Incognito — June 2025: Proposed Federal Data Broker Rule Scrapped
Laura Martisiute

Welcome to the June 2025 issue of Incognito, the monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Here’s what we’re talking about this month:
- Proposed federal data broker rule scrapped. Here’s what it would have looked like, why it failed to pass, and what this means for consumers.
- Recommended reads, including “Trump Expands Palantir Partnership to Centralize Americans’ Data.”
- Q&A: How to dispose of old devices without impacting privacy?
Rule to Rein In Data Brokers Withdrawn
In May, the Consumer Financial Protection Bureau (CFPB) quietly withdrew a proposed 2024 rule to limit data brokers’ sale of Americans’ personal information.
The rule received more than 600 comments from the public, most of which were some variation of:
“please restrict this terrible collection of data.”
If passed, the rule would have led to stronger consumer protections from data brokers.
So why the U-turn?
According to the CFPB:
“[The CFPB] has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter.”
But let’s back up a little. What was the proposed rule about?
“Protecting Americans from Harmful Data Broker Practices”
Originally introduced in December 2024 under former CFPB director Rohit Chopra, the rule, titled “Protecting Americans from Harmful Data Broker Practices,” sought to bring certain data brokers under the umbrella of the Fair Credit Reporting Act (FCRA).
The idea?
Treat some data brokers more like credit reporting agencies, requiring them to adhere to stricter standards before selling or sharing sensitive consumer data, such as Social Security numbers, credit history, income details, and contact information.
The proposed rule targeted a major privacy gap: Data brokers operate in the shadows, gathering and selling consumer data without direct interaction or consent from consumers.
By reclassifying (some) data brokers under the FCRA, the CFPB hoped to:
- Limit the sale of sensitive personal data without a “permissible purpose” (marketing doesn’t count).
- Enhance consumer protections, including the right to access and correct information.
- Crack down on the misuse of data and reduce the risk of identity theft, fraud, and targeted scams, especially against vulnerable groups like seniors and financially distressed individuals.
What Happened?
The CFPB said it was dropping the rule “in light of updates to Bureau policies.” It also said the proposed rule was misaligned with the agency’s “current interpretation of the FCRA,” which the CFPB is “in the process of revising.”
The decision followed intense lobbying.
- In a letter to the CFPB, the American Bankers Association said: “The CFPB’s proposal to use the FCRA for this purpose exceeds the agency’s statutory authority and would have harmful, unintended consequences. ABA urges the CFPB to withdraw the proposal.”
- The Consumer Data Industry Association said that if finalized, the data broker rule would increase fraud risks, hinder law enforcement, and impact child support enforcement (the CFPB had previously said this wouldn’t be the case).
- The Office of Advocacy of the U.S. Small Business Administration said, “The proposed rule fails to consider fully the economic impact of the proposal on small entities as required by the Regulatory Flexibility Act (RFA).”
What Now?
Nothing. We’re back to where we started – data brokers being able to sell our data as they please.
As you can probably imagine, privacy advocates and civil rights groups are not happy.
They argue that pulling the rule leaves millions of Americans vulnerable to:
- Identity theft and fraud.
- Targeted scams against veterans, abuse survivors, immigrants, and others.
- Unregulated surveillance by private entities.
Sean Vitka, executive director of Demand Progress, a nonprofit that supported the rule, said:
“By withdrawing the CFPB’s data broker rulemaking […] Americans will continue to be bombarded by scam texts, calls and emails, and that military members and their families can be targeted by spies and blackmailers.”
And the Electronic Privacy Information Center (EPIC) said:
“The CFPB’s withdrawal of the proposed rules is another attack in the administration’s war against consumers on behalf of corporate interests.”
Without the rule, similar restrictions may only happen if Congress passes federal privacy legislation.
So, What Can You Do?
Same thing as always: Be precious with the personal data you share.
Don’t give it out unnecessarily. This also means being mindful of the services and apps you use and download.
As author and activist Cory Doctorow told The Register:
“The reason so many apps are so grabby is that data brokers effectively have an all-comers-welcome open offer for data they generate. In other words, any data you can steal from a user will be bought by a data broker, so it’s always worthwhile to grab any data you can.”
And, of course, monitor the data that’s already out there, including on data brokers and people search sites. Remember: data brokers can republish your data if they find more of it, even if you previously opted out.
We’d Love to Hear Your Privacy Stories, Advice and Requests
Do you have any privacy-related dating app experiences you’d like to share? Have you ever been targeted with a romance scam? And how did you spot it for what it was?
Also, do you have any privacy stories you’d like to share or ideas on what you’d like to see in Incognito going forward?
Don’t keep them private!
We’d really love to hear from you this year. Drop me a line at laura.martisiute@joindeleteme.com.
I’m also keen to hear any feedback you have about this newsletter.
Recommended Reads
Our recent favorites to keep you up to date in today’s digital privacy landscape.
Trump Expands Palantir Partnership to Centralize Americans’ Data

The Trump administration has expanded its partnership with Palantir, deploying the company’s data integration technology across multiple federal agencies to centralize Americans’ personal data. Privacy advocates and former Palantir employees alike have raised concerns about surveillance, misuse, and political weaponization of data as a result.
Coinbase Faces $400M Fallout After Insider-Driven Data Breach

A group of Coinbase support agents leaked sensitive user data to cybercriminals after being bribed. The breach exposed personal information, including names, addresses, and masked financial details, and could cost Coinbase between $180M and $400M in reimbursements and remediation. Fortunately, no private keys or two-factor codes were compromised.
Kroger Accused of Selling Customer Data Collected Through Loyalty Program

Consumer Reports claims Kroger uses its loyalty program to collect extensive personal data on shoppers, build sometimes inaccurate profiles, and market that information to over 50 companies, including data brokers, tobacco firms, and financial entities. Kroger denies the claims, calling them misinformation based on isolated cases.
184M Login Credentials from Major Platforms Exposed

Cybersecurity researcher Jeremiah Fowler discovered an unprotected and unencrypted database containing over 184M login credentials, likely harvested by infostealer malware and linked to major platforms like Google, Facebook, and Microsoft. While the database has since been taken offline, many confirmed the credentials were valid.
You Asked, We Answered
Here are some of the questions our readers asked us last month.
Q: How to dispose of old devices without impacting privacy?
A: Good question, considering that most of us probably have an old laptop or phone lying around somewhere that we haven’t gotten around to throwing away because we’re not 100% sure how to wipe it securely.
The first thing you’ll want to do is make sure you’ve taken everything you want to keep (photos, messages, files, etc.) off the device you’re ready to throw out.
Then, log out of important accounts like banking and email and make sure the device is not your only 2FA method (move 2FA to a new device or use backup codes before wiping).
Now, it’s time to wipe your data:
- On iPhone, go to Settings → General → Transfer or Reset iPhone → Erase All Content and Settings. See also Apple’s broader guide – “What to do before you sell, give away, or trade-in your iPhone or iPad”.
- For Android devices, sign out of your Google account to turn off Factory Reset Protection, then encrypt your phone (if not already encrypted) and do a factory reset (see ZDNet’s guide for step-by-step instructions).
- Clear your computer by deauthorizing software and signing out of accounts, then wiping your hard drive. See the Comparitech guide for Windows and Mac-specific instructions.
If you’re really concerned about your privacy or the device is old, you can go a step further and remove the hard drive or SSD and damage it physically with a drill or hammer.
Q: Is it better to create new email addresses or use aliases?
A: Great question!
The answer really depends on what you’re trying to do and your goals, but for most people, aliases probably make more sense.
Email aliases work by acting as alternative addresses that forward messages to your real inbox.
The advantage of aliases over separate email addresses is that you can:
- Manage everything from your main email inbox.
- Create hundreds of email aliases without losing track of them (though note that this works best with dedicated aliasing services or custom domains).
This means you can create an alias for every single online service you use. In contrast, you probably won’t create a new email address for every single service just because it involves way more effort.
If an alias starts getting a lot of spam or is compromised in a security incident (e.g., a breach), you can just delete it.
Another cool use for alias emails is that they can act as honey traps for identifying who is sharing your data the most. If you use an alias for each online service and suddenly one alias receives a lot of spam, you know exactly who sold your data (i.e., the service with which you shared it).
However, you shouldn’t use an alias for something you absolutely don’t want to be linkable to your actual identity (for example, whistleblowing). Remember: the aliasing service knows your real email.
You’ll probably also want to have separate emails for different personas (i.e., personal and professional you).
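The per-service alias trick described above can be automated. The sketch below is an added example, not DeleteMe's code; it assumes a catch-all custom domain (`example.com`), a private secret, and constructed service names and sender domains. It tags each alias with an HMAC so that addresses a spammer merely guessed at your domain are not blamed on a service.

```python
import hashlib
import hmac
from collections import Counter

DOMAIN = "example.com"               # assumed catch-all domain you control
SECRET = b"constructed-demo-secret"  # assumed private key; never share it

# Constructed registry: service name -> sender domains you expect mail from.
SERVICES = {
    "shop": {"shop.example"},
    "forum": {"forum.example"},
    "news": {"news.example", "mailer.news.example"},
}

def alias_for(service):
    """Stable per-service alias carrying an unguessable HMAC tag."""
    tag = hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:8]
    return f"{service}.{tag}@{DOMAIN}"

def service_of(recipient):
    """Return the service an alias was issued to, or None if never issued."""
    addr = recipient.lower()
    local, _, domain = addr.partition("@")
    service = local.rpartition(".")[0]
    if domain != DOMAIN or service not in SERVICES:
        return None
    # Recompute the alias instead of trusting the tag in the address.
    ok = hmac.compare_digest(alias_for(service).encode(), addr.encode())
    return service if ok else None

def leak_report(messages):
    """Count mail from unexpected senders, per service whose alias spread."""
    leaks = Counter()
    for recipient, sender_domain in messages:
        service = service_of(recipient)
        if service and sender_domain.lower() not in SERVICES[service]:
            leaks[service] += 1
    return leaks

# Constructed inbox sample: (recipient alias, sender domain).
INBOX = [
    (alias_for("shop"), "shop.example"),            # expected sender
    (alias_for("forum"), "forum.example"),          # expected sender
    (alias_for("shop"), "promo.invalid"),           # alias reached a third party
    (alias_for("shop"), "loans.invalid"),
    ("news.00000000@example.com", "spam.invalid"),  # guessed address, ignored
]

if __name__ == "__main__":
    for service, count in leak_report(INBOX).most_common():
        print(f"{alias_for(service)}: {count} messages from unknown senders")
```

A hit means the alias left the service it was given to, whether through a sale, sharing with a partner, or a breach.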
Back to You
We’d love to hear your thoughts about all things data privacy.
Get in touch with us. We love getting emails from our readers (or tweet us @DeleteMe).
Don’t forget to share! If you know someone who might enjoy learning more about data privacy, feel free to forward them this newsletter. If you’d like to subscribe to the newsletter, use this link.
Let us know. Are there any specific data privacy topics you’d like us to explore in the upcoming issues of Incognito?
That’s it for this issue of Incognito. Stay safe, and we’ll see you in your inbox next month.
