Skip to main content

Prepared Opening Remarks of CFPB Director Rohit Chopra at the Aspen Institute on Abuse and Misuse of Our Personal Data

Good afternoon, it’s a pleasure to be here alongside FTC Chair Khan and FCC Chair Rosenworcel. Each of our agencies regulates important sectors of the economy, but increasingly we find ourselves taking actions that have direct implications for national security.

Earlier this year, President Biden issued an Executive Order on Preventing Access to Americans’ Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern.1 Data on Americans is bought and sold around the clock, often through what we sometimes refer to as “data brokers.”

There is serious concern about the acquisition of highly sensitive data about each of us by countries of concern. Indeed, many of the most high-profile data breaches have not been perpetrated by hackers and scammers at home, but by state and non-state actors overseas seeking to develop detailed dossiers about each of us. In addition to enforcement actions by the CFPB and the FTC against the credit reporting conglomerate Equifax for sloppy security, the Justice Department charged four members of the Chinese People’s Liberation Army with orchestrating the operation at Equifax to obtain personal data on nearly 150 million Americans.2

And as I noted earlier this year, not only are these brokers potentially violating the laws already on the books, but their noncompliance may be putting our national security at risk.3 Countries of concern can easily purchase large volumes of sensitive individualized data, which they can leverage to threaten, to blackmail, dox, or otherwise compromise individuals who could be in a position of strategic national importance. For example, information in a credit report about a servicemember’s level of indebtedness could easily be exploited by bad actors to pressure those who may have classified information in ways that put our national security at risk.

The risks of a growing surveillance industry are only heightened by AI and other forms of predictive decision making, which are fueled by the vast datasets that data brokers compile. As artificial intelligence increasingly becomes embedded into how companies and foreign governments surveil Americans, the Executive Order sets out a roadmap for action.

The Order specifically asks the CFPB to explore how we can use existing law to better guard against abuse and misuse of Americans’ personal data. The Fair Credit Reporting Act was one of the first data privacy laws in the world, and it was enacted to address the widespread and unregulated reporting of information about people’s lives, including their bill paying history, habits, character and morals. People were powerless to protect themselves from third-party dossier development, often to recipients who had no business seeing that sort of sensitive data.

One key problem is that not all companies are complying with the law. Consistent with the Executive Order, the CFPB kicked off a rulemaking process to ensure that data brokers are respecting longstanding rights under existing law.4

The CFPB will soon propose a rule that will give consumers more control of their own sensitive data. By ensuring that the Fair Credit Reporting Act’s longstanding privacy protections apply to these so-called data brokers, it will limit the unfettered flow of sensitive data that fuels the targeting of servicemembers and puts our national security at risk, while also combating financial scams, identity theft, stalking, harassing, and doxing.


The Consumer Financial Protection Bureau is a 21st century agency that implements and enforces Federal consumer financial law and ensures that markets for consumer financial products are fair, transparent, and competitive. For more information, visit www.consumerfinance.gov.