Uncle Sam’s consumer watchdog has scrapped plans to implement Biden-era rules that would’ve treated certain data brokers as credit bureaus, forcing them to follow stricter laws when flogging Americans’ sensitive data.
The Consumer Financial Protection Bureau (CFPB) proposed the rules in December following a string of high-profile scandals that shed light on the massive amounts of personal data being stored and sold off, in some cases to criminals and scammers.
The rules would have reclassified certain data brokers as “consumer reporting agencies,” meaning they’d be subject to strict requirements for accuracy and transparency, and only allowed to sell data for recognized purposes such as credit checks or employment screening. And no, marketing doesn’t count.
Now? Well, never mind. “The Consumer Financial Protection Bureau is withdrawing its Notice of Proposed Rule: Protecting Americans from Harmful Data Broker Practices (Regulation V),” the agency said in an official filing.
“The bureau has determined that legislative rulemaking is not necessary or appropriate at this time to address the subject matter of the NPRM [Notice of Proposed Rulemaking]. The bureau will not take any further action on the NPRM.”
The potential for abuse and misuse is significant. Brokers can collect purchasing information from apps, for example, or collect the identities of people who’ve been in the vicinity of women’s health clinics or at a protest, then cross-reference it to create fairly detailed profiles. A huge source of this data comes from app developers selling out their users, which is one of the reasons why a downloaded game wants all your data in exchange.
“The reason so many apps are so grabby is that data brokers effectively have an all-comers-welcome open offer for data they generate,” author and activist Cory Doctorow told The Register. “In other words, any data you can steal from a user will be bought by a data broker, so it’s always worthwhile to grab any data you can.”
It’s not just app makers that are in on the game – major telcos are, too. Last year, the Federal Communications Commission fined AT&T, Verizon, Sprint, and T-Mobile US nearly $200 million for peddling the real-time location of their subscribers to data aggregators and brokers. The fine followed years of pressure from Senator Ron Wyden (D-OR). The comms providers have promised not to do it again. We’re sure they are trustworthy.
As the CFPB pointed out this year, data brokers seldom ask questions of the people they are selling personal records to. This in rare cases can pose a national security risk – we’ve already seen military bases exposed by data from fitness apps.
The agency more than anything flags up individuals buying this information for running financial scams, stalking people, and suchlike.
“By selling our most sensitive personal data without our knowledge or consent, data brokers can profit by enabling scamming, stalking, and spying,” said CFPB boss Rohit Chopra when the rule was originally proposed. “The CFPB’s proposed rule will curtail these practices that threaten our personal safety and undermine America’s national security.”
There’s also the security aspect, since data brokers make very attractive targets for criminals who want the information they hold. Last year, The Register covered the case of the impressive-sounding National Public Data, which turned out to be a one-man band in Florida. Cyber-intruders claimed to have stolen a 277.1 GB database containing 2.9 billion records from the outfit.
Barely a month later, another broker, formerly known as Pure Incubation, now operating as DemandScience, had 183 million business contact records posted for sale by a crook for $6,000. The data included email addresses, physical addresses, phone numbers, job titles, and social media profiles.
Two weeks after that, The Register broke the news that another broker, SL Data Services, had left 644,869 PDF files in a 713.1 GB archive sitting in an open Amazon S3 bucket. The archive included criminal histories, background checks, vehicle records, and property data, all freely accessible online with no password protection.
The US was not alone in trying to rein in the data brokerages. The UK is actively considering changing the rules on how these organizations operate and has just finished an inquiry and public comment period about whether or not to tighten the rules under which they operate.
Tuesday’s announcement means the CFPB has decided that everything’s fine for the moment, though the agency itself might not be around for much longer. Elon Musk has reportedly set his sights on gutting it entirely. ®