CFPB's December 2024 proposed rule on data broker sales of sensitive personal info

What's happening

In December 2024, the Consumer Financial Protection Bureau (CFPB) proposed a rule that would change how data brokers operate under federal law. The mechanism is regulatory, not new legislation. The CFPB is interpreting the existing Fair Credit Reporting Act (FCRA, from 1970) to cover modern data brokers that the 1970 statute didn't anticipate.

The basic move: under the FCRA, a "consumer reporting agency" has obligations. Accuracy. Disclosure to the consumer. Restrictions on who can buy what. Credit bureaus like Equifax have always been covered. Most data brokers have argued they're not consumer reporting agencies because they don't sell credit reports. The CFPB rule says that's wrong. If a broker sells data that's used for employment, housing, insurance, or other "consumer report" purposes, they're a CRA, and they have FCRA obligations.

What the rule would do, if finalized:

1. Treat most large data brokers as consumer reporting agencies under FCRA.
2. Restrict the sale of "sensitive" personal data (Social Security numbers, certain financial info, geolocation, others) without a permissible purpose.
3. Require accuracy, dispute resolution, and consumer-access mechanisms similar to what Experian and Equifax already provide.
4. Impose CFPB enforcement authority over the brokers that newly fall under FCRA.

EPIC (the Electronic Privacy Information Center) and a handful of other privacy advocates pushed for an even broader rule. The proposed version is narrower than what they wanted, but broader than the broker industry wanted.

Why it matters for first responders

The data brokers that put your home address on Spokeo, Whitepages, and TruePeopleSearch are the same brokers this rule would touch. If the rule finalizes:

1. The biggest brokers would face federal regulation for the first time. Right now, most brokers operate under a patchwork of state laws (CA's CCPA/CPRA, VA, CO, others) plus FTC enforcement. None of those reach the people-search side as cleanly as a federal CRA designation would.
2. Sensitive data sales would be restricted. The rule's "sensitive" category includes data that brokers currently sell freely. If you're a cop and a broker sells your home address bundled with your job category to a marketing list, that's now in scope.
3. Consumer access would become standard. You'd have a federal right to see what the broker has on you and to dispute inaccuracies. Right now, most brokers offer this voluntarily and slowly.

The rule does not directly fix the doxxing problem. The doxxer who runs your name through a broker isn't using the data for an FCRA-covered purpose. But the CFPB rule changes the broker's incentives. If the broker has to maintain accuracy, dispute, and access infrastructure for its FCRA-covered uses, the broker has less margin for the cheap-and-fast people-search side. Some brokers will consolidate or exit. That alone reduces exposure.

Where this stands as of April 2026

Status as of late April 2026:

• The rule was proposed in December 2024 under the prior CFPB leadership.
• Public comment period closed in early 2025.
• The rule has not been finalized.
• Under the current administration, CFPB priorities have shifted. The agency has not formally withdrawn the proposed rule, but it has also not moved to finalize it.
• The proposed rule remains on the agency's regulatory agenda as of the most recent public update.

Translation: the rule is in limbo. It could be finalized largely as proposed. It could be substantially weakened. It could be quietly shelved and replaced with something narrower. There is no public timeline for next steps.

If the rule is finalized in 2026 or 2027, the broker industry would have a compliance window (typically 12 to 18 months in CFPB rulemakings) before enforcement begins.

What the rule doesn't reach

Even if the CFPB rule finalizes in its full proposed form, there are gaps:

1. Public-records republishing. Brokers that pull from county property records, voter rolls, and court filings are in a different bucket than brokers that aggregate commercial data. The rule mostly targets the latter. Property-records pipelines keep running.
2. Small brokers. The rule's coverage thresholds favor regulating the biggest players. The long tail of small people-search sites would mostly remain outside FCRA.
3. Foreign brokers. Brokers based outside the US that scrape US data are hard to reach with US regulation regardless of how the rule shakes out.
4. State-level pipelines. The state-level frameworks (Daniel's Law in NJ, the federal Lieu Act for federal judges, others) operate in parallel. The CFPB rule does not preempt them.
5. The doxxing use case. As noted above, a doxxer using broker data for harassment is not using it for an FCRA-covered purpose, so FCRA accuracy and access rules don't directly stop the harm.

The honest version: the CFPB rule, if finalized, raises the cost of operating a major data broker. It does not eliminate broker pages. The most reliable protection for first responders remains a combination of state-level address-confidentiality elections, broker opt-outs, and (where available) Daniel's Law-style statutes. See our protections breakdown for the full stack.

What to watch

The signals that matter over the next 12 months:

• Whether the CFPB issues a final rule, withdraws the proposal, or quietly leaves it pending.
• Any congressional action (a bill to either codify the rule or block it).
• State attorneys general filing actions against major brokers under existing state laws. Pennsylvania, California, and Texas all have active broker enforcement programs that could fill some of the federal gap.
• Industry-side lobbying. The Interactive Advertising Bureau and broker trade groups have opposed the rule. Watch for amendments or carve-outs.
• Any Supreme Court ruling on whether agency rules of this scope require explicit congressional authorization (post-Loper Bright doctrine).

For now: the rule is a thing that might happen. Don't plan around it. Plan around the broker pipelines that exist today. We continue to file opt-outs across 200+ broker sites and re-check every two weeks. If the CFPB rule finalizes, that work gets easier. If it doesn't, the work stays the same.