The Consumer Financial Protection Bureau (the “CFPB” or the “Bureau”) extended its reach into the realm of data protection with a recent advisory opinion interpreting the “permissible purpose” provision of the Fair Credit Reporting Act (the “FCRA”). The advisory (the “FCRA Advisory Opinion”), released on July 7, 2022, makes clear that consumer reporting companies and users of consumer reports have specific obligations to protect consumers’ data and that the CFPB will exert its regulatory power to enforce such obligations. As the FCRA impacts both financial and non-financial companies, the FCRA Advisory Opinion highlights the CFPB’s recent efforts to expand beyond its traditional jurisdiction over consumer financial products and services to protect consumer data. CFPB Director Rohit Chopra stated, “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”
Below, we highlight the key points of the FCRA Advisory Opinion and recommend best practices for compliance with the FCRA’s permissive purpose provisions.
The FCRA Advisory Opinion clarifies the CFPB’s interpretation that, under the FCRA’s permissible purpose provisions, a consumer reporting company may not provide a consumer report to a user unless it has reason to believe that all the information in the report pertains to the specific consumer who is the subject of the user’s request. The FCRA Advisory Opinion and its accompanying press release further underscore the importance of adequately protecting “the public’s data privacy” and the possibility of criminal liability.
The permissible purpose provisions of the FCRA provide an exclusive list of the situations in which consumer reporting agencies may disclose consumer information. In one such situation, consumer reporting agencies may disclose consumer reports to a user who it has “reason to believe” has a legally permissible purpose for its use. The FCRA Advisory Opinion describes practices that are considered violations of this provision, including:
Who is considered a consumer reporting agency? Under the FCRA, a consumer reporting agency is a person or entity which regularly assembles or evaluates consumer information to disseminate consumer reports to third parties in exchange for a fee or other form of compensation.
Who is considered consumer report user? A consumer report user is a person or entity that requests a consumer report from a consumer reporting agency. A user must have a permissible purpose for using the report.
The FCRA Advisory Opinion and the CFPB’s recent statements and advisory opinions regarding consumer data protection are strong indications of the CFPB’s enforcement priorities. We recommend that all companies that might be considered consumer reporting agencies review their FCRA policies and procedures to ensure compliance.
Recommendations when providing consumer reports:
Recommendations when requesting consumer reports:
The CFPB has taken an expansive view of the definition of “consumer reporting agency” choosing to specifically utilize the term “consumer reporting company” throughout the FCRA Advisory Opinion. This continues the Bureau’s efforts to emphasize that the FCRA applies to a much larger group of companies than those that might be considered more traditional consumer reporting agencies. For example, the CFPB published a list of companies that may potentially be considered consumer reporting agencies under the FCRA. The list includes companies that collect and provide reports based upon non-financial data such as medical diagnoses and prescription drug purchase history.
The regulatory landscape of the FCRA may see rapid change as the CFPB marches forward with new advisory opinions and interpretive rules that impact both financial and non-financial companies. The CFPB is not the only regulatory agency with a regulatory eye towards data protection. The FTC has long taken the position that unreasonable security practices, when taken together, can constitute an unfair trade practice, and that misrepresenting security practices can constitute a deceptive practice under the FTC act. As such, the FTC has made numerous settlements with companies who have allegedly misused or failed to adequately protect their customers’ data. For more information on the FTC’s recent announcements regarding data breach notification, see Orrick’s thoughts here.
With new state data protection laws in California, Virginia, Colorado, Utah and Connecticut all going into effect in 2023, the time is now to adequately assess data protection requirements under both federal and state law and to develop an effective compliance program. See Orrick’s U.S. State Consumer Privacy Guide here. Building compliance into products and across organizational policies will allow companies to better serve clients and avoid costly regulatory actions. Stay tuned to Orrick Insights for updates, analyses, and recommendations regarding important regulatory changes.
Contact Melissa Baal Guidorizzi, and David Devich if you have any questions regarding best practices for compliance with the FCRA. Contact Shannon Yavorsky and Ryan McKenney if you have questions regarding the privacy law implications of the CFPB’s FCRA Advisory Opinion.