- Key insight: Data minimization risks making consumers less safe.
- Supporting data: When core identity data is removed from fraud prevention models, model testing reveals that millions more consumers become victims of identity theft each year.
- Forward look: Policymakers should focus on how data is used, for what purpose and with what safeguards, rather than assuming that less data always equals less harm.
As policymakers and advocates grapple with the rise of fraud, scams, and identity theft, a familiar refrain has re-emerged: that the solution lies in
That framing is not only incomplete, but it also risks making consumers less safe.
"Data minimization" is often presented as an unqualified good: collect less, retain less, use less. But in
Effective identity verification and fraud detection can only occur with reliable data to distinguish legitimate consumers from criminals using stolen or synthetic identities. Removing key data inputs does not reduce risk, it degrades the accuracy of these tools. When fraud models lose access to foundational identity data, three things happen simultaneously: More fraud slips into the financial system undetected, more consumers are victimized by identity thieves and more legitimate consumers are wrongly flagged.
Closer analysis bears this out. When core identity data is removed from fraud prevention models,
But the damage is not distributed equally.
Thin-file consumers, young adults, and older Americans bear a disproportionate burden when fraud prevention models lose precision, yet these financially underserved populations are rarely centered in debates about data restrictions. For example, some consumers in these groups with limited credit histories present verification challenges that superficially resemble synthetic identity fraud. Both involve identities with sparse historical footprints. The difference is that one represents a real person building their financial life, while the other is a fabricated identity created to commit financial crime.
Sophisticated fraud prevention models trained on comprehensive identity data can distinguish between these scenarios with precision. They recognize the authentic patterns of someone new to the credit system versus the artificial construction of a synthetic identity. Strip away foundational data sources and that precision collapses.
Preferred Bank moved a $115 million block of loans to nonaccrual status after the borrower, which is battling fraud charges leveled by other banks, began missing payments.
The consequences are concrete and measurable. Analysis shows that when key identity data is removed, false positive rates surge, with thin file consumers bearing the brunt. These aren't abstract statistics. They represent real people: college students opening their first credit card or young professionals trying to rent an apartment.
Older Americans face risks on the other end of the spectrum. As prime targets for identity thieves and account takeover schemes, seniors often have long-established identities with stable personal information. Making detection even more complicated is the fact that identity fraud impacting seniors is often perpetrated by a family member or someone close to the victim. When fraud detection models lose access to historical identity baselines, criminals exploiting senior identities are more likely to slip through undetected. The result is not increased privacy protection, but greater exposure to financial loss and emotional distress for older Americans.
If consumer privacy policy is serious about financial inclusion and equity, it must account for how accuracy in fraud prevention directly enables access, and how degrading that accuracy has predictably negative results.
Another flaw in the current debate is the tendency to collapse fundamentally different activities into a single, pejorative category. The term "data broker" has become a catchall label applied indiscriminately to companies with vastly different business models, purposes and risk profiles. Firms engaged in fraud prevention and identity verification activities are now grouped together with entities engaged in entirely unrelated commercial activities.
Fraud prevention companies are using data to protect consumers. They operate under strict contractual, regulatory and cybersecurity controls. They help other businesses detect criminals and verify identities. Lumping them together with entirely different business models may make for compelling rhetoric, but it leads to misguided policy.
Protecting consumers without creating additional harm requires nuance. Policymakers should focus on how data is used, for what purpose and with what safeguards, rather than assuming that less data always equals less harm. Well-defined and responsible uses of data for identity verification and fraud prevention should be explicitly protected, not treated as collateral damage in broader campaigns against irresponsible data practices.
Privacy, security and fraud prevention protect consumers and the global financial ecosystem when data is used responsibly. But when policy paints with too broad a brush, the people who pay the price are not abstract "data brokers." They are consumers whose identities are stolen, whose accounts are drained, and whose access to and trust in the financial system is eroded.
If the goal is truly to protect consumers, we should start by preserving and clearly distinguishing the responsible data practices that keep fraud out of their lives in the first place.
