CFPB Proposes To Expand Fair Credit Reporting Act Implementing Regulations to Target Data Brokers
On December 13, 2024, the Consumer Financial Protection Bureau (CFPB) published in the Federal Register a proposed rule that would revise Regulation V,1 the CFPB’s regulation implementing the Fair Credit Reporting Act (FCRA). The proposed rule would impose new limitations and obligations for many entities that collect, aggregate, sell, resell, license, enable the use of, or otherwise share consumer information with other parties (so called “data brokers”), and clarify that these data brokers are subject to the requirements of FCRA.
This rulemaking was originally announced in 2023 by the CFPB’s Small Business Advisory Review Panel for Consumer Reporting Rulemaking. This advisory panel was constituted pursuant to the Small Business Regulatory Enforcement Fairness Act 1996 (SBREFA), which requires federal agencies to collect the advice and recommendations of small businesses likely to be affected by a proposed rulemaking. The publication of the proposed rule follows the CFPB’s June 2024 proposal to ban medical bills from credit reports, which was initially proposed as part of the SBREFA process.
Background
As explained in the promulgating release for the proposed rule, the CFPB believes the proposed revisions to Regulation V are needed to ensure that FCRA’s protections apply to all data brokers that engage in the types of activities that Congress designed FCRA to regulate. That is, the preparation and furnishing of “consumer reports” — communications of certain information about a consumer that are used or expected to be used for determining eligibility for credit or insurance, employment purposes, or other “permissible” purposes enumerated in FCRA.2 Many of the obligations established by FCRA and Regulation Z fall on consumer reporting agencies (CRAs), which are defined by FCRA as entities that, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engage in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.3 Under FCRA, absent consent from the consumer to whom this information pertains, CRAs generally may disclose a consumer report only for the limited permissible purposes specifically identified in the statute.4
The CFPB noted in the promulgating release that consumers regularly engage in activities that reveal personal information about themselves, often without realizing it — such as surfing the web, using a credit card, or subscribing to a magazine. Data brokers gather this information — which can be private or highly sensitive — and sell it to other entities with which a consumer may not have a relationship. As stated in the proposed rule, the communication of some of this personal information, when used or expected to be used for a purpose covered by FCRA, would constitute a “consumer report.” The promulgating release for the proposed rule highlighted the risks that are associated with the collection and sale of such reports and noted the significant risk of misuse by third parties who might purchase this information from data brokers in order to scam, harass, or violate the privacy of consumers.
In the past, many data brokers have argued that they are not subject to FCRA because they do not meet the statutory definition of a CRA. As the CFPB acknowledged in the promulgating release for the proposed rule, FCRA’s definitions of “CRA” and “consumer report” are not without ambiguity and have been disputed in court since the law’s enactment. The proposed rule would provide greater specificity and clarity to enhance FCRA’s definitions of these terms, and would do so in a manner that would capture data brokers that arguably have been deemed outside of FCRA’s scope. The proposed rule would also provide clarity on what constitutes a “permissible use” of consumer reports under FCRA, as well as clarify other obligations of CRAs.
The Proposed Rule
As described above, “consumer report” as defined by FCRA means any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes, (B) employment purposes, or (C) any other purpose as specifically identified by FCRA.5 The proposed rule would clarify FCRA’s scope by interpreting the statutory definition of a consumer report to capture additional types of entities and activities that previously had not been interpreted as being within the scope of the statute:
- The proposed rule would clarify the meaning of the phrase “is used” in the definition of a consumer report such that when a data broker communicates consumer information for any reason, if any person receiving the information — not just the immediate recipient of the communication — then uses the information for one of the consumer report definition’s specified purposes, the communication would be a consumer report under FCRA. Accordingly, an entity could be captured within the scope of FCRA even if the entity does not intend or expect that the information being communicated will be used for one of the specified purposes, and the recipient the entity communicates it to does not use it for such a purpose. If a third party eventually receives that information and uses it for one of the consumer report definition’s specified purposes, the original communication of the information would be a consumer report under FCRA, assuming the other elements of the definition are met.
- The proposed rule would broaden the meaning of “expected to be used” in the definition of a consumer report. Specifically, the proposed rule would deem that communication of information fulfills the “expected to be used” element of the definition of a consumer report whenever (1) the person making the communication expects or should expect that a recipient of the information in the communication will use the information for such a purpose, or (2) whenever the information is about a consumer’s credit history, credit score, debt payments, or income or financial tier. This second change in particular would somewhat collapse two elements of the definition of a consumer report: the element that a consumer report be a communication of information “bearing on credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” and the element that the information “is used or expected to be used for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes, (B) employment purposes, or (C) any other purpose as specifically identified by FCRA.” Specifically, by stating that any communication of information relating to credit history, credit score, debt payments, income, or financial tier by default is automatically assumed to be used for a purpose specified in the definition of a consumer report, communications of certain types of information do not have to actually be expected to be used for a specific purpose to qualify as a consumer report.
- Under the proposed rule, communications from CRAs of certain personal identifiers that they collected to prepare a consumer report (such as name, addresses, date of birth, Social Security numbers, and phone numbers) generally would be considered consumer reports. Even if these personal identifiers arguably do not bear on one of the enumerated characteristics to be used as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; or another purpose as specifically identified by FCRA, the communication of these kinds of information from CRAs would be deemed consumer reports. As a practical matter, the expansion of the interpretation of the statutory definition of a consumer report would limit the ability of CRAs to furnish “credit header” data if the user had a permissible purpose under FCRA, which could include receiving a consumer’s informed consent.
- Under the proposed rule, the phrase “assembling or evaluating” in the definition of a consumer report would be clarified to plainly state that entities that (1) collect, bring together, gather, or retain consumer credit information or other information, (2) appraise, assess, make a judgment regarding, determine or fix the value of, verify, or validate such information, or (3) contribute to or alter the content of such information (so called “data aggregators”) would be designated as CRAs, assuming the other elements of that definition are satisfied.
In addition to clarifying FCRA’s definition of “consumer report,” the proposed rule would make several other changes that would clarify the obligations imposed under FCRA.
- FCRA states that using a consumer report for “legitimate business needs” is a permissible purpose; however, the proposed rule would clarify that “legitimate business needs” under FCRA do not include using consumer report information for marketing and advertising. Accordingly, CRAs seeking to use consumer reports for marketing or advertising will need to justify that use through an alternative permissible purpose identified by FCRA — such as the use of a consumer report pursuant to a written instruction from a consumer.
- The proposed rule would also clarify the meaning of the word “furnishing” within the definition of “consumer reporting agency” in order to include facilitating a third party’s use of any information from the consumer report for the third party’s financial gain. For example, under the proposed rule, if a consumer reporting agency gives a third party the benefit of consumer report information by using consumer reports to target advertising to consumers on behalf of the third-party, the consumer reporting agency has furnished a consumer report to the third party by facilitating the third party’s use of the information from the consumer report for their financial gain.
- Any use of a consumer report pursuant to a written instruction of the consumer is typically considered a permissible purpose under FCRA. However, the proposed rule would require that, for the “written instruction” permissible purpose to apply, consumers must be provided a clear and conspicuous disclosure stating how their consumer report will be used.
Takeaways
If adopted as proposed, the proposed rule would extend the requirements of FCRA and Regulation V to a wide array of data-brokering activities which might otherwise have been deemed to be beyond the scope of those authorities. Further, some elements of the proposed rule would serve to constrict existing uses of FCRA data which were arguably permissible under the statutory text. The proposed rule, if adopted, has the potential to impose novel federal privacy obligations on many companies that collect, aggregate, evaluate, or transmit consumer data — both companies that had already been complying with FCRA, and companies which now may be swept within its scope.
Nevertheless, the prospects for a final rule are uncertain. With the pending change in administration and corresponding expected change in the leadership of the CFPB, the agency may elect to modify the rule proposal or abandon the rulemaking entirely. However, for the moment, comments on the proposed rule must be submitted on or before March 3, 2025, and industry participants may wish to submit comments to the CFPB to help shape the administrative record in the event that the CFPB under new leadership determines to retain the rule proposal as part of its rulemaking agenda.
If you are interested in submitting a comment, or if you would like more information about how the proposed rule or the CFPB’s SBREFA proposals may impact your business, please contact any of the authors of this Advisory or your usual Arnold & Porter contact. The firm’s Financial Services team and the Privacy, Cybersecurity, and Data Strategy team would be pleased to assist with any questions about the proposed regulation, other consumer reporting rulemaking under CFPB consideration, or financial regulation and privacy law more broadly.
© Arnold & Porter Kaye Scholer LLP 2024 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.