The Consumer Financial Protection Bureau (CFPB) has issued a legal interpretation [1] to ensure that companies that use and share credit reports and background reports have a permissible purpose under the Fair Credit Reporting Act [2] (FCRA). The CFPB’s new ruling clarifies that reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct.
“Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data,” said CFPB Director Rohit Chopra [3]. “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”
Congress enacted FCRA in 1970 to ensure companies “exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” FCRA protects information collected by consumer reporting agencies such as credit bureaus, medical information companies and tenant screening services. Information in a consumer report cannot be provided to anyone who does not have a purpose specified in the Act. Companies that provide information to consumer reporting agencies also have specific legal obligations, including the duty to investigate disputed information. In addition, users of the information for credit, insurance, or employment purposes must notify the consumer when an adverse action is taken based on such reports.
Over the last century, Congress enacted several sector-specific privacy laws to protect personal data, such as educational and health data. One law that includes privacy protections across multiple sectors is FCRA.
The CFPB’s advisory opinion will help to hold responsible any company, or user of credit reports, that violates the permissible purpose provisions of FCFRA.
Specifically, the advisory opinion makes clear:
- Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights: For example, when a credit reporting company uses name-only matching procedures, the items of information appearing on a credit report may not all correspond to a single individual. That means the user of a credit report could be provided a report about a person for whom the user does not have a permissible purpose.
- It is unlawful to provide credit reports of multiple people as “possible matches:" Credit reporting companies may not provide reports on multiple individuals where the requester only has a permissible purpose to obtain a report on one individual.
- Disclaimers about insufficient matching procedures do not cure permissible purpose violations: Disclaimers will not cure a failure to take reasonable steps to ensure the information contained in a credit report is only about the individual for whom the user has a permissible purpose.
- Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so: FCRA prohibits anyone from using or obtaining credit reports without a permissible purpose.
The CFPB’s advisory opinion outlines some of the criminal liability provisions in FCRA. Covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual. Section 620 of FCRA [4] imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person. Violators can face criminal penalties and imprisonment.