
CFPB Withdraws Sweeping Data Broker Rule After Legal Concerns
Washington, D.C. – On May 15, 2025, the Consumer Financial Protection Bureau (CFPB) formally withdrew its proposal titled “Protecting Americans from Harmful Data Broker Practices”, marking a significant rollback of its plan to regulate data brokers under the Fair Credit Reporting Act (FCRA) .
⚖️ What the Rule Would Have Done
Announced in December 2024, the proposed rule aimed to treat any data broker selling sensitive information—such as Social Security numbers, income, credit history, or phone numbers—as a consumer reporting agency (CRA) subject to FCRA protections. This would extend consumer rights including accuracy, access, dispute resolution, and consent requirements .
CFPB Director Rohit Chopra called the situation a “staggering problem” that compromised national security, personal safety, and privacy .
📥 Public Response & Industry Objections
The rule attracted over 600 public comments, with objections from major industry groups. The American Bankers Association argued it overreached FCRA’s statutory authority and could hamper fraud-prevention efforts . The Consumer Data Industry Association (CDIA) also raised legal concerns, pointing to misalignment with the FCRA’s text .
🔙 Why the Proposal Was Withdrawn
Acting CFPB Director Russell Vought explained the decision stemmed from shifts in bureau policy and its evolving interpretation of the FCRA, alongside legal concerns highlighted during the comment period.
A Federal Register notice stated the rule was “not necessary or appropriate at this time,” citing both policy misalignment and statutory doubts .
🗓 Timeline Recap
Dec 3, 2024: Proposed rule announced; comment period extended twice to April 2, 2025
May 15, 2025: Rule officially withdrawn (90 FR 20568)
🧭 Implications & Next Steps
With the rollback, no new data broker restrictions under FCRA are in effect. Consumer advocates warn this decision leaves a gap in protection against fraud, stalking, espionage, and other misuse of sensitive personal information .
The CFPB has signaled it may revisit its FCRA authority in future rulemaking when it deems it appropriate .
Meanwhile, the decision is indicative of broader agency retrenchment under the current administration. The bureau has withdrawn scores of guidance documents and paused other high-profile regulatory efforts .
🔍 Key Takeaways
The CFPB’s ambitious effort to regulate data brokers via FCRA was rolled back in May 2025 amid policy realignments and legal challenges.
Though withdrawn, the proposal revealed significant friction between consumer privacy goals and statutory limits.
Consumer and privacy advocates warn sensitive data markets remain largely unregulated—vulnerable to misuse.
RItch and Associates