CFPB Issues Proposed Rule to Cover Data Brokers Under the Fair Credit Reporting Act

Jess Cheng, Taylor Stenberg Erb, Maneesha Mithal, Christopher Olsen, Libby Weingarten
Wilson Sonsini Goodrich & Rosati
Contact
LinkedIn
Facebook
X
Send
Embed

Wilson Sonsini Goodrich & Rosati

On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) announced its highly anticipated and controversial proposed rule that primarily aims to bring data brokers within the scope of the Fair Credit Reporting Act (FCRA). Data brokers have long argued that they do not furnish “consumer reports,” and thus do not constitute “consumer reporting agencies” subject to the FCRA’s obligations. The CFPB catalogues the harms that have resulted from such a stance; namely, risks to national security, financial well-being, and personal safety when data brokers sell information to countries of concern, scammers, or stalkers. The proposed rule seeks to cover data brokers by clarifying key provisions within the definition of “consumer report.” The proposed rule also aims to shore up consumer protections under the FCRA by interpreting the definition of “consumer reporting agency” more broadly and permissible purposes for furnishing consumer reports more narrowly, such as consumer consent and legitimate business needs. The CFPB seeks public comment on the proposed rule, which must be received on or before March 3, 2025.

The CFPB’s proposed rule reflects an effort across the current Executive Branch to safeguard the sensitive personal data of Americans. This move comes less than two months after the U.S. Department of Justice announced its proposed rule restricting the transfer of Americans’ sensitive information to countries of concern, as analyzed in our prior client alert. In addition, the Federal Trade Commission has been active in this area by bringing enforcement actions against companies selling sensitive location data, including data broker Mobilewalla.

Of course, there will be a change in administration in January 2025 and press reports indicate that the new administration is likely to curb the activities of the CFPB. It is unclear how the CFPB in a Trump administration will deal with this rulemaking proceeding. We will continue to monitor developments in this area.

This alert provides an overview of the key provisions in the CFPB’s proposed rule.

Definition of “Consumer Report”

Clarifying the Two-Pronged Definition to Cover Data Brokers

Under 15 U.S.C. § 1681a(d) of the FCRA, a consumer report is:

“any written, oral, or other communication of any information by a consumer reporting agency [1] bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living [2] which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for… credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; or any other purpose authorized under [15 U.S.C. § 1681b]” (emphasis added).

In the proposed rule, § 1022.4(b)-(c) clarifies the CFPB’s interpretation of the definition’s second prong, which would cover data brokers.

  • “Is used”: The proposed rule states that information in a communication “is used” for a purpose enumerated in the second prong if a recipient of the information uses it for such a purpose. This clarification is significant for two reasons. First, it reiterates the CFPB’s position that the purpose for which information is used can transform a communication into a consumer report, even if the person communicating did not intend that it be used for such a purpose. Second, it clarifies that “is used” captures any recipient of the information, not just the immediate recipient. As such, this change seeks to prevent data brokers from selling information downstream to those intending to use it for a purpose otherwise subject to the FCRA.
  • “Is expected to be used”: The proposed rule explains that a communication of information by a consumer reporting agency “is expected to be used” for a purpose enumerated in the second prong if it meets one of the following tests: 1) the person making the communication expects or should expect that the recipient will use the information for such a purpose; or 2) the information is about a consumer’s credit history, credit score, debt payments, or income or financial tier. As the CFPB explains, the first test would capture communications of data brokers, since they often know that the data they are selling would be used for eligibility decisions. Moreover, the use of “should expect” seeks to avoid willful ignorance of data brokers in the purposes for which information is used. The CFPB specifically seeks comment on the factors that should inform whether a person “should expect” a recipient to use information for a covered purpose. Under the second test, the CFPB notes that these types of information are typically used for making an eligibility determination for credit. As such, data brokers could expect that such information would be used for an FCRA purpose.

Credit Header Information Covered by “Consumer Report”

Section 1022.4(d) of the proposed rule includes “personal identifiers,” otherwise referred to as “credit header” information, within the definition of consumer report. A personal identifier includes the consumer’s:

  • current or former name or names, including aliases;
  • age or date of birth;
  • current or former address or addresses;
  • current or former telephone number or numbers;
  • current or former email address or addresses;
  • Social Security Number or Individual Tax Identification Number; or
  • any other similar personal identifier.

Consumer reporting agencies sell credit header information to third parties, who may not have a permissible purpose for obtaining the information and may seek to exploit it. In addition, the CFPB emphasizes that personal identifiers are central to maintaining accurate consumer reports. By capturing credit header information within the definition of consumer report, consumer reporting agencies must have a permissible purpose before selling such information and would be subject to the FCRA’s accuracy obligations.

The CFPB acknowledges criticism of this proposal for potentially limiting the beneficial uses of credit header information. Industry trade groups warn that credit header information is used to prevent money laundering, terrorism financing, fraud online, and more. In response, the CFPB confirms that such uses of credit header information may still occur pursuant to a permissible purpose under the FCRA. Credit header information is also used by law enforcement to assist in criminal investigations or to identify witnesses. The CFPB notes that law enforcement can still access such information through various channels, but it seeks comment on how the proposed rule might be amended to ensure timely access to such information.

De-identification of Information Irrelevant to “Consumer Report” Determination

Section 1022.4(e) contains three proposals for determining when a communication of de-identified information constitutes a consumer report. Consumer reporting agencies sell information that is allegedly de-identified, whether through aggregation or other means, to purchasers who may not have a permissible purpose under the FCRA. However, the CFPB points out that technology increasingly makes it possible to identify individuals within data sets even when de-identification steps have been taken. The CFPB is concerned by the privacy implications of reidentification.

The proposed rule presents the three alternatives in increasingly business friendly terms. While the first proposal presents a bright-line rule in which the de-identification of information would be wholly irrelevant to determining whether a communication constitutes a consumer report, the two other proposals contemplate different conditions informing this determination. Under the second proposal, the de-identification of information would be irrelevant when the information is “linked or linkable to a consumer.” The third alternative proposes that the de-identification of information would be irrelevant if one of the following three conditions is met: 1) the information is “still linked or reasonably linkable to a consumer;” 2) the information is used to inform a business decision about a particular consumer, such as a decision whether to target marketing to that consumer; or 3) a person that directly or indirectly receives the communication, or any information from the communication, identifies the consumer to whom information from the communication pertains.

Definition of “Consumer Reporting Agency”

Under 15 U.S.C. § 1681a(f) of the FCRA, a “consumer reporting agency” is a person who regularly engages in “assembling or evaluating” consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties. Section 1022.5 clarifies the CFPB’s interpretation of “assembling or evaluating” consumer information. A person “assembles or evaluates” consumer credit information or other information if they:

  • collect, bring together, gather, or retain such information;
  • appraise, assess, make a judgment regarding, determine or fix the value of, verify or validate such information; or
  • contribute to or alter the content of such information.

The proposed rule also includes illustrative examples of activities that constitute "assembling or evaluating” consumer credit information or other information. Notable examples include determining the value of information by arranging or ordering information to suggest relevance to users or retaining information about consumers through a database or electronic file system. Though these interpretations are broad, the CFPB contends that they will not sweep in entities that have otherwise been outside the scope of the FCRA. Even if entities like newspapers or government agencies “assemble or evaluate” consumer credit information, they do not do so for the purpose of furnishing consumer reports to third parties and would thus not meet the definition of a consumer reporting agency. The CFPB seeks comment on the impact of this interpretation particularly on data aggregators and platforms in the mortgage lending industry.

Permissible Purposes for Furnishing Consumer Reports

Consent

Under 15 U.S.C. § 1681b of the FCRA, a consumer reporting agency may only furnish a consumer report pursuant to a permissible purpose under the statute. One permissible purpose is “in accordance with the written instructions of the consumer to whom the report relates.” The CFPB notes that companies attempt to comply with the consumer consent permissible purpose through vague authorizations that are buried in lengthy text that consumers do not understand. The proposed rule sets out conditions for obtaining sufficient consumer consent under the FCRA. Such requirements include express, informed consent with the consumer’s signature; easily accessible revocation of consent; and procurement, use, and retention limitations.

Legitimate Business Need

An additional permissible purpose for which a consumer reporting agency may furnish a consumer report is when the consumer reporting agency has reason to believe the third party has a “legitimate business need” for the information. Such needs must meet one of the following situations: 1) in a business transaction initiated by the consumer, or 2) to review an account to determine whether the consumer continues to meet the terms of the account. The proposed rule clarifies the circumstances that satisfy such legitimate business needs.

  • Consumer-Initiated Transaction: Section 1022.12(b)(2) of the proposed rule states that a consumer reporting agency may only furnish a consumer report to a third party under this permissible purpose if they have reason to believe that the consumer initiated a business transaction. The proposed rule clarifies that a consumer does not initiate a business transaction when asking about the availability or pricing of products or services.
  • Solicitation or Marketing: Section 1022.12(b)(3) states that furnishing a consumer report for a “legitimate business need” is not satisfied when a consumer reporting agency has reason to believe that the person is seeking information from the consumer report to either solicit the consumer for a transaction that the consumer did not initiate or to market products or services to the consumer. This clarification is driven by the CFPB’s concerns regarding consumer reports being used for marketing purposes.

Proposed Effective Date

The CFPB also seeks comment on whether a final rule should have an effective date six months or one year following publication in the Federal Register.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Wilson Sonsini Goodrich & Rosati

Written by:

Wilson Sonsini Goodrich & Rosati
Wilson Sonsini Goodrich & Rosati
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

Wilson Sonsini Goodrich & Rosati on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide