The CFPB Leans Into Privacy With FCRA Advisory Opinion

July.18.2022

The Consumer Financial Protection Bureau (the “CFPB” or the “Bureau”) extended its reach into the realm of data protection with a recent advisory opinion interpreting the “permissible purpose” provision of the Fair Credit Reporting Act (the “FCRA”). The advisory (the “FCRA Advisory Opinion”), released on July 7, 2022, makes clear that consumer reporting companies and users of consumer reports have specific obligations to protect consumers’ data and that the CFPB will exert its regulatory power to enforce such obligations. As the FCRA impacts both financial and non-financial companies, the FCRA Advisory Opinion highlights the CFPB’s recent efforts to expand beyond its traditional jurisdiction over consumer financial products and services to protect consumer data. CFPB Director Rohit Chopra stated, “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”

Below, we highlight the key points of the FCRA Advisory Opinion and recommend best practices for compliance with the FCRA’s permissive purpose provisions.

Key Takeaways From the FCRA Advisory Opinion

The FCRA Advisory Opinion clarifies the CFPB’s interpretation that, under the FCRA’s permissible purpose provisions, a consumer reporting company may not provide a consumer report to a user unless it has reason to believe that all the information in the report pertains to the specific consumer who is the subject of the user’s request. The FCRA Advisory Opinion and its accompanying press release further underscore the importance of adequately protecting “the public’s data privacy” and the possibility of criminal liability.

The permissible purpose provisions of the FCRA provide an exclusive list of the situations in which consumer reporting agencies may disclose consumer information. In one such situation, consumer reporting agencies may disclose consumer reports to a user who it has “reason to believe” has a legally permissible purpose for its use. The FCRA Advisory Opinion describes practices that are considered violations of this provision, including:

The use of inadequate matching procedures. The FCRA Advisory Opinion builds on the CFPB’s Name-Only Matching Advisory Opinion, issued in November 2021, which announced the Bureau’s expectation that credit reporting companies employ reasonable procedures to assure “maximum possible accuracy” when preparing consumer reports.
- “Name-only” matching procedures are considered inadequate. Consumer reporting companies cannot rely on this type of matching to form a reasonable belief that the information included in a consumer report pertains to the specific consumer at issue. Accordingly, a report based upon this type of matching may violate the FCRA accuracy requirements.
- Disclaimers about inadequate matching procedures do not cure violations. The inclusion of a disclaimer in a report cannot be used to shield a consumer reporting company from liability if they have violated the provision.
Disclosing consumer reports that contain information related to multiple consumers as possible matches. Providing consumer reports of multiple people as “possible matches” without taking adequate steps to identify the specific individual subject to the request may not meet the permissible purpose requirements of the FCRA.
Obtaining a consumer report without a permissible purpose. Consumer report users are in violation of the provision and a consumer’s privacy if they obtain a consumer’s report without a permissible purpose for its use.

Who is considered a consumer reporting agency? Under the FCRA, a consumer reporting agency is a person or entity which regularly assembles or evaluates consumer information to disseminate consumer reports to third parties in exchange for a fee or other form of compensation.

The CFPB has taken an expansive view of the definition of “consumer reporting agency” choosing to specifically utilize the term “consumer reporting company” throughout the FCRA Advisory Opinion. This continues the Bureau’s efforts to emphasize that the FCRA applies to a much larger group of companies than those that might be considered more traditional consumer reporting agencies. For example, the CFPB published a list of companies that may potentially be considered consumer reporting agencies under the FCRA. The list includes companies that collect and provide reports based upon non-financial data such as medical diagnoses and prescription drug purchase history.

Who is considered consumer report user? A consumer report user is a person or entity that requests a consumer report from a consumer reporting agency. A user must have a permissible purpose for using the report.

What’s Next?

The FCRA Advisory Opinion and the CFPB’s recent statements and advisory opinions regarding consumer data protection are strong indications of the CFPB’s enforcement priorities. We recommend that all companies that might be considered consumer reporting agencies review their FCRA policies and procedures to ensure compliance.

Recommendations when providing consumer reports:

Eliminate name-only matching procedures. The FCRA requires the use of “reasonable procedures to assure maximum possible accuracy” with respect to matching.
Create policies and procedures to test the accuracy of data sources and outputs. Conducting regular audits of your data sources and matching procedures will help to ensure that your consumer reports are fair and accurate.
Remove language regarding possible matches from disclaimers. For example, the CFPB cited the following inadequate disclaimer language: “This record is matched by First Name, Last Name ONLY and may not belong to your subject. Your further review of the State Sex Offender Registry is required in order to determine if this is your subject.”

Recommendations when requesting consumer reports:

Ensure that you have a permissible purpose for the use of a report. Section 604(b)(3) of the FCRA provides a list of permissible purposes, such as when a user is evaluating the creditworthiness of consumer making a purchase or applying for a credit, underwriting insurance involving a consumer, or screening potential employees.

The CFPB has taken an expansive view of the definition of “consumer reporting agency” choosing to specifically utilize the term “consumer reporting company” throughout the FCRA Advisory Opinion. This continues the Bureau’s efforts to emphasize that the FCRA applies to a much larger group of companies than those that might be considered more traditional consumer reporting agencies. For example, the CFPB published a list of companies that may potentially be considered consumer reporting agencies under the FCRA. The list includes companies that collect and provide reports based upon non-financial data such as medical diagnoses and prescription drug purchase history.

The regulatory landscape of the FCRA may see rapid change as the CFPB marches forward with new advisory opinions and interpretive rules that impact both financial and non-financial companies. The CFPB is not the only regulatory agency with a regulatory eye towards data protection. The FTC has long taken the position that unreasonable security practices, when taken together, can constitute an unfair trade practice, and that misrepresenting security practices can constitute a deceptive practice under the FTC act. As such, the FTC has made numerous settlements with companies who have allegedly misused or failed to adequately protect their customers’ data. For more information on the FTC’s recent announcements regarding data breach notification, see Orrick’s thoughts here.

With new state data protection laws in California, Virginia, Colorado, Utah and Connecticut all going into effect in 2023, the time is now to adequately assess data protection requirements under both federal and state law and to develop an effective compliance program. See Orrick’s U.S. State Consumer Privacy Guide here. Building compliance into products and across organizational policies will allow companies to better serve clients and avoid costly regulatory actions. Stay tuned to Orrick Insights for updates, analyses, and recommendations regarding important regulatory changes.

Contact Shannon Yavorsky if you have questions regarding the privacy law implications of the CFPB’s FCRA Advisory Opinion.

Authors

Shannon Yavorsky Partner, Cyber, Privacy & Data Innovation, Technology Transactions

San Francisco; London

See my bio

D:+1 415 773 5731
E: [email protected]

Practice:

Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Technology Transactions
Global Compliance & Regulatory
Government Investigations and Enforcement Actions
Responsible Business
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Shannon Yavorsky Partner

San Francisco; London

She advises public and private companies across several sectors, including life sciences and health technology, financial services, private equity, insurance, social media and technology on a range of EU and U.S. federal and state privacy laws. Shannon’s strategic counseling advice includes, but is not limited to:

Advertising and payment card processing self-regulatory frameworks
Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM)
Electronic Communications Privacy Act (ECPA)
EU AI Act
EU e-Privacy Directive (EPD)
EU General Data Protection Regulation (GDPR)
Fair Credit Reporting Act (FCRA)
Gramm–Leach–Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
National Institute of Standards and Technology (NIST) AI Risk Management Framework (AIRMF)
Telephone Consumer Protection Act (TCPA)
U.S. state breach notification laws
U.S. state privacy laws in California, Colorado, Connecticut, Utah, Virginia and other states

Shannon also helps clients undertake comprehensive privacy, cybersecurity and AI risk assessments, evaluates privacy, security and AI risks in corporate transactions and drafts and negotiates data-related contracts. She advises clients on cross-border data transfers, data breaches and developing global privacy and AI compliance programs.