Privacy Protection Through Regulation | Part 5

Background: In early 2023, we started preparing a public opinion on data rights and regulation for the Consumer Financial Protection Bureau (CFPB). Over the last few months, we've shared an overview of the CFPB's Request for Information (RFI), our perspective on the industry, and a few high level predictions.

For our final response, we summarized hundreds of pieces of feedback from our members who support stricter regulation on a harmful and creepy industry. We also summarized our data from sending millions of removal request and escalations to hundreds of data brokers. We shared our final response and a few recommendations with the CFPB publicly before the extended July 2023 deadline. In addition to the CFPB, we want to share our response and perspective on regulation with you.

Part 5 | Privacy Protection Through Regulating Consumer Reporting Organizations

We encouraged our members to respond to the CFPB request either directly or by providing us context for our response. We were shocked by the volume and vigor of replies. We’ve done our best to anonymize, organize, and present the most impactful testimonials about the harms caused by this industry. We grouped these broadly in to 3 sections, covering the third in this post:

1. Credit Reports, Debt Collection, and Housing Access

2. Stalking and Targeted Harassment

3. Frustration Toward the Industry & Regulators

😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠😠

Our Members' Frustration Toward the Industry & Regulators

I get daily unwanted solicitations because of these companies.

These data brokers have no right to post people’s personal information such as contact information, addresses, financial and any legal situations people are in. This is personal information and should stay just that. This also effects people’s employment and future employment. I find it offensive and underhanded.

Nothing will change bc they have lots of $ and lobbyist and govt does not care about the ppl it purports to represent.

It’s beyond creepy and definitely not safe for people. The more ppl that touch my data the more chances of data theft, which is what they’re doing while capitalizing on it without my permissions. I don’t believe govt will fix this just like they don’t stop the scam callers using my phone while they set up a “do not call” platform to end it, it does nothing. It’s worse than creepy and very dangerous. When you try to take back your data they don’t do it or they do it at their leisure.. and say we’ll get in it in 3 days, 3 days and no response. The industry should be held accountable for theft of personal data. It’s worse than having a trespasser on your property.

These companies (tech companies, and the government are in the business of taking (stealing) and not keeping the 4th amendment. They are doing it more than ever.

I’m being denied the dignity of privacy.

Even victims of crime can’t get relief. My friends had to unregister to vote in all federal, state and local elections to stop their information from being leaked.

This sounds like the government treating this like robocalls and their pathetic DO NOT CALL list which is a joke but we pay with our taxes.

It’s criminal that data broker sites are permitted to exist at all. I would support legislation that completely banned data aggregation in any publicly accessible way as well as banned the sale or purchase of aggregated data that could be used to identify a person or class of people.

All attempted disputes to FCRA compliant brokers like Lexis Nexis (LN) have been via phone call and solely based on SSN verification. LN phone reps are trained to argue historical information is accurate information and to ask intrusive personal questions to attempt to deny the dispute. LN then mails letters confirming the disputed entries “cannot be validated” and they do not remove the entries.

Multiple permanent opt-outs completed and confirmed via optoutprescreen program and individual permanent opt- outs confirmed are ineffective.

Adding identity theft/ fraud messages to NCTUE reports takes months via snail mail with copies of a utility bill and social security card. The IRS’ new requirement for establishing an ID.me account requires video conferencing for identity verification if you refuse to submit your driver license to this third party.

Healthcare records are not actually protected under HIPAA. Services like EPIC and MYCHART ask you to upload documents like financial statements and will directives if you’re asking for debt relief. Somehow, when I uploaded those docs to the medical systems, they also appeared in a background check. All my medical history is also in one big file, accessible at any appointment. So this feels like a digital strip search each time the record is accessed. If a patient has received medical treatment for sexual assault and traumatic stress, this information is available to anyone who may access the medical record.

I’m furious about people connect. I need to suppress my information but they are requiring I validate my login information to delete my data. But I never created an account with them. Please escalate this issue my entire family's information is exposed and I want this removed effective immediately.

How can I resolve a removal when the broker’s site is NOT FUNCTIONAL. There continues to be an error why I tried to follow their convoluted process and fill out their forms. "Error: Unable to save suppression behavior: APIError: Internal Server Error." This is a waste of my time and they should be held accountable.

Good luck ... is there another industry the size of data brokers which is unregulated? The data broker industry and their highly compensated lobbyists will fight any regulation like a cornered animal.

I think Radaris is a prime example of one of the worst. My sibling who was in a group home and blind, never had internet. When I looked them up, the long list of people associated included the name of the man who bought my condo, my partner’s ex. My other sibling had their name removed from identity broker sites as well, but I could identify names of roommates and colleagues in a list of associates. It was our identities it was mining to pull in this information. They make far too much passive income out of something that perpetuates identity theft and crime. I back any legislation to allow individual privacy on these sites. Today I have all my credit reports locked. Hopefully that is enough. But hard to say what will come next now that there is ChatGPT and AI. Seems almost impossible.

For the most part, many of these data collection businesses, are in legitimate businesses. They just take this too far. Government should respect entrepreneurs who need to operate their businesses, advertise, and reach their ideal customers. But the ones who take it too far aren’t being held accountable. That’s what needs to change.

The general guidance from these brokers is, if you don’t want your record (marriage, divorce, death) to be public, go to your country clerk and request them to seal the record. Well if you do, the clerks office has no idea what you’re talking about. They require a specific complaint against an individual to seal your records. They won’t just seal your records because of a general ID theft concern or hacking concern.

I’d be happy to stand on the steps of the Capital with a megaphone to say that this crap has GOT TO STOP. People’s lives are not for sale.

Needed reforms to Section 230 are essential in addition to issues the CFPB is examining. Reputational harm is at the outskirts of CFPB mission but central to those of us trying make a living and participate in community life online.

We have, and are continuing to jump through hoops to keep our personal info off various sites. In many cases, it seems that the same site has multiple URLs that we are required to opt out of. I am wondering if when we try to opt out of a URL, a new one is immediately created to place our personal info online. It’s a real battle. I have sent multiple emails to various personal info sites and it seems that it is never ending. Government regulation should offer citizens the opportunity to opt our their personal info without having to repeat the process multiple times. It is exhausting.

What's Next After The Request For Information?

Kanary believes our data about violations and sites compliance can be invaluable as the CFPB scales enforcement of existing FCRA violation. We expect to see them working with individuals and companies like Kanary to take the following next steps:

• Gather data on the worst violators of the FCRA (Radaris, People Connect, LexisNexis, BeenVerified… many others) and determine appropriate enforcement.

• Track progress and flag ongoing violations to help consumers understand which enforcement is most impactful.

In case you missed other parts of the series, Privacy Protection through Regulation, they can be viewed here. Have questions or thoughts to share? Email us at [email protected].