the ongoing fight for digital rights. “This was a critical opportunity to rein in one of the most dangerous and least regulated industries in America,” said Kraczon. “Instead, the administration is siding with corporations over consumers.”
Many warn the public will continue to face consequences—unwanted spam calls, phishing emails, identity theft, and even real-world safety threats—if no federal safeguards are put in place.