Categories: Cybersecurity

On July 7, 2022, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion entitled ‘“Fair Credit Reporting: Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.”[1] The advisory opinion clarifies that “permissible purposes” under the Fair Credit Reporting Act (the “FCRA”) are “consumer specific” and highlights that a person who uses or obtains a “consumer report” is “strictly prohibit[ed]” from doing so without a permissible purpose under the FCRA. In the midst of ongoing Congressional efforts to pass a comprehensive federal data privacy law, the CFPB’s advisory opinion is a reminder of the existing rules that protect consumer privacy.

The FCRA creates a framework to protect the accuracy and privacy of “consumer report” information, which includes information “bearing on” a consumer’s “credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” and which is used or expected to be used for credit, employment, or insurance, among other purposes.[2] The FCRA primarily regulates consumer reporting agencies (“CRAs”)—broadly defined to include any person or entity that regularly assembles or evaluates information about consumers for fees [3]—in addition to those who use or obtain consumer reports (i.e., “users”),[4] as well as those who supply information to CRAs (i.e., “furnishers”).[5]

The CFPB’s advisory opinion emphasizes that the FCRA protects consumer privacy by “limiting the circumstances under which consumer reporting agencies may disclose consumer information”;[6] specifically, by restricting disclosure of consumer report information only to persons whom the CRA has “reason to believe” have a statutory “permissible purpose” for obtaining such information.[7] The CFPB now has formally clarified that this is a “consumer specific” requirement. Therefore, a CRA must have “reason to believe that all of the consumer report information” provided to a user “pertains to the consumer who is the subject of the user’s request.”[8] Practically speaking, this means that CRAs must use caution when employing “name only matching” procedures, which can result in disclosure of consumer information pertaining to more than one individual with the same name and lead to a potential violation of the FCRA.

The advisory opinion also highlights requirements imposed on “users” of consumer reports—which includes any person or entity that requests a consumer report from a person or entity that meets the definition of a CRA. In relevant part, the FCRA section 604(f) provides that a “person shall not use or obtain a consumer report for any purpose unless (1) the consumer report is obtained for a purpose authorized to be furnished under this section; and (2) the purpose is certified in accordance with” the provisions of the FCRA through a “general or specific certification.”[9] In the advisory opinion, the CFPB now clarifies that it is interpreting this requirement as a “strict” prohibition, rejecting the argument accepted by some courts[10] that a user might not violate the FCRA if the user has a “reason to believe” that a permissible purpose applies. For example, the CFPB notes that a company may violate the FCRA if, when requesting consumer report information, it incorrectly selects the “wrong consumer from a list of possible consumers,” even if done so in error.[11] The CFPB explains that this would “violat[e] the FCRA’s permissible purpose provisions and the privacy of consumers that were the subject of those reports” while also “generating an inquiry on the consumer’s credit reports.”[12]

The CFPB’s guidance demonstrates its focus on consumer privacy rights protected by the FCRA, and is a reminder to both CRAs, and users of consumer reports, to keep procedures in place to prevent the access or disclosure of information protected by the FCRA without a permissible purpose.

Nija Chappel, a Law Clerk – Admission Pending (not admitted to the practice of law) in the firm’s Washington, D.C. office, contributed to the preparation of this post.

********

[1] Bureau of Consumer Financial Protection, “Fair Credit Reporting; Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports” (July 2022). https://files.consumerfinance.gov/f/documents/cfpb_fair-credit-reporting_advisory-opinion_2022-07.pdf.

[2] Advisory Opinion, at 7; FCRA Section 603(d); 15 U.S.C. § 1681a(d).

[3] See FCRA section 603(f), 15 U.S.C. § 1681a(f).

[4] E.g., FCRA section 604(f), 15 U.S.C. § 1681b(f).

[5] E.g., FCRA section 623, 15 U.S.C. § 1681s-2.

[6] Advisory Opinion, at 3.

[7] FCRA section 604(a)(3), 15 U.S.C. § 1681b(a)(3).

[8] Advisory Opinion at 9.

[9] Advisory opinion at 11; FCRA section 604(f), 15 U.S.C. § 1681b(f); FCRA section 607(a), 15 U.S.C. § 1681e.

[10] Advisory opinion at 11-12 (citing Korotki v. Att’y Servs. Corp. Inc., 931 F. Supp. 1269, 1276 (D. Md. 1996)

(applying “reason to believe” standard to users of consumer reports under FCRA).

[11] Advisory opinion at 12; In re State Farm Bank, FSB, 2018-CFPB-0009, at ¶¶ 17-19 (Dec. 6, 2018),

https://files.consumerfinance.gov/f/documents/bcfp_state-farm-bank_consent-order.pdf.

[12] Id.

Back to Commercial Litigation Update Blog

Search This Blog

Blog Editors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Commercial Litigation Update posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.