CFPB Targets Consumer Report Protections with an Advisory Opinion

CFPB Targets Consumer Report Protections with an Advisory Opinion

Blog WilmerHale Privacy and Cybersecurity Law

On July 7, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion, “Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports” (the “Opinion”) to outline certain privacy obligations of consumer reporting agencies (“Reporting Agencies”) and consumer report users (“Users”) under section 604 of the Fair Credit Reporting Act (“FCRA”). This new Opinion will be important for any company in the consumer reporting space or any company that uses consumer reports in its business operations. 

The Opinion highlights that (a) the permissible purposes for reporting are consumer specific;  (b) Reporting Agencies may only provide consumer reports if they has “reason to believe” that all the consumer report information pertains to the subject of the user’s request; (c) disclaimers will not cure a failure to have a “reason to believe” that a User has permissible purpose; and (d) Users must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.

In the past, the CFPB and the Federal Trade Commission have brought enforcement actions to address violation of the FCRA’s permissible purpose. This Opinion underscores the CFPB’s efforts to ensure that companies that use and share credit reports and/or background reports have a permissible purpose under the FCRA and highlights that Reporting Agencies and Users have specific obligations to protect the consumer’s data privacy. The Opinion also reminds covered entities of potential criminal liability for certain misconduct.

Companies that generate consumer reports or Reporting Agencies must carefully ensure that the report is generated under its permissible purpose. Users or those requesting the consumer must also ensure that the request is made for a permissible purpose. 

Background
 
Reporting Agencies collect and assemble an exorbitant amount of information about consumers including such consumers’ credit, criminal, employment and rental histories. This information is packaged into consumer reports (“Consumer Reports”). In turn, creditors, landlords, employers and other Users utilize the Consumer Reports to make eligibility determinations. Some common permissible purposes include using Consumer Reports for credit, insurance, housing, or employment decisions. For example, a bank, as a User, may request a Consumer Report in order to determine the terms on which it will offer an individual a line of credit. In the same vein, a landlord, as a User,  may request a Consumer Report in order to determine the terms on which it will offer someone a tenancy.
In order to keep such information confidential, in 1970, Congress enacted the FCRA to regulate companies that assemble Consumer Reports, including credit reporting companies, tenant screeners, and other data brokers. Among other things, the FCRA ensures fair and accurate reporting, and it requires users who buy such Consumer Reports to have a legally permissible purpose. This ensures that companies will not check an individual’s personal information, such as their credit history, without a bona fide reason. 

The Opinion

The Opinion and its accompanying press release further underscore the importance of adequately protecting “the public’s data privacy” and remind businesses of the possibility of criminal liability. Below are select takeaways from the Opinion:

Permissible purpose and insufficient identifiers as matching criteria. FCRA section 604(a)(3) enumerates the permissible purposes for which Reporting Agencies may provide Consumer Reports to a User such as for credit, employment and rental housing. A Reporting Agency may provide the Consumer Report when it has “reason to believe” that the User requesting the report has a permissible purpose with respect to the consumer (FCRA section 604(a)(3)). The CFPB interprets this to mean that section 604(a)(3) applies only to that consumer who is subject of the request, rather than anytime a User, such as a bank or a landlord, makes a request.
 
  • Permissible purpose and insufficient identifiers as matching criteria. FCRA section 604(a)(3) enumerates the permissible purposes for which Reporting Agencies may provide Consumer Reports to a User such as for credit, employment and rental housing. A Reporting Agency may provide the Consumer Report when it has “reason to believe” that the User requesting the report has a permissible purpose with respect to the consumer (FCRA section 604(a)(3)). The CFPB interprets this to mean that section 604(a)(3) applies only to that consumer who is subject of the request, rather than anytime a User, such as a bank or a landlord, makes a request.

    The CFPB notes that some Reporting Agencies use insufficient matching such as name-only matching. This means that a User could be provided a report about a person for whom the User does not have a permissible purpose to view the report for the sole purpose that the name matches. For example, when a Reporting Agency conducts a public records search using name-only matching and identifies one or more individuals with the same name as the  consumer who is the subject of the User’s request, it sometimes might provide the User with a report containing a possible match or list of possible matches. If the Consumer Report includes information that identifies (even if not by name) consumers who are only possible matches and information that bears on the credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living of those consumers, the Reporting Agency will have unlawfully provided Consumer Reports about those consumers to a User that does not have a permissible purpose for them.
  • Disclaimers will not suffice. The Opinion states that disclaimers such as “[t]his record is matched by First Name, Last Name ONLY and may not belong to your subject. Your further review of the State Sex Offender Registry is required in order to determine if this is your subject” are insufficient. Such a disclaimer does not change the fact that the Reporting Agency has failed to satisfy the requirements of 604(a)(3) by providing a Consumer Report about a consumer to a person lacking a permissible purpose with respect to that consumer.
  • Users of Consumer Reports must have permissible purpose. Finally, the CFPB interprets the FCRA (section 604(f)) to provide that Users are also strictly prohibited from using or obtaining Consumer Reports without a permissible purpose. In other words, Users are also accountable and that the standard of “permissible purpose” extends beyond Reporting Agencies to Users.

    By way of background discussion, the CFPB also mentions (and reminds businesses) of the potential for criminal liability under FCRA section 619 and section 620 arising from violations of the FCRA’s permissible purpose requirement. The Opinion highlights that the CFPB will continue to take steps to ensure that Reporting Agencies, Users and other relevant entities adhere to the FCRA and other consumer financial protection laws. 
     

 

Authors