CFPB Proposes to Expand Reach of Fair Credit Reporting Act to “Data Brokers” and Beyond
On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) issued a Notice of Proposed Rulemaking (NPRM or Proposed Rule) that proposes to significantly expand the scope of the Fair Credit Reporting Act (FCRA) to cover a range of consumer data sharing practices and companies. As previously summarized, the Proposed Rule follows efforts by the CFPB to address practices by “data brokers” that may not currently be subject to FCRA regulation, though the CFPB’s Proposed Rule would potentially impact entities well beyond data brokers. The NPRM proposes, among other things, to amend the definitions of “consumer report” and “consumer reporting agency” in the FCRA’s implementing Regulation V, potentially sweeping in much more activity involving consumer data sharing than is currently considered to be covered by the law. The Proposed Rule would also add restrictions on the use of de-identified consumer report data and implement new standards for obtaining consent when consumers direct the sharing of consumer reports.
Below we provide a high-level summary of the NPRM and highlight some of the key proposals included in the Proposed Rule. This NPRM is open for public comment until March 3, 2025.
NPRM Key Proposals
Consumer Reporting Agencies and Consumer Reports. Many of the Proposed Rule revisions would modify the regulatory definitions of a “consumer report” or “consumer reporting agency” (CRA) to cover additional activities or entities that share consumer information. For example, the Proposed Rule specifies that an entity that provides information to a third party about a consumer’s credit history, credit score, debt payments, or income or financial tier is a consumer reporting agency providing a consumer report, “regardless of the purpose for which any specific communication of such information is used or expected to be used,” as long as it otherwise would qualify as a consumer report. As a result, companies explicitly providing such consumer data for purposes not covered under the FCRA – for example, providing it for marketing purposes but not for credit or employment purposes – would still need to evaluate whether the sharing triggers FCRA protections.
Additionally, under the Proposed Rule, a company that communicates information about a consumer for non-FCRA purposes will be considered to be providing a “consumer report” if the information actually is used for an FCRA-covered purpose (assuming the other conditions of being a “consumer report” are met). This would occur “regardless of whether there is evidence that the consumer reporting agency knew or expected that the information would be used for such a purpose.” As a result, companies could be considered CRAs and held responsible under the FCRA for providing consumer data, based on unforeseen – and potentially contractually prohibited – downstream uses of the data. This proposal also would require companies providing consumer information for marketing purposes to look more closely at whether the FCRA might apply.
The Proposed Rule would also regulate provision of certain personal identifiers, such as names, addresses, dates of birth, Social Security numbers, phone numbers, and email addresses – often known as “credit header information” – if the information was originally gathered for purposes of preparing a consumer report. As a result, CRAs that gather and sell such information would be restricted to selling it for FCRA-related purposes, such as credit or employment, but not other purposes like general fraud prevention. This kind of identifying information is often particularly valuable for fraud prevention, though the NPRM does clarify that the proposal would not apply to use of consumer reports to prevent fraud or verify the identity of a consumer when done in connection with an FCRA permissible purpose, like evaluating credit applications, government benefits, bank account opening, and rental applications.
Other Proposed Changes. Among other changes, the Proposed Rule would make explicit that a marketing purpose does not qualify as a “legitimate business need” to furnish a consumer report in connection with a consumer-initiated transaction. The Proposed Rule would also effectively prohibit CRAs from using consumer reports to send advertisements or decide which consumers should receive ads on an advertiser’s behalf, even if the consumer report is not provided to the third-party advertiser. (This prohibition does not affect established rules regarding pre-screened solicitations.)
Additionally, the Proposed Rule would require entities that rely on consumers’ written instructions as a permissible purpose to furnish a consumer report to provide a “clear and conspicuous” disclosure stating who may obtain their consumer report and how it will be used, and to follow certain procedures to obtain consent. In particular, the Proposed Rule would require a separate written authorization from consumers that is not included in fine print and that discloses certain information, including the reason for obtaining the report, in advance of sharing consumer report information.
The NPRM also proposes three potential regulatory modifications to foreclose any arguable exceptions or carve-outs to the FCRA for “de-identified” information. The first of the three proposals would “set a bright-line rule that de-identification of information in a communication does not affect whether the communication is a consumer report,” and the other proposals are similar but require at a minimum that the information has the potential to be linked to an individual.
Ultimately, the Proposed Rule has potentially broad implications and its proposed amendments to core provisions of the FCRA may affect a wide range of companies. With a three-month public comment period, it will be up to the next Administration to determine whether and in what form to finalize it.
***
Wiley’s attorneys advise on financial services and privacy-related regulations, including advising and advocating on CFPB and FTC matters. Please contact the attorneys listed on this alert with any questions.