Yes — lenders, credit bureaus, and affiliated companies can and do sell or share your personal information, though the type of sharing depends on the entity involved and the specific laws that govern them. The primary driver of this problem is the Fair Credit Reporting Act (FCRA), which has long permitted credit bureaus to sell consumer data as “trigger leads” whenever a hard credit inquiry hits your file. Under Section 604(c) of the FCRA, consumer reporting agencies can furnish your credit information to lenders who make a “firm offer of credit or insurance” — even when you never asked for that offer.
A survey by LendingTree found that 74% of Americans said they received unwanted calls, texts, or emails after their credit was pulled for a loan or insurance policy. That’s millions of people each year whose personal data enters a marketplace they didn’t know existed.
Here’s what you’ll learn in this article:
- 🔍 How credit bureaus and lenders share your data — and the specific federal statutes that allow it
- 🛡️ What the new Homebuyers Privacy Protection Act changes starting March 2026
- ⚠️ Real enforcement actions where companies were fined millions for misusing borrower data
- 📋 Step-by-step methods to opt out and stop your information from being sold
- 💡 Common mistakes that leave your personal data exposed — and how to avoid every one of them
How Trigger Leads Work
The single biggest way your information gets sold after a loan application is through trigger leads. When you apply for a mortgage, auto loan, personal loan, or credit card, your lender performs a hard credit inquiry. That inquiry gets recorded by the three major credit bureaus — Equifax, Experian, and TransUnion. Within hours, those bureaus can package your data and sell it to competing lenders and data brokers.
The information sold in a trigger lead typically includes your name, address, phone number, the type of credit you applied for, and a general range of your credit score. The more detailed the list, the more credit bureaus charge for that information. These lists are generated within 24 hours of your application and sold to any lender willing to pay.
Trigger leads typically cost $30 to $150 per lead, depending on the borrower profile and how exclusive the data is. But since multiple lenders buy the same borrower’s information, the consumer gets flooded. One CBS News report showed a borrower receiving calls within five minutes of submitting a mortgage application online — from lenders he had never contacted.
Only about 2–3% of trigger leads convert into closed loans. For every 100 leads purchased, a lender might close just two or three deals — meaning the other 97 borrowers were contacted, disrupted, and had their data exchanged for nothing.
The Federal Laws That Govern Data Sharing
Three primary federal statutes control how lenders and credit bureaus handle your personal information. Each one creates different rights, different loopholes, and different consequences.
The Fair Credit Reporting Act (FCRA)
The FCRA is the statute that makes trigger leads possible. Section 604(c) permits consumer reporting agencies to provide your information to a creditor who will make a “firm offer of credit or insurance.” The creditor must set specific criteria — like a minimum credit score — before requesting the list from the credit bureau. The bureau applies the criteria and returns the names of consumers who qualify.
Under FCRA Section 615(d), any solicitation that results from prescreening must include a clear notice of your right to opt out of future prescreened offers. This is enforced through Regulation V at 12 C.F.R. § 1022.54.
The FCRA also governs affiliate sharing. Under Section 603(d)(2)(A)(iii), if a lender shares your credit report information or application data with an affiliated company (a company under the same corporate umbrella), that affiliate cannot use it for marketing unless you’ve been given notice and a chance to opt out. This creates two separate opt-out rights under the FCRA: one for affiliate sharing and one for affiliate marketing.
The Gramm-Leach-Bliley Act (GLBA)
The GLBA, enacted in 1999, requires financial institutions — including lenders, mortgage brokers, and loan servicers — to protect your nonpublic personal information (NPI). NPI includes everything from your Social Security number and income to your account balances and payment history.
Under the GLBA’s Privacy Rule (Title V), lenders must give you a privacy notice explaining how they collect, use, and share your financial information. If they want to share your NPI with a nonaffiliated third party — meaning a company not under the same corporate ownership — they must give you notice and a chance to opt out before sharing. This is the fundamental “opt-out” model: your data gets shared unless you take action to stop it.
However, the GLBA contains major exceptions. Lenders can share your NPI without giving you an opt-out right when the sharing is for:
- Processing or servicing a transaction you requested
- Maintaining or servicing your account
- A joint marketing arrangement with another financial institution (as long as there’s a confidentiality agreement)
- Fraud prevention, legal compliance, or responding to subpoenas
The GLBA also prohibits financial institutions from sharing your account numbers for marketing purposes — even if you haven’t opted out. This includes credit card numbers, deposit account numbers, and transaction account numbers.
A critical gap in the GLBA is that it uses an opt-out model rather than an opt-in model. A coalition of 45 consumer advocacy groups urged Congress in 2025 to change this, pushing for a requirement that lenders obtain your affirmative consent before sharing data with third parties.
The Homebuyers Privacy Protection Act (HPPA)
On September 5, 2025, President Trump signed the HPPA into law. This bipartisan legislation — sponsored by Representatives John Rose (R-TN) and Ritchie Torres (D-NY) — directly targets mortgage trigger leads. Starting March 5, 2026, credit bureaus will no longer be allowed to sell mortgage trigger leads unless:
- The consumer explicitly opts in
- The third party receiving the data is the consumer’s current mortgage originator, current loan servicer, or a bank/credit union where the consumer already holds an account
A group of 42 state attorneys general supported passage of this law. The bill passed with unanimous approval by the House Financial Services Committee and by voice vote in both the House and Senate. This marks the first time Congress has directly restricted the sale of trigger leads at the federal level.
Affiliated vs. Nonaffiliated Sharing: Understanding the Difference
When people ask “do lenders sell my information,” they often don’t realize there are two distinct tracks of sharing — and the rules differ for each.
| Sharing Type | Who Receives Your Data | Consumer Right | Governing Law |
|---|---|---|---|
| Affiliate Sharing | Companies under the same corporate parent as your lender | Opt-out required for credit report and application data; no opt-out for transaction/experience data | FCRA Section 603(d) |
| Nonaffiliate Sharing | Companies with no ownership connection to your lender | Opt-out required before sharing NPI | GLBA Privacy Rule |
| Joint Marketing | Another financial institution your lender partners with | No opt-out right, but confidentiality contract required | GLBA Section 313.13 |
| Trigger Leads | Any lender or data broker who purchases your inquiry data from a credit bureau | Opt-out through OptOutPrescreen (mortgage trigger leads banned starting March 2026) | FCRA Section 604(c) / HPPA |
This distinction matters. When your mortgage lender shares your data with its insurance affiliate for a cross-sell offer, that’s affiliate sharing governed by the FCRA. When the credit bureau sells your inquiry data to a competing lender you’ve never heard of, that’s a trigger lead governed by a different part of the FCRA. When your lender shares your income and account data with a nonaffiliated marketing company, that’s nonaffiliate sharing governed by the GLBA.
State Laws That Add Extra Protections
Federal law sets the floor, but several states add layers of protection that go beyond what the FCRA and GLBA require.
California (CCPA/CPRA)
The California Consumer Privacy Act gives California residents the right to know what personal information businesses collect, to request deletion, and to opt out of the sale of their data. The CCPA applies to for-profit businesses doing business in California that have over $25 million in gross annual revenue, buy/sell data on 100,000+ residents, or derive 50%+ of revenue from selling personal information.
The CCPA does exempt consumer credit reporting information governed by the FCRA from some of its provisions. But it covers non-financial data that lenders collect, including browsing history, geolocation data, and marketing profiles. As of 2026, businesses that sell or share data under the CCPA must also conduct a risk assessment evaluating the risks of that sharing to consumers.
Vermont
Vermont stands apart as an opt-in state. Under Vermont’s Privacy of Consumer Financial and Health Information Regulation, financial institutions cannot share consumer information with nonaffiliated third parties unless the consumer affirmatively consents first. This is the opposite of the federal GLBA model. Vermont also prohibits affiliates from obtaining a Vermont consumer’s creditworthiness information without the consumer’s consent.
Vermont also enacted one of the nation’s first data broker registration laws, requiring companies that collect and sell consumer data to register with the Secretary of State and disclose their practices. Vermont requires lead generators who sell loan leads to obtain a Loan Solicitation License.
Real-World Scenarios
Scenario 1: The First-Time Homebuyer
Maria applies for a mortgage with her local credit union. Within minutes, her phone starts ringing. She receives 15 calls, 8 texts, and a stack of mailers — all from lenders she’s never heard of. She panics and calls her credit union asking, “Did you sell my information?”
| What Happened | Consequence |
|---|---|
| Maria’s credit union pulled her credit report (hard inquiry) | The credit bureaus flagged her as an “in-market” borrower |
| The credit bureaus sold her data as a trigger lead within 24 hours | Competing lenders purchased her name, phone number, and loan type |
| Multiple lenders contacted her with unsolicited offers | Maria became confused about which lender was actually handling her loan |
| One caller posed as her “assigned loan officer” | Maria nearly provided her Social Security number to a company she didn’t apply with |
Maria’s credit union never sold her data. The credit bureaus did. Her credit union had no power to stop the trigger lead from being created. After March 2026, the HPPA will prevent this scenario for mortgage applications — but it will not cover auto loan, personal loan, or credit card trigger leads.
Scenario 2: The Lead Generator Trap
James visits a website called “QuickPersonalLoans.com” and fills out a loan application. The site promises to connect him with its “trusted network of lenders.” Instead, the site sells his Social Security number, bank account information, and credit score to over 50 different companies — including marketers, debt relief sellers, and credit repair companies.
| What Happened | Consequence |
|---|---|
| James submitted personal financial data on a lead generation site | The site collected his SSN, bank routing number, and income |
| The site sold 84% of applications to non-lenders | James’s data went to marketers and debt sellers, not actual loan providers |
| The site used his credit score to price leads higher | Applications from consumers with higher credit scores fetched higher prices — a violation of the FCRA |
| The FTC filed suit | The company paid a $1.5 million civil penalty and was restricted from future data sales |
This was the real case of ITMedia Solutions LLC, which operated sites like cashadvance.com, personalloans.com, and badcreditloans.com. The FTC found the company violated both the FTC Act and the FCRA. Executives were held personally liable.
Scenario 3: The Refinance Borrower
David refinances his mortgage. His new lender shares his loan balance, payment history, and contact information with an affiliated insurance company. The insurance company begins calling David to sell him a homeowner’s policy. David never agreed to receive these calls.
| What Happened | Consequence |
|---|---|
| David’s lender shared his NPI with its insurance affiliate | This is legal under the GLBA for transaction/experience data |
| The affiliate used his credit application data for marketing | This requires an opt-out notice under FCRA Section 624 |
| David was never told he could opt out | The lender violated the FCRA’s affiliate marketing opt-out requirement |
| David filed a complaint with the CFPB | The lender may face enforcement action and civil penalties |
FTC and CFPB Enforcement: Real Penalties
Federal agencies have not been passive. Here are documented enforcement actions against companies that mishandled consumer lending data:
- ITMedia Solutions LLC (2022): The FTC imposed a $1.5 million penalty after the lead generator sold 84% of loan applications to non-lenders while promising consumers their data would only go to “trusted lenders.”
- Mortgage Investors Corporation: The FTC collected a $7.5 million civil penalty — its largest ever for Do-Not-Call violations — after the company called consumers on the National Do Not Call Registry and misrepresented loan terms.
- Premier Capital Lending (2008): The FTC settled charges that this Texas mortgage lender violated the GLBA Safeguards Rule by allowing a third-party home seller to access consumer credit reports without proper security. A hacker compromised the seller’s system and accessed hundreds of consumer files.
- Goal Financial LLC: This student loan company settled FTC charges after employees transferred over 7,000 consumer files to unauthorized third parties. One employee sold surplus hard drives containing clear-text data on 34,000 consumers.
- Spokeo Inc. (2012): The FTC imposed an $800,000 penalty on this data broker for selling consumer data to employers for background checks without following FCRA requirements.
- Lead Generator Consent Farms (2024): The FTC fined a California lead generator $7 million for operating over 50 websites designed to trick consumers into providing personal information under the guise of getting a mortgage quote. The company was banned from lead generation.
- Equifax (CFPB Order): The CFPB ordered Equifax to pay a $15 million civil penalty for improperly handling credit disputes, miscalculating credit scores for hundreds of thousands of consumers, and sharing inaccurate data with lenders.
How to Opt Out and Protect Your Information
Step 1: Opt Out of Prescreened Offers
Visit OptOutPrescreen.com or call 1-888-5-OPTOUT (1-888-567-8688). This is the official site run by the Consumer Credit Reporting Industry. You can opt out for five years online or permanently by mail. Opting out permanently requires you to sign and return a confirmation form.
Do this before applying for a loan. If you opt out after applying, it takes several business days to take effect, and your data will likely be sold before the opt-out is processed.
Step 2: Register on the Do Not Call Registry
Visit DoNotCall.gov or call 1-888-382-1222. This stops legitimate telemarketers from calling your number. However, the Do Not Call Registry only prevents phone calls — credit bureaus can still sell your data, and you’ll still receive direct mail and email offers.
Step 3: Remove Yourself from Direct Mail Lists
Visit DMAchoice.org to remove your information from marketing mailing lists maintained by the Data & Marketing Association.
Step 4: Review Your Lender’s Privacy Notice
Every lender must send you a GLBA privacy notice when your customer relationship begins. Read it. Look for the section on sharing with nonaffiliated third parties. If there’s an opt-out checkbox or toll-free number, use it immediately.
Step 5: Exercise Your CCPA Rights (California Residents)
If you live in California, you can submit a “Do Not Sell My Personal Information” request to any lender or data broker subject to the CCPA. Check the California Attorney General’s Data Broker Registry for a list of registered data brokers and their opt-out links.
Mistakes to Avoid
Mistake 1: Assuming your lender sold your data. In most cases, it’s the credit bureau — not your lender — that creates and sells trigger leads. Your lender pulled your credit as part of the application process. The bureau then packaged and sold that inquiry data independently.
Mistake 2: Opting out after applying for a loan. The opt-out at OptOutPrescreen takes several business days. If you apply for a loan before opting out, your data is already on the market before the request is processed.
Mistake 3: Only signing up for the Do Not Call Registry. The Do Not Call list stops phone calls from legitimate telemarketers. It does not stop credit bureaus from selling your data. You’ll still receive mail and emails. You need both OptOutPrescreen and the Do Not Call list to reduce most contact.
Mistake 4: Filling out loan applications on unfamiliar websites. Lead generation sites disguise themselves as lenders. They collect your SSN, bank info, and income — then sell it to the highest bidder. Always verify you’re dealing with a licensed lender before providing financial information.
Mistake 5: Ignoring your lender’s privacy notice. That document you throw away contains your opt-out rights. If you don’t exercise the opt-out within the reasonable time window (typically 30 days), the lender can share your NPI with nonaffiliated third parties.
Mistake 6: Thinking the HPPA covers all loans. The Homebuyers Privacy Protection Act only applies to residential mortgage trigger leads. Auto loan, personal loan, credit card, and student loan trigger leads are not covered by this new law.
Mistake 7: Providing verbal-only opt-out requests. Under the GLBA, your lender must provide a reasonable method to opt out, such as a toll-free number or a mail-in form. Verbal requests during a phone call may not be sufficient. Always use the documented method in the privacy notice.
Do’s and Don’ts
| Do’s | Why |
|---|---|
| Opt out at OptOutPrescreen.com before applying for a loan | Prevents credit bureaus from selling your inquiry data to competing lenders |
| Read every lender’s privacy notice carefully | The notice contains your opt-out rights under the GLBA for nonaffiliate sharing |
| Register on DoNotCall.gov | Stops legitimate telemarketers from calling your phone number |
| Verify that any loan website is a licensed lender | Prevents your data from going to unregulated lead generators |
| File complaints with the FTC and CFPB if you’re contacted after opting out | Federal agencies have brought 151 enforcement actions based on consumer complaints |

| Don’ts | Why |
|---|---|
| Don’t give your SSN or bank info to any website claiming to “match” you with lenders | These are often consent farms that sell data to dozens of companies |
| Don’t ignore unsolicited calls that claim to be your lender | Trigger lead buyers sometimes pose as your assigned loan officer to steal your business |
| Don’t assume all sharing is illegal | Some sharing is permitted under GLBA exceptions for servicing, joint marketing, and fraud prevention |
| Don’t wait until after you’re flooded with calls to act | Opt-out requests take days to process; acting early prevents the worst of it |
| Don’t rely solely on state laws if you move | Different states have different protections; Vermont requires opt-in consent, while most states use the federal opt-out model |
Key Entities and How They Relate
Credit Bureaus (Equifax, Experian, TransUnion): These companies collect financial data from lenders and generate revenue by selling it. Equifax reported over $5.2 billion in annual revenue in 2023. Experian generated $3.3 billion from credit data operations. TransUnion had annual revenue of $3 billion with data on over 200 million U.S. consumers shared with 65,000 businesses.
The FTC: Enforces the GLBA Privacy Rule and the Telemarketing Sales Rule. The FTC has brought 151 enforcement actions related to Do Not Call violations and has recovered over $178 million in civil penalties.
The CFPB (Consumer Financial Protection Bureau): Enforces the FCRA against credit bureaus and large lenders. The CFPB has issued guidance on lead generator practices and has fined credit bureaus for inaccurate data handling.
Lead Generators: Companies that operate websites to collect consumer loan applications and sell the data. The CFPB describes lead generators as entities that sell information about prospective customers to lenders, sometimes using algorithms to route leads to the highest bidder.
The Mortgage Bankers Association (MBA): The industry group that worked with lawmakers to pass the Homebuyers Privacy Protection Act and ban abusive mortgage trigger leads.
The Broker Action Coalition: The organization that coordinated the industry push to ban trigger leads and supported the HPPA through its signing into law.
Pros and Cons of Current Data-Sharing Practices
| Pros | Why It Matters |
|---|---|
| Increases competition among lenders | Consumers may receive better rates from competitors they wouldn’t have found otherwise |
| Prescreened offers require firm credit terms | The FCRA mandates that offers include actual credit terms, not just marketing pitches |
| Joint marketing exceptions allow bundled financial products | Consumers can receive coordinated offers from partnered financial institutions without data going to unrelated third parties |
| The GLBA requires annual privacy notices | Consumers receive ongoing disclosure about how their data is shared |
| Opt-out mechanisms exist at multiple levels | Consumers can limit sharing through OptOutPrescreen, DoNotCall, and individual lender opt-outs |

| Cons | Why It Matters |
|---|---|
| The default is opt-out, not opt-in | Your data is shared unless you actively take steps to prevent it |
| Trigger leads cause confusion and harassment | Borrowers receive dozens or hundreds of calls within hours of applying for a loan |
| Lead generators exploit the system | Some companies collect sensitive data and sell it to non-lenders without consumers’ knowledge |
| The HPPA doesn’t cover non-mortgage trigger leads | Auto, personal, credit card, and student loan trigger leads remain unregulated under the new law |
| Enforcement is reactive, not preventive | The FTC and CFPB act after violations occur, meaning consumers are harmed before penalties are imposed |
FAQs
Can a lender sell my Social Security number?
No. The GLBA prohibits sharing account numbers and access codes for marketing purposes. However, lead generators have been fined for illegally selling SSNs collected through loan applications.
Do credit bureaus need my permission to sell trigger leads?
No. Under current law, credit bureaus can sell trigger leads under FCRA Section 604(c) without your consent. For mortgage leads, the HPPA changes this to an opt-in model starting March 2026.
Will the Homebuyers Privacy Protection Act stop all trigger leads?
No. The HPPA only bans trigger leads tied to residential mortgage transactions. Auto loan, credit card, personal loan, and student loan trigger leads remain legal.
Can I sue a lender for selling my information?
Yes, but only in limited circumstances. You can sue under the FCRA for willful violations involving trigger leads or affiliate sharing. The GLBA itself does not provide a private right of action for consumers.
Does the Do Not Call Registry stop trigger lead calls?
No. The registry stops sales calls from compliant telemarketers, but it does not prevent credit bureaus from selling your data. You must separately opt out through OptOutPrescreen.
Is it illegal for a lender to share my data with its affiliate?
No. Lenders can share transaction and experience data with affiliates under the FCRA. However, affiliates must give you an opt-out notice before using that data for marketing.
Does opting out at OptOutPrescreen hurt my credit score?
No. Opting out of prescreened offers has no effect on your credit score or your ability to apply for credit. It only prevents unsolicited offers.
Are online lead generation sites regulated?
Yes, but enforcement varies. The FTC has fined lead generators for deceptive practices and FCRA violations. Vermont requires lead generators to obtain a Loan Solicitation License.
Can I opt back in after opting out?
Yes. You can reverse your opt-out at OptOutPrescreen.com at any time if you want to receive prescreened offers again.
Does the CCPA protect me from lenders selling my data?
Yes, partially. California residents can request that businesses stop selling their personal information. However, the CCPA exempts certain data already governed by the FCRA, such as credit report information.