RegFi Episode 53: Expanding the FCRA to Data Brokers
25 min listen
RegFi Co-Hosts Jerry Buckley, Sherry Safchuk and Sasha Leonhardt explore the implications of the CFPB’s recently proposed amendments to Regulation V that would apply the Fair Credit Reporting Act to data brokers. The conversation examines the Bureau’s purpose in proposing the rule and key changes, how this interpretation of the FCRA could have an impact well beyond data brokers, and the path forward for the proposed changes to Reg. V considering the expected change in CFPB leadership next year.
Links:
Jerry Buckley: |
Hello, this is Jerry Buckley, and I’m here with RegFi cohosts Sasha Leonhardt and Sherry Safchuk. Today, we are going to be discussing a new and somewhat controversial rule proposed by the CFPB on December 3, 2024. Over the past several years, data brokers have been subject to increasing scrutiny from federal and state regulators, and also from enforcement agencies. On December 3, the Consumer Financial Protection Bureau took the significant step toward expanding data broker oversight and upending the regulatory environment by proposing the “Protecting Americans from Harmful Data Broker Practices,” the “Proposed Rule,” as we’ll call it. The Proposed Rule would significantly revise Regulation V, which implements the Fair Credit Reporting Act. So let’s dive right in by asking Sasha to describe at a high level the stated objectives of the rule and the changes it would make in existing regulatory landscape. |
Sasha Leonhardt: | Sure thing, Jerry, and thanks for chatting today about this. To understand how we got here with this Proposed Rule, let’s look back first. As you noted, the CFPB and the FTC have been focused closely on data brokers for some time now. The FTC has entered into several enforcement actions, leveraging its UDAP authority under the Federal Trade Commission Act over the past few years. These enforcement actions have focused on a variety of different companies, sources of data, and practices by data brokers and others. In 2022, the FTC issued its own advance notice of proposed rulemaking related to commercial surveillance and data security that would have covered the data broker industry. In March 2023, the CFPB stepped into the mix. It kicked off its review of this issue in earnest by issuing a request for information related to data brokers and their practices. Now, the 2023 RFI asserted that data brokers are subject to limited federal or state oversight. It asked for information about the industry as a whole, as well as consumers’ experiences with data brokers and their assessment of the benefits and harms that come from data brokers. And the CFPB made clear in its request for information its intent to use the Fair Credit Reporting Act to govern the actions of data brokers. But just last week, the CFPB issued a Proposed Rule to amend Regulation V, which, as you noted, implements the Fair Credit Reporting Act. And the Proposed Rule gives us a lot to talk about today. We’re going to go over this for the next 30 minutes or so, and I don’t want to steal everyone’s thunder. But at a high level, the rule does two things. First, it alters some of the key definitions under FCRA with an aim to incorporating data brokers. And second, it revises some of the permissible purposes and protections for consumers under FCRA. Now, I’ll note at the outset, this is a Proposed Rule. It is not yet in effect, and several steps would need to occur before this is binding upon anyone. But if it does come into effect, it could remake both the data broker industry and significantly affect how consumer reporting agencies and the companies that obtain and use consumer reports run their businesses. |
Jerry: | Sasha, thanks for setting the table. And, Sherry, let’s dig into the Proposed Rule. The CFPB spends quite a bit of time discussing the changes made in definitions of the terms “consumer report” and “consumer reporting agencies.” What stuck out to you about these changes, and how do you think these changes will affect the industry? |
Sherry Safchuk: | Thanks, Jerry. If enacted, this Proposed Rule would be a big deal. Let’s start with the changes to the term “consumer reporting agency.” If enacted, the CFPB would interpret the term “assembles or evaluates” broadly enough to capture data brokers in the definition of consumer reporting agency. The Proposed Rule would make companies who we think of as data brokers or companies that help process a transaction into a consumer reporting agency. The Proposed Rule would interpret “assembles” or “evaluates” to include a variety of actions with respect to consumer data, including gathering, assessing, verifying, validating, altering, or even reformatting the data. The CFPB provides five examples of when a person is considered to assemble or evaluate consumer information. The first example is one that you would think is covered--when a person groups or categorizes information. However, the other four examples would bring in a whole host of entities that are not today considered consumer reporting agencies. This includes entities that modify the date field to format years to four digits instead of two, entities that retain customer information, or entities that verify or validate information. As you’ll notice, some of these examples don’t involve bringing together information or applying judgment. This means that companies will need to reevaluate how they process data. I also want to turn to the changes to the definition of “consumer report,” or as folks generally know, a “credit report.” Credit report or consumer reports are reports that are used by companies to make decisions about consumers’ financial eligibility or insurance eligibility or for employment purposes. Currently, certain aspects of the definition of consumer report are open for interpretation, but the Proposed Rule would define certain aspects of the definition to expand the term to include information that we would have generally not thought of as consumer report information: information that is used or expected to be used for eligibility or some other benefit. The Proposed Rule would establish two tests for determining whether the information is expected to be used. First, the person making the communication expects or should expect that the user of the report will use that information for eligibility or other benefit. And the second bucket is information that’s automatically considered consumer report information. And that’s consumer credit history, credit score, debt payments, or income or other financial data points. |
Sasha: | And, Sherry, just to go back previously, I just want to jump in on this about how the CFPB would revise the definition of “consumer report.” One thing I want to highlight is that in its commentary to the proposed data broker rule, a report that contains purely credit header data would now be a consumer report. In fact, the term credit header explicitly appears 26 times in the commentary to the Proposed Rule. Unfortunately, this change is not specifically called out in the text of the Proposed Rule, but I thought it’s so important to note. I just wanted to make sure that no one missed that, because it may go under the radar if you’re just looking at the actual operative text. |
Jerry: | Thank you, Sasha. And, you know, it might be helpful to our audience to just recite a few of the parties currently not considered to be covered by the Fair Credit Reporting Act who would now be swept in by this broader definition. Just a few examples, if you could give them. |
Sasha: | Yeah. So let me back up to kind of go over what is credit header data and then what parties are going to come in under that. Credit header data is the data that’s used as a personal identifier when preparing a consumer report. It’s the name, date of birth, address, social, telephone number — those data points that are used to determine who we’re talking about. Critically, it is not data about credit trade lines, applications for credit, etc. It’s purely this identifying information. And it gets that name because it is in the header position on the report, at the top of it, when you get a paper credit report. Several companies, large and small, currently offer to provide this sort of identifying credit header information for limited purposes, such as identity verification, fraud detection, and so forth. Now, under FCRA as it currently stands, if a company provides this identifying header information as part of an overall consumer report with trade lines, then the entire report would be a consumer report. Don’t think there’s any question there. But the way FCRA is written currently, and as it sits now under Regulation V, if you just provide the header data, that’s not viewed as a consumer report, since this information — the name, the address, the social — doesn’t bear on creditworthiness. It’s just used for identifying purposes, and the company is not operating as a consumer reporting agency. Critical to the Proposed Rule, however, is that if it comes to play in its current form, providing this purely identifying information would be subject to FCRA. What that means is that this data, again, would be consumer report, and the company providing it would be a consumer reporting agency if they meet all the other tests under FCRA. And one final note I’ll put out here, this position that this credit header data, identifying data, is not a consumer report, is not a new position the industry’s taken that the CFPB is suddenly reacting to. This has been the position for years, and the FTC acknowledged this in its 40 Years report that it issued prior to losing rule-writing authority under the Fair Credit Reporting Act to the CFPB with the Dodd-Frank Act. So this is a long-standing position. But if the Proposed Rule becomes final, it’s going to upend this, and it’s going to expand, again, the applicability of FCRA to a new class of companies out there providing this sort of data. |
Jerry: | Well, Sherry, the CFPB spends quite a bit of time discussing de-identification of consumer information. They introduce three alternatives. Can you describe the alternatives and your thoughts about the alternatives? And also, how do you view this guidance in light of CFPB’s noting that most de identified data can be tracked back to a consumer? |
Sherry: | Of course, Jerry. The preamble of the Proposed Rule spends quite a bit of time discussing whether de-identified information should be considered a consumer report. Their concern is that de-identified information can be used to re identify individuals — for example, with the use of publicly available information — and to target individuals in violation of their right to privacy. The CFPB also cited to articles that mentioned an algorithm capable of identifying 99.98% of Americans from almost any available data set with as few as 15 attributes, such as gender, zip code, or marital status. The CFPB proposed treating de-identified data in one of the following ways. The first proposal is a bright-line approach. Consumer report information would continue to be considered consumer report information even if it was de-identified. Of course, this proposal likely would be the easiest to implement, but is the most restrictive to the industry. The second proposal would provide that consumer report information would continue to be considered consumer report information, even if it was de-identified, if such information is still linked or linkable to a consumer. And the third proposal would build on the second proposal and expand the types of de-identified data that would be considered consumer report. So, the other two elements would be that the information was used to inform a business decision or that the person that receives the communication is able to identify the consumer whom the information it pertains. So we can see here that the CFPB is really trying to focus on de-identified information that can be re-identified. |
Jerry: | So, Sherry, there have been some changes also in the permissible purpose provisions of the regulation. Could you describe them for our audience? |
Sherry: | The CFPB’s proposal attempts to streamline the current permissible purposes listed in the FCRA statute. The Proposed Rule provides that a CRA may furnish a consumer report in only three situations. The first one is with the consumer’s written instructions after they have received certain disclosures and obtained consent. And this one is currently a permissible purpose, but the CFPB expanded on what is a written instruction. The second situation is if the CRA has reason to believe that the person will use the information to make an eligibility decision for credit purposes, employment purposes, underwriting, or things of that nature. And, finally, the last situation includes in connection with court order, a subpoena, child support enforcement agency requests, requests by certain federal regulators, or other similar requests. These situations are a bit more descriptive than the current permissible purpose standard, which creates more limits on when a person may obtain a consumer report. The CFPB noted that these changes are intended to limit the use of consumer reports for marketing or advertising purposes unless the consumer authorizes such uses. |
Jerry: | That is a continuing question that we often get, as to, “How can I get access to this information and use it for marketing purposes?” And the permissible purpose standard being modified will, of course, be of interest to a lot of industry participants. The CFPB discusses this concept of legitimate business need for obtaining a consumer report. Is this a concept that is currently in FCRA? Or if not, how will this be a departure from the current rule? Sasha? |
Sasha: | So, Jerry, this is certainly part of FCRA, as Sherry noted above. The legitimate business need must be either in connection with a transaction initiated by the consumer or to review the consumer’s account. And just to dig into some of those a little bit and what they look like now, for the idea of a business transaction initiated by the consumer, the FTC’s 40 Years report gives some examples: the consumer applies for an apartment rental, a brokerage account, paying by personal check. At that point, the other party to this has a legitimate business need to get information about the consumer, to get a consumer report, because the consumer has applied for this transaction. There is a reasonable and non-pretextual business need to get a credit report. For review of an account, this is similarly a business need that’s permitted. And the FTC’s example is ensuring that a consumer still qualifies for a checking or savings account that has ongoing minimum requirements. But in the proposed data broker rule that the Bureau suggested, the Bureau states that there is not a legitimate business need for a consumer report if the use of the report is solicitation or marketing. The CFPB makes clear its view that if a company wants to use a consumer report for marketing, they must go through the formal prescreen firm offer of credit process with its various protections for consumers and opt-out rights. But simply saying that “I want a consumer report for marketing, and marketing is my legitimate business need” is not going to be permissible. Perhaps speculating just a bit here — but I think it’s pretty clear when you read the rule in the commentary — I think the Bureau’s reason for this addition is that they’re focusing on the risk that data brokers often use their information for marketing. So what they want to do is make very explicit the limits of the legitimate business need, not just relying upon what’s in the FTC’s report, but saying these particular activities, marketing and solicitation, are not legitimate business needs. Now, all that said, the Proposed Rule does leave open the possibility for direct non-prescreened marketing in one instance, and that’s if you first get the consumer’s written authorization to do such marketing. So, the consumer opts into marketing communications and authorizes a company to pull the consumer’s credit report. That would be a permissible purpose, and it could, in that instance, be used for marketing. |
Jerry: | Well, you know, the CFPB introduced a significant amount of guidance regarding written instructions for a permissible purpose. I’d anticipate that these requirements may be burdensome for consumers as well as the industry, especially in light of the fact that there are one-year limitations on the effectiveness of a written instruction. Any observations on that? |
Sherry: | I think this portion of the Proposed Rule will have significant impact on the industry and consumers. As you know, one of the permissible purposes for obtaining a consumer report currently — and in the Proposed Rule — is in accordance with the written instructions of the consumer. But the Proposed Rule sets forth significant new obligations on financial institutions and other companies that obtain consumers’ written instruction to pull consumer reports. I want to walk through the proposed changes at a high level. First, companies would be required to provide consumers with detailed written disclosures that identifies the consumer, the purpose for obtaining the report, the reporting agency that provides it, a brief description of the product or service, and a number of other data points. Companies would also need to offer consumers a way to revoke their authorization that was as easy as it was to obtain their consent. This revocation right would be a new requirement in FCRA, but it mirrors some of the laws we see at the state level, as well as the FTC’s negative option rule. Lastly, companies would need to obtain the consumer’s express informed consent and obtain their written or electronic signature if they would like to obtain a consumer report. Not only that, but there’s a one-year retention limitation. That means that a consumer’s written instructions to obtain a consumer report expires after one year. If the Proposed Rule is finalized without change, companies that rely on written authorization on an ongoing basis, such as to provide consumers with access to products or services, would need to rely on another permissible purpose or obtain a new written authorization from the consumer every year. And this is what the CFPB intended, Jerry. They wanted consumers to provide standing instructions to furnish consumer reports, and they wanted to make sure that consumer reports weren’t being kept or used for longer periods of time than the consumer needs or wants. |
Jerry: | That’s going to be a bit controversial, I would guess, especially because of the extraordinary burden of going back and getting consumer consent each time. Getting their attention to the need for written consent in the context of a transaction is very understandable. Having it come out of the blue a year later, it might wind up in the spam folder. So that certainly — I understand the purpose, but I also can see where it can be a big barrier to communications with the consumer by their financial services provider. Am I wrong on that? |
Sherry: | No, Jerry, I think that’s right. I think that will be an unintended consequence of the rule. |
Jerry: | We’ve gone over the pretty expansive revisions to Regulation V proposed by the CFPB. And, Sasha, what do you think is going to happen with this Proposed Rule, especially with the new administration coming in? And what about the states? |
Sasha: | Jerry, I’ll be honest. It’s probably unfair to ask me that during the lame duck period, but I’ll take the bait. Why not? Look, this is a Proposed Rule, and as such, it is an important and necessary step under the Administrative Procedures Act to getting a final rule in place. But it is still that: proposed. The rule is currently out for notice and comment, with comments due at the beginning of March. Now, under the ordinary course, once the comments would come into the CFPB, they’ll be reviewed by staff there and potentially incorporated into a final rule, which could take months, if not longer. Under the draft of the Proposed Rule we have, what it says is that once the final rule would be issued, they’re looking at having it take effect somewhere between 6 and 12 months thereafter. So if this ends up moving forward, there’s certainly time in front of us for that process to play out. But, of course, this all assumes that the rule is going to move forward, and it could be knocked off course at any one of a number of steps. The new administration may elect to withdraw the Proposed Rule before the comment period ends. It could choose not to move to a final rule at all once it gets the comments in. It could just say that it’s decided not to issue a final rule. A new leadership at the CFPB may decide that they want to take more time with the rule and could extend out that timeline. Or they may revise it significantly, or some combination of all of those, frankly, could happen. There’s a lot of options. Something else I’d be remiss to exclude here is potential litigation by the industry. We’re seeing more and more challenges to proposed rules by the CFPB and others, particularly in the last 12, 18, 24 months. And given the significance of this rule, if it comes into final state in its current form, I certainly could foresee that happening. But that said, why did the Bureau issue it now? It does let the CFPB’s current leadership set forth their position on the Fair Credit Reporting Act and on data brokers. But that may only last as long as when new leadership is installed at the Bureau. |
Sherry: | Sasha, I would also note that the CFPB may have issued the Proposed Rule as a guide for states. |
Sasha: | I think that’s right, Sherry. I think the Bureau may be attempting through the notice and comment process to communicate with the states what could be ways for states to move forward and regulate here. That’s a good point. And moving on to kind of the existing state laws in place, we’re not seeing similar substantive rules, but there are several states that have data broker rules in place right now. Now, notably, those state data broker rules generally exempt data or entities, depending upon the rule, covered by the Fair Credit Reporting Act. What that could mean practically is that if this rule comes into effect in its current state, it may create regulation for data brokers and entities under the Fair Credit Reporting Act, but, coincidentally, could strip authority from the states to govern data brokers. We may see state legislatures pivot in response. We may see discussions about preemption if that happens. It’s unclear how that will play out, and that’s certainly a couple steps down the line, and there’s a lot of moving parts. But, overall, I think one of the big takeaways here is that there’s a lot of uncertainty here, but if this does come into effect in its current state, it’s going to very significantly affect not only data brokers, but also current consumer reporting agencies and companies right now that are getting consumer reports. It really could shake the industry. |
Jerry: | Sasha, thanks for that prognostication and observation. I think we all feel that this has a long path ahead and many twists and turns in that path. And your observation about the preemptive effect on states is fascinating. So, you know, we’ve run out of time. I want to thank our listeners for joining us for this discussion. The rule is very new. We’re all getting our heads around it, but it certainly bears watching. So thank you for joining us, and thank you, Sasha and Sherry. |
Sherry: | Thank you. |
Sasha: | Thank you, Jerry. |
Please do not include any confidential, secret or otherwise sensitive information concerning any potential or actual legal matter in this e-mail message. Unsolicited e-mails do not create an attorney-client relationship and confidential or secret information included in such e-mails cannot be protected from disclosure. Orrick does not have a duty or a legal obligation to keep confidential any information that you provide to us. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.
By clicking "OK" below, you understand and agree that Orrick will have no duty to keep confidential any information you provide.