89 FR 240 pgs. 101402-101462 - Protecting Americans From Harmful Data Broker Practices (Regulation V)
Type: PRORULE
Volume: 89
Number: 240
Pages: 101402 - 101462
Docket number: [Docket No. CFPB-2024-0044]
FR document: [FR Doc. 2024-28690 Filed 12-12-24; 8:45 am]
Agency: Consumer Financial Protection Bureau
CONSUMER FINANCIAL PROTECTION BUREAU
12 CFR Part 1022
[Docket No. CFPB-2024-0044]
RIN 3170-AB27
Protecting Americans From Harmful Data Broker Practices (Regulation V)
AGENCY:
Consumer Financial Protection Bureau.
ACTION:
Proposed rule; request for public comment.
SUMMARY:
The Consumer Financial Protection Bureau (CFPB) is issuing a proposed rule for public comment to amend Regulation V, which implements the Fair Credit Reporting Act (FCRA). The proposed rule would implement the FCRA's definitions of consumer report and consumer reporting agency as well as certain of the FCRA's provisions governing when consumer reporting agencies may furnish, and users may obtain, consumer reports. The proposed rule is designed to, among other things, ensure that the FCRA's protections are applied to sensitive consumer information that the statute was enacted to protect, including information sold by data brokers.
DATES:
Comments must be received on or before March 3, 2025.
ADDRESSES:
You may submit comments, identified by Docket No. CFPB-2024-0044 or RIN 3170-AB27, by any of the following methods:
• Federal eRulemaking Portal: https://www.regulations.gov. Follow the instructions for submitting comments. A brief summary of this document will be available at https://www.regulations.gov/docket/CFPB-2024-0044.
• Email: 2024-NPRM-CONSUMER-REPORTING@cfpb.gov. Include Docket No. CFPB-2024-0044 or RIN 3170-AB27 in the subject line of the message.
• Mail/Hand Delivery/Courier: Comment Intake-Protecting Americans from Harmful Data Broker Practices (Regulation V), c/o Legal Division Docket Manager, Consumer Financial Protection Bureau, 1700 G Street NW, Washington, DC 20552.
Instructions: The CFPB encourages the early submission of comments. All submissions should include the agency name and docket number or Regulatory Information Number (RIN) for this rulemaking. Because paper mail is subject to delay, commenters are encouraged to submit comments electronically. In general, all comments received will be posted without change to https://www.regulations.gov.
All submissions, including attachments and other supporting materials, will become part of the public record and subject to public disclosure. Proprietary information or sensitive personal information, such as account numbers or Social Security numbers, or names of other individuals, should not be included. Submissions will not be edited to remove any identifying or contact information.
FOR FURTHER INFORMATION CONTACT:
George Karithanom, Regulatory Implementation and Guidance Program Analyst, Office of Regulations, at 202-435-7700 or https://reginquiries.consumerfinance.gov/. If you require this document in an alternative electronic format, please contact CFPB_Accessibility@cfpb.gov.
SUPPLEMENTARY INFORMATION:
Data brokers, including consumer reporting agencies, collect information about, among other things, the credit, criminal, employment, and rental histories of hundreds of millions of Americans. They analyze and package this information into reports used by creditors, insurers, landlords, employers, and others to make decisions about consumers. This collection, assembly, evaluation, dissemination, and use of vast quantities of often highly sensitive personal and financial data about consumers poses a significant threat to consumer privacy. It can also threaten national security and facilitate numerous tangible consumer harms, such as financial scams and the identification of victims for stalking and harassment.
Congress enacted the Fair Credit Reporting Act (FCRA) 1 in part to protect consumer privacy by regulating the communication of consumer information by consumer reporting agencies. The statute subjects such communications, which are referred to as consumer reports, to certain requirements and limitations, and it affords certain protections to consumers. For example, the FCRA imposes clear bright-line rules permitting people to obtain consumer reports from consumer reporting agencies only for certain specified purposes, known as permissible purposes, and forbidding consumer reporting agencies from furnishing consumer reports to users who lack a permissible purpose. In addition, consumers have various rights under the FCRA, such as the right to dispute the accuracy of information in their file and to be notified when, for example, a creditor, landlord, or employer relies on consumer report information to make a negative decision about the consumer's application for credit, housing, or employment.
Footnotes:
1 15 U.S.C. 1681 et seq.
In recent years, the consumer reporting marketplace has evolved in ways that imperil Americans' privacy. There is an emerging consensus that intrusive surveillance and aggregation of sensitive data about consumers can create conditions for harming national security by exposing information that could be exploited by countries of concern. 2 Stalkers and domestic abusers can also obtain sensitive contact information from data brokers to contact or locate people who do not wish to be contacted or located, such as domestic violence survivors. In addition, vast troves of sensitive data, including, for example, individualized data about a consumer's finances, are bought and sold, without consumers' knowledge or consent, by data brokers who believe that the FCRA does not apply to them or to some of their activities. This data can be leveraged to scam or defraud people. Data brokers evading coverage under the FCRA include traditional consumer reporting agencies and recent market entrants using new business models and technologies to collect and analyze consumer information on an unprecedented scale. The CFPB is proposing this rule to address when a data broker is covered by the FCRA, and to protect Americans from the harms and invasions of privacy created by certain data broker activities that violate the FCRA.
Footnotes:
2 See, e.g., E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024); Justin Sherman et al., Data Brokers and the Sale of Data on U.S. Military Personnel: Risks to Privacy, Safety, and National Security (Nov. 2023) (hereinafter Duke Report on Data Brokers and Military Personnel Data), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf.
I. Summary of the Proposed Rule
The CFPB proposes to implement the FCRA's definitions of consumer report and consumer reporting agency in several respects to ensure that the FCRA's protections apply to all data brokers that transmit the types of consumer information that Congress designed the statute to protect, and to the types of activities that Congress designed the statute to regulate. For example, the proposed rule:
• Provides that data brokers that sell information about a consumer's credit history, credit score, debt payments (including on non-credit obligations), or income or financial tier generally are consumer reporting agencies selling consumer reports, regardless of the
• Provides that a communication by a consumer reporting agency of a portion of the consumer report that consists of personal identifiers such as the consumer's name, address, or age, is a consumer report if the information was collected for the purpose of preparing a consumer report about the consumer;
• Includes provisions intended to prevent privacy harms associated with the re-identification of de-identified consumer report information;
• Provides that a communication by a consumer reporting agency of information about a consumer is a consumer report if the information is used for an FCRA-covered purpose, regardless of whether there is evidence that the consumer reporting agency knew or expected that the information would be used for such a purpose;
• Provides that an entity that otherwise meets the definition of consumer reporting agency is a consumer reporting agency if it assembles or evaluates information about consumers, including by collecting, gathering, or retaining; assessing, verifying, or validating; or contributing to or altering the content of such information.
The CFPB also proposes to address certain aspects of FCRA section 604(a) regarding permissible purposes to furnish and obtain consumer reports. These proposals are designed to ensure that consumer reports are furnished for permissible purposes under the FCRA, and for no other reasons. For example, the proposed rule:
• Provides that a consumer reporting agency furnishes a consumer report to a person when the consumer reporting agency facilitates the person's use of the consumer report for the person's financial gain, even if the consumer reporting agency does not technically transfer the consumer report to the person;
• Provides that the FCRA provision that authorizes a consumer reporting agency to furnish a consumer report in accordance with the written instructions of the consumer can be used to obtain a consumer report for any reason specified by a consumer, but only if the consumer signs a separate authorization that is not hidden in fine print and that discloses certain information to the consumer, including the reason for obtaining the report; and
• Provides that the FCRA's permissible purpose relating to legitimate business needs for consumer reports does not authorize furnishing of consumer reports for marketing.
The proposal would not interfere with consumer reporting agencies' ability to furnish consumer reports to either prevent fraud or verify the identity of a consumer when done in connection with a permissible purpose, like credit applications, government benefits, bank account opening, and rental applications, and in compliance with the FCRA's other requirements.
II. Background
A. History and Purposes of the FCRA
Congress enacted the FCRA, one of the first data privacy laws in the world, in 1970. The FCRA's enactment was the culmination of multiple Congressional investigations into the growing data surveillance industry. 3 By the late 1960s, the industry was already of "vast size and scope." 4 It involved: (1) the collection by private entities, known as consumer reporting agencies, of information about tens of millions of American consumers, including information about "their employment, income, billpaying record, marital status, habits, character and morals"; 5 (2) the assembly and evaluation of this information by consumer reporting agencies in order to create elaborate dossiers about individual consumers; and (3) the sale of those dossiers to a range of entities, including to potential creditors and employers, who used them to make eligibility determinations about consumers. 6
Footnotes:
3 See generally Robert M. McNamara Jr., The Fair Credit Reporting Act: A Legislative Overview, 22 J. Public Law 67, 77-88 (1973) (hereinafter Fair Credit Reporting Act: A Legislative Overview).
4 115 Cong. Rec. S2410 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire) ("For example, the Associated Credit Bureaus of America have over 2,200 members serving 400,000 creditors in 36,000 communities. These credit bureaus maintain credit files on more than 110 million individuals and in 1967 they issued over 97 million credit reports.").
5 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
6 See generally 115 Cong. Rec. S2410-11 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
Before the FCRA's passage, the consumer reporting industry was subject to "an almost complete lack of regulation," 7 leaving consumers largely powerless to protect themselves from a wide range of serious harms. 8 Congressional hearings revealed an industry shrouded in secrecy. Many consumer reporting agencies prohibited consumer report users from disclosing to consumers that information in a consumer report was the reason for an adverse decision, such as the denial of credit, or the name of the consumer reporting agency that prepared the report on which the user relied. 9 According to one contemporary commentator, "[w]hether the consumer ever discovered the cause of his being rejected was largely a matter of an educated guess or clairvoyance bordering on blind luck." 10 But even if a consumer knew the reason for an adverse decision and the name of the consumer reporting agency, this often was not enough: consumers were not always permitted to access their files or dispute inaccurate information. 11 And even if a consumer overcame these obstacles and managed to file a dispute, the investigations conducted by consumer reporting agencies were often standardless and shoddy, in part because many consumer reporting agencies deemed investigations too costly to conduct. 12
Footnotes:
7 S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969).
8 See generally Fair Credit Reporting Act: A Legislative Overview, supra note 3, at 77-88; S. Rep. No. 517, 91st Cong., 1st Sess. 3-4 (1969); 115 Cong. Rec. S2410-14 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
9 S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
10 Fair Credit Reporting Act: A Legislative Overview, supra note 3, at 79.
11 S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
12 Fair Credit Reporting Act: A Legislative Overview, supra note 3, at 81-82; S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
Congressional hearings further revealed that many consumer reporting agencies at that time exhibited only a marginal commitment to accuracy. Consumer reports sometimes included information that was false or incomplete or that pertained to the wrong consumer altogether. 13 Indeed, consumer reporting agencies often disclaimed the accuracy of their reports, portraying themselves as mere transmitters of information without responsibility for ensuring that the information was correct. 14 Because consumers generally were unable to see the information for themselves and have it corrected, the harms that flowed from the communication of inaccurate, incomplete, irrelevant, and outdated information could be intractable.
Footnotes:
13 115 Cong. Rec. S2411-12 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
14 Fair Credit Reporting Act: A Legislative Overview, supra note 3, at 80.
Congressional hearings also revealed that the consumer reporting industry posed significant privacy risks to consumers, and the legislative history suggests that Congress was concerned about the invasion of consumer privacy generally, as well as the specific harms
Footnotes:
15 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
16 Id.
17 S. Rep. No. 517, 91st Cong., 1st Sess. 4 (1969); 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
18 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).
Congress sought to address these and other consumer harms in the FCRA. In enacting the statute, it found that consumer reporting agencies played a "vital role" in assembling and evaluating consumer information to meet the needs of commerce, but that rules were necessary to ensure that consumer reporting agencies conduct their activities in a manner that is "fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization" of that information. 19 Accordingly, the FCRA established a framework with four principal pillars: (1) a bright-line prohibition on using or disseminating consumer reports unless for one of the limited permissible purposes identified by Congress; (2) a requirement that consumer reporting agencies follow reasonable procedures to assure the maximum possible accuracy of consumer reports; (3) a consumer right to dispute inaccurate or incomplete information and have it corrected; and (4) a consumer right to see the information that a consumer reporting agency possesses about the consumer. In the years since its passage in 1970, the FCRA has been amended many times, including to expand the statute's reach so that it now imposes obligations not just on consumer reporting agencies and consumer report users, but also on the entities that furnish information to consumer reporting agencies. 20
Footnotes:
19 FCRA section 602, 15 U.S.C. 1681 (Congressional findings and statement of purpose).
20 See, e.g., Fair & Accurate Credit Transactions Act of 2003, Public Law 108-159 (2003); Consumer Credit Reporting Reform Act of 1996, Public Law 104-208 (1996).
The CFPB's Regulation V, 12 CFR part 1022, generally implements the FCRA. In 2003, Congress granted the Federal Trade Commission (FTC) and several other Federal agencies rulemaking authority for certain FCRA provisions. 21 For some provisions the authority was joint; for others it was exclusive to a particular agency. Over the next several years, the FTC and those agencies issued multiple rules implementing various provisions of the statute. 22 With the passage of the Consumer Financial Protection Act of 2010 (CFPA), Congress transferred rulemaking authority for most provisions of the FCRA to the CFPB. 23
Footnotes:
21 See Fed. Trade Comm'n, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations, at 5-6 (July 2011) (hereinafter FTC 40 Years Staff Report), https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf.
22 See, e.g., 74 FR 31484 (July 1, 2009); 69 FR 63922 (Nov. 3, 2004); 69 FR 35467 (June 24, 2004).
23 See Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act), Public Law 111-203, section 1088, 124 Stat. 1376, 2086 (2010); see also Dodd-Frank Act sections 1024, 1025, and 1061, 124 Stat. 1987 (codified at 12 U.S.C. 5514, 5515, and 5581). Authority over FCRA sections 615(e) and 628, 15 U.S.C. 1681m(e) and 1681w, is limited to the Federal banking agencies and the National Credit Union Administration, the FTC, the Commodity Futures Trading Commission, and the U.S. Securities and Exchange Commission. In addition, section 1029 of the Dodd-Frank Act generally excludes from the transfer of authority to the CFPB rulemaking authority over a motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both. 12 U.S.C. 5519(a) and (c).
B. Goals of the Rulemaking
Protecting Consumer Information in the Data Broker Market
Today, Americans regularly engage in activities that reveal personal information about themselves, often without realizing it. They may, for example, visit a website, download an app, charge an item to a credit card, use a loyalty card at a grocery store or pharmacy, order goods online, subscribe to a newspaper or magazine, or make a donation. In each instance, the entity with whom the consumer interacts might collect information about the consumer. These entities might sell the consumer's information to other entities with whom the consumer does not have a relationship, or they might keep or reuse the information for themselves. Entities that collect, aggregate, sell, resell, license, enable the use of, or otherwise share consumer information with other parties are commonly known as data brokers. 24
Footnotes:
24 See 88 FR 16951, 16952-53 (Mar. 21, 2023).
Different data brokers compile and sell different types of consumer information. 25 Much of the information is private and highly sensitive, such as information about a consumer's finances, income, physical and mental health, sexual orientation, religious affiliation, and political preferences, as well as information about the websites and apps the consumer visits or uses, the stores the consumer frequents, the products the consumer buys, and the consumer's location throughout the day. 26 Data brokers obtain this information from a variety of sources, including retailers, websites and apps, newspaper and magazine publishers, and financial service providers, as well as cookies and similar technologies that gather information about consumers' online activities. 27 Other information is publicly available, such as criminal and civil record information maintained by Federal, State, and local courts and governments, and information available on the internet, including information posted by consumers on social media. 28 The volume of data collected, bought,
Footnotes:
25 See generally Urbano Reviglio, The Untamed and Discreet Role of Data Brokers in Surveillance Capitalism: A Transnational and Interdisciplinary Overview, 11 Internet Policy Review 3 (Aug. 4, 2022), https://policyreview.info/articles/analysis/untamed-and-discreet-role-data-brokers-surveillance-capitalism-transnational-and; Fed. Trade Comm'n, Data Brokers: A Call for Transparency and Accountability, at 11-18, 24, B3-B6 (May 2014) (hereinafter FTC Data Broker Report), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
26 See Am. Compl. For Permanent Inj. and Other Relief ¶¶ 72-76, 97-106, FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW (D. Idaho June 5, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf; Joanne Kim, Duke Sanford Cyber Policy Program, Data Brokers & the Sale of Americans' Mental Health Data (Feb. 2023) (hereinafter Duke Report on Data Brokers and Mental Health Data), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/02/Kim-2023-Data-Brokers-and-the-Sale-of-Americans-Mental-Health-Data.pdf; FTC Data Broker Report, supra note 25; Staff of S. Comm. on Com., Sci., & Transp., A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, at ii, 13-21 (Dec. 18, 2013), https://www.commerce.senate.gov/services/files/0D2B3642-6221-4888-A631-08F2F255B577.
27 See, e.g., Alfred Ng & Jon Keegan, Who is Policing the Location Data Industry?, The Markup (Feb. 24, 2022), https://themarkup.org/the-breakdown/2022/02/24/who-is-policing-the-location-data-industry; FTC Data Broker Report, supra note 25, at 11-14.
28 See FTC Data Broker Report, supra note 25, at 11-13.
29 Justin Sherman, Duke Sanford Cyber Policy Program, Data Brokers and Sensitive Data on U.S. Individuals: Threats to American Civil Rights, National Security, and Democracy, at 4-8 (2021) (hereinafter Duke Report on Data Brokers and Sensitive Data), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf.
Certain data brokers compile the information they collect into reports about individual consumers, which they sell to third parties for use in assessing a consumer's eligibility for credit, employment, or insurance. Data brokers may also use the information, or the inferences they have drawn from that information, to create elaborate dossiers about consumers for targeted marketing purposes. For example, a data broker may use information about a consumer's income, location, purchases, or health condition to classify the consumer (including, for instance, as "Financially Challenged," "Modest Wages," "Working-class Mom," "Senior Products Buyer," or "Consumer[?] with Clinical Depression") and then sell lists of such consumers to advertisers. 30 In addition, data brokers may use the information they collect to develop and maintain their own products, such as "people search" engines and other online lookup tools, to build proprietary algorithms, to test and run advertising campaigns, and to train machine learning systems. 31 Some data brokers simply sell the consumer information they collect to individual purchasers, including to other data brokers and members of the general public.
Footnotes:
30 See Duke Report on Data Brokers and Mental Health Data, supra note 26, at 14; FTC Data Broker Report, supra note 25, at 20-21.
31 See, e.g., Will Knight, Generative AI Is Making Companies Even More Thirsty for Your Data, Wired (Aug. 10, 2023), https://www.wired.com/story/fast-forward-generative-ai-companies-thirsty-for-your-data/.
Government agencies, technology and privacy experts, consumer advocates, and others have identified a range of consumer harms posed by data brokers that treat consumer information as though it is not subject to the FCRA. 32 As discussed further in part IV, the data broker industry can threaten national security. For example, countries of concern can obtain from data brokers the financial information of active military members, such as income and level of indebtedness, to compromise or blackmail them in an effort to obtain sensitive national security information. The data broker industry also is used to facilitate a range of financial scams. For example, fraudsters can obtain from data brokers lists of people with income below a certain threshold, which can be used to pitch predatory and unlawful products to families in financial distress. The highly sensitive information collected and sold by data brokers also is an attractive target for other bad actors. For example, thieves can obtain information from data brokers that enables them to steal people's identities and open new accounts or drain existing ones. And stalkers, harassers, and other criminals can use sensitive information obtained from data brokers to contact people who do not wish to be contacted, such as domestic violence survivors.
Footnotes:
32 See, e.g., Elec. Privacy Info. Ctr., Disrupting Data Abuse: Protecting Consumers from Commercial Surveillance in the Online Ecosystem (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf; Duke Report on Data Brokers and Sensitive Data, supra note 29; FTC Data Broker Report, supra note 25.
To date, however, many data brokers have attempted to avoid liability under the FCRA by arguing that they are not consumer reporting agencies selling consumer reports, as those terms are defined in the statute. Many data brokers have made these arguments even though they collect, assemble, evaluate, or sell the same information as other consumer reporting agencies, and even though their activities pose the same risks to consumers that motivated the FCRA's passage. As explained further below, the proposed rule provides that the FCRA's definitions of consumer reporting agency and consumer report cover a wide range of data brokers and data broker activities under the FCRA. If the proposed rule is finalized, one practical effect would be that additional data brokers would be prohibited from selling information for non-FCRA purposes, thus limiting the transmission of information that is used to market products to consumers, and to scam, defraud, stalk, or harass them.
Protecting Consumer Information From Unauthorized Disclosure by Consumer Reporting Agencies
The CFPB also has observed that consumer reporting agencies continue to engage in practices that may be harmful to consumers. The consumer credit reporting industry has consistently been a major source of consumer complaints to the CFPB. Complaints about credit or consumer reporting represented roughly 80 percent of consumer complaints submitted to the CFPB during 2023, far more than any other category of consumer product or service. 33 Indeed, credit or consumer reporting has been the most-complained-about category of consumer financial product or service to the CFPB every year since 2017. 34 One ongoing area of concern for the CFPB is consumer reporting agencies engaging in practices that may threaten consumer privacy.
Footnotes:
33 Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 11 (Mar. 2024), https://files.consumerfinance.gov/f/documents/cfpb_cr-annual-report_2023-03.pdf (noting that the CFPB received approximately 1.3 million credit or consumer reporting complaints in 2023, a 34 percent increase compared to 2022).
34 Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 11 (Mar. 2023), https://files.consumerfinance.gov/f/documents/cfpb_2022-consumer-response-annual-report_2023-03.pdf; Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 3 (Mar. 2022), https://files.consumerfinance.gov/f/documents/cfpb_2021-consumer-response-annual-report_2022-03.pdf; Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 9 (Mar. 2021), https://files.consumerfinance.gov/f/documents/cfpb_2020-consumer-response-annual-report_03-2021.pdf; Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 9 (Mar. 2020), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2019.pdf; Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 9 (Mar. 2019), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2018.pdf; Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 9 (Mar. 2018), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2017.pdf.
As discussed above, privacy was a key motivating factor for passage of the FCRA, and the FCRA protects consumer privacy in multiple ways, including by strictly limiting the circumstances under which consumer reporting agencies may disclose consumer information. For example, FCRA section 604, entitled "Permissible purposes of consumer reports," identifies an exclusive list of permissible purposes for which consumer reporting agencies may furnish consumer reports, including in accordance with the written instructions of the consumer to whom the report relates and for purposes relating to credit, employment, and insurance. 35 The FCRA's
Footnotes:
35 15 U.S.C. 1681b(a). Other sections of the FCRA identify additional limited circumstances under which consumer reporting agencies are permitted or required to disclose certain information to government agencies. See FCRA sections 608, 626, and 627, 15 U.S.C. 1681f, 1681u, 1681v; see also, e.g., FTC v. Manager, Retail Credit Co., Miami Beach Branch Off., 515 F.2d 988, 994-95 (D.C. Cir. 1975) (holding that 15 U.S.C. 1681s(a) authorizes the FTC to obtain consumer reports in FCRA enforcement investigations). Further, the Debt Collection Improvement Act of 1996, Public Law 104-134, 110 Stat. 1321, section 31001(m)(1), allows the head of an executive, judicial, or legislative agency to obtain a consumer report under certain circumstances relating to debt collection. See 31 U.S.C. 3711(h). The proposed rule is not intended to alter the additional circumstances in which government agencies may obtain consumer report information.
For example, consumer reporting agencies sell personal identifiers collected for the purpose of preparing consumer reports (often known as "credit header" information) to third parties who may not have an FCRA-permissible purpose to obtain the information. The sale by consumer reporting agencies of personal identifiers, which may include sensitive information such as a consumer's Social Security number, contributes to the availability of such information for purchase online, potentially by fraudsters and other persons seeking to dox and expose consumers' personal information or otherwise exploit or harm consumers. The proposed rule would take steps to address this problem by providing that the term "consumer report" includes communications by a consumer reporting agency of personal identifiers that were collected for the purpose of preparing consumer reports and that such information therefore can be sold by consumer reporting agencies only to users who have a permissible purpose to obtain it.
The CFPB is also aware that consumer reporting agencies offer and sell to users who do not have an FCRA permissible purpose a variety of products that include information that has been drawn from consumer reporting databases and that has been aggregated or otherwise purportedly de-identified to try to mask the identities of the individual consumers to whom the information relates. This information may be sold or made available, for example, for use in marketing campaigns, even though advertising and marketing generally are not permissible purposes under the FCRA. 36 As with the sale of personal identifiers, the sale of purportedly de-identified information about consumers to users who do not have an FCRA permissible purpose to obtain it contributes to the proliferation of sensitive consumer information available for purchase online. The CFPB is concerned that advances in technology have made, and will continue to make, it easier for users to combine data and identify consumers within purportedly de-identified data sets, and that the sale of such information by consumer reporting agencies thus threatens the privacy of consumer information in the very ways Congress designed the FCRA to prevent. The CFPB proposes three possible alternatives to address this problem and clarify when a communication by a consumer reporting agency of information about a consumer is a consumer report.
Footnotes:
36 An exception exists for the purpose of making firm offers of credit or insurance. FCRA section 604(c)(1)(B), 15 U.S.C. 1681b(c)(1)(B). In addition, a consumer reporting agency may provide a consumer report to a user "in accordance with the written instructions of the consumer" to whom the report relates. FCRA section 604(a)(2), 15 U.S.C. 1681b(a)(2).
In addition to general concerns regarding the privacy of consumers' sensitive information, the CFPB is concerned that consumer reporting agencies are monetizing consumer report information for use in marketing in ways that the FCRA prohibits. As noted, marketing and advertising generally are not permissible purposes for furnishing or obtaining consumer reports. Nevertheless, as technology has advanced, consumer reporting agencies have begun to employ techniques and business models designed to evade this restriction. The proposed rule would address these developments and would emphasize that the FCRA's legitimate business need permissible purpose does not authorize consumer reporting agencies to furnish consumer reports to users for solicitation or marketing purposes.
The CFPB additionally proposes to specify what is needed to establish a permissible purpose based on the written instructions of a consumer. This proposed provision is intended to ensure that consumer reporting agencies and consumer report users do not abuse the written instructions permissible purpose by purportedly obtaining consumer consent to furnish or obtain a consumer report pursuant to disclosures buried within lengthy terms and conditions or otherwise presented to the consumer in a manner that interferes with the consumer's ability to make informed decisions.
C. Outreach and Engagement
Request for Information
On March 15, 2023, the CFPB issued a Request for Information (RFI) regarding the data broker industry and business practices involving the collection and sale of consumer information. 37 The RFI sought information about new business models that sell consumer data and about consumer harm that could result from such business models. The CFPB received over 7,000 comments in response to the RFI. The comments helped to inform the CFPB's approach to the proposed rule.
Footnotes:
37 88 FR 16951 (Mar. 21, 2023) (hereinafter CFPB Data Broker RFI).
Small Business Review Panel
Pursuant to the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), 38 the CFPB issued an Outline of Proposals and Alternatives under Consideration in connection with this proposal in September 2023. 39 The CFPB convened a Small Business Review Panel (Panel) on October 16, 2023, and held Panel meetings on October 18 and 19, 2023. Representatives from 16 small businesses were selected as small entity representatives for the SBREFA process. These entities represented small businesses that the CFPB determined would likely be directly affected by one or more of the proposals under consideration. On December 15, 2023, the Panel completed the Final Report of the Small Business Review Panel on the CFPB's Proposals and Alternatives Under Consideration for the Consumer Reporting Rulemaking. 40 The CFPB also invited and received feedback on the proposals under consideration from others, including stakeholders other than small entity representatives, although this feedback was not included in the Small Business Review Panel Report. 41 The CFPB has considered the
Footnotes:
38 Public Law 104-121, 110 Stat. 857 (1996).
39 Consumer Fin. Prot. Bureau, Small Business Advisory Review Panel For Consumer Reporting Rulemaking-Outline of Proposals and Alternatives Under Consideration (Sept. 15, 2023) (hereinafter Small Business Review Panel Outline or Outline), https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf.
40 Consumer Fin. Prot. Bureau, Final Report of the Small Business Review Panel on the CFPB's Proposals and Alternatives Under Consideration for the Consumer Reporting Rulemaking (Dec. 15, 2023) (hereinafter Small Business Review Panel Report or Panel Report), https://files.consumerfinance.gov/f/documents/cfpb_sbrefa-final-report_consumer-reporting-rulemaking_2024-01.pdf.
41 Feedback received on the Small Business Review Panel Outline will be placed on the public docket for this rulemaking.
This proposed rule does not address feedback received as part of the SBREFA process about proposals that were under consideration regarding medical debt collection information. Those proposals under consideration were addressed in the CFPB's proposed rule regarding consumer reporting of medical information. 42 This proposed rule also does not address feedback received as part of the SBREFA process about proposals that were under consideration regarding data security and data breaches, disputes involving legal matters, and disputes involving systemic issues. Those topics are not included in this proposed rule.
Footnotes:
42 89 FR 51692 (June 18, 2024) (hereinafter CFPB Medical Debt Proposed Rule).
Interagency and Stakeholder Consultations
Consistent with section 1022(b)(2)(B) of the CFPA, the CFPB has consulted with the appropriate prudential regulators and other Federal agencies, including regarding consistency with any prudential, market, or systemic objectives administered by these agencies. The CFPB has also consulted with officials from certain State agencies. In addition, the CFPB has discussed the proposed rule with, and considered written feedback submitted by, a range of interested stakeholders. The CFPB discusses throughout this document feedback received through these various channels that is relevant to the proposed rule.
III. Legal Authority
The CFPB is proposing to amend Regulation V pursuant to its authority under the FCRA and the CFPA. Section 1022(b)(1) of the CFPA authorizes the CFPB to prescribe rules "as may be necessary or appropriate to enable the [CFPB] to administer and carry out the purposes and objectives of the Federal consumer financial laws, and to prevent evasions thereof." 43 The FCRA is a Federal consumer financial law, except with respect to sections 615(e) and 628. 44 Accordingly, the CFPB has authority under CFPA section 1022(b)(1) to issue regulations to administer and carry out the purposes and objectives of the FCRA and to prevent evasion thereof, except with respect to sections 615(e) and 628.
Footnotes:
43 12 U.S.C. 5512(b)(1).
44 CFPA section 1002(14), 12 U.S.C. 5481(14) (defining "Federal consumer financial law" to include the "enumerated consumer laws" and the provisions of the CFPA); CFPA section 1002(12), 12 U.S.C. 5481(12) (defining "enumerated consumer laws" to include the FCRA, except with respect to sections 615(e) and 628).
FCRA section 621(e) provides that, except with respect to sections 615(e) and 628, the CFPB "shall prescribe such regulations as are necessary to carry out the purposes of [the FCRA]." 45 Specifically, FCRA section 621(e) provides that the CFPB "may prescribe regulations as may be necessary or appropriate to administer and carry out the purposes and objectives" of the FCRA. 46 The stated purpose of the FCRA is to ensure that "consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information." 47 Except with respect to sections 615(e) and 628, the CFPB accordingly has authority to issue regulations "necessary or appropriate to administer and carry out" the provisions of the FCRA consistent with this purpose. 48 FCRA section 621(e) further provides that the CFPB may prescribe regulations as may be necessary and appropriate to prevent evasions of the FCRA or to facilitate compliance therewith. 49
Footnotes:
45 15 U.S.C. 1681s(e).
46 Id.
47 FCRA section 602(b), 15 U.S.C. 1681(b).
48 See Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244, 2263 (2024) (explaining that Congress's use of the term "appropriate" "leaves agencies with flexibility" in regulating (citation omitted)).
49 Cf. Consumer Fin. Prot. Bureau v. Townstone Fin., Inc., 107 F.4th 768, 776 (7th Cir. 2024) ("In endowing the Board with authority to prevent 'circumvention or evasion,' Congress indicated that the [Equal Credit Opportunity Act] must be construed broadly to effectuate its purpose of ending discrimination in credit applications.").
The CFPB has considered this proposed rule in the context of its legal authority under the FCRA and the CFPA and has developed the proposed provisions by relying on its expertise in understanding and developing policy regarding the consumer reporting market. The CFPB has preliminarily determined that each of the proposed provisions is consistent with the purpose of the FCRA and is authorized under FCRA section 621(e) and CFPA section 1022(b)(1). Pursuant to FCRA section 621(e), any final rule prescribed by the CFPB would apply to all persons subject to the FCRA, except as described in section 1029(a) of the CFPA. 50
Footnotes:
50 The CFPB also notes that, subject to certain exceptions, the FCRA states that it "does not annul, alter, affect, or exempt any person subject to [the FCRA] from complying with the laws of any State with respect to the collection, distribution, or use of any information on consumers, or for the prevention or mitigation of identity theft, except to the extent that those laws are inconsistent with any provision of this subchapter, and then only to the extent of the inconsistency." 15 U.S.C. 1681t(a); see also Davenport v. Farmers Ins. Grp., 378 F.3d 839, 842 (8th Cir. 2004) ("The FCRA makes clear that it is not intended to occupy the entire regulatory field with regard to consumer reports"). Therefore, State laws that are not inconsistent with the FCRA, including State laws that are more protective of consumers than the FCRA, are generally not preempted. See 87 FR 41042 (July 11, 2022).
As noted in proposed § 1022.1(b)(1) regarding the scope of Regulation V, the regulation implements only certain provisions of the FCRA. In this rulemaking, the CFPB proposes to implement for the first time in Regulation V the definitions of consumer report and consumer reporting agency in FCRA section 603(d) and (f) and the permissible purposes of consumer reports as set forth in FCRA section 604(a). 51 Unless specifically noted otherwise, the CFPB's mere restatement of statutory language is not intended to affect the status quo regarding caselaw or judicial or other interpretations that exist with respect to such restated language. Explaining the scope of Regulation V in proposed § 1022.1(b)(1) and restating certain statutory text should facilitate compliance with the statute, but the CFPB requests comment on the proposed approach.
Footnotes:
51 The proposed rule does not restate all of FCRA sections 603 and 604. Among other provisions in those sections, the proposed rule does not restate FCRA section 604(c) regarding credit or insurance transactions that are not initiated by the consumer.
IV. Discussion of the Proposed Rule
Subpart A-General Provisions
Section 1022.4 Definition; Consumer Report
In general, a consumer report under the FCRA is a written, oral, or other communication by a consumer reporting agency of any information that: (1) bears on at least one of seven specified factors relating to a consumer; and (2) is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for credit or insurance, for employment purposes, or for any other purpose authorized under FCRA section 604 (i.e., the section that establishes permissible purposes of consumer reports). The seven factors relating to a consumer specified in the definition of consumer report are a
Footnotes:
52 FCRA section 603(d), 15 U.S.C. 1681a(d).
Proposed § 1022.4(a), (f), and (g) restate the FCRA definition with minor wording and organizational changes for clarity. 53 Proposed § 1022.4(a)(1) restates the "bears on" prong of the definition, proposed § 1022.4(a)(2) restates the purposes listed in the definition, and proposed § 1022.4(f) and (g) restate provisions addressing exclusions from the definition. The CFPB proposes § 1022.4(b) through (e) to address whether and when the communication of certain consumer information constitutes a consumer report, with the goal of ensuring the FCRA's protections are applied to such information. The CFPB also proposes to revise several provisions in existing Regulation V that cross-reference the definition of consumer report in FCRA section 603(d) to instead cross-reference the definition in proposed § 1022.4. 54
Footnotes:
53 In restating FCRA section 603(d)(2)(D), proposed § 1022.4(f) cross-references FCRA section 603(y) rather than FCRA section 603(x) because the CFPA re-designated FCRA section 603(x) as FCRA section 603(y). See 15 U.S.C. 1681a, n.1; Fed. Trade Comm'n, Fair Credit Reporting Act, 15 U.S.C. 1681, at 2 n.1 (Sept. 2018), https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf (noting that "(o) or (x)" in FCRA section 603(d)(2)(D) "[s]hould be read as '(o) or (y)'").
54 These provisions are §§ 1022.20(b)(3), 1022.32(b), 1022.71(f), 1022.130(c), and 1022.142(b)(2). If this proposal and the CFPB's Medical Debt Proposed Rule, supra note 42, are both finalized, the CFPB intends to revise in the same way cross-references to the terms "consumer report" and "consumer reporting agency" in § 1022.38, as proposed to be added to Regulation V by the Medical Debt Proposed Rule.
Is Used or Expected To Be Used
Proposed § 1022.4(b) and (c) address the phrase "is used or expected to be used" and surrounding elements of the statutory definition of consumer report. The proposed provisions address whether and when the applicable information is used (proposed § 1022.4(b)) or is expected to be used (proposed § 1022.4(c)) for one of the purposes specified in the definition, that is, for the purpose of serving as a factor in establishing a consumer's eligibility for consumer credit or insurance, for employment purposes, or for any other purpose authorized under FCRA section 604. The CFPB proposes these provisions to ensure that the FCRA's protections apply to certain communications of consumer information, including by incentivizing entities that sell consumer information to monitor the uses to which such information is put and by ensuring that certain types of consumer information are within the scope of the FCRA regardless of how any particular communication of that information is used.
As explained further below, the FCRA's definition of the term "consumer report" presents several interpretive questions relevant to this proposed rule. First, what is the item that might be "used or expected to be used" for the relevant purpose: the specific "communication" (i.e., the actual transmittal of data) or the "information" contained within that communication (i.e., the facts that the communication describes)? Courts have tended to focus their analysis on the specific communication, although it is unclear how many courts have been presented with the alternative. 55 Second, given that the phrase is in the passive voice, by whom might a communication or information be "used or expected to be used" to qualify as a consumer report: the specific recipient of the communication or a broader population of parties? Again, courts have tended to consider the activities of the specific user in the case at issue, but it is unclear whether courts have been presented with the alternative. 56 Third, whose expectations are relevant in determining whether a communication of information is "expected to be used" for a particular purpose: the person making the communication or someone else? And fourth, are that person's subjective expectations all that matter, or, as courts have held, does the analysis also consider what the person objectively should expect?
Footnotes:
55 See, e.g., Comeaux v. Brown & Williamson Tobacco Co., 915 F.2d 1264, 1273-74 (9th Cir. 1990) ("The plain language of section 1681a(d) reveals that a credit report will be construed as a 'consumer report' under the FCRA if the credit bureau providing the information expects the user to use the report for a purpose permissible under the FCRA . . . ." (second emphasis added)); cf. Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d 988, 994 (D. Nev. 2021) (applying the series-qualifier and nearest-reasonable-referent canons to conclude that, under the definition of consumer report, "it is the information in the communication, not the communication itself, that must be of the kind that is used or expected to be used or collected in whole or in part for the purposes of serving as a favor [sic] in credit, employment, or insurance decisions or other reasons allowed under the FCRA").
56 See, e.g., Comeaux, 915 F.2d at 1273-74.
With these interpretive questions in mind, the CFPB is proposing provisions to administer and carry out the statutory scheme, prevent evasion of the FCRA's requirements, and ensure that the statute's protections apply to communications of consumer information that raise concerns the FCRA was designed to address. In doing so, the CFPB is also proposing particular approaches to resolving the interpretive questions set forth above. First, the CFPB proposes to treat "used or expected to be used" as modifying "information" rather than "communication." Grammatically, the term to which "used or expected to be used" refers should also be the term to which "collected" refers, and a consumer reporting agency does not "collect" communications. Second, the CFPB proposes to interpret "used" to include use by persons other than the direct recipient of a communication. If "used or expected to be used" referred only to how the direct recipient used or was expected to use the information in a communication, then the recipient's use or expected use for a non-permissible purpose would not violate the statute because, by virtue of that use or expected use, the communication would not be a consumer report. 57 Moreover, if the analysis focused only on the initial recipient, the statute would be easy to evade by passing information through intermediaries before it reached the ultimate user. Third, the CFPB proposes to interpret "expected to be used" to refer to the expectations of the person communicating the information, which is consistent with longstanding case law and is a natural reading of the statutory language. Fourth, the CFPB proposes to interpret "expected to be used" to consider both what that person subjectively expected and what that person objectively should have expected about the use of the transmitted information. 
This interpretation is consistent with past agency and judicial interpretations and would emphasize that persons cannot sell consumer information and attempt to avoid coverage by willfully ignoring the purposes for which the information will be used.
Footnotes:
57 The communication of the information could still be a consumer report if the information was collected for a purpose described in FCRA section 603(d)(1), in which case it could be furnished only to a recipient with a permissible purpose.
Since the FCRA's enactment in 1970, applications of the law have often undermined one of the statute's core commitments: protecting consumer privacy. The CFPB proposes to implement the statute in a manner that respects Congress's concern with limiting the purchase and sale of sensitive consumer information and restores the full meaning of the statute's permissible purpose provisions.
The CFPB uses these threshold principles, described in more detail below, to guide the following proposals.
4(b) Is Used
Proposed § 1022.4(b) interprets the phrase "is used" in the definition of consumer report. It provides that information in a communication is used for a purpose described in proposed § 1022.4(a)(2) if a recipient of the information uses the information for such purpose. The proposal would clarify that the purpose for which information in a communication is used can cause the communication to be a consumer report, regardless of whether the person communicating the information collected it or expected it to be used for that purpose.
This interpretation derives from a straightforward reading of the statute. As summarized above, section 603(d)(1) of the FCRA defines a consumer report as a communication of information by a consumer reporting agency bearing on any of seven, specified consumer factors that is "[1] used or [2] expected to be used or [3] collected" in whole or in part for a purpose described in proposed § 1022.4(a)(2). The principle that a statute must be construed to "give effect, if possible, to every clause and word" 58 requires that the phrase "is used" be given a meaning independent of "expected to be used" and "collected." 59 The CFPB's proposed interpretation does so.
Footnotes:
58 Williams v. Taylor, 529 U.S. 362, 404 (2000) (quoting United States v. Menasche, 348 U.S. 528, 538-39 (1955)); see also Duncan v. Walker, 533 U.S. 167, 174 (2001) (discussing rule against surplusage).
59 Similarly, the series-qualifier canon requires reading the phrase "in whole or in part" as modifying each word or phrase in the series (i.e., "is used," "expected to be used," and "collected") rather than just the final one (i.e., "collected"). See Facebook, Inc. v. Duguid, 592 U.S. 395, 402 (2021) (describing the series-qualifier canon); United States v. MyLife.com, Inc., 499 F. Supp. 3d 757, 764 (C.D. Cal. 2020) (finding that the complaint adequately pled that the defendant's reports "were used or expected to be used in whole or in part for a FCRA purpose").
The proposed interpretation is consistent with guidance previously issued by FTC staff explaining that a report that is not otherwise a consumer report may become a consumer report if it is subsequently used by the recipient for an FCRA-covered purpose. 60 That guidance also suggests that a communication of consumer information that is actually used for an FCRA-covered purpose might not be a consumer report if the person making the communication could not have reasonably expected the information to be used in such a way. 61 Under the CFPB's proposed interpretation, however, a report including information that "is used" for a purpose described in proposed § 1022.4(a)(2) (and that satisfies the other elements of the definition of consumer report) is a consumer report, irrespective of whether the person furnishing the report could have reasonably expected that use or took steps to prevent it.
Footnotes:
60 FTC 40 Years Staff Report, supra note 21, at 22.
61 See id. ("If the entity supplying the report has taken reasonable steps to [e]nsure that the report is not used for such a purpose, and if it neither knows of, nor can reasonably anticipate such use, the report should not be deemed a consumer report by virtue of uses beyond the entity's control.").
Proposed § 1022.4(b) also would clarify another aspect of the phrase "is used" in the FCRA's definition of consumer report. In the definition, the phrase "for the purpose of serving as a factor in establishing the consumer's eligibility," which follows the phrase "is used," lacks a subject, making it unclear whose use of the information matters in determining whether information is used for a purpose described in proposed § 1022.4(a)(2). Proposed § 1022.4(b) would clarify that information is used for a purpose described in proposed § 1022.4(a)(2) if anyone, not merely the direct recipient of the communication, uses the information for such a purpose.
Interpreting the phrase "is used" to encompass not just the immediate recipient of the information but also downstream users is necessary to carry out the purposes of the statute and prevent evasion. If all that mattered was what the immediate recipient would do with the information, a person could potentially avoid FCRA coverage even if the person had actual knowledge that the entity to which it communicated the information was selling the information to a downstream recipient who planned to use it for a purpose described in proposed § 1022.4(a)(2). Indeed, under such an interpretation, a person could potentially use intermediaries to ensure that they never sold information directly to a recipient who would use it for such a purpose, even if the person knew that was how the information would eventually be used. The CFPB's proposed interpretation is consistent with case law holding that the "is used" element of the definition of consumer report is satisfied if anyone, not just the initial recipient of the communication, uses the information for a purpose described in proposed § 1022.4(a)(2). 62
Footnotes:
62 Ernst v. Dish Network, LLC, 49 F. Supp. 3d 377, 383 (S.D.N.Y. 2014) ("This means that if anyone uses, expects to use or collects the information for [a permissible purpose], the statutory definition of 'consumer report' is satisfied.") (emphasis added); see also Henderson v. Corelogic Nat'l Background Data, LLC, 161 F. Supp. 3d 389, 397-98 (E.D. Va. 2016).
As a practical matter, this would mean that a person that sells information that is used for a purpose described in proposed § 1022.4(a)(2) would become a consumer reporting agency, regardless of whether the person knows or believes that the communication of that information is legally considered a consumer report, assuming the other elements of the definition of consumer reporting agency are satisfied. In other words, so long as a person acts for the purpose of furnishing a report that is or becomes a consumer report as that term is defined in proposed § 1022.4, that person is a consumer reporting agency; a person need not know or believe it is furnishing a consumer report as that term is defined under the FCRA. For example, consider an entity that collects information about individual consumers' travel preferences for use in marketing and sells that information to a third party for marketing purposes with the belief that the communication of that information is not a consumer report. If the third party actually uses the information to establish a consumer's eligibility for credit, the report would be a consumer report (assuming the other elements of that definition were satisfied). The entity that sold the information would then be a consumer reporting agency (assuming the other elements of that definition were satisfied) because it intended to communicate to the third party the information that was in fact used for an FCRA-covered purpose, even if it did not believe that it was furnishing consumer reports. The CFPB proposes that this conclusion flows from the definition of consumer reporting agency in FCRA section 603(f).
In addition to being consistent with the regulatory text, this reading of the statute better prevents entities from evading FCRA coverage by disclaiming intent to furnish consumer reports. A requirement that a person selling consumer information is a consumer reporting agency only if it believes that its communications meet the FCRA's definition of consumer report would incentivize willful ignorance and undermine the purpose of the statute. The CFPB's interpretation, by contrast, provides a clear, bright-line rule that should be more difficult for entities, particularly data brokers, to evade. For that reason, it is more consistent with
Footnotes:
63 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722 (3d Cir. 2010) (describing the FCRA as "undeniably a remedial statute that must be read in a liberal manner in order to effectuate the congressional intent underlying it"); Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that the FCRA's "consumer oriented objectives support a liberal construction" of the statute).
The CFPB proposes § 1022.4(b) as an interpretation of the phrase "is used." The CFPB also preliminarily concludes that proposed § 1022.4(b) is necessary to prevent evasion of the FCRA by entities that sell consumer information and ignore the uses to which that information is put by initial and downstream recipients. 64 The CFPB requests comment on whether the proposed interpretation is likely to incentivize entities to monitor more carefully how a communication of consumer information ultimately is used, any potential alternatives to prevent entities from evading coverage under the FCRA, and any compliance challenges associated with the proposed interpretation.
Footnotes:
64 See supra part II.B, Goals of the Rulemaking, Protecting Consumer Information in the Data Broker Market.
4(c) Is Expected To Be Used
Proposed § 1022.4(c) would establish two tests for determining whether information is expected to be used for a purpose described in proposed § 1022.4(a)(2). Under these tests, information in a communication is expected to be used for such a purpose if: (1) the person making the communication expects or should expect that a recipient of the information will use it for such a purpose; or (2) it is information about a consumer's credit history, credit score, debt payments, or income or financial tier. Information would need to satisfy only one of the tests for the "expected to be used" element of the definition of consumer report to be met. If either test were satisfied, the communication of the information would be a consumer report and the person communicating the information would be a consumer reporting agency, assuming the other elements of those definitions were met. As a result, the person's sale of the information would be subject to the FCRA.
4(c)(1)
Under the first test, described in proposed § 1022.4(c)(1), information in a communication is expected to be used for a purpose described in proposed § 1022.4(a)(2) if the person making the communication expects or should expect that a recipient of the information in the communication will use the information for such a purpose. 65 Proposed § 1022.4(c)(1) would clarify four aspects of the meaning of the phrase "expected to be used."
Footnotes:
65 Regulation V, 12 CFR 1022.3(l) defines person to mean "any individual, partnership, corporation, trust, estate cooperative, association, government or governmental subdivision or agency, or other entity."
Information Is Expected To Be Used
The "expected to be used" element of the definition of consumer report does not identify what item must be "expected to be used" for a purpose described in proposed § 1022.4(a)(2). A consumer report is a "communication" of certain "information" about a consumer, so the phrase could reasonably refer to the communication itself (i.e., the actual transmittal of data), or the information contained within the communication (i.e., the facts that the communication describes).
Proposed § 1022.4(c) clarifies that, under the first test, the relevant inquiry is whether the information in a communication is expected to be used for a purpose described in proposed § 1022.4(a)(2). This proposed interpretation follows directly from the statutory language. As relevant here, the FCRA defines a consumer report as a communication of information by a consumer reporting agency "which is used or expected to be used or collected in whole or in part" for a purpose described in proposed § 1022.4(a)(2). Grammatically, the term to which "expected to be used" refers should also be the term to which "collected in whole or in part" refers. Consumer reporting agencies collect information, not communications. Accordingly, under the CFPB's proposed interpretation, the term "expected to be used" refers to information. 66
Footnotes:
66 See Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d 988, 994 (D. Nev. 2021) (applying the series-qualifier and nearest-reasonable-referent canons to conclude that, under the definition of consumer report, "it is the information in the communication, not the communication itself, that must be of the kind that is used or expected to be used or collected in whole or in part for the purposes of serving as a favor [sic] in credit, employment, or insurance decisions or other reasons allowed under the FCRA").
Person Communicating the Information
The "expected to be used" element of the FCRA's definition of consumer report is phrased in the passive voice; it does not identify the subject whose expectations are relevant in determining whether a communication of information is a consumer report. Proposed § 1022.4(c)(1) rephrases this element of the definition in the active voice to clarify that, under the first test, the expectations of the person communicating the information determine whether the information is expected to be used for a particular purpose. In other words, the proposal clarifies that a communication of information is a consumer report if the person communicating the information expects the information to be used for a purpose described in proposed § 1022.4(a)(2) and the other elements of that definition are met. This proposed interpretation, which is consistent with longstanding case law, is a natural reading of the statutory language and makes sense in the context of the statute. 67 It is also necessary to prevent evasion by entities, such as data brokers, that have sufficient information to know that the consumer data they sell is likely being used for eligibility determinations.
Footnotes:
67 See, e.g., Fralish v. Transunion, LLC, No. 3:20-CV-969 JD, 2021 WL 4990003, at *3 (N.D. Ind. Oct. 26, 2021) ("Information constitutes a `consumer report' if the consumer reporting agency which prepares and sends the report `expects' the report to be used for one of the `consumer purposes' set forth by the FCRA."); Ippolito v. WNS, Inc., 864 F.2d 440, 449 (7th Cir. 1988) ("[A] consumer may establish that a particular credit report is a `consumer report' falling within the coverage of the FCRA if . . . the consumer reporting agency which prepares the report `expects' the report to be used for one of the `consumer purposes' set forth in the FCRA."); Heath v. Credit Bureau of Sheridan, Inc., 618 F.2d 693, 696 (10th Cir. 1980) (explaining that "`expected to be used' would seem to refer to what the reporting agency believed").
Knowledge Standard
The FCRA does not define the term "expected." Proposed § 1022.4(c)(1) would clarify that, under the first test, information is expected to be used for a purpose described in proposed § 1022.4(a)(2) if the person communicating the information subjectively expects that it will be used for such a purpose, or if the person objectively should expect that it will be used for such a purpose.
Interpreting the phrase "expected to be used" to encompass a person's subjective and objective expectations is consistent with FTC staff's longstanding view that the definition of consumer report covers uses of information that the person can reasonably anticipate. 68 And it is consistent with case law holding that a person's reasonable expectations about how information
Footnotes:
68 FTC 40 Years Staff Report, supra note 21, at 22 ("If the entity supplying the report has taken reasonable steps to [e]nsure that the report is not used for such a purpose, and if it neither knows of, nor can reasonably anticipate such use, the report should not be deemed a consumer report . . . ." (emphasis added)).
69 See, e.g., Harrington v. ChoicePoint Inc., No. CV 05-1294 MRP JWJX, 2005 WL 7979032, at *5 (C.D. Cal. Sept. 15, 2005) (holding that consumer reporting agency "should have expected the information it disclosed would be used for FCRA purposes" despite the entity's contractual language with users barring such uses); Mem. & Order at *6, Roybal v. Equifax, No. 2:05-CV-01207-MCE-KJM, 2008 WL 4532447 (E.D. Cal. Oct. 9, 2008) (allowing an FCRA claim based on inaccuracies in the reporting of a joint account because that information "could reasonably have been expected to be used" in establishing consumer's eligibility for credit); cf. Intel Corp. Inv. Pol'y Comm. v. Sulyma, 589 U.S. 178 (2020) ("[T]he law will sometimes impute knowledge-often called `constructive' knowledge-to a person who fails to learn something that a reasonably diligent person would have learned.").
Interpreting "expected to be used" in this way also is necessary to carry out the purposes of the FCRA and prevent evasion. If all that mattered was how a person subjectively expected the information to be used, the statute would reward willful ignorance: a person could potentially avoid FCRA coverage by, for example, choosing not to ask or deciding not to monitor how recipients of the information intended to use it. The proposed interpretation is therefore consistent with the statute's purpose. 70
Footnotes:
70 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722 (3d Cir. 2010) (describing the FCRA as "undeniably a remedial statute that must be read in a liberal manner in order to effectuate the congressional intent underlying it"); Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that the FCRA's "consumer oriented objectives support a liberal construction" of the statute).
The proposed interpretation also makes sense in the context of the statute as a whole. Elsewhere in the FCRA, Congress imposed requirements that refer only to a person's actual knowledge. For example, FCRA section 605 requires the exclusion of certain information from a consumer report if, among other things, the consumer reporting agency "has actual knowledge that the information is related to a veteran's medical debt." 71 If Congress had intended the meaning of "expected to be used" to turn only on the person's actual, subjective expectations in the same way, it would have said so. 72
Footnotes:
71 15 U.S.C. 1681c(a)(7), (8) (emphasis added).
72 See DHS v. MacLean, 574 U.S. 383, 392 (2015) ("Congress generally acts intentionally when it uses particular language in one section of a statute but omits it in another.").
In enforcement actions and guidance documents, other regulators have identified a non-exhaustive list of factors that may be relevant to determining whether a person should expect that information will be used for an FCRA-covered purpose. These factors include, for example, whether the person screens potential users before allowing them to access information, whether the person advertises its information for non-FCRA-covered uses only, and whether the person maintains procedures to monitor and audit how its information is used. 73 The CFPB requests comment on whether it would be helpful to identify in Regulation V factors that are or may be relevant to determining whether a person should expect that information will be used for an FCRA-covered purpose, and, if so, what those factors might be. The CFPB also requests comment on whether it would be helpful to identify the steps a person must or should take to ensure that the consumer information it sells is not used for an FCRA-covered purpose, absent which the person would be deemed to expect that the consumer information will be used for such a purpose.
Footnotes:
73 See, e.g., Compl. ¶ 9, United States v. Instant Checkmate, Inc., No. 3:14-CV-00675-H-JMA (S.D. Cal. Mar. 24, 2014), https://www.ftc.gov/system/files/documents/cases/140409instantcheckmatecmpt.pdf (alleging that Instant Checkmate, in its marketing and advertising, including through its Google Ad Words campaign, "promoted the use of its reports as a factor in establishing a person's eligibility for employment or housing"); Compl. for Civil Penalties, Permanent Inj. & Other Equitable Relief ¶ 13, United States v. ChoicePoint (N.D. Ga. Jan. 30, 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069complaint.pdf (alleging that ChoicePoint failed to adequately verify or authenticate the identities and qualifications of prospective users of its database).
Downstream Recipients
The phrase "for the purpose of serving as a factor in establishing the consumer's eligibility," which follows the phrase "expected to be used" in the definition, lacks a subject, making it unclear whose use of the information matters in determining whether information is expected to be used for a purpose described in proposed § 1022.4(a)(2). For the same reasons described in the discussion of proposed § 1022.4(b), proposed § 1022.4(c)(1) would clarify that, under the first test, information is expected to be used for a purpose described in proposed § 1022.4(a)(2) if the person communicating the information expects or should expect that any recipient of the information will use it for such a purpose.
As discussed above, the CFPB proposes § 1022.4(c)(1) as an interpretation of the phrase "expected to be used." The CFPB also proposes § 1022.4(c)(1) pursuant to its authority to prevent evasions of the FCRA. The CFPB preliminarily concludes that proposed § 1022.4(c)(1) is necessary to prevent evasion of the FCRA by entities that sell consumer information and ignore the uses to which that information is put by initial and downstream recipients. 74
Footnotes:
74 See supra part II.B, Goals of the Rulemaking, Protecting Consumer Information in the Data Broker Market.
4(c)(2)
Under the second test, described in proposed § 1022.4(c)(2), the CFPB preliminarily concludes that entities that sell consumer information generally expect certain types of that information to be used in the market at large for a purpose described in proposed § 1022.4(a)(2), because those types of information are typically used for such a purpose. Specifically, under proposed § 1022.4(c)(2), a person selling any of four types of information about a consumer - credit history, credit score, debt payments, and income or financial tier - for any purpose generally would qualify as a consumer reporting agency selling consumer reports because those information types are typically used to underwrite loans. Accordingly, the person's conduct would be governed by the FCRA's restrictions and requirements, including provisions that protect the privacy and promote the accuracy of consumer data.
As discussed in part II, the data broker industry poses a range of significant harms to consumers and the nation. These include national security harms. 75 As the U.S. Department of Justice (DOJ) has observed, countries of concern can use Americans' sensitive personal data "to engage in malicious cyber-enabled activities and malign foreign influence, and to track and build profiles on U.S. individuals, including members of the military and Federal employees and contractors, for illicit purposes such as blackmail and espionage." 76 They can also use that data "to collect information on activists, academics, journalists, dissidents, political figures, or members of non-governmental organizations or marginalized communities in order to intimidate such persons; curb political opposition; limit freedoms of expression, peaceful assembly, or association; or enable other forms of suppression of civil liberties." 77
Footnotes:
75 See, e.g., The White House, Fact Sheet: President Biden Issues Executive Order to Protect Americans' Sensitive Personal Data (Feb. 28, 2024), https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/.
76 89 FR 15780, 15781 (Mar. 5, 2024) (U.S. Dep't of Just. Advance Notice of Proposed Rulemaking seeking comment on topics related to the implementation of E.O. 14117).
77 Id.
Recent research funded by the U.S. Military Academy at West Point has highlighted the gravity of the threat posed by data brokers who sell information about the activities and private lives of United States military personnel, veterans, government employees, and their families. 78 With virtually no vetting, researchers were able to purchase individually identified information about active-duty military members' income, net worth, and credit rating - information that could be used by foreign adversaries to identify individuals for purposes of coercion, blackmail, or espionage. 79 Data brokers also facilitate the targeting of military members and government employees by allowing buyers to purchase lists that match multiple categories, such as lists that include individuals who fall into the "Intelligence and Counterterrorism" category and the "Behind on Bills" category. 80 As President Biden noted in a February 2024 executive order addressing foreign access to Americans' data, "[t]he continuing effort of certain countries of concern to access Americans' sensitive personal data and United States Government-related data constitutes an unusual and extraordinary threat . . . to the national security and foreign policy of the United States." 81
Footnotes:
78 See Duke Report on Data Brokers and Military Personnel Data, supra note 2.
79 Id. at 5.
80 Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB Director Rohit Chopra at the White House on Data Protection and National Security (Apr. 2, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/.
81 E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024).
The data broker industry also poses unique harms to individuals in financially precarious situations. Fraudsters can use information from data brokers to target individuals likely to purchase predatory financial products. For example, some data brokers sell consumer lists with titles such as "Rural and Barely Making It," "Retiring on Empty: Single," and "Credit Crunched: City Families." 82 As the Senate Committee on Commerce, Science, and Transportation observed over a decade ago, these lists "appeal to companies that sell high-cost loans and other financially risky products to populations more likely to need quick cash." 83 The purchase and sale of consumers' financial information can also be used to perpetrate outright scams against low-income individuals and individuals in financially precarious situations. In 2015, for example, the FTC brought suit against a data broker operation that sold payday loan applicants' financial information to phony internet merchants and fraudsters who used the information to debit consumers' bank accounts for financial products that the consumers never actually purchased. 84
Footnotes:
82 S. Comm. on Com., Sci., & Transp., Off. of Oversight & Investigations Majority Staff, A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes, at 5 (Dec. 18, 2013), https://www.commerce.senate.gov/services/files/0d2b3642-6221-4888-a631-08f2f255b577.
83 Id.
84 Compl. for Permanent Inj. and Other Equitable Relief, Fed. Trade Comm'n v. Sequoia One, LLC, No. 2:15-cv-01512-JCM-CWH (D. Nev. Aug. 7, 2015), https://www.ftc.gov/system/files/documents/cases/150812sequoiaonecmpt.pdf; Fed. Trade Comm'n, FTC Charges Data Brokers with Helping Scammer Take More Than $7 Million from Consumers' Accounts (Aug. 12, 2015), https://www.ftc.gov/news-events/news/press-releases/2015/08/ftc-charges-data-brokers-helping-scammer-take-more-7-million-consumers-accounts.
The data broker industry also poses data security risks. The highly sensitive consumer information collected and sold by data brokers is an attractive target for hackers and identity thieves. In recent years, cyber criminals have stolen from data brokers information about hundreds of millions of Americans, 85 some of which has been made available for sale. 86 Purchasers can use this information to open new financial accounts in consumers' names, drain existing accounts, obtain loans, seek employment, apply for government benefits, and send "phishing" communications to family and friends. According to the DOJ, in 2021 nearly 24 million U.S. residents over 16 had experienced identity theft in the past 12 months, with financial losses of over $16 billion. 87
Footnotes:
85 See, e.g., Brian Krebs, NationalPublicData.com Hack Exposes a Nation's Data, Krebs on Security (Aug. 15, 2024), https://krebsonsecurity.com/2024/08/nationalpublicdata-com-hack-exposes-a-nations-data/; Justin Sherman, Duke Sanford School of Public Policy, Data Brokers and Data Breaches (Sept. 27, 2022), https://techpolicy.sanford.duke.edu/blogroll/data-brokers-and-data-breaches; Brian Krebs, Hacked Data Broker Accounts Fueled Phony COVID Loans, Unemployment Claims, Krebs on Security (Aug. 6, 2020), https://krebsonsecurity.com/2020/08/hacked-data-broker-accounts-fueled-phony-covid-loans-unemployment-claims/; Lily Hay Newman, 1.2 Billion Records Found Exposed Online in a Single Server, Wired (Nov. 22, 2019), https://www.wired.com/story/billion-records-exposed-online; Stacy Cowley, Equifax to Pay at Least $650 Million in Largest-Ever Data Breach Settlement, N.Y. Times (July 22, 2019), https://www.nytimes.com/2019/07/22/business/equifax-settlement.html.
86 See, e.g., Brian Krebs, National Public Data Published Its Own Passwords, Krebs on Security (Aug. 19, 2024), https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/; Brian Krebs, Data Broker Giants Hacked by ID Theft Service, Krebs on Security (Sept. 25, 2013), https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/.
87 Erika Harrell & Alexandra Thompson, Bureau of Just. Stat., U.S. Dep't of Just., NCJ 306474, Victims of Identity Theft, 2021, at 1 (Oct. 2023), https://bjs.ojp.gov/document/vit21.pdf.
In addition, the data broker industry poses risks to the personal safety of American consumers. For example, domestic abusers and others can use data from data brokers to stalk, harass, and commit violence. 88 Other bad actors can use data broker information to dox consumers, expose their personal information, and subject them to distress, embarrassment, shame, and stigma. 89 Moreover, the data broker industry threatens consumers' right to privacy - the right to be left alone, free from wrongful intrusions into private activities. 90 Surveys suggest that many consumers would be concerned to know that information about their personal lives was being bought and sold without their consent and outside their control by entities with whom they have no
Footnotes:
88 See, e.g., Letter from Amy Klobuchar & Lisa Murkowski, Sens., U.S. Senate, to Hon. Rebecca K. Slaughter, Acting Chair, Fed. Trade Comm'n (Mar. 4, 2021), https://www.klobuchar.senate.gov/public/_cache/files/5/e/5e1e58a4-4b38-49e8-9a8b-37ea1604d9b9/A6F005737B2A977445475E4E0C2E3685.ftc-privacy-and-domestic-violence-letter-final---signed.pdf (expressing "serious concerns regarding recent reports that data brokers are publicizing the location and contact information of victims of domestic violence, sexual violence, and stalking"); Esther Salas, My Son Was Killed Because I'm a Federal Judge, N.Y. Times (Dec. 8, 2020), https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html (recounting instance in which aggrieved litigant obtained Federal judge's address from data broker); Mara Hvistendahl, I Tried to Get My Name Off People-Search Sites. It Was Nearly Impossible., Consumer Reports (Aug. 20, 2020), https://www.consumerreports.org/personal-information/i-tried-to-get-my-name-off-peoplesearch-sites-it-was-nearly--a0741114794/ (recounting domestic abuse victim's effort to delete her information from data broker databases so that her abuser could not obtain it); Remsburg v. Docusearch, Inc., No. Civ. 00-211-B, 2002 WL 844403, at *2-3 (D.N.H. Apr. 25, 2002) (describing stalker's use of data broker information to locate victim).
89 See, e.g., Joseph Cox & Emanuel Maiberg, Fiverr Freelancers Offer to Dox Anyone With Powerful U.S. Data Tool, 404 Media (July 2, 2024), https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/; Joseph Cox, The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15, 404 Media (Aug. 22, 2023), https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF.
90 Cf. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 603-04 (9th Cir. 2020) (observing that "[t]echnological advances . . . provide access to a category of information otherwise unknowable and implicate privacy concerns in a manner different from traditional intrusions as a ride on horseback is different from a flight to the moon" (internal quotation marks and citations omitted)); FTC v. Kochava, Inc., 715 F. Supp. 3d 1319, 1324 (D. Idaho 2024) (noting that the Supreme Court has recognized "the unique threat that modern technology can pose to privacy rights" (citing Carpenter v. United States, 585 U.S. 296 (2018))).
91 See, e.g., Brooke Auxier et al., Americans and Privacy: Concerned, Confused and Feeling Lack of Control Over Their Personal Information, Pew Rsch. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/; cf. Tiffany Johnson et al., It's All Personal: A Study on Consumer Attitudes Towards Data Collection & Usage, PCH Consumer Insights, at 3 (Nov. 15, 2023), https://insights.pch.com/img/data-ethics-design.pdf (identifying data types that consumers regard as "personal").
92 See FTC Data Broker Report, supra note 25, at 31 (noting that score produced by data brokers "could be used to determine the types of offers consumers may receive, the number of offers, or even the level of customer service provided to specific individuals").
Notwithstanding these harms, for years many data brokers have attempted to avoid liability under the FCRA by arguing that the "expected to be used" portion of the statute's definition of consumer report is satisfied only if the person selling the communication expects that the buyer will use the communication for a purpose described in FCRA section 603(d)(1), such as to assess the consumer's eligibility for credit. According to this argument, if the seller expects that the buyer will use the communication for another purpose, such as to market products, the "expected to be used" portion of the definition is not satisfied. And as long as the communication was not actually used, and the information in the communication was not collected, for a purpose described in FCRA section 603(d)(1), this argument provides that there is no consumer report and the FCRA does not apply. Where courts have been presented with certain fact patterns, such as where the data broker took steps to monitor and prohibit the sale of data for FCRA uses, this has sometimes served as an adequate defense. However, it is unclear whether courts have been squarely presented with an alternative approach to the issue. 93
Footnotes:
93 See, e.g., Ippolito v. WNS, Inc., 864 F.2d 440, 450-51 (7th Cir. 1988) (focusing on the purchaser's conduct in determining whether the entity that sold a report expected that it would be used for an FCRA-covered purpose).
Construing the phrase "expected to be used" in this way leads to a result contrary to the FCRA's stated objective in section 602(a)(4) of "respect[ing] . . . the consumer's right to privacy." Section 604's prohibition on furnishing consumer reports for non-permissible purposes, such as marketing outside of the prescreening context, is evaded by the very acts that section 604 purportedly prohibits. This is because, as the FCRA defines the term "consumer report" in section 603(d)(1)(C), a communication of information is not a consumer report unless it is used or expected to be used for a permissible purpose in the first place - i.e., for a purpose "authorized under section [604]." This reading of "expected to be used" would render section 604's prohibitions a nullity with respect to the furnishing of consumer reports for non-permissible purposes, except for the fact that a communication of information could still be a consumer report if the information was "collected in whole or in part" for a permissible purpose. Under this reading, if an entity collects information for a permissible purpose, it cannot provide that same information for an impermissible purpose.
But it would shortchange the FCRA's privacy-protecting objectives to conclude that consumer information collected by a consumer reporting agency for a purpose authorized under section 604 is subject to all of the FCRA's restrictions, including prohibitions on uses outside of what section 604 authorizes, while identical consumer information collected by a data broker solely for a purpose not authorized under section 604 is subject to none of the FCRA's restrictions. Under such an interpretation, for example, Congress would have prohibited a consumer reporting agency that collects consumers' income information for use by banks in making credit eligibility decisions from selling that information for marketing purposes (or any other non-permissible purpose), but it would have permitted a data broker that collects the exact same income information solely for purposes Congress did not authorize in the FCRA to sell the information for those purposes. This has led to the unregulated proliferation of the very types of consumer information that the FCRA's framers intended to protect. 94
Footnotes:
94 See 115 Cong. Rec. S2413 (Jan. 31, 1969) (statement of FCRA's primary sponsor expressing concern about companies that maintain "files on millions of Americans, including their employment, income, billpaying record, marital status, habits, character and morals" without adequate regulations restricting the files' use).
Proposed § 1022.4(c)(2) would avoid this result and conform with Congress's intent to protect consumers' right to privacy by providing that certain types of information about consumers - namely, credit history, credit score, debt payments, and income or financial tier - are expected to be used for a purpose described in proposed § 1022.4(a)(2) even if the specific communication in which the information is conveyed is not itself used or expected to be used for such a purpose.
The CFPB proposes that the text of FCRA section 603(d)(1) alone may support proposed § 1022.4(c)(2). In contrast to prior case law that did not consider this approach, the CFPB preliminarily determines that the part of the definition of consumer report referring to what the sender "expects" could be construed as referring not to how the sender expects the "communication" or report will be used, but rather to how the sender expects the "information" within the report will be used. 95 "Information" is defined as "knowledge obtained from investigation, study, or instruction; intelligence, news; facts, data." 96 Accordingly, whether information "is expected to be used" for a particular purpose may depend, in part, on how the facts in a communication might be used in the future, even if they are provided by other entities in different "communications" or reports.
Footnotes:
95 Cf. Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d 988, 994 (D. Nev. 2021).
96 See Information, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/information (last visited Oct. 15, 2024).
The CFPB preliminarily concludes that a data broker selling information about a consumer's credit history, credit score, debt payments (including on non-credit obligations), or income or financial tier should know that such information is typically used in determining a consumer's eligibility for credit, and therefore should expect that such information will be used for an FCRA purpose. According to FICO, for example, its credit scores are used in 90 percent of all lending decisions. 97 Moreover, in assessing a consumer's eligibility for a mortgage loan, the nation's largest lenders consider, among other things, a prospective borrower's income (often by reviewing a consumer's W-2 statements, tax returns, and pay stubs), as well as the borrower's credit history and level of indebtedness
Footnotes:
97 Basic Facts About FICO Scores, FICO, https://www.fico.com/en/latest-thinking/fact-sheet/basic-facts-about-fico-scores (last visited Oct. 30, 2024).
98 See, e.g., What Documents Are Needed to Apply for a Mortgage?, Chase, https://www.chase.com/personal/mortgage/education/financing-a-home/mortgage-application (last visited Oct. 30, 2024); How to Apply for a Mortgage, Bank of America, https://www.bankofamerica.com/mortgage/learn/how-to-apply-for-a-mortgage/ (last visited Oct. 30, 2024); Home-Buying & Mortgage Process, US Bank, https://www.usbank.com/home-loans/mortgage/first-time-home-buyers/mortgage-process.html (last visited Oct. 30, 2024); Importance of Credit, Debt, and Savings When Buying a House, Wells Fargo, https://www.wellsfargo.com/mortgage/learning/getting-started/importance-of-credit-debt-savings-in-homebuying/ (last visited Oct. 15, 2024); Hanna Kielar, Qualifying For A Mortgage: The Basics, Rocket Mortgage (Apr. 10, 2024), https://www.rocketmortgage.com/learn/mortgage-qualification.
99 See Fed. Hous. Fin. Agency, FHFA Statistics, What Types of Mortgages Do Fannie Mae and Freddie Mac Acquire? (Apr. 14, 2021), https://www.fhfa.gov/blog/statistics/what-types-of-mortgages-do-fannie-mae-and-freddie-mac-acquire (listing enterprise share of mortgage originations by year).
100 See, e.g., Fannie Mae, Selling Guide: Fannie Mae Single Family, at B3 (June 5, 2024), https://singlefamily.fanniemae.com/media/39241/display; Freddie Mac, Seller/Servicer Guide, at Series 5000, https://guide.freddiemac.com/app/guide/series/5000 (last visited Oct. 30, 2024).
101 Regulation Z, 12 CFR 1026.43(c).
As a practical matter, if proposed §?1022.4(c)(2) were finalized, then, under FCRA section 604, data brokers and similar entities that otherwise met the definition of a consumer reporting agency could not sell reports containing a consumer's credit history, credit score, debt payments, or income or financial tier to anyone who lacked a permissible purpose to obtain them, such as a company that intended to use the reports for marketing purposes outside of the statute's pre-screening provisions. 102 Such entities also would need to comply with the FCRA's other prohibitions and requirements for consumer reporting agencies, such as the requirement in FCRA section 607 to follow reasonable procedures to assure maximum possible accuracy of the information in their reports, and the requirements in FCRA sections 609 and 611 to disclose certain information to consumers and to investigate consumers' disputes. 103
Footnotes:
102 15 U.S.C. 1681b.
103 15 U.S.C. 1681e, 1681g, 1681i.
If proposed § 1022.4(c)(2) is finalized, a substantial number of additional data brokers operating today likely will qualify as consumer reporting agencies selling consumer reports under the FCRA, resulting in improved consumer protections and a substantial reduction in the volume of consumer information being bought and sold for non-permissible purposes, such as marketing. In addition, proposed § 1022.4(c)(2), if finalized, should make it more difficult for bad actors to purchase consumer information from data brokers and threaten national security or facilitate financial scams and fraud. In these ways, proposed § 1022.4(c)(2) would further the FCRA's broad remedial purpose 104 and Congress's intent to protect consumers' right to privacy and to provide greater protections for particularly sensitive consumer information. 105
Footnotes:
104 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722 (3d Cir. 2010) (describing the FCRA as "undeniably a remedial statute that must be read in a liberal manner in order to effectuate the congressional intent underlying it"); Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that the FCRA's "consumer oriented objectives support a liberal construction" of the statute).
105 See 15 U.S.C. 1681(a).
In the Small Business Review Panel Outline, the CFPB described a proposal under consideration that would have provided that information in a communication is expected to be used for an FCRA purpose if the information is the type of information typically used for such a purpose. The Small Business Review Panel recommended that the CFPB consider how best to provide guidance on the types of information about consumers that are typically used for an FCRA purpose. Proposed § 1022.4(c)(2) is limited to the four types of information listed in that section: a consumer's credit history, credit score, debt payments, and income or financial tier. This limitation creates a bright-line rule that is responsive to the Small Business Review Panel's feedback, and that should simplify compliance and enforcement and reduce market uncertainty. The CFPB requests comment on whether it would be helpful to provide further guidance defining the four types of information listed in proposed § 1022.4(c)(2).
The CFPB notes that proposed § 1022.4(c)(2) would cover, for example, a list of people with income or credit scores above or below a certain number or within a certain range, even if a consumer's precise income or credit score is not specified. If all other elements of the definitions of consumer report and consumer reporting agency were satisfied, the list would be a series of consumer reports and the entity communicating the list would be a consumer reporting agency. In addition, the CFPB reiterates that information would need to satisfy only one of the tests in proposed § 1022.4(c) for the "expected to be used" element of the definition of consumer report to be met. In other words, the communication of information that is not specifically listed in proposed § 1022.4(c)(2) - including, for example, criminal records, employment information, eviction history, and alternative data 106 - could still be a consumer report if the person communicating the information expects or should expect that a recipient of the information in the communication will use the information for an FCRA purpose.
Footnotes:
106 See generally 82 FR 11183 (Feb. 21, 2017) (request for information about the use or potential use of alternative data in the credit process).
The CFPB proposes § 1022.4(c)(2) as an administrable, bright-line rule for certain categories of information to implement the phrase "expected to be used" in the FCRA's definition of consumer report. The CFPB also proposes § 1022.4(c)(2) pursuant to its authority to prescribe regulations necessary to carry out the purposes of the FCRA and prevent evasion. It is likely that a substantial number of data brokers sell the types of information listed in proposed § 1022.4(c)(2), and that a substantial number of the entities that buy such information from data brokers in fact use it for FCRA purposes - including to make credit eligibility determinations. Nevertheless, many data brokers attempt to avoid the legal obligations of the FCRA by remaining ignorant of how their data ultimately is used, in some instances by selling data without inquiring into the buyer's identity or intended use of the data, in other instances by ignoring certain uses or disclaiming liability for them, and in other instances by selling data to intermediary entities that sell it further downstream. 107 These practices - data brokers' sale of information that is typically used for credit eligibility determinations and data brokers' minimal oversight of the uses to which that information is
Footnotes:
107 See, e.g., Duke Report on Data Brokers and Military Personnel Data, supra note 2, at 25-29; Compl. For Permanent Inj., Monetary Relief, Other Equitable Relief, and Civil Penalties, FTC v. Instant Checkmate, LLC, No. 3:23-cv-01674 TWR (MSB) (S.D. Cal. Sept. 11, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/truthfinder_complaint.pdf; Press Release, Fed. Trade Comm'n, FTC Warns Data Broker Operations of Possible Privacy Violations (May 7, 2013), https://www.ftc.gov/news-events/news/press-releases/2013/05/ftc-warns-data-broker-operations-possible-privacy-violations.
108 See, e.g., Duke Report on Data Brokers and Sensitive Data, supra note 29, at 4-8; FTC Data Broker Report, supra note 25, at B1-B5.
109 See 15 U.S.C. 1681a(d)(1)(A) through (C) and 1681b(a)(3).
110 See 115 Cong. Rec. S2413 (Jan. 31, 1969).
The CFPB requests comment on proposed § 1022.4(c)(2) and other possible approaches to implementing the definition of consumer report, as well as on the potential impacts of each approach, including on whether they would advance the privacy interests of consumers and protect consumers from data misuses and abuses. In addition, the CFPB requests comment on the possible effects, if proposed § 1022.4(c)(2) is finalized, on entities that furnish data to, purchase data from, or rely on the services of entities that would qualify as consumer reporting agencies selling consumer reports.
4(d) Personal Identifiers for a Consumer
Proposed § 1022.4(d) relates to certain personal identifiers for a consumer that are often referred to as "credit header" information. Personal identifiers typically appear at the top of consumer reports and include, for example, names, date of birth, addresses, Social Security number (SSN), and telephone number. In § 1022.4(d)(1), the CFPB proposes to provide that the term "consumer report" includes a communication by a consumer reporting agency of a personal identifier for a consumer that was collected by the consumer reporting agency in whole or in part for the purpose of preparing a consumer report about the consumer. This would mean that a consumer reporting agency could only make such a communication if the user had a permissible purpose under the FCRA to obtain it. Proposed § 1022.4(d)(2) sets forth an enumerated list of information that would constitute personal identifiers for a consumer. The CFPB proposes § 1022.4(d) to prevent the misuse of personal identifiers collected by consumer reporting agencies to prepare consumer reports and to prevent evasions of the FCRA.
How Personal Identifiers Are Treated Today
The FTC has addressed personal identifiers collected by consumer reporting agencies in various contexts over the last few decades and has generally taken a fact-specific approach in determining whether communications of identifying information by consumer reporting agencies are consumer reports. For example, in 2000, the FTC determined in an administrative opinion that age was consumer report information when communicated by a consumer reporting agency, 111 but that various other types of personal identifiers were not, based on evidence in a proceeding regarding whether the different types of information bore on the seven factors specified in the definition of consumer report and how they were used or expected to be used. 112 In its 2011 staff report, the FTC indicated that demographic and identifying information about consumers such as name and address generally is not considered consumer report information under the FCRA, unless it is used for eligibility determinations. 113 The FTC stated that a report limited to identifying information does not constitute a consumer report if it does not bear on any of the seven factors specified in the definition and is not used to determine eligibility. 114
Footnotes:
111 In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf ("[T]he record shows that an individual's age does bear on their credit capacity and is used in credit granting decisions. . . . The record . . . demonstrates that lenders use age information as a factor in credit granting decisions. Further, age clearly bears on credit capacity where state laws restrict contracting with minors. Therefore, age information falls within the definition of a consumer report and its disclosure by a CRA to target marketers violates the FCRA.") (citations omitted); see also 65 FR 33645, 33668 n.35 (May 24, 2000) (noting that age is consumer report information).
112 In re Trans Union Corp., FTC Docket No. 9255, at 30-31 (Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (concluding that (1) name, mother's maiden name, generational designator, telephone number, and SSN were not consumer report information because the evidence presented in the proceeding did not show that they bore on any of the seven factors specified in the definition of consumer report, and (2) address was not consumer report information because, while it might bear on creditworthiness, the evidence presented in the proceeding did not show that address was used or expected to be used as a credit eligibility factor in scoring or as a credit criterion in prescreening).
113 FTC 40 Years Staff Report, supra note 21, at 1 n.4.
114 Id. at 21. The 2011 staff report indicated, for example, that "[t]elephone and other directories that only provide names, addresses, and phone numbers, are not 'consumer reports,' because the information is not collected to be used or expected to be used in evaluating consumers for credit, insurance, employment, or other purposes." The FTC recognized, however, that a list of consumers' names and addresses is a series of consumer reports if the list is assembled or defined by reference to characteristics or other information that is also used (even in part) in eligibility decisions. For example, the FTC noted that "a list comprised solely of consumer names and addresses, but compiled based on the criterion that every name on the list has at least one active trade line, updated within six months, is a series of consumer reports." Id.
In finalizing its initial privacy regulation under the Gramm-Leach-Bliley Act (GLBA), the FTC explained that, to the extent that a consumer reporting agency's communication of "credit header" information is not a consumer report, GLBA and its implementing regulation limit consumer reporting agencies' redisclosure of information furnished by financial institutions pursuant to the GLBA's consumer reporting exception, which allows financial institutions to share nonpublic personal information with a consumer reporting agency in accordance with the FCRA without providing consumers notice and an opportunity to opt out of such sharing. 115 Specifically, the FTC explained that GLBA and its implementing regulation do not allow a consumer reporting agency that receives information pursuant to this exception to redisclose the information to "individual reference services, direct marketers, or any other party that does not have a permissible purpose to obtain that information as part of a consumer report." 116 The FTC noted, however, that consumer reporting agencies may be able to sell consumer identifying information if they receive the information from financial institutions outside of a GLBA exception. 117
Footnotes:
115 65 FR 33646, 33668 (May 24, 2000) (citing 15 CFR 313.15(a)(5), which the CFPB later restated in Regulation P as 12 CFR 1016.15(a)(5)).
116 65 FR 33646, 33668 (May 24, 2000) (declining requests that the FTC create a new exception to the reuse and redisclosure limitations that would allow consumer reporting agencies to sell "credit header" information); see also Trans Union LLC v. FTC, 295 F.3d 42 (D.C. Cir. 2002) (rejecting challenges to FTC privacy rule, including to its handling of header information).
117 65 FR 33646, 33668-69 (May 24, 2000).
Courts considering communications of personal identifiers by consumer reporting agencies have generally concluded that such communications are not consumer reports, largely on the ground that the information does not bear on the factors specified in the definition. 118 However, similar to the
Footnotes:
118 See, e.g., Gray v. Experian Info. Sols. Inc., No. 8:23-CV-981-WFJ-AEP, 2023 WL 6895993, at *3-4 (M.D. Fla. Oct. 19, 2023); Bickley v. Dish Network, LLC, 751 F.3d 724, 729 (6th Cir. 2014); Ali v. Vikar Mgmt. Ltd., 994 F. Supp. 492, 497, 499 (S.D.N.Y. 1998); Dotzler v. Perot, 914 F. Supp. 328, 330-31 (E.D. Mo. 1996), aff'd, 124 F.3d 207 (8th Cir. 1997).
119 Steinmetz v. LexisNexis, No. 2:19-CV-00070-RFB-DJA, 2020 WL 2198974, at *3 (D. Nev. May 5, 2020) (noting that "it is not inconceivable that information like one's birthdate could be relevant for determining eligibility for certain consumer credit products").
Consumer reporting agencies and other industry stakeholders have generally taken the position that personal identifiers are not subject to the FCRA at all. 120 Consumer reporting agencies thus currently sell "credit header" information for purposes that are not permissible purposes under the FCRA. 121 For example, such information appears to be offered for sale for purposes not authorized under section 604, such as marketing 122 that is not done in accordance with the statute's prescreening or written instructions provisions. 123
Footnotes:
120 See, e.g., Comment from stakeholder Equifax, Re: CFPB's Small Business Advisory Review Panel for Consumer Reporting Rulemaking-Outline of Proposals and Alternatives Under Consideration, at 2 (Nov. 6, 2023) ("Credit header information, such as name, current and former addresses, Social Security number, date of birth, and phone number, does not meet the current, definitional standard for a consumer report."). Indeed, an industry trade association has erroneously suggested that the FTC has categorically excluded identifying information from the definition of consumer report. Comment from stakeholder CDIA, Re: CFPB's Small Business Advisory Review Panel for Consumer Reporting Rulemaking-Outline of Proposals and Alternatives Under Consideration, at 13 (Nov. 6, 2023) ("The FTC's long-standing and unambiguous interpretation of the FCRA is that identifying information (i.e., credit header information) does not constitute a consumer report.").
121 See, e.g., What Is Credit Header?, Tracers (Oct. 22, 2020), https://www.tracers.com/blog/what-is-credit-header/ ("You can see how beneficial all of this information can be if you're a business trying to reach out to brand new or existing customers. This type of data isn't regulated under the Fair Credit Reporting Act because it's not part of a customer's credit history, which means you can use it in a variety of ways for your business's benefit.").
122 See, e.g., Introducing Acxiom Auto 360: Data Solution for OEMs and Car Dealerships, Acxiom, https://www.acxiom.com/auto-360/ (last visited Oct. 30, 2024) ("What if you needed only one, incredibly powerful data-marketing tool? One solution using best-in-industry capabilities combining household data sets with credit header data and adding insights to influence a customer's next buying decision.").
123 FCRA section 604(c)(1)(B) permits consumer reporting agencies to furnish consumer reports in connection with credit or insurance transactions not initiated by the consumer under certain conditions, including that the consumer reporting agency must allow consumers to opt out of the prescreening process, the user must provide a firm offer of credit or insurance to consumers whose information they receive, and both the consumer reporting agency and the user must comply with notice requirements. FCRA section 604(a)(2) permits consumer reporting agencies to furnish a consumer report in accordance "with the written instructions of the consumer to whom it relates."
Implementing the FCRA's Definition of the Term "Consumer Report"
The CFPB proposes § 1022.4(d) pursuant to its authority under FCRA section 621(e)(1) to "prescribe regulations as may be necessary or appropriate to administer and carry out the purposes and objectives" of the FCRA, including the definition of consumer report in FCRA section 603(d). As noted above, a consumer report under the FCRA is, in general, a communication by a consumer reporting agency of any information that: (1) bears on at least one of seven specified factors; and (2) is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing a consumer's eligibility for credit, insurance, or employment purposes or for any other purpose authorized under FCRA section 604. The CFPB preliminarily concludes that a consumer reporting agency's communication of a personal identifier for a consumer that the consumer reporting agency collected for the purpose of preparing a consumer report about the consumer meets both prongs of the definition and, therefore, that a communication of such information by a consumer reporting agency is a consumer report.
The CFPB preliminarily concludes that personal identifiers for a consumer bear on one or more of the seven factors specified in the definition of consumer report. Those factors are a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.
Webster's dictionary defines "characteristic" as "a distinguishing trait, quality, or property." 124 A consumer's names (including aliases), age or date of birth, addresses, telephone numbers, email addresses, and SSN or Individual Taxpayer Identification Number (ITIN) are all themselves personal characteristics of the consumer because they are personal traits, qualities, or properties that serve to distinguish the consumer. 125
Footnotes:
124 See Characteristic, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/characteristic (last visited Oct. 30, 2024).
125 See, e.g., Moreland v. CoreLogic SafeRent LLC, No. SACV 13-470 AG ANX, 2013 WL 5811357, at *4 (C.D. Cal. Oct. 25, 2013) ("Where a person lives is a fundamental 'personal characteristic[ ].'").
Personal identifiers for a consumer also can bear on the specified factors in other ways. For example, a consumer's current and former names and aliases may bear on the consumer's mode of living by revealing family associations, marital history, and the names the consumer has chosen to use. Similarly, email addresses that the consumer uses or has used may, for example, provide information about the consumer's educational or employment associations. Addresses and telephone numbers provide information about where a consumer has lived, how often they have moved, and whether they receive mail at a post office box, which are part of the consumer's mode of living. The fact that no SSN is provided for a consumer or that another identification number (such as an ITIN or a matricula consular number) is provided can reveal information about the consumer's immigration status, which is a personal characteristic and bears on the consumer's mode of living.
Additionally, the mere fact that a particular consumer reporting agency or type of consumer reporting agency has personal identifiers for a consumer can itself bear on one or more of the factors specified in the definition of consumer report. For example, the fact that a nationwide consumer reporting agency has personal identifiers for a consumer suggests that it has credit records about the consumer and the consumer is not "credit invisible," which goes to the consumer's credit capacity or credit standing. Similarly, the fact that a particular type of specialty consumer reporting agency has personal identifiers for a consumer might suggest that the consumer rents rather than owns their home; has applied for individually underwritten life or health insurance; has had claims filed against their homeowner's or automobile insurance policies; or has a telecommunication, pay TV, or utility account. 126
Footnotes:
126 See, e.g., Consumer Fin. Prot. Bureau, List of Consumer Reporting Companies (2024), https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/companies-list/ (last visited Oct. 15, 2024) ("Most tenant screening companies won't have information on you unless you apply for rental housing or otherwise authorize a landlord or property manager to obtain a report from them."); Request Your MIB Underwriting Services Consumer File, MIB Group, https://www.mib.com/request_your_record.html (last visited Oct. 15, 2024) ("You will not have an MIB Underwriting Services Consumer File unless you have applied for individually underwritten life or health insurance in the last seven years."); Natalie Todoroff & Jessa Claeys, What are CLUE reports in insurance? Bankrate (Sept. 3, 2024), https://www.bankrate.com/insurance/homeowners-insurance/clue-report/ (describing information included in CLUE reports); NCTUE empowers you to take control of your credit, NCTUE Consumers, https://nctue.com/consumers/ (last visited Oct. 15, 2024).
The CFPB also preliminarily determines that personal identifiers collected by consumer reporting agencies to prepare consumer reports meet the second prong of the definition
Moreover, every time any information from a consumer report, such as income or employment history, is used as a factor in determining eligibility for an FCRA purpose, a personal identifier for the consumer must also be used. Otherwise, it would be impossible for users to be sure that the information used from the consumer report relates to the correct consumer.
Indeed, personal identifiers provided by consumer reporting agencies can be critical in assessing whether applicable requirements are met. For example, employers may be required for certain positions to ensure that prospective employees do not appear on a sex offender registry and may use names and other personal identifiers from consumer reporting agencies to do so. Similarly, financial institutions and others may use names and other personal identifiers in determining whether an applicant for credit or other products or services is on the list of Specially Designated Nationals maintained by the Office of Foreign Assets Control (OFAC) or one of OFAC's other sanctions lists, to ensure that OFAC's regulations do not prohibit them from approving the transaction. 127
Footnotes:
127 See generally Off. of Foreign Assets Control, U.S. Dep't of Treas., FFIEC, BSA/AML Manual: Office of Foreign Assets Control-Overview, https://bsaaml.ffiec.gov/manual/OfficeOfForeignAssetsControl/01 (last visited Oct. 15, 2024); Cortez v. Trans Union, LLC, 617 F.3d 688, 707-08 (3rd Cir. 2010) ("Trans Union invites us to conclude that information that goes to the very legality of a credit transaction is somehow not 'a factor in establishing the consumer's eligibility . . . for credit.'. . . . It is difficult to imagine an inquiry more central to a consumer's 'eligibility' for credit than whether federal law prohibits extending credit to that consumer in the first instance. The applicability of the FCRA is not negated merely because the creditor/dealership could have used the OFAC Screen to comply with the USA PATRIOT Act, as well as deciding whether it was legal to extend credit to the consumer."); Off. of Foreign Assets Control, U.S. Dep't of Treas., Frequently Asked Question #46 (Sept. 10, 2002), https://ofac.treasury.gov/faqs/46 (last visited Oct. 15, 2024) (discussing what to provide as a denial reason on an adverse action notice if a loan meets an institution's underwriting standards but is a true "hit" on the Specially Designated Nationals list).
Personal identifiers provided by consumer reporting agencies can also serve as a factor in eligibility determinations in other ways. For example, age may be specifically considered in determining whether a consumer meets requirements for credit and insurance products and services. Minors, for example, may be ineligible to even enter into contracts under State law, and some products such as reverse mortgages are only offered to seniors. 128 Age also can determine whether an applicant is eligible for a particular employment position or for benefits such as Social Security retirement benefits and Supplemental Security Income. 129 Similarly, whether a consumer has an SSN can affect eligibility for employment, Social Security benefits, and certain other government benefits. 130
Footnotes:
128 Fed. Trade Comm'n, Reverse Mortgages (Aug. 2022), https://consumer.ftc.gov/articles/reverse-mortgages (noting that you cannot legally commit to a regular mortgage until you are 18, unless you have a co-signer, and that you must be 62 or older to get a reverse mortgage); cf. In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (explaining various ways in which age had been used in credit granting decisions).
129 See, e.g., Soc. Sec. Admin., Retirement Benefits, at 2-4 (2024), https://www.ssa.gov/pubs/EN-05-10035.pdf (explaining age restrictions for Social Security retirement benefits); Soc. Sec. Admin., Supplemental Security Income (SSI) Eligibility Requirements (2024), Understanding SSI-SSI Eligibility (ssa.gov).
130 Soc. Sec. Admin., Social Security Numbers for Noncitizens (Apr. 2023), https://www.ssa.gov/pubs/EN-05-10096.pdf ("You need an SSN to work, collect Social Security benefits, and receive other government services.").
Address information provided by consumer reporting agencies can also play a role in eligibility determinations. For example, many financial service providers and insurance companies are only licensed to operate in particular States and therefore can only offer their products or services to consumers residing in those jurisdictions. Federally regulated lenders are also prohibited from making a mortgage loan to a consumer if a property is not covered by flood insurance and is located in a Special Flood Hazard area where flood insurance is available. 131 Employment positions may be limited to residents of certain localities.
Footnotes:
131 42 U.S.C. 4012a(b).
In light of all of these considerations, the CFPB preliminarily concludes that communications by consumer reporting agencies of personal identifiers for a consumer that are collected by a consumer reporting agency for the purpose of preparing consumer reports about the consumer are consumer reports. FCRA section 608 further supports this interpretation by specifically permitting consumer reporting agencies to share "identifying information respecting any consumer, limited to his name, address, former addresses, places of employment, or former places of employment" with a governmental agency notwithstanding the permissible purpose requirements for consumer reports. 132 If identifying information were entirely excluded from the definition of consumer report as industry has suggested, there would have been no need for Congress to craft FCRA section 608 to expressly allow sharing of certain identifying information with government agencies.
Footnotes:
132 15 U.S.C. 1681f.
Proposed § 1022.4(d) Would Promote the FCRA's Goals and Prevent Misuse of Personal Identifiers
Proposed § 1022.4(d) would promote the FCRA's goals of ensuring accuracy and fairness in consumer reporting by ensuring that personal identifiers collected by consumer reporting agencies for the purpose of preparing consumer reports are subject to all of the FCRA's protections that apply to consumer reports. A primary purpose of the FCRA is "to protect consumers from the transmission of inaccurate information about them, and to establish credit reporting practices that utilize accurate, relevant, and current information in a confidential and responsible manner." 133 The CFPB has long recognized how important personal identifiers are in ensuring the accuracy of consumer reports. 134 Specifying that such information is a consumer report when it is communicated on its own by a consumer reporting agency would ensure that consumers receive notice when adverse actions are taken based on the information, thereby alerting
Footnotes:
133 Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (citations omitted).
134 For example, the CFPB highlighted in an advisory opinion regarding name-only matching the importance of consumer reporting agencies' matching procedures in ensuring accuracy. 86 FR 62468 (Nov. 10, 2021). However, even the best matching procedures cannot prevent mistakes if the identifying information maintained by consumer reporting agencies is itself wrong.
135 In the absence of a bright-line rule regarding personal identifiers, at least one consumer reporting agency has taken the position that consumer reporting agencies have no obligation to investigate consumer disputes about inaccurate identifying information that they use in generating consumer reports, notwithstanding the fact that the FCRA clearly requires them to do so. See Brief of Amici Curiae, Consumer Fin. Prot. Bureau and Fed. Trade Comm'n in Supp. of Plaintiff-Appellant, Nelson v. Experian Info. Sols., Inc., No. 4:21-cv-00894-CLM (11th Cir. filed Mar. 29, 2024), https://files.consumerfinance.gov/f/documents/cfpb_amicus-brief-nelson-v-experian_2024-03.pdf.
Providing that the term "consumer report" includes personal identifiers collected by consumer reporting agencies to prepare consumer reports would also protect consumers' privacy by limiting access to such information to entities that have one of the purposes recognized by Congress in the FCRA. As discussed elsewhere in this document, recent studies by Duke University have found that data brokers are openly and explicitly advertising for sale sensitive demographic and other information about U.S. individuals, including active-duty members of the military, their families, and veterans, which can be used to identify and compromise or blackmail them in order to obtain sensitive military information, threatening national security. 136 Personal identifiers may include sensitive information, including SSNs and driver's license numbers, as well as addresses and telephone numbers for people who do not wish to be located, such as domestic violence survivors seeking to stay safe from their abusers. Consumer groups have noted that, because consumer reporting agencies sell "credit header" information, this information has become readily available for purchase online. They have expressed concern that this online marketplace for "credit header" information is used for doxing, identity theft, harassment, and physical violence. 137 Investigative reporting by 404 Media indicates that criminals have obtained access to "credit header" information and are selling unfettered access to such data to other criminals. 138
Footnotes:
136 Duke Report on Data Brokers and Military Personnel Data, supra note 2; Duke Report on Data Brokers and Sensitive Data, supra note 29.
137 See, e.g., Comment from stakeholders Just Futures Law, Consumer Action, and six other nonprofits, Re: CFPB's Small Business Advisory Review Panel for Consumer Reporting Rulemaking-Outline of Proposals and Alternatives Under Consideration, at 2 (Nov. 6, 2023).
138 Joseph Cox, The Secret Weapon Hackers Can Use to Dox Nearly Anyone in America for $15, 404 Media (Aug. 22, 2023), https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF ("This is the result of a secret weapon criminals are selling access to online that appears to tap into an especially powerful set of data: the target's credit header. . . . Through a complex web of agreements and purchases, that data trickles down from the credit bureaus to other companies who offer it to debt collectors, insurance companies, and law enforcement. A 404 Media investigation has found that criminals have managed to tap into that data supply chain, in some cases by stealing former law enforcement officer's identities, and are selling unfettered access to their criminal cohorts online."); see also Joseph Cox & Emanuel Maiberg, Fiverr Freelancers Offer to Dox Anyone With Powerful U.S. Data Tool, 404 Media (July 2, 2024), https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/ ("Dozens of sellers on the freelancing platforming Fiverr claim to have access to a powerful data tool used by private investigators, law enforcement, and insurance firms which contains personal data on much of the U.S. population. The sellers are then advertising the ability to dig through that data for prospective buyers, including uncovering peoples' Social Security numbers for as little as $30, according to listings viewed by 404 Media. . . . The advertised tool is TLOxp, maintained by the credit bureau TransUnion, and can also provide a target's unlisted phone numbers, utilities, physical addresses, and more.").
Except for certain information that may be released to government agencies under specific FCRA provisions, the proposal would curtail consumer reporting agencies' ability to furnish without a permissible purpose personal identifiers that had been collected for the purpose of preparing consumer reports. The proposal would thus reduce the ability of consumer reporting agencies to disclose sensitive contact information that ultimately could be accessed and used by stalkers, doxxers, domestic abusers, and other lawbreakers, as discussed above. While the storage of Americans' sensitive data may be necessary to facilitate lending, employment background checks, and other beneficial uses prescribed under the FCRA, it cannot be used to facilitate crimes.
Impacts on Other Current Uses of Personal Identifiers
The Small Business Review Panel recommended that the CFPB consider the impacts on current uses of "credit header" information (including, e.g., for identity verification, fraud prevention and detection, employment background checks, other investigations, and digital advertising) and ways to mitigate any negative effects if communications of "credit header" information are consumer reports. 139 Small entity representatives and others have noted that "credit header" information has numerous beneficial uses. For example, it is often used currently to comply with legal obligations related to identity verification. These obligations include customer identification programs and anti-money laundering compliance obligations pursuant to the USA PATRIOT Act and the Bank Secrecy Act, which are designed to prevent and detect money laundering and the financing of terrorism. 140 According to industry trade associations, "credit header" information is also used for other purposes, such as identifying and locating people in a range of contexts, including missing children, victims of natural disasters, and responsible parties and witnesses in insurance claims investigations and civil and criminal matters. 141 Other uses cited include investigating human trafficking, ensuring that packages are sent to the correct address, preventing online purchase fraud, and ensuring age-restricted content and merchandise is not available to minors.
Footnotes:
139 Small Business Review Panel Report, supra note 40, at 47-48 & section 9.3.3.
140 For example, section 326 of the USA PATRIOT Act requires the U.S. Department of Treasury's Financial Crimes Enforcement Network (FinCEN) to prescribe regulations that require financial institutions to establish programs for account opening that include: (1) verifying the identity of any person seeking to open an account, to the extent reasonable and practicable; (2) maintaining records of the information used to verify the person's identity, including name, address, and other identifying information; and (3) determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency. 31 U.S.C. 5318(l).
141 Other examples cited include identifying and locating owners of lost or stolen property, heirs, pension beneficiaries, organ and tissue donors, suspects, terrorists, fugitives, tax evaders, and parents and ex-spouses with delinquent child or spousal support obligations.
Industry stakeholders have expressed concern that treating "credit header" information as consumer report information may increase costs, result in delays where time is of the essence, and cause consumer frustration, while undermining efforts to combat money laundering, terrorism, and other crimes. However, it appears that many of these predictions overstate the consequences of reading the FCRA's definition of consumer report to include communications of personal identifiers collected by consumer reporting
Footnotes:
142 FCRA section 604(a)(3)(A), 15 U.S.C. 1681b(a)(3)(A).
143 FCRA section 604(a)(1), 15 U.S.C. 1681b(a)(1).
144 See infra discussion of proposed § 1022.11.
Furthermore, proposed § 1022.4(d) would not affect access to identifying information from any sources that are not subject to the FCRA. Proposed § 1022.4(d) would not, for example, affect the status or availability of an ordinary telephone directory or of any other repository of identifying information that is not collected for the purpose of preparing consumer reports. Other data sources could include, for example, public records directly from a government entity, such as property records, voter registrations, and professional license filings. 145
Footnotes:
145 See discussion of government-run databases in the discussion of proposed § 1022.5 below.
Proposed § 1022.4(d) also would not affect the status or availability of identifying information obtained from financial institutions for purposes other than to prepare consumer reports. 146 The GLBA and Regulation P generally require financial institutions to provide consumers with notice and a right to opt out of the sharing of their nonpublic personal information with non-affiliated third parties, but an exception to these requirements provides that financial institutions can share such information "to protect against or prevent actual or potential fraud, unauthorized transactions, claims, or other liability." 147
Footnotes:
146 To the extent any repository included identifying information obtained from financial institutions, it would need to comply with the restrictions and requirements of the GLBA and its implementing regulations, including the limitations on reuse and redisclosure. See, e.g., 15 U.S.C. 6802(c); 12 CFR 1016.11.
147 15 U.S.C. 6802(e)(3)(B); 12 CFR 1016.15(a)(2)(ii). A financial institution may provide identifying information to a non-affiliated third party for purposes of identity verification and fraud prevention pursuant to this exception, and Regulation P's reuse and redisclosure provisions would allow the recipient of such information to redisclose the information to other non-affiliated third parties for the same purposes. 15 U.S.C. 6802(c); 12 CFR 1016.11(a)(1)(iii), (c)(3) (providing that information received pursuant to an exception, such as the fraud exception, may generally only be used or disclosed in the ordinary course of business to carry out the activity covered by the exception under which the recipient received the information). As long as the information was not received under Regulation P's exception to the notice and opt out requirements to allow disclosure of nonpublic personal information for consumer reporting purposes (see 12 CFR 1016.15(a)(5)(i), allowing financial institutions to provide consumers' nonpublic information to consumer reporting agencies in accordance with the FCRA), or otherwise collected, expected to be used, or used for the purpose of serving as a factor in establishing the consumer's eligibility for an FCRA permissible purpose, the communication of such data would not be a consumer report under proposed § 1022.4(d).
Some stakeholders have raised questions about the impact that this proposed intervention might have on government agencies' access to identifying information originating from consumer reporting agencies for law enforcement and other purposes. Government agencies, including local, Tribal, State, and Federal law enforcement, access personal identifiers for numerous beneficial uses. These include for facilitating access to and administering government benefits, identifying and ruling out suspects for criminal investigations, identifying witnesses, and other uses that may serve the public interest.
Law enforcement and other government agencies currently obtain data from a broad range of sources and proposed § 1022.4(d) would not affect many of these sources, such as government-run databases addressed below in the discussion of proposed § 1022.5. To the extent that government agencies currently use information that would be affected by proposed § 1022.4(d), they would continue to be able to access such information in a variety of ways if the proposed rule were finalized. For example, FCRA section 608 provides that a consumer reporting agency may furnish to a governmental agency the name, address, former addresses, places of employment, or former places of employment of any consumer even if no permissible purpose exists. FCRA sections 626 and 627 also provide that, under specified circumstances, consumer reporting agencies must provide certain consumer reporting information to the FBI and a consumer report and all other information in a consumer's file to certain government agencies for counterintelligence or counterterrorism purposes. 148 If government agencies required additional information beyond what is available pursuant to FCRA sections 608, 626, and 627, access could be obtained through a court order, a subpoena, a consumer's written instructions, or any other permissible purpose.
Footnotes:
148 15 U.S.C. 1681u, 1681v.
While personal identifiers would remain available to law enforcement and other government agencies through these various channels, the CFPB recognizes the value of government agencies' access to personal identifiers in efficient, consolidated, and timely ways. The CFPB therefore requests comment on proposed § 1022.4(d) and how best to maintain government agencies' access to personal identifiers in order to ensure that the beneficial uses described above can continue as usual. In particular, the CFPB requests comment on a potential exemption from § 1022.4(d) for communications consisting exclusively of personal identifiers that are solely furnished to, or solely used to furnish to, local, Tribal, State, and Federal governments.
The CFPB is also continuing to consider the potential impacts of proposed § 1022.4(d) on the other areas identified by the Small Business Review Panel. The CFPB requests comment on those impacts and on ways to mitigate any potentially negative impacts.
Preventing Evasions of the FCRA
In addition to proposing § 1022.4(d) pursuant to the CFPB's authority to "prescribe regulations as may be necessary or appropriate to administer and carry out the purposes and objectives" of the FCRA, the CFPB also proposes § 1022.4(d) pursuant to its rulemaking authority under FCRA section 621(e) to prevent evasions of, and to facilitate compliance with, the FCRA. Proposed § 1022.4(d) would facilitate compliance with the FCRA by establishing a clear, bright-line rule on how the FCRA applies to personal identifiers. It also would help to prevent evasions of the FCRA where consumer reporting agencies willfully or otherwise ignore how the personal identifiers they sell are used or expected to be used or
The absence of a bright-line rule regarding personal identifiers could raise more compliance concerns and make the rule more susceptible to evasions than proposed § 1022.4(d)'s categorical approach. As noted above, the FTC's staff guidance in the 40 Years Staff Report indicated that identifying information can be consumer report information if it bears on any of the seven factors identified in the FCRA and is used to determine eligibility. 149 Rather than engaging in the communication-by-communication analysis required under the FTC's approach, many consumer reporting agencies and trade associations have instead taken the position that communication of personal identifiers is never a consumer report. Indeed, although the FTC recognized decades ago that communications of age information drawn from consumer reporting databases fall within the definition of a consumer report, 150 consumer reporting agencies have continued to include age information, such as full or partial dates of birth, in the "credit header" information they sell to entities that have no permissible purpose under the FCRA, incorrectly claiming that such information is not covered by the FCRA. 151 As technology advances, uses of identifying information in eligibility determinations are likely to expand and develop in ways that may not be visible to regulators and consumers, amplifying the concern that consumer reporting agencies may violate the FCRA in the absence of a bright-line rule regarding personal identifiers. The CFPB preliminarily determines that proposed § 1022.4(d)'s categorical approach with respect to personal identifiers is necessary to facilitate compliance with the FCRA and to prevent evasion of the FCRA by consumer reporting agencies that sell personal identifiers without adequately considering whether the information they are selling constitutes a consumer report.
Footnotes:
149 FTC 40 Years Staff Report, supra note 21, at 21.
150 In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (concluding based on the evidence presented that "age information falls within the definition of a consumer report"); see also 65 FR 33645, 33668 n.35 (May 24, 2000) (noting that the FTC's 2000 decision determined that age is consumer report information).
151 See, e.g., Matt Wiley, What Is Header Data?, Equifax (Feb. 22, 2021), https://www.equifax.com/business/blog/-/insight/article/what-is-header-data/; CLEAR Enhancements Overview, Thomson Reuters, https://legal.thomsonreuters.com/content/dam/ewp-m/documents/legal/en/pdf/fact-sheets/clear-enhancements-2021.pdf (announcing inclusion of full Equifax "credit header" information regarding date of birth in CLEAR database) (last visited Oct. 15, 2024); Letter from Ron Wyden, Sen., U.S. Senate, to Rohit Chopra, Director, CFPB (Dec. 8, 2021), https://www.wyden.senate.gov/imo/media/doc/CFPB%20Letter%20120821.pdf (describing sale of "credit header" information from the National Consumer Telecom and Utilities Exchange including date of birth).
The CFPB requests comment on whether, in lieu of adopting the approach of proposed § 1022.4(d), a final rule should provide that a communication by a consumer reporting agency of personal identifiers can be a consumer report if the information meets the two-prong test in proposed § 1022.4(a)'s definition of consumer report. If the CFPB adopted this alternative approach in a final rule, the final rule could provide illustrative examples of communications by consumer reporting agencies of personal identifiers that are consumer reports, such as communications of age or address information. The CFPB requests comment on examples that might be helpful to include if it were to adopt this alternative approach in a final rule.
4(e) De-Identification of Information
Proposed § 1022.4(e) addresses when a consumer reporting agency's communication of de-identified information should be considered a consumer report. Industry participants often assume that information drawn from a consumer reporting database is not a consumer report if the information has been aggregated or otherwise stripped of identifying information. However, information that has been aggregated or otherwise purportedly de-identified can often be used to re-identify individuals and to target individuals to receive or not receive marketing or used in other ways that may violate consumer privacy. The CFPB is considering a range of options to address the risk of re-identification of consumer report information that has been de-identified. 152 The CFPB therefore proposes three alternative versions of § 1022.4(e). The proposed alternatives are all designed to further the FCRA's goal of ensuring the privacy of consumer information, including by preventing targeted marketing using purportedly de-identified consumer reporting information that could be re-identified. Each alternative would have varying effects on the use of de-identified information as discussed below.
Footnotes:
152 In the Small Business Review Panel Outline, the CFPB indicated that it was considering proposals to clarify whether and when "aggregated or anonymized" consumer report information constitutes or does not constitute a consumer report. Small Business Review Panel Outline, supra note 39, at 11. The CFPB is using the terms "de-identified information" and "de-identification" in this proposal because it believes these terms capture information that has been stripped of identifiers, through aggregation or other means, and therefore can encompass information that has been aggregated or anonymized or both. The term "de-identified" is similar to the term "anonymized" that was used in the Outline but more aptly conveys that there is a possibility that data may be re-identified.
FCRA section 603(d)(1) defines consumer report, in part, as a "communication of . . . information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living." 153 FCRA section 603(c) defines a consumer as "an individual." 154 Interpreting these terms, the FTC 40 Years Staff Report states that "information may constitute a consumer report even if it does not identify the consumer by name if it could 'otherwise reasonably be linked to the consumer.'" 155 Extrapolating from that statement, many stakeholders today believe that a communication of information by a consumer reporting agency is not a consumer report if the information is not linked or reasonably linkable to a specific individual. Many stakeholders also often seem to assume that information is not reasonably linkable when in fact it is.
Footnotes:
153 15 U.S.C. 1681a(d)(1).
154 15 U.S.C. 1681a(c).
155 FTC 40 Years Staff Report, supra note 21, at 21.
In light of advances in technology and current industry practices, the CFPB is concerned that the reasonably linkable standard articulated in the FTC 40 Years Staff Report alone may not be sufficiently protective of consumer reporting information that, while nominally de-identified, may in fact be re-identifiable. The CFPB is aware that, in many cases, consumers may be re-identified with relative ease from purportedly de-identified datasets. 156 Indeed, there have been numerous reports over the years of supposedly de-identified data being re-identified and revealing potentially sensitive personal information such as web browsing
Footnotes:
156 See Kristen Cohen, Fed. Trade Comm'n, Location, Health, and Other Sensitive Information: FTC Committed to Fully Enforcing the Law Against Illegal Use and Sharing of Highly Sensitive Data (July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal; The White House, Exec. Off. of the President, Big Data: Seizing Opportunities, Preserving Values, at 8 (May 2014), https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf; Fed. Trade Comm'n, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers, at iv, 18-22 (Mar. 2012) (hereinafter 2012 FTC Privacy Report), https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers; see also Fed. Trade Comm'n, FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising: Tracking, Targeting, and Technology, at 20-21 (Feb. 2009), https://www.ftc.gov/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising.
157 See Press Release, Fed. Trade Comm'n, FTC Order Will Ban Avast from Selling Browsing Data for Advertising Purposes, Require It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data After Claiming Its Products Would Block Online Tracking (Feb. 22, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over (browsing history combined with persistent identifiers could be re-identified and connected to individual consumers).
158 Chris Culnane et al., Health Data in an Open World: A Report on Re-Identifying Patients in the MBS/PBS Dataset and the Implications for Future Releases of Australian Government Data (Dec. 18, 2017), https://arxiv.org/pdf/1712.05627.
159 Marisa Iati & Michelle Boorstein, Case of High-Ranking Cleric Allegedly Tracked on Grindr App Poses Rorschach Test for Catholics, Wash. Post (July 21, 2021), https://www.washingtonpost.com/religion/2021/07/21/catholic-official-grindr-reaction/.
160 Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy & Identity Prot., Fed. Trade Comm'n, to Reed Freeman, Counsel for Netflix, Morrison & Foerster LLP, at 2 (Mar. 12, 2010), https://www.ftc.gov/legal-library/browse/cases-proceedings/closing-letters/netflix-inc.
161 Gina Kolata, Your Data Were 'Anonymized'? These Scientists Can Still Identify You, N.Y. Times (July 23, 2019), https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html; see generally Paige Collings, Debunking the Myth of 'Anonymous' Data, Elec. Frontier Found. (Nov. 10, 2023), https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymous-data.
162 See 2012 FTC Privacy Report, supra note 156, at 20.
The CFPB is aware that consumer reporting agencies offer and sell a variety of products that include information that has been drawn from consumer reporting databases and that has been aggregated or otherwise purportedly de-identified. 163 Some of these products include information that has been aggregated at a household or neighborhood level (e.g., a ZIP Code or ZIP-plus-four Code segmentation); others may include information aggregated according to specific behavioral characteristics (e.g., consumers who shop at high-end retailers). Given the potential ease with which household and other data can be re-identified, the sale of these types of data raises concerns that sensitive consumer reporting information may be disclosed in circumstances where no FCRA permissible purpose exists, such as for marketing. In light of these concerns, the CFPB is proposing three alternative versions of § 1022.4(e) and, as noted below, requests comment on how each alternative, or combinations thereof, would affect current uses of de-identified information drawn from consumer reporting databases.
Footnotes:
163 See, e.g., Robinson + Yu, Knowing the Score: New Data, Underwriting, and Marketing in the Consumer Credit Marketplace, A Guide for Financial Inclusion Stakeholders, at 2, 17-19 & tbl. 10 (Oct. 2014), https://www.upturn.org/static/files/Knowing_the_Score_Oct_2014_v1_1.pdf (providing examples of aggregated marketing scores and noting that such scores "have become a primary way for credit bureaus to sell, and for creditors and other actors to use, consumers' credit histories to market to them with greater precision"); FTC Data Broker Report, supra note 25, at 19-21 (describing the creation of lists of consumers who share similar characteristics, including lists that segment consumers based on their financial status, e.g., underbanked, credit worthiness, and upscale retail card holder); In re Trans Union, 129 FTC 417, 493-94 (2000), https://www.ftc.gov/system/files/documents/commission_decision_volumes/volume-129/vol129complete_0.pdf (discussing a ZIP-plus-four aggregation, i.e., an average of the credit data of a geographical area covering 5 to 15 households divided by the number of people in the area who have credit reports).
Proposed Alternative One
The first proposed version of § 1022.4(e) is a bright-line approach under which de-identification of information would not be relevant to a determination of whether the definition of consumer report is met. Under this alternative, a consumer reporting agency's communication of de-identified information that would constitute a consumer report if the information were not de-identified would be a consumer report, regardless of the measures taken to de-identify the information. While different methods of de-identification, including different methods of aggregation, may present varying levels of re-identification risk, this alternative would set a bright-line rule that de-identification of information in a communication does not affect whether the communication is a consumer report. Of the three proposed alternatives, this would be the most protective of consumer privacy and would place the greatest restriction on information sharing. This alternative could address concerns about consumer reporting information being used for differentiated marketing and pricing, such as sending or not sending advertisements to certain consumers based on aggregated indicators of the financial well-being of their neighborhood. This approach would also provide a bright line for supervisory and enforcement purposes that would make it easier to identify and prove violations. However, it would also constrict or eliminate the availability of de-identified information from consumer reporting databases for policy analysis and development, research, advocacy work, model and risk score development, and market monitoring. For example, the National Mortgage Database (NMDB), which the CFPB and the Federal Housing Finance Agency (FHFA) jointly established, uses de-identified information from a nationwide consumer reporting agency to facilitate Federal agencies' monitoring of the U.S. mortgage markets.
Such information would no longer be available to assist with such monitoring if the first alternative version of proposed § 1022.4(e) were finalized. Under this alternative, a consumer reporting agency could generally only disclose information drawn from a consumer reporting database for a purpose that is permissible under the FCRA, regardless of the extent to which the information is de-identified.
Proposed Alternative Two
The second proposed version of § 1022.4(e) would provide that de-identification of information is not relevant to a determination of whether the definition of consumer report in § 1022.4(a) is met if the information is still linked or linkable to a consumer. Under this alternative, a consumer reporting agency's communication of de-identified information that would constitute a consumer report if the information were not de-identified is a consumer report if the information is still linked or linkable to a consumer. The Office of Management and Budget (OMB), the National Institute of Standards and Technology, and various other Federal agencies have used similar "linked or linkable" standards in defining "personally identifiable
Footnotes:
164 E.g., 6 CFR 37.3 (defining personally identifiable information in Department of Homeland Security's regulation on Real ID Driver's Licenses and Identification Cards); 45 CFR 75.2 (defining personally identifiable information for purposes of uniform administrative requirements, cost principles, and audit requirements for Department of Health and Human Services awards); M-17-12, Memorandum for Heads of Exec. Dep'ts & Agencies from Shaun Donovan, Off. of Mgmt. & Budget, at 8 (Jan. 3, 2017), https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf (defining personally identifiable information for purposes of Federal agency data breaches); U.S. Gen. Servs. Admin., Order CIO 2180.2, GSA Rules of Behavior for Handling Personally Identifiable Information (PII) (Oct. 8, 2019), https://www.gsa.gov/directives-library/gsa-rules-of-behavior-for-handling-personally-identifiable-information-pii-2; Erika McCallister et al., Nat'l Inst. of Standards and Tech., U.S. Dep't of Com., Special Publ'n 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) at ES-1 (Apr. 2010), https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=904990; U.S. Dep't of Def., DoD 5400.11-R, Dep't of Def. Privacy Program, at 9 (May 14, 2007), https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/540011r.pdf.
165 17 CFR 227.305.
Proposed Alternative Three
The third proposed version of § 1022.4(e) would provide that de-identification of information is not relevant to a determination of whether the definition of consumer report is met if at least one of the conditions set forth in proposed § 1022.4(e)(1)(i) through (iii) is met. The CFPB designed this proposed alternative to allow uses of de-identified data that present less risk for consumers, such as research conducted by academic institutions and government agencies, to continue, while nonetheless ensuring the FCRA's protections apply where appropriate (for example, to sales of de-identified consumer report information when such information is re-identified). Under this alternative, a consumer reporting agency's communication of de-identified information that would constitute a consumer report if the information were not de-identified is a consumer report if at least one of the conditions set forth in proposed § 1022.4(e)(1)(i) through (iii) is met. The CFPB could finalize any of the conditions alone or in combination. The conditions in a final rule thus could include one or more of the following: (i) the information is still linked or reasonably linkable to a consumer; (ii) the information is used to inform a business decision about a particular consumer, such as a decision whether to target marketing to that consumer; or (iii) a person that directly or indirectly receives the communication, or any information from the communication, identifies the consumer to whom information from the communication pertains.
Using the "linked or reasonably linkable" standard set forth in proposed § 1022.4(e)(1)(i) as a condition in the third proposed version would be the most consistent with how the FTC has approached the issue of de-identified information under the FCRA. 166 A reasonableness test also is embedded in various other Federal provisions that address personally identifiable information or other types of information in identifiable form, such as the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA). 167 Additionally, the comprehensive privacy laws that various States have enacted incorporate a "linked or reasonably linkable" approach in defining "personal data" or similar concepts. 168 While almost any piece of data theoretically could be linked to a consumer, a reasonableness standard would consider whether such a link is practical or likely in light of current technology and context, and could evolve over time as technology advances. Including "reasonably" in the condition might help to ensure that the rule does not unnecessarily limit the use of data that does not pose a meaningful risk to consumers, such as research conducted by government and academic institutions. On the other hand, it might make § 1022.4(e) more difficult to enforce than the first and second proposed alternatives, particularly if the examples and other conditions in the third proposed alternative are not finalized.
Footnotes:
166 FTC 40 Years Staff Report, supra note 21, at 21.
167 See 34 CFR 99.3 (defining personally identifiable information for purposes of FERPA to include "information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty"); 45 CFR 160.103 (defining individually identifiable health information for purposes of the HIPAA as "information that is a subset of health information, including demographic information collected from an individual . . . [t]hat identifies the individual; or [w]ith respect to which there is a reasonable basis to believe the information can be used to identify the individual").
168 See, e.g., Cal. Civ. Code section 1798.140(v)(1) (defining personal information as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household"); Colo. Rev. Stat. section 6-1-1303(17) (defining personal data as "information that is linked or reasonably linkable to an identified or identifiable individual" and providing that the term "[d]oes not include de-identified data or publicly available information"); Va. Code section 59.1-575 (similar).
The third proposed version includes in § 1022.4(e)(2) three examples of information that would be considered linked or reasonably linkable to a consumer. The three examples are intended to clarify the "linked or reasonably linkable" condition in proposed § 1022.4(e)(1)(i) and to ensure the condition is read in a way that is protective of consumer privacy. The examples could help to clarify when information that has nominally been aggregated or otherwise stripped of identifiers is reasonably linkable to a consumer. The first two examples, in proposed § 1022.4(e)(2)(i) and (ii), are information that identifies a specific household or that identifies a specific ZIP+4 Code in which a consumer resides. The risk of re-identification of information is extremely high when data is provided at the household level, as households may contain a small number of occupants, and household data may be merged with other available sources of information to tease out information about specific occupants. Similarly, the ZIP+4 Code denotes a highly specific delivery segment for U.S. mail and can identify a small population, such as the people who live on one side of a block or in a specific building or house or who use a specific Post Office box. 169 Data provided about consumers in a specific ZIP+4 Code thus raise similar concerns about potential re-identification as data identifying a specific household.
Footnotes:
169 U.S. Postal Serv., Postal Facts: 41,704 ZIP Codes, https://facts.usps.com/42000-zip-codes/; U.S. Postal Serv., The United States Postal Service: An American History, at 68 (2022), https://about.usps.com/publications/pub100.pdf?_gl=1*2lqbsa*_gcl_au*Njg4MjQ2MzU4LjE3MTU4OTA3MDM.*_ga*MTkzNTkxMDUwNy4xNzE1ODkwNzAz*_ga_3NXP3C8S9V*MTcxNTg5MDcwMy4xLjAuMTcxNTg5MDcwMy4wLjAuMA.
The third example, in proposed § 1022.4(e)(2)(iii), relates to persistent identifiers, such as a cookie identifier, an internet Protocol (IP) address, a
Footnotes:
170 Proposed § 1022.4(e)(2)(iii) is similar to part of the definition of personal information in the FTC's regulation implementing the Children's Online Privacy Protection Act. See 16 CFR 312.2 (defining personal information to include "[a] persistent identifier that can be used to recognize a user over time and across different websites or online services" and noting that "[s]uch persistent identifier includes, but is not limited to, a customer number held in a cookie, an internet Protocol (IP) address, a processor or device serial number, or unique device identifier").
171 See, e.g., Press Release, Fed. Trade Comm'n, Developer of Apps Popular with Children Agrees to Settle FTC Allegations It Illegally Collected Kids' Data without Parental Consent (June 4, 2020), https://www.ftc.gov/news-events/news/press-releases/2020/06/developer-apps-popular-children-agrees-settle-ftc-allegations-it-illegally-collected-kids-data (collection of persistent identifiers to track users to deliver targeted advertising in violation of Children's Online Privacy Protection Act); Press Release, Fed. Trade Comm'n, Google and YouTube Will Pay Record $170 Million for Alleged Violations of Children's Privacy Law (Sept. 4, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations-childrens-privacy-law (same); Press Release, Fed. Trade Comm'n, Online Advertiser Settles FTC Charges ScanScout Deceptively Used Flash Cookies to Track Consumers Online (Nov. 8, 2011), https://www.ftc.gov/news-events/news/press-releases/2011/11/online-advertiser-settles-ftc-charges-scanscout-deceptively-used-flash-cookies-track-consumers (misrepresentations of consumers' ability to control online tracking through persistent identifiers); Press Release, Fed. Trade Comm'n, FTC Puts an End to Tactics of Online Advertising Company That Deceived Consumers Who Wanted to "Opt Out" from Targeted Ads (Mar. 14, 2011), https://www.ftc.gov/news-events/news/press-releases/2011/03/ftc-puts-end-tactics-online-advertising-company-deceived-consumers-who-wanted-opt-out-targeted-ads (same).
The second condition in the third proposed alternative, as set forth in proposed § 1022.4(e)(1)(ii), is if the information is used to inform a business decision about a particular consumer. Including this condition would mean, for example, that a consumer reporting agency's communication of income information from a consumer reporting database that is aggregated at the ZIP Code level would be a consumer report if the aggregated information was used to target marketing to a particular consumer who lives in that ZIP Code (such as by sending a mailing to an address). The proposal also would help to prevent the use of consumer report information to facilitate targeted advertising, such as in generating "look-alike" audiences, where an entity might use information (such as consumer characteristics, behaviors, and credit history) from an existing audience to determine the types of offers to present to a different audience bearing the same or similar identified characteristics. The CFPB preliminarily determines that such use of consumer reporting information to facilitate targeted marketing is counter to the FCRA's purpose to limit the ways in which such sensitive data can be used. The CFPB is concerned that such marketing techniques might be used to unfairly exclude certain types of consumers from particular offers or to single them out for less favorable offers or terms. The business decision condition would not affect the use of de-identified consumer reporting information to develop scoring or other models, since model development does not involve a business decision about a particular consumer for purposes of proposed § 1022.4(e)(1)(ii). As noted below, the CFPB requests comment on whether the business decision condition would prevent the use of de-identified consumer reporting information for any potentially beneficial uses and, if so, whether the CFPB should take any steps to address that.
The final condition included in the third proposed version, as set forth in proposed § 1022.4(e)(1)(iii), is if a person that directly or indirectly receives the communication, or any information from it, identifies the consumer to whom information pertains. This condition would address the concern that subsequent users may be able to re-identify data that has been nominally de-identified. Finalizing this condition would give consumer reporting agencies a strong incentive to ensure de-identified consumer report information is not re-identified through a number of tactics, including contractual limitations, stronger due diligence on the recipients of de-identified consumer report information, or technological means to prevent re-identification because, if either the initial recipient or a downstream recipient of such information identifies the consumer to whom the information pertains, the communication would be deemed a consumer report subject to all of the FCRA's protections.
The Small Business Review Panel recommended that, in evaluating whether and when the communication of aggregated consumer report information constitutes a consumer report, the CFPB should continue to consider both the consumer harms it is seeking to prevent and whether the CFPB's definition might preclude the continued use of aggregated consumer reporting data for purposes like internal account reviews by financial institutions and economic research by government agencies and others. Some small entity representatives noted that such data currently are used for many reasons other than marketing, such as by financial institutions to refine their credit and pricing policies to avoid losses and offer consumers the most competitive pricing possible. As discussed above, the CFPB has proposed a range of alternatives. The CFPB recognizes that the proposed alternatives that are likely to more fully address consumer harms related to privacy, including targeted marketing, are also likely to have impacts on other uses of aggregated or otherwise de-identified information. In contrast, the CFPB preliminarily determines that proposed alternative three would not impact the uses of aggregated consumer reporting data that the Small Business Review Panel raised but requests comment on whether that is the case. As noted below, the CFPB also requests comment on the extent to which each alternative would protect consumer privacy and preclude use of aggregated or otherwise de-identified information for beneficial purposes.
The CFPB proposes the alternative versions of § 1022.4(e) pursuant to its authority under FCRA section 621(e) to "prescribe regulations as may be necessary or appropriate to administer and carry out the purposes and objectives" of the FCRA because information that purportedly has been de-identified through aggregation or other means nevertheless can bear on a consumer where it is derived from identified information and can be re-identifiable. The CFPB also proposes § 1022.4(e) pursuant to its authority under FCRA section 621(e) to prevent evasions of, and to facilitate compliance with, the FCRA. Permitting the sale of purportedly de-identified consumer reporting information to entities that lack a permissible purpose may allow market participants to evade the FCRA's permissible purpose restrictions where the information can be re-identified. Because it is not possible to know ex ante with certainty whether a particular item of de-identified information will be re-identified, it may be necessary to include within the consumer report definition some communications of de-identified consumer reporting information that never will be re-identified in practice in order to ensure that the definition covers all such communications that will be re-identified.
The CFPB requests comment on the likelihood that de-identified information drawn from consumer reporting databases will be re-identified and on the extent to which such information is currently used for marketing purposes. The CFPB also requests comment on the extent to which such information is used for purposes that may be beneficial for consumers, such as research or policy analysis and development, and whether other data sources exist that could be used for any or all of those purposes if a final rule were to constrict the availability of de-identified information drawn from consumer reporting databases.
The CFPB also requests comment on the three alternative versions of proposed § 1022.4(e), and on which of the three, if any (or combinations thereof), it should adopt in a final rule and, if it adopts the third alternative version, on what condition(s) it should adopt. If the CFPB adopts the third alternative version with the linked or reasonably linkable condition, the CFPB also requests comment on whether it should finalize the examples of information that is reasonably linkable in proposed § 1022.4(e)(2) and on whether, as part of the "reasonably linkable" condition, it should consider any other additional, more specific, or alternative requirements or examples, such as ones that affirm the ability of government and academic institutions to conduct research using de-identified information. 172 The CFPB also requests comment on whether there are any other conditions that it should consider as part of the proposed third alternative for when de-identified information is or is not a consumer report. The CFPB also requests comment on the extent to which each of the three proposed alternatives would (1) protect consumer privacy and curtail targeted marketing using information drawn from consumer reporting databases and (2) preclude use of aggregated or otherwise de-identified information for any purposes that are beneficial. In addition, the CFPB requests comment on whether there are other approaches, in addition to the three alternative versions of proposed § 1022.4(e), that it should consider for addressing when a consumer reporting agency's communication of de-identified information is a consumer report.
Footnotes:
172 The CFPB seeks comment on whether it should consider adding any portions of the three-prong test for a reasonably linkable standard that the FTC articulated in a 2012 privacy report or any other additional or more specific requirements to the reasonably linkable standard. See 2012 FTC Privacy Report, supra note 156, at 18-21. Although the FTC did not develop its three-prong standard specifically to apply in the FCRA context, the CFPB seeks comment on whether some or all of the test's elements could be relevant to the reasonably linkable standard in this rulemaking. If applied in the FCRA context, such a test could, for example, provide that the following three conditions would need to be met for data not to be reasonably linkable: (1) the consumer reporting agency must take reasonable measures to ensure that the data are de-identified; (2) the initial recipient must publicly commit not to try to re-identify the data; and (3) any downstream recipients must be contractually prohibited from trying to re-identify the data. Similar three-prong tests appear in some State laws defining the term "de-identified" and in proposed Federal legislation on data privacy. See, e.g., Cal. Civ. Code section 1798.140(m); Utah Code Ann. section 13-61-101(14); Press Release, Energy & Com. Chair Rodgers, Committee Chairs Rodgers, Cantwell Unveil Historic Draft Comprehensive Data Privacy Legislation (Apr. 7, 2024), https://energycommerce.house.gov/posts/committee-chairs-rodgers-cantwell-unveil-historic-draft-comprehensive-data-privacy-legislation.
Section 1022.5 Definition; Consumer Reporting Agency
In general, a consumer reporting agency under FCRA section 603(f) is a person that regularly engages in assembling or evaluating consumer credit or other information about consumers for the purpose of furnishing consumer reports to third parties. To be a consumer reporting agency, the person must undertake these activities for monetary fees, dues, or on a cooperative nonprofit basis and must use a means of interstate commerce to prepare or furnish the reports. The CFPB proposes § 1022.5 to implement and interpret this definition. Proposed § 1022.5(a) restates the FCRA definition with minor wording and organizational changes for clarity. Proposed § 1022.5(b) interprets the phrase "assembling or evaluating." The CFPB also proposes to revise several provisions in existing Regulation V that currently cross-reference the definition of consumer reporting agency in FCRA section 603(f) to instead cross-reference the definition in proposed § 1022.5. 173
Footnotes:
173 These provisions are 12 CFR 1022.41(c)(2); 1022.71(g); 1022.130(d); and 1022.142(a), (b)(3). If this proposal and the Medical Debt Proposed Rule, supra note 42, are both finalized, the CFPB intends to revise in the same way cross-references to the terms "consumer report" and "consumer reporting agency" in § 1022.38, as proposed to be added to Regulation V by the Medical Debt Proposed Rule.
As discussed in the analysis of proposed § 1022.4(b) and (c), if certain other provisions of the CFPB's proposed rule are finalized, many additional data broker products will qualify as consumer reports, and the data brokers who sell those products will qualify as consumer reporting agencies (assuming they satisfy the other elements of that definition). For example, if proposed § 1022.4(c)(2) is finalized, all data brokers that sell information about a consumer's credit history, credit score, debt payments, or income or financial tier generally will qualify as consumer reporting agencies selling consumer reports. 174
Footnotes:
174 This would include, for example, enrollment management companies that sell or use financial data, including information about income and creditworthiness, to help educational institutions set tuition prices and scholarship award amounts. See, e.g., Lilah Burke, Why colleges are using algorithms to determine financial aid levels, Higher Ed Dive (Sept. 5, 2023), https://www.highereddive.com/news/colleges-enrollment-algorithms-aid-students/692601/. An enrollment management company could also qualify as a consumer reporting agency if a recipient of the information uses it for an FCRA purpose (such as credit underwriting), see proposed § 1022.4(b), or if the company expects or should expect that a recipient of the information will use it for such a purpose, see proposed § 1022.4(c)(1).
However, the proposed rule would not turn into consumer reporting agencies a range of non-data broker entities that have long been outside the FCRA's scope. For example, newspapers and similar entities that publish news or information that concerns local, national, or international events or other matters of public interest would not be consumer reporting agencies based on those activities (even if their reporting includes information about a consumer's credit history, credit score, debt payments, or income or financial tier) because they do not assemble or evaluate information about consumers for the purpose of furnishing consumer reports to third parties. 175 Rather, these entities assemble or evaluate information on consumers for the purpose of reporting news to the public. Their incidental reporting of an information type listed in proposed § 1022.4(c)(2) does not change that their purpose is to report news to the public. The same analysis would apply when such information appears in a book, blog post, motion picture, or podcast episode: the presence of that information would not turn the publisher of the book, post, movie, or podcast into a consumer reporting agency because the publisher is not acting for the purpose of furnishing consumer reports. 176 This interpretation
Footnotes:
175 See Barge v. Apple Computer, Inc., 164 F.3d 617 (2d Cir. 1998) (unpublished table decision) (holding that a newspaper article was not a consumer report provided by a consumer reporting agency).
176 Additionally, a person that does not engage in the practice of assembling or evaluating consumer information "for monetary fees, dues, or on a cooperative nonprofit basis" is not a consumer reporting agency under FCRA section 603(f) and proposed § 1022.5(a). Thus, even if a person produces what would otherwise appear to be a consumer report, the person is not a consumer reporting agency if it does not charge for the report. This requirement provides an additional reason why news organizations, website operators, and other sources that make information available to the public for free are not consumer reporting agencies under the proposed interpretation.
Likewise, this proposal is not intended to alter the longstanding interpretation of the FCRA that a government agency or government-run database that provides information only to other branches of the government is not a consumer reporting agency (regardless of the purposes for which it provides information or the types of information it provides) because no information is provided to third parties. For example, as FTC staff have stated, although the Office of Personnel Management collects data on current and potential Federal employees and transmits it to other government agencies, the Office of Personnel Management "is not a CRA . . . because the recipient is another governmental branch and not a 'third party.'" 177
Footnotes:
177 FTC 40 Years Staff Report, supra note 21, at 31. It is also the case that many of these databases do not charge a fee to users. See supra note 176.
Nor is this proposal intended to alter the longstanding interpretation that the FCRA's consumer reporting agency requirements generally do not apply to government agencies or government-run databases that provide information to the public, such as the Federal Public Access to Court Electronic Records (PACER) website. These entities are required by statute to carry out certain information-sharing purposes, and treating them as consumer reporting agencies would run counter to those statutes and the FCRA itself. 178 Further, the FCRA imposes obligations on consumer reporting agencies (such as FCRA section 609(a)'s requirement to disclose information in consumers' files at their request and section 605(a)'s requirement to exclude most information more than seven years old) that may be incompatible with the operations of these entities. 179 Treating these entities as consumer reporting agencies also could lead to absurd results, such as potentially turning the entities or individuals who provide information to them into furnishers under the FCRA. 180
Footnotes:
178 Ollestad v. Kelley, 573 F.2d 1109, 1111 (9th Cir. 1978); see also FTC 40 Years Staff Report, supra note 21, at 31; FTC Informal Staff Opinion Letter to Copple (June 10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-copple-06-10-98; FTC Informal Staff Opinion Letter to Pickett (July 10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-pickett-07-10-98; FTC Informal Staff Opinion Letter to Goeke (June 9, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-goeke-06-09-98.
179 15 U.S.C. 1681g(a) and 1681c(a).
180 See FTC 40 Years Staff Report, supra note 21, at 8-10.
5(b) Assembling or Evaluating
In General
Proposed § 1022.5(b) interprets the phrase "assembling or evaluating" in the definition of consumer reporting agency. Proposed § 1022.5(b)(1) would clarify that a person assembles or evaluates consumer credit information or other information about consumers if the person: (1) collects, brings together, gathers, or retains such information; (2) appraises, assesses, makes a judgment regarding, determines or fixes the value of, verifies, or validates such information; or (3) contributes to or alters the content of such information. Proposed § 1022.5(b)(2) provides examples of conduct that would constitute assembling or evaluating under the interpretation in proposed § 1022.5(b)(1). The CFPB proposes § 1022.5(b) as an interpretation of the FCRA's definition of consumer reporting agency and to facilitate compliance with the statute.
The FCRA does not define the terms "assembling" and "evaluating." But the FCRA is a remedial statute 181 with a focus on ensuring the accuracy of information in consumer reports. FCRA section 602(b) provides that the purpose of the FCRA is to require consumer reporting agencies to adopt reasonable procedures to meet the needs of commerce for information about consumers in a manner that is fair and equitable to the consumer with regard to accuracy and other factors. 182 In light of this purpose, the CFPB preliminarily determines that Congress intended for the terms "assembling" and "evaluating" to be interpreted broadly 183 to protect consumers. Whenever an entity assembles or evaluates consumer information, the entity may introduce inaccuracies into consumer reports that can harm consumers. Consumer reports play an important role in key aspects of consumers' lives such as credit, housing, and employment. Accuracy in consumer reports therefore is of vital importance to consumers and the consumer reporting system. Consistent with these FCRA purposes, the CFPB proposes § 1022.5(b) to clarify that assembling or evaluating encompasses the activities described in the proposed regulatory text. Proposed § 1022.5(b) should also facilitate compliance by interpreting key terms that are undefined in the FCRA.
Footnotes:
181 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722 (3d Cir. 2010) (describing the FCRA as "undeniably a remedial statute that must be read in a liberal manner in order to effectuate the congressional intent underlying it"); Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that the FCRA's "consumer oriented objectives support a liberal construction" of the statute).
182 See, e.g., 115 Cong. Rec. 2410, 2411 (1969) (The FCRA's principal Congressional sponsor described "inaccurate or misleading information" as "perhaps the most serious problem in the credit reporting industry."); 15 U.S.C. 1681(a)(1) ("The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.").
183 Interpreting assembling or evaluating broadly is consistent with FTC staff opinion letters and legislative history. See, e.g., FTC Informal Staff Opinion Letter to LeBlanc (June 9, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-leblanc-06-09-98 ("[I]t is clear from a review of the legislative history that Congress intended for the FCRA to cover a very broad range of 'assembling' or 'evaluating' activities.").
The activities identified in proposed § 1022.5(b) are consistent with dictionary definitions of assemble or evaluate, which plainly encompass a wide range of activity. Dictionary definitions of assemble include "to bring together" 184 and "to gather, collect, convene." 185 Dictionary definitions of evaluate include "to determine or fix the value of" 186 and "[t]o determine the importance, effectiveness, or worth of; assess." 187
Footnotes:
184 See Assemble, Merriam-Webster.com Dictionary Online, https://www.merriam-webster.com/dictionary/assemble#:~:text=1,fit%20together%20the%20parts%20of (last visited Oct. 15, 2024).
185 See Assemble, Oxford English Dictionary Online, https://www.oed.com/dictionary/assemble_v1 (last visited Oct. 15, 2024).
186 See Evaluate, Merriam-Webster.com Dictionary Online, https://www.merriam-webster.com/dictionary/evaluate (last visited Oct. 15, 2024).
187 See Evaluate, Am. Heritage Dictionary of the English Language Online (2022), https://www.ahdictionary.com/word/search.html?q=evaluate (last visited Oct. 15, 2024).
The activities identified in proposed § 1022.5(b)(1) are also consistent with longstanding FTC staff guidance regarding the meaning of the terms "assemble" and "evaluate." FTC staff have opined that assembling as used in the definition of consumer reporting agency means, for example, "gathering, collecting, or bringing together consumer information such as data obtained from [consumer reporting agencies] or other third parties, or items provided by the consumer in an application." 188 And FTC staff have opined that evaluating encompasses a broad range of activities, including "appraising, assessing, determining or
Footnotes:
188 FTC 40 Years Staff Report, supra note 21, at 29.
189 Id.
190 FTC Informal Staff Opinion Letter to Islinger (June 9, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-islinger-06-09-98.
Proposed § 1022.5(b)(1) is also consistent with how courts have interpreted assembling and evaluating. For example, one court opined that assembling requires only "that the assembler gather or group the information"; it does not require the entity assembling the information to change the information's contents. 191 Thus, for example, when an entity gathered arrest data from sheriff's offices and "grouped [the arrest data] together into a database," the court deemed that "action sufficient to satisfy the 'assemble' requirement of FCRA." 192 Another court found that the terms "assembling" and "evaluating" applied to the activities of a background screening agency that combined a criminal history report that the agency had not created with the results of a personal interview. 193 Similarly, a court found that an entity assembled consumer information when it combined a list of open judgments and other public records information pertaining to consumers. 194
Footnotes:
191 Lewis v. Ohio Pro. Elec. Network LLC, 190 F. Supp. 2d 1049, 1057-58 (S.D. Ohio 2002) (noting that "one who assembles information does not necessarily change its contents").
192 Id.
193 Poore v. Sterling Testing Sys., Inc., 410 F. Supp. 2d 557, 569 (E.D. Ky. 2006); see also Adams v. Nat'l Eng'g Serv. Corp., 620 F. Supp. 2d 319, 324-28 (D. Conn. 2009).
194 McGrath v. Credit Lenders Serv. Agency, Inc., No. CV 20-2042, 2022 WL 580566, at *6 & n.9 (E.D. Pa. Feb. 25, 2022).
Proposed Examples of Assembling or Evaluating
Proposed § 1022.5(b)(2) provides five non-exhaustive examples of when a person assembles or evaluates consumer credit information or other information about consumers for purposes of the proposed interpretation of assembling or evaluating in § 1022.5(b)(1). These examples only illustrate when a person assembles or evaluates for purposes of the definition of consumer reporting agency and do not address the other elements of that definition. In order to be a consumer reporting agency, a person would need to meet every element of that definition.
The first example, in proposed § 1022.5(b)(2)(i), illustrates that a person assembles or evaluates when the person collects information from a data source and then groups or categorizes it, regardless of whether the person alters or changes the information. When a person groups or categorizes information, the person necessarily assesses or makes a judgment regarding the information to determine in which group or category the information belongs. The example thus provides that a person assembles or evaluates when the person collects information from a consumer's bank account and assesses it, such as by grouping or categorizing it based on transaction type. The CFPB understands that data aggregators often engage in such activities. The CFPB understands, for instance, that, when a data aggregator collects information from a consumer's bank account, the data aggregator may apply its own taxonomy to group or categorize the collected information. To take just one factual scenario, a data aggregator that collects bank account information pursuant to consumer authorization in connection with a loan application may group or categorize deposits or withdrawals by type of income or expense, such as "rent" and "loan repayment," prior to sharing it with the lender. In doing so, the data aggregator assembles or evaluates the information.
The second example, in proposed § 1022.5(b)(2)(ii), illustrates that a person assembles or evaluates when the person alters or modifies the content of consumer information, including for formatting purposes. For example, when a person collects consumer information from multiple sources, the formats in which the information is received may not be uniform, e.g., the person may receive date fields with four digits for the year from one data source and receive date fields with two digits for the year from a different data source. The proposed example provides that a person assembles or evaluates when the person modifies date fields in this circumstance to ensure consistency.
The third example, in proposed § 1022.5(b)(2)(iii), illustrates that a person assembles or evaluates consumer information when the person determines the value of such information, such as by arranging or ordering it based on perceived relevance to the user. For example, when entities bring together online search results related to consumer information, they may need to determine the value of the information to make decisions about how the results will be ordered. Entities can use a variety of methods, such as algorithms or an individual's judgment, to make such decisions. Regardless of the method, under proposed § 1022.5(b)(1), a person that makes a judgment about the order in which to display search results has assembled or evaluated the information. The proposed example thus provides that a person assembles or evaluates when the person hosts a searchable online database regarding consumers' criminal histories and orders search results in order of perceived relevance to the user.
The fourth example, in proposed § 1022.5(b)(2)(iv), illustrates that a person assembles or evaluates consumer information when the person retains information about consumers. Given that retention of consumer information typically involves gathering information, it is consistent with the plain meaning of the statutory term "assemble." Similarly, retention of information typically involves a periodic evaluation of which data to retain, in what manner, and for how long. The proposed example thus provides that a person assembles or evaluates when it retains information about a consumer, such as by retaining data files containing consumers' payment histories in a database or electronic file system.
The fifth example, in proposed § 1022.5(b)(2)(v), illustrates that a person assembles or evaluates consumer information when the person verifies or validates information received about a consumer. Verification and validation of information involve assessing information for errors to ensure accuracy and determining the trustworthiness of the information. For example, when a person verifies or validates that a consumer's date of birth received from a third party matches the consumer's date of birth as listed in an external database or is properly formatted, the person assesses the data for any errors or incompleteness. A person verifying or validating data would be assembling or evaluating the data regardless of whether the person takes action to correct any errors it finds.
[top] The Small Business Review Panel recommended that, given the CFPB's intent to define the phrase assembling or evaluating, the CFPB should further clarify the activities that fall within that phrase. 195 The details in proposed §?1022.5(b), including the examples in proposed §?1022.5(b)(2), are responsive to the Panel's recommendation to provide a more bright-line definition for when entities, such as data brokers that facilitate consumer-authorized data
Footnotes:
195 Small Business Review Panel Report, supra note 40, at 47.
Pursuant to a Panel recommendation, the CFPB also requests comment on the implications of its proposed interpretation of assembling or evaluating for technology providers and platforms used by consumer reporting agencies and others in mortgage lending and other industries. Noting that assembling or evaluating is just one component of the definition of consumer reporting agency, the CFPB generally requests comment on the kinds of entities that could be covered as consumer reporting agencies if the proposed definition of assembling or evaluating were finalized.
Subpart B-Permissible Purposes of Consumer Reports
The CFPB proposes §§ 1022.10 through 1022.13 to implement FCRA section 604(a), which describes circumstances under which a consumer reporting agency may furnish a report, referred to as permissible purposes of consumer reports. Except as specifically discussed in the analysis of subpart B below, the CFPB proposes to restate the statutory provisions with only minor wording or organizational changes for clarity. Relatedly, the CFPB proposes to revise the cross-reference to FCRA section 604(a) in § 1022.41(c)(1) in existing Regulation V to instead cross-reference the permissible purposes of consumer reports as set forth in proposed § 1022.10 through § 1022.13.
Section 1022.10 Permissible Purposes of Consumer Reports; In General
10(a) In General
FCRA section 604(a) provides that, subject to FCRA section 604(c), a consumer reporting agency may furnish a consumer report only under specific enumerated circumstances, i.e., permissible purposes. The CFPB proposes to implement this general provision in § 1022.10(a) with only minor wording or organizational changes for clarity.
10(b) Furnish a Consumer Report
Proposed § 1022.10(b) would address what it means for a consumer reporting agency to "furnish" a consumer report, as that term is used in FCRA section 604(a) and proposed § 1022.10(a).
10(b)(1)
Proposed § 1022.10(b)(1) states that a consumer reporting agency furnishes a consumer report if it provides the consumer report to a person. The FCRA does not define either the term "furnish" or the phrase "furnish a consumer report." However, the ordinary meaning of the term "furnish" is "to provide" or "supply." 196 The CFPB proposes § 1022.10(b)(1) to implement the term consistent with these definitions and the FCRA's purposes.
Footnotes:
196 See Furnish, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/furnish (last visited Oct. 15, 2024).
10(b)(2)
A core pillar of the FCRA is the limitation in section 604(a) on the dissemination of consumer reports except for one of the permissible purposes identified by Congress. For instance, except in narrowly defined circumstances, consumer reporting agencies generally are prohibited from furnishing a consumer report to a third party for marketing or advertising purposes. Consistent with the FCRA's prohibition on the use of consumer report information for non-permissible purposes, proposed § 1022.10(b)(2) provides that the term "furnish" includes instances where a consumer reporting agency does not technically transfer a consumer report but facilitates a person's use of any information in the consumer report for that person's financial gain. The proposed provision would thus further the FCRA's general prohibition on the use of consumer report information for marketing and advertising purposes without a permissible purpose and prevent evasion thereof, regardless of whether the report is provided to the user.
The CFPB understands that, despite the general prohibition in the FCRA, some consumer reporting agencies use information from consumer reports to present advertisements to consumers from third parties. For example, a merchant might want to advertise to an audience of consumers based on income, credit score, education, and credit usage ratio. The merchant might provide the relevant attributes of the target audience to a consumer reporting agency, which might use its consumer report data to identify that audience. Then, the consumer reporting agency or its service provider might deliver the merchant's advertisement to consumers in the target audience. The consumer reporting agency might believe that, because it is not technically transferring the consumer report to the merchant in this scenario but rather is using a workaround to allow the merchant to still obtain the financial benefit of the consumer report information, no consumer report has been furnished and, therefore, that the activity is permissible under the FCRA.
However, this business model is incompatible with the goals of the FCRA's general prohibition on the use of consumer reports for marketing or advertising purposes. The FCRA's prescreening provision strictly limits the use of consumer reports for marketing or advertising purposes unless the consumer authorizes such use. Congress provided that, absent such authorization, consumer reporting agencies must allow consumers to opt out of the prescreening process, third parties must provide firm offers of credit or insurance to consumers whose information they receive, and both consumer reporting agencies and third parties must comply with notice requirements. 197 However, some entities have used the business model described above to deliver advertisements to consumers without these statutory protections. This business model allows third parties to advance their private financial interests as if they had delivered advertising in compliance with the prescreening provision. The proposed provision would make clear that consumer reporting agencies cannot use technological and contractual workarounds to profit off consumers' sensitive consumer report information in circumstances that fall outside the FCRA's permissible purposes, and that run counter to the protections Congress intended to provide under the FCRA.
Footnotes:
197 15 U.S.C. 1681b(c), (e), 1681m(d).
Not only can the business model described above run counter to the FCRA's statutory limitations on when consumer reporting agencies may furnish a consumer report, but it also undermines the FCRA's core interest in protecting consumer privacy against certain types of marketing. 198 If the advertisement is unwanted, then its delivery alone is an intrusion on the
Footnotes:
198 115 Cong. Rec. 2415 (Jan. 31, 1969) (Senator Proxmire, who introduced the FCRA, believed it would "preclude the furnishing of information . . . to market research firms or to other business firms who are simply on fishing expeditions.").
199 Digital advertising in the United States - statistics & facts, Statista (June 18, 2024), https://www.statista.com/topics/1176/online-advertising/#topicOverview.
200 See, e.g., Learn about final URLs and tracking templates, Google, https://support.google.com/google-ads/answer/6273460?hl=en (last visited Oct. 15, 2024); URL Tracking with Upgraded URLs, Microsoft (Mar. 19, 2023), https://learn.microsoft.com/en-us/advertising/guides/url-tracking-upgraded-urls?view=bingads-13.
201 A similar possibility for linking a consumer to the consumer report criteria used to target the advertisement exists for marketing and advertising delivered by mail, if for example the mailed advertisement contains a QR code or other method for the consumer to navigate to a specific page on the third party's website created for a particular advertising campaign.
202 15 U.S.C. 1681b(c)(2).
203 See Michelle Faverio, Key Findings About Americans and Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/short-reads/2023/10/18/key-findings-about-americans-and-data-privacy/ (finding that 61 percent of respondents feel skeptical that anything they do to manage their privacy online will make much difference).
Proposed § 1022.10(b)(2) would provide that, consistent with the FCRA's purposes and Congress' intent to strictly limit use of consumer reports for marketing or advertising purposes, the phrase "furnish a consumer report" includes facilitating a third party's use of any information from the consumer report for the third party's financial gain. Under proposed § 1022.10(b)(2), if a consumer reporting agency engages in the business model described above by allowing a third party to seek financial gain from consumer report information, regardless of whether such information is transmitted to the third party, the information is a consumer report, and the consumer reporting agency would have furnished it to a third party. Proposed § 1022.10(b)(2) would thus help ensure that consumer reporting agencies do not use technological or contractual maneuvers to enable third parties to use consumer report information for marketing or advertising in a manner not permitted under the FCRA.
The CFPB proposes § 1022.10(b)(2) to implement FCRA section 604(a). Proposed § 1022.10(b)(2) provides that a consumer reporting agency furnishes a consumer report if it facilitates a person's use of the consumer report for the person's financial gain. The CFPB preliminarily determines that this approach is necessary or appropriate to carry out the protections afforded under the statute. The CFPB also preliminarily determines that proposed § 1022.10(b)(2) is necessary or appropriate to prevent evasion. In allowing prescreening (subject to the consumer's opt-out rights), Congress endeavored to balance the privacy invasion created by the use of sensitive consumer report information for marketing and advertising without the consumer's consent with the potential benefit to consumers of a firm offer of credit or insurance. 204 The CFPB preliminarily determines that proposed § 1022.10(b)(2) reflects the balance Congress intended to strike. Proposed § 1022.10(b)(2) specifically addresses uses of consumer report information that further a third party's profit-seeking activity because the CFPB has preliminarily determined that those uses present the greatest risk of evasion at this time. Specifically, facilitating a person's use of a consumer report for that person's financial gain presents a significant risk of evasion of the FCRA's limitations on the use of consumer reports for marketing or advertising.
Footnotes:
204 See S. Rep. No. 103-209, at 13-14 (1993); Trans Union Corp. v. FTC, 267 F.3d 1138, 1143 (D.C. Cir. 2001) ("Congress apparently believe[d] that people are more willing to reveal personal information in return for guaranteed offers of credit than for catalogs and sales pitches.").
The Small Business Review Panel recommended that the CFPB consider whether the proposal could permit targeted marketing in situations where there might be low risk of consumer harm. The CFPB notes that the proposal would not limit either the use of non-consumer reports for advertising purposes or the use of consumer reports pursuant to written instructions or for prescreening purposes in compliance with FCRA section 604(c). But the CFPB preliminarily determines that using consumer reports for general advertising purposes is a harmful practice that the statute prohibits.
The CFPB requests comment on proposed § 1022.10(b)(2), including on the proposal's impact on purposes other than marketing and advertising where consumer reporting agencies might facilitate the use of consumer reports for a third party's financial gain without directly transferring the reports to the third party. The CFPB also requests comment on examples a final rule could provide to further clarify when a consumer reporting agency "facilitates the use" of a consumer report and when such use would be for a person's "financial gain." Proposed § 1022.10(b)(2) would not prohibit academics, nonprofit organizations, and government agencies from seeking the assistance of consumer reporting agencies in analyzing consumer report information or delivering surveys to consumers based on consumer report information. Such entities generally do not use consumer reports for financial gain. However, the CFPB requests comment on whether other beneficial uses of consumer reports might be prohibited by proposed § 1022.10(b)(2), and on alternatives that would accomplish the goals of proposed § 1022.10(b) while preserving those uses.
Section 1022.11 Permissible Purpose Based on a Consumer's Written Instructions
Proposed § 1022.11 would implement the written instructions permissible purpose in FCRA section 604(a)(2). FCRA section 604(a)(2) provides that a consumer reporting agency may furnish a consumer report in accordance with the written instructions of the consumer to whom it relates. Proposed § 1022.11 implements FCRA section 604(a)(2) by specifying the conditions that would need to be satisfied for a consumer
The conditions, which are set forth in proposed § 1022.11(b), include, among other provisions, a disclosure requirement; limitations on the procurement, use, and retention of consumer reports obtained pursuant to a consumer's written instructions; and a requirement regarding revocation. While either the consumer reporting agency or the person to whom the consumer report will be furnished would be authorized to obtain the consumer's express consent to the furnishing of the consumer report and to provide the required disclosure, the consumer reporting agency ultimately would be responsible for ensuring that it furnishes a consumer report in accordance with FCRA section 604(a)(2) and proposed § 1022.11. 205 Proposed § 1022.11(b) and (c) align closely with the requirements for third-party authorization in subpart D of the CFPB's Personal Financial Data Rights final rule. 206
Footnotes:
205 To use or obtain a consumer report, a user is independently responsible for ensuring it has one of the permissible purposes in FCRA section 604. See FCRA section 604(f), 15 U.S.C. 1681b(f).
206 89 FR 90838 (Nov. 18, 2024) (hereinafter PFDR Rule).
Meaning of "In Accordance With the Written Instructions of the Consumer"
The CFPB preliminarily determines that proposed § 1022.11 is "necessary or appropriate to administer and carry out the purposes and objectives" of the FCRA as stated in FCRA section 621(e)(1). The CFPB proposes that the phrase "in accordance with the written instructions of the consumer" requires, at a minimum, that the consumer affirmatively directs a consumer reporting agency to furnish their consumer report to a third party, that the consumer is informed of and reasonably expects the scope of the use of their consumer report, and that the consumer retains control over such access and use. The term "instruction" means "a direction," an "authoritative order," or a "command." 207 The phrase "in accordance with" means to "agree with" or "follow." 208 Taken together, Congress's use of the term "written instructions" suggests that, for the written instructions permissible purpose to apply, the consumer must provide affirmative, written direction for a consumer reporting agency to furnish a consumer report to a third party, and the consumer report must be furnished and used in accordance with those instructions.
Footnotes:
207 See Instructions, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/instructions (last visited Oct. 15, 2024) (defining "instructions" to mean "a direction calling for compliance: order"). See also Instruction, Oxford English Dictionary Online, https://www.oed.com/dictionary/instruction_n?tab=meaning_and_use#387233 (last visited Oct. 15, 2024) ("An authoritative order to be obeyed; an oral or written command. Frequently in plural or as a mass noun: orders, directives").
208 See In accordance with, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/in%20accordance%20with (last visited Oct. 15, 2024) (defining "in accordance with" to mean "in a way that agrees with or follows (something, such as a rule or request)").
Similarly, the CFPB preliminarily determines that FCRA section 604(a)(2) also requires that the consumer is informed of and can reasonably anticipate at the very least how their consumer report will be used, including by whom, for how long, and for what purposes. It stands to reason that a consumer report cannot meaningfully be provided "in accordance with the consumer's written instructions" if the consumer does not understand or cannot reasonably anticipate how their consumer report will be used. Such an interpretation of the written instructions permissible purpose is also in accordance with FTC staff guidance, which has previously cautioned against purported "instructions" that are based on language that is "not a sufficiently specific instruction from the consumer to authorize a [consumer reporting agency] to provide a consumer report." 209 Broad, lengthy, or otherwise confusing consent forms are inadequate to meet the statute's requirement that the consumer be informed and able to reasonably anticipate how their consumer report will be used.
Footnotes:
209 FTC 40 Years Staff Report, supra note 21, at 43 n.1.
Finally, a consumer's ability to direct the furnishing and use of their consumer report suggests that the consumer must have the power to revoke such consent. Accordingly, the CFPB proposes that the written instructions permissible purpose requires that a consumer may revoke any prior consent without interference.
The CFPB also preliminarily determines that interpreting the written instructions permissible purpose to require the consumer's affirmative, knowing, and revocable consent is consistent with the overall structure and purpose of the FCRA's permissible purpose provisions. As stated in FCRA section 602(a)(4), Congress enacted the FCRA to, among other things, "[e]nsure that consumer reporting agencies exercise their grave responsibilities with . . . respect for the consumer's right to privacy." 210 As courts have also recognized, "[a] major purpose of the [FCRA] is the privacy" of consumer data. 211 A central component of how the FCRA protects consumer privacy is by limiting the circumstances under which consumer reporting agencies may disclose consumer information. Specifically, FCRA section 604 identifies an exclusive list of permissible purposes for which consumer reporting agencies may furnish consumer reports, including, in section 604(a)(2), in accordance with the written instructions of the consumer to whom the report relates. Section 604(a) states that a consumer reporting agency may furnish consumer reports under these circumstances "and no other." 212
Footnotes:
210 See S. Rep. No. 91-517, at 1 (1969) (The statute was enacted to "prevent an undue invasion of the individual's right of privacy in the collection and dissemination of credit information.").
211 Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir. 1996).
212 See also supra note 35 (discussing other provisions establishing additional limited circumstances under which consumer reporting agencies are permitted or required to disclose certain information to government agencies).
The phrase "[i]n accordance with the written instructions of the consumer" should be construed in a manner that is consistent with the central role FCRA section 604 plays in protecting consumer privacy. The CFPB preliminarily determines that, if the written instructions permissible purpose is construed to allow consumer reporting agencies to furnish, or third parties to obtain, a consumer report in circumstances in which the consumer does not understand that their consumer report will be furnished, to whom, or for what purposes, it would undermine the core consumer privacy purposes of the permissible purpose provisions. 213 Therefore, the CFPB preliminarily determines that, consistent with the purposes of the FCRA, FCRA section 604(a)(2) requires a demanding standard of consent that does not subvert a consumer's intent.
Footnotes:
213 The CFPB notes that, in addition to section 604(a)(2), the FCRA includes other permissible purpose provisions requiring consumer authorization or consent in various circumstances. See, e.g., FCRA section 604(b)(2)(A), 15 U.S.C. 1681b(b)(2)(A), and FCRA section 604(c)(1)(A), 15 U.S.C. 1681b(c)(1)(A). The CFPB is not addressing the scope or meaning of those provisions in this document.
Finally, the conditions set forth in proposed § 1022.11 are also necessary to prevent evasion of the written instructions permissible purpose. The CFPB is concerned that companies are evading the written instructions permissible purpose by purportedly
The CFPB preliminarily concludes that such agreements are not in accordance with the written instructions of the consumer because the consumer likely is not informed or able to reasonably anticipate such uses of their consumer reports when signing up for such products. For example, research suggests consumers often do not understand how companies will use their behavioral or transactional data, even when such use is purportedly obtained pursuant to consumer consent. 214 Moreover, research also indicates that, as a general matter, consumers often affirmatively do not want their personal or financial data to be accessed or used, 215 providing further evidence that consumers are not affirmatively and knowingly directing that such information be shared. Often, when companies include terms and conditions that grant themselves access to consumer reports, the terms set few or no limits on the duration of the access and with whom or for what purposes the company can further share a consumer report with third parties. 216 As a result, consumers are not informed about the scope of the consent they are purportedly providing.
Footnotes:
214 See Ramy El-Dardiry et al., Brave New Data: Policy Pathways for the Data Economy in an Imperfect World, CPB Netherlands Bureau for Econ. Policy Analysis, at 10 (July 2021), https://www.cpb.nl/sites/default/files/omnidownload/CPB-uk-Policy-Brief-Brave-new-datah.pdf ("Consumers cannot see what companies are doing with their data, nor can they read all of the data terms of use or oversee the consequences.").
215 See, e.g., Colleen McClain et al., How Americans View Data Privacy: The Role of Technology Companies, AI and Regulation-Plus Personal experiences with Data Breaches, Passwords, Cybersecurity and Privacy Policies, Pew Rsch. Ctr., at 15 (Oct. 18, 2023), https://www.pewresearch.org/internet/wp-content/uploads/sites/9/2023/10/PI_2023.10.18_Data-Privacy_FINAL.pdf (stating that "81 [percent of consumers] say they feel very or somewhat concerned with how companies use the data they collect about them").
216 See, e.g., Krystal Scanlon, Even financial services businesses want a piece of the ad pie now, Digiday (June 3, 2024), https://digiday.com/marketing/even-financial-services-businesses-want-a-piece-of-the-ad-pie-now/ (describing increasing push for financial services companies to include advertising and data mining in standard contracts); Brogan v. Fred Beans Chevrolet, Inc., 855 F. App'x 825, 827 (3d Cir. 2021) (consumer alleged that he did not understand at the time he signed a contract that his consumer report would be furnished to multiple banks over a longer period of time). See also Malbrough v. State Farm Fire & Cas. Co., No. Civ. A. 96-1540, 1997 WL 159511, at *4-5 (E.D. La. Mar. 31, 1997) (noting that misrepresentations or misunderstanding could cause a consumer's written instructions to be invalid).
Proposed Conditions Implementing Written Instructions Permissible Purpose
As discussed above, the CFPB preliminarily determines that the written instructions permissible purpose should be interpreted to mean that a consumer is informed of and reasonably expects the scope of a given use, and the consumer retains control over such use. Proposed § 1022.11 sets forth conditions intended to ensure that these core components of FCRA section 604(a)(2) are satisfied and to prevent evasion thereof.
In proposing § 1022.11, the CFPB has considered its PFDR rulemaking, and particularly the authorized third-party provisions in that rulemaking. Similar to the aims of the written instructions permissible purpose in the FCRA, the PFDR Rule seeks to ensure that the consumer understands and clearly directs how and for what purpose their data will be used by a third party. 217 In addition, the CFPB recognizes that certain entities that are subject to the PFDR Rule may also have obligations under the FCRA. For example, certain companies seeking to become authorized third parties under the PFDR Rule may also be required to comply with the FCRA as users of consumer reports from consumer reporting agencies because they are using the services of aggregators that are consumer reporting agencies to obtain consumer-permissioned data. Certain of these companies may be obtaining consumer reports pursuant to the FCRA written instructions permissible purpose. In light of these interactions and the similarities between the FCRA written instructions permissible purpose and the requirements for authorized third parties under the PFDR Rule, the CFPB has carefully considered as part of this proposal the legal, research, and policy considerations described in the PFDR rulemaking and proposes to align the requirements of § 1022.11 with the PFDR Rule requirements for authorized third parties.
Footnotes:
217 See PFDR Rule, supra note 206 (describing limits on third-party collection, use, and retention of covered data).
Proposed § 1022.11 sets forth conditions intended to ensure that these core components of FCRA section 604(a)(2) are satisfied and to prevent evasion thereof.
Consumer Disclosure and Consent
Proposed § 1022.11(b)(1) would require, among other things, that the consumer provide express, informed consent to the furnishing of their report. The proposed provision would require the consumer reporting agency or person to whom the consumer report will be provided to give the consumer a disclosure setting forth the key terms and scope of how their report will be used. As set forth in proposed § 1022.11(c), the disclosure must be clear, conspicuous, and segregated from other material, and include the name of the person the report will be obtained from; who the report will be provided to; the product or service, or specific use, for which the consumer report will be furnished or obtained; limitations on the scope of such use; and how a consumer may revoke consent. Together, these proposed provisions are designed to ensure that the consumer has provided affirmative "instructions" regarding the furnishing and use of their consumer report and to provide the consumer with information necessary to be informed and form reasonable expectations about how their report will be used in the future.
Reasonably Necessary to a Consumer's Requested Product, Service, or Use
The CFPB is proposing several conditions intended to ensure that consumer reports furnished pursuant to written instructions are furnished in connection with a specific product, service, or use the consumer has actually requested (proposed § 1022.11(b)(2)), and that once consent is obtained, the user of the report procures, uses, retains, or shares the report with a third party only as reasonably necessary to provide the product or service requested by the consumer, or the specific use 218 the
Footnotes:
218 An example of a specific use requested by the consumer that is not a product or service is when a consumer requests the furnishing of a consumer report to a potential business partner.
When obtaining a product or service, consumers might provide written instructions to furnish their consumer report if doing so is necessary to obtain the benefits of the sought-after product or service. For example, a consumer could provide written instructions to an entity that provides credit monitoring to obtain their consumer report so that the entity could provide the consumer with the credit monitoring service they desire. In such cases, the consumer's reason for allowing the consumer report to be furnished is that they want to receive the credit monitoring service. However, in such circumstances, the consumer likely does not expect (much less affirmatively intend to authorize) that their consumer report will be used for purposes other than credit monitoring, such as to provide targeted marketing to the consumer. 219 Consistent with the CFPB's proposed interpretation of the written instructions permissible purpose, proposed § 1022.11(b)(2) and (3) are intended to ensure that the furnishing of the consumer report is in accordance with the consumer's affirmative instructions and intent, that the consumer is informed about the scope of such use, and that such use aligns with the consumer's reasonable expectations. The proposed provisions are also designed to prevent evasion of the written instructions permissible purpose by ensuring that each product or service (or use, if not in connection with a product or service) is authorized by one, separate written instruction. For example, a company could otherwise evade the written instructions permissible purpose when it obtains written instructions in connection with one product or service, but then exploits such consent through obscure and lengthy terms and conditions language to use consumer reports for purposes other than as reasonably necessary to provide the product or service the consumer requested.
Footnotes:
219 See generally Yosuke Uno et al., The Economics of Privacy: A Primer Especially for Policymakers, at 8-9, Bank of Japan, Working Paper Series No. 21-E-11 (Aug. 6, 2021), https://www.boj.or.jp/en/research/wps_rev/wps_2021/data/wp21e11.pdf (surveying research demonstrating that consumers generally do not understand the scope or risks of sharing private data even after having agreed to do so).
Proposed § 1022.11(d) provides examples of uses of consumer reports that would not be reasonably necessary to provide a product or service. For example, proposed § 1022.11(d) provides that certain activities (such as targeted advertising, cross-selling of other products or services, or the sale of information in the consumer report) are not part of, or reasonably necessary to provide, any other product or service. 220 When a consumer seeks a particular product or service, such as signing up for a credit monitoring service, the use of a consumer report for the types of purposes described in proposed § 1022.11(d) is generally not contemplated or reasonably expected by the consumer, and is instead a tactic used by companies to evade the permissible purpose limitations, including the strict limitations on use of consumer reports for marketing purposes. 221 In such circumstances, any "consent" to such purposes would be unknowingly or reluctantly provided and accordingly not sufficient to meet the requirement that the consumer report be shared at the affirmative direction of the consumer. Having said that, companies are free to procure separate written instructions for different products or services, which the CFPB preliminarily concludes would ensure consumers are truly providing informed consent.
Footnotes:
220 The proposed rule would not prevent a user from engaging in an activity described in proposed § 1022.11(d) as a stand-alone product or service. To the extent that the consumer seeks such a product or service and the consumer's consumer report is reasonably necessary to provide that product or service, the consumer report could be furnished or obtained pursuant to the consumer's written instructions consistent with, and subject to, proposed § 1022.11.
221 See supra notes 36 and 197 and accompanying text.
Duration Limitations
Proposed § 1022.11(b)(3)(ii) would prevent a user from procuring a consumer report more than one year after the date on which the consumer provides consent for the consumer reporting agency to furnish the report. The CFPB recognizes that some products or services, such as credit monitoring, require consumer reporting agencies to repeatedly furnish consumer reports over time, and, if separate written instructions were required each time the consumer report were furnished, consumers as well as persons offering these services could be frustrated or burdened. On the other hand, for products and services that rely on standing instructions to furnish consumer reports, such as credit monitoring, instructions with no or lengthy duration limits may, over time, result in the consumer report being used outside the consumer's knowledge and reasonable expectations. The CFPB preliminarily determines that the proposed limitation of one year reasonably balances these concerns and serves as an effective check against consumer reports being furnished for longer periods than the consumer needs or wants. 222 After the one-year period has elapsed, if the consumer wishes to continue to receive the requested product or service, the consumer would be able to provide new consent to the furnishing of the report as described in proposed § 1022.11(b)(1)(i).
Footnotes:
222 Pursuant to proposed § 1022.11(b)(3)(i), a user would be limited to procuring, using, or retaining a consumer report for less than a year if these activities were not reasonably necessary to provide the product or service the consumer requested or for the specific use the consumer identified. For example, a product or service or specific use the consumer identified that requires only one instance of access to a consumer report, such as furnishing a consumer report to a potential business partner, would not authorize the consumer reporting agency to continue to furnish, or the potential business partner to obtain, more than one consumer report.
Revocation
A final condition included in proposed § 1022.11 is a consumer's right to revoke consent previously granted. Specifically, proposed § 1022.11(b)(4) would require that the consumer is provided a method to revoke consent that is as easy to access and operate as the method by which the consumer initially provided consent to the furnishing of their consumer report. The proposal would also provide that a consumer could not be charged any costs or penalties to revoke consent.
As discussed above, the CFPB preliminarily determines that the text of FCRA section 604(a)(2) supports this proposed provision. The notion of a consumer providing "instructions" suggests that the consumer is able to revoke such instructions. For the right to revocation to be meaningful, the method of revocation should be familiar and easily accessible to the consumer and should not involve additional costs or penalties to the consumer.
Facilitation of Compliance for Authorized Third Parties Under the PFDR Rule
As described above, the CFPB has carefully considered the PFDR rulemaking in developing this proposal. To facilitate compliance for entities that would seek to comply with both proposed § 1022.11 and the PFDR Rule, the CFPB is proposing to expressly provide that a consumer reporting agency furnishes a consumer report in accordance with the written instructions of the consumer for purposes of the FCRA and Regulation V if the person to whom the report is furnished is an authorized third party under subpart D of the PFDR Rule. The CFPB anticipates that this proposal, if finalized, would be
Footnotes:
223 See PFDR Rule, supra note 206. The PFDR Rule is not yet in effect. As a result, this proposed method of compliance with § 1002.11 has not been included in the proposed regulatory text here.
Small Business Review Panel Recommendations
The conditions set forth in proposed § 1022.11 are responsive to the Small Business Review Panel's recommendations related to the written instructions permissible purpose. 224 For example, proposed § 1022.11(b) and (c), which would require that consumers be presented with a clear and conspicuous description of who may obtain their consumer report and how it will be used, is responsive to the Panel's recommendation that the proposal maximize consumer understanding. Similarly, proposed § 1022.11(b)(1)(i)(B), which would require a consumer reporting agency or the person to whom the consumer report will be furnished to obtain the consumer's signature, either in writing or electronically, is responsive to the Panel's recommendation that the CFPB permit consumers' written instructions to be obtained electronically or through more traditional methods. Finally, as discussed above, the CFPB's proposal is responsive to the Panel's recommendation to ensure that the written instructions permissible purpose proposal does not conflict with other regulatory frameworks for consumer authorization of data sharing.
Footnotes:
224 Small Business Review Panel Report, supra note 40, at 48.
The Panel also recommended that the CFPB consider an alternative approach of requiring that, upon a consumer's request, users delete consumer reports previously obtained, rather than obtain one-time-use consumer authorizations. 225 The CFPB considered this approach but has preliminarily determined that it would be insufficient to establish a written instructions permissible purpose under the statute. As discussed above, the CFPB preliminarily determines that, under FCRA section 604(a)(2), the consumer must provide affirmative, knowing, and revocable consent for a consumer reporting agency to furnish their consumer report to a third party. Requiring entities that have obtained consumer reports to delete them upon the consumer's request would not achieve this result. Putting the burden on consumers to affirmatively take steps to request deletion of their sensitive data, rather than putting the responsibility on the consumer reporting agency and user to limit their provision and use of such reports as originally "instructed" by the consumer, would be inconsistent with the FCRA's statutory language and purposes. The CFPB also notes that proposed § 1022.11(b)(3)(ii) does not contemplate a one-time-use consumer authorization but allows a consumer's written instructions to permit access for up to one year so long as access to a consumer's consumer report remains reasonably necessary to provide the consumer's requested product or service or use.
Footnotes:
225 Id.
Finally, consistent with the Panel's recommendation, the CFPB requests public comment on the appropriate scope and duration of a consumer's written instructions, as well as whether the consumer reporting agency or the person to whom the consumer report will be furnished should be required to memorialize or confirm consumers' written instructions.
Section 1022.12 Permissible Purposes Based on a Consumer Reporting Agency's Reasonable Belief About a Person's Intended Use
The CFPB proposes § 1022.12 to incorporate into Regulation V the permissible purposes listed in FCRA section 604(a)(3)(A) through (F). 226 As noted above, FCRA section 604(a) permits a consumer reporting agency to furnish a consumer report under specific enumerated circumstances and no other. The permissible purposes in FCRA section 604(a)(3)(A) through (E) cover circumstances in which a consumer reporting agency has reason to believe that a person intends to use the information in the consumer report for certain purposes related to credit, employment, insurance, license or benefit eligibility, and valuing or assessing credit or prepayment risks associated with existing credit obligations. These permissible purposes are restated in proposed § 1022.12(a)(1) through (5) without interpretation. The permissible purpose in FCRA section 604(a)(3)(F) is implemented in proposed § 1022.12(b), as discussed below.
Footnotes:
226 15 U.S.C. 1681b(a)(3)(A) through (F).
12(b) Permissible Purpose Based on Legitimate Business Need
Proposed § 1022.12(b) would implement and interpret the legitimate business need permissible purpose in FCRA section 604(a)(3)(F). FCRA section 604(a)(3)(F) provides that a consumer reporting agency may furnish a consumer report to a person which it has reason to believe has a legitimate business need for the information in two scenarios: (1) in connection with a business transaction that is initiated by the consumer (the consumer-initiated transaction prong) and (2) to review an account to determine whether the consumer continues to meet the terms of the account (the account review prong). The CFPB proposes to restate both prongs in § 1022.12(b)(1) and to provide clarifications and examples in § 1022.12(b)(2) and (3). Among other things, proposed § 1022.12(b) would highlight that the legitimate business need permissible purpose does not authorize use of consumer report information for marketing.
Consumer-Initiated Transactions
Proposed § 1022.12(b)(2) would clarify that the consumer-initiated transaction prong of the legitimate business need permissible purpose authorizes a consumer reporting agency to furnish a consumer report to a person only if the consumer reporting agency has reason to believe that the consumer has initiated a business transaction. Proposed § 1022.12(b)(2) sets forth examples to illustrate the types of interactions between a consumer and a prospective user that would and would not establish a consumer-initiated transaction. Among other things, the examples clarify that a consumer may interact with a business without initiating a transaction, such as by asking about the availability or pricing of products or services. The CFPB preliminarily determines that the examples in proposed § 1022.12(b)(2) would facilitate compliance with the FCRA for consumer reporting agencies furnishing consumer reports to users pursuant to the consumer-initiated transaction prong of the legitimate business need permissible purpose and prevent evasion of the FCRA. The proposed examples are consistent with prior interpretations by FTC staff. 227
Footnotes:
227 See, e.g., FTC 40 Years Staff Report, supra note 21, at 14, 48 (citing 1990 comment 604(3)(E)-3); FTC Informal Staff Opinion Letter to Greenblatt (Oct. 27, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-greenblatt-10-27-98; FTC Informal Staff Opinion Letter to Kaiser (July 16, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-kaiser-07-16-98; FTC Informal Staff Opinion Letter to Coffey (Feb. 11, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-coffey-02-11-98.
Solicitation or Marketing
As discussed elsewhere in this document, the CFPB is concerned about reports of unauthorized use of consumer report information for marketing purposes. Proposed § 1022.12(b)(3) would emphasize that neither prong of the legitimate business need permissible
The proposal is supported by the plain language of the FCRA. With respect to the consumer-initiated transaction prong of the legitimate business need permissible purpose, FCRA section 604(a)(3)(F)(i) provides that a consumer reporting agency may furnish a consumer report to a person that the consumer reporting agency has reason to believe has a legitimate business need for the information in connection with a business transaction that is initiated by the consumer. FCRA section 604(a)(3)(F)(i) does not, by its plain language, authorize a consumer reporting agency to furnish a consumer report to a person that the consumer reporting agency has reason to believe is seeking the information from the report to solicit a consumer for a transaction that the consumer did not initiate or to otherwise market products or services to the consumer. Similarly, FCRA section 604(a)(3)(F)(ii) does not authorize account reviews for marketing purposes; instead, by its plain language, it merely authorizes reviews to determine whether the consumer continues to meet the terms of the account.
Under the FCRA, a person is prohibited from using a consumer report for a purpose that is not authorized under FCRA section 604, and the permissible purposes authorized by FCRA section 604 do not include solicitation or marketing (except as permitted under the statute's prescreening and written instructions provisions). FCRA section 604(f) provides that a person shall not use or obtain a consumer report unless the report is obtained for a permissible purpose and that purpose is certified by the prospective user. FCRA section 607(a) requires prospective users to certify the purposes for which the information is sought and that "the information will be used for no other purpose." 228 The legitimate business need permissible purpose thus does not authorize a consumer reporting agency to furnish a consumer report to a person if the consumer reporting agency has reason to believe the person is seeking information from the report for solicitation and marketing purposes. Moreover, a person that obtains a consumer report under either prong of the legitimate business need permissible purpose may not then use the consumer report for solicitation or marketing.
Footnotes:
228 15 U.S.C. 1681e(a).
Where Congress did permit consumer reporting agencies to disclose certain consumer report information for marketing, it did so explicitly and mandated specific guardrails to protect consumers. The FCRA's prescreening provisions authorize consumer reporting agencies to furnish a consumer report in connection with credit or insurance transactions not initiated by the consumer but provide specific limitations in these circumstances, as discussed above. 229 Congress would have imposed similar safeguards for the legitimate business need permissible purpose if Congress had intended for the legitimate business need permissible purpose to authorize solicitation and marketing.
Footnotes:
229 See supra note 197 and accompanying text.
The legislative history is also instructive. Senate Report 103-209 explains that "[t]he permissible purpose created by this provision . . . is limited to an account review for the purpose of deciding whether to retain or modify current account terms. It does not permit access to consumer report information for the purpose of offering unrelated products or services." 230
Footnotes:
230 S. Rep. No. 103-209, at 11 (1993) (discussing S. 783, a predecessor bill that included language later adopted in the 1996 FCRA amendments).
The D.C. Circuit recognized that targeted marketing did not fall within the legitimate business need permissible purpose, even under the original version of this permissible purpose that broadly referred to a "legitimate business need for the information in connection with a business transaction involving the consumer." 231 In doing so, the court noted that protecting the privacy of consumer report information is a major purpose of the FCRA and explained that such information should be kept private unless a "consumer could be expected to wish otherwise or, by entering into some relationship with a business, could be said to implicitly waive the [FCRA]'s privacy to help further that relationship." 232
Footnotes:
231 15 U.S.C. 1681b(3)(E) (1994) (emphasis added); Trans Union Corp. v. FTC, 81 F.3d 228, 233-34 (D.C. Cir. 1996).
232 Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir. 1996).
Prior FTC staff interpretations have similarly concluded that marketing is not authorized by the legitimate business need permissible purpose. For example, the FTC 40 Years Staff Report explains that the account review prong provides a permissible purpose to banks that have a legitimate need to consult a current customer's consumer report in order to determine whether the terms of a consumer's current non-credit (savings or checking) accounts should be modified, but it does not allow consumer reporting agencies to provide businesses with consumer reports to market other products or services. 233
Footnotes:
233 FTC 40 Years Staff Report, supra note 21, at 42, 48-49 (citing FTC Informal Staff Opinion Letter to Gowen (Apr. 29, 1999), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-gowen-04-29-99).
With respect to the proposal related to the legitimate business need permissible purpose discussed during the Small Business Review Panel meeting, the Panel recommended that the CFPB consider clarifying in general how the proposal under consideration would relate to or impact other FCRA permissible purposes. 234 To clarify, the proposed legitimate business need provisions interpret solely the FCRA section 604(a)(3)(F) legitimate business need permissible purpose.
Footnotes:
234 Small Business Review Panel Report, supra note 40, at 48 & section 9.3.6.
Section 1022.13 Permissible Purposes Based on Certain Agency or Other Official Requests
The CFPB proposes § 1022.13 to incorporate into Regulation V the permissible purposes listed in FCRA section 604(a)(1), 604(a)(3)(G), and 604(a)(4) through (6). 235 As noted above, FCRA section 604(a) permits a consumer reporting agency to furnish a consumer report under specific enumerated circumstances and no other. The permissible purposes in the FCRA sections incorporated in proposed § 1022.13 cover circumstances under which a consumer reporting agency may furnish a consumer report in connection with certain agency or other official requests. These permissible purposes are restated in proposed § 1022.13(a)(1) through (5).
Footnotes:
235 15 U.S.C. 1681b(a)(1), 1681b(a)(3)(G), 1681b(a)(4) through (6).
FCRA section 604(a)(3)(G) sets forth a permissible purpose related to government-sponsored individually billed travel charge cards. In the statute, this permissible purpose is grouped with the permissible purposes based on
Footnotes:
236 Consistent with proposed § 1022.13(a)(5), the FTC 40 Years Staff Report notes that "[s]ection 604(a)(3)(G) allows CRAs to provide consumer reports to 'executive departments and agencies in connection with the issuance of government sponsored individually-billed travel charge cards.'" FTC 40 Years Staff Report, supra note 21, at 49.
V. Proposed Effective Date
The CFPB requests comment on an effective date for the proposed rule. For example, the CFPB is considering whether a final rule should take effect six months or one year after publication in the Federal Register. Consistent with recommendations of the Small Business Review Panel, the CFPB specifically requests comment on whether either a six-month or one-year implementation period would provide sufficient time for entities, including small entities, that are not currently complying with the FCRA to begin to do so. The CFPB also requests comment on whether either a six-month or one-year implementation period would provide sufficient time for vendors to complete the work necessary to assist small entities in coming into compliance with any final rule. The CFPB further requests comment on ways that it might facilitate implementation for small entities, such as by providing for a longer implementation period for small entities and what that period should be.
VI. CFPA Section 1022(b) Analysis
The CFPB is considering the potential benefits, costs, and impacts of the proposed rule in accordance with section 1022(b)(2)(A) of the Consumer Financial Protection Act of 2010 (CFPA). 237 The CFPB requests comment on the analysis presented below, as well as submissions of information and data that could inform its consideration of the impacts of the proposed rule. This section contains an analysis of the benefits and costs of the proposed rule for consumers, consumer reporting agencies, and other covered persons.
Footnotes:
237 12 U.S.C. 5512(b)(2)(A).
A. Statement of Need
By enacting the FCRA in 1970, Congress sought to ensure the accuracy, fairness, and privacy of consumer information collected, maintained, and furnished by consumer reporting agencies. In recent years, the consumer reporting marketplace has evolved in ways that imperil Americans' privacy. Today, Americans regularly engage in activities that reveal personal information about themselves, often without realizing it. Entities with whom the consumer interacts might collect, aggregate, and sell information about the consumer to other entities with whom the consumer does not have a relationship, such as data brokers. Technological advancements have also made it increasingly feasible to re-identify consumers in datasets that have otherwise been de-identified, and at times even identify consumers from aggregated data. In the FCRA context, these concerns about re-identification of data are particularly pronounced due to the sensitivity of consumer report information and the privacy goals that prompted Congress to enact the statute. The CFPB is concerned that some of these data are shared by consumer reporting agencies with users who do not have an FCRA permissible purpose, or who otherwise use consumer report information for marketing in ways that the FCRA prohibits. In addition, many data brokers attempt to avoid liability under the FCRA by arguing that they are not consumer reporting agencies selling consumer reports. Consequently, they do not treat the consumer information they sell as subject to the requirements of the FCRA, even though they collect, assemble, evaluate, and sell the same information as other consumer reporting agencies, and even though their activities pose the same risks to consumers that motivated the FCRA's passage.
Under this current state of the world, the activities of data brokers, including consumer reporting agencies, potentially harm consumers. Inaccurate information can cause consumers to be denied access to products, services, or opportunities that they would have qualified for had the information been accurate; often, consumers are unaware of these inaccuracies and, even if they are aware, may lack recourse to dispute such inaccuracies. The proliferation of sensitive information being exchanged in the data broker marketplace, often without consumers' knowledge or consent, harms consumer privacy. While consumers theoretically may be willing to part with their private information for a price, this choice is not typically provided in the activities that would be subject to the proposed rule. Moreover, sensitive consumer information can be used to target certain consumers for identity theft, fraud, or predatory scams, potentially causing consumers significant monetary losses.
The proposed rule would mitigate these consumer harms by addressing the definitions of consumer reporting agency and consumer report and certain responsibilities of consumer reporting agencies. This would help safeguard consumer information and help ensure it is only used as permitted by the FCRA. The provisions in the proposed rule would cause many additional data brokers to be subject to the FCRA and necessitate that they and other consumer reporting agencies modify their operations and activities to be in compliance with the FCRA.
B. Baseline
In evaluating the proposed rule's impacts, the CFPB considers the impacts against a baseline in which the CFPB takes no action. This baseline includes existing regulations, State and Federal laws, and the current state of the marketplace. In particular, the baseline includes current industry practices and current applications of the law.
C. Data and Evidence
The CFPB's analysis of costs, benefits, and impact is informed by information and data from a range of sources. As discussed in part II.C, the CFPB convened a Small Business Review Panel on October 16, 2023, and held Panel meetings on October 18 and 19, 2023, to gather input from small businesses. The discussions at the Panel meetings and the comment letters submitted by small entity representatives during this process were presented in the Small Business Review Panel Report completed in December 2023. The CFPB also invited and received feedback on the proposals under consideration from other stakeholders, including stakeholders who were not small entity representatives. To estimate the number of entities that may be subject to the proposed rule, the CFPB used the December 2022 National Credit Union Administration (NCUA) and Federal Financial Institutions Examination Council (FFIEC) Call Report data, the 2017 Economic Census data from the U.S. Census Bureau, the California and
Footnotes:
238 See Off. of the Att'y Gen., State of Cal. Dep't of Just., Data Broker Registry, https://oag.ca.gov/data-brokers (list of data brokers registered in California) (last visited Oct. 15, 2024); Vt. Sec'y of State, Data Broker Search, https://bizfilings.vermont.gov/online/DatabrokerInquire/ (list of data brokers registered in Vermont) (last visited Oct. 15, 2024). See Consumer Fin. Prot. Bureau, List of consumer reporting companies, https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/ (last visited Oct. 15, 2024). The CFPB's list of consumer reporting agencies is not intended to be all-inclusive and does not cover every company in the industry.
D. Coverage of the Proposed Rule
Part VII.B.3 provides a discussion of the estimated number and types of entities potentially affected by the proposed rule.
E. Potential Benefits and Costs of the Proposed Rule to Consumers and Covered Persons
The CFPB discusses the potential benefits and costs to consumers and covered persons of each of the main provisions of the proposed rule below. For purposes of this discussion, the CFPB has grouped proposed provisions that the CFPB expects would have similar benefits and costs though notes that some provisions could be grouped in multiple categories due to their potential effects. The discussion will note where the CFPB expects provisions would have both distinct and overlapping impacts. Provisions have been grouped as follows:
• Provisions addressing the definitions of consumer report and consumer reporting agency that could affect which entities are consumer reporting agencies ("consumer reporting agency coverage"). These are:
  ◦ Proposed § 1022.4(b), addressing the phrase "is used" in the definition of consumer report;
  ◦ Proposed § 1022.4(c), addressing the phrase "expected to be used" in the definition of consumer report; and
  ◦ Proposed § 1022.5(b), addressing the phrase "assembling or evaluating" in the definition of consumer reporting agency.
• Provisions addressing the definition of consumer report that could affect what constitutes a consumer report ("consumer report coverage"). These are:
  ◦ Proposed § 1022.4(d), addressing certain personal identifiers for a consumer that are often referred to as "credit header" information; and
  ◦ Proposed § 1022.4(e), addressing when a consumer reporting agency's communication of de-identified information is a consumer report.
• Provisions clarifying the FCRA's general prohibition on using consumer report information for marketing and advertising. These are:
  ◦ Proposed § 1022.10(b)(1) and (2), addressing what it means for a consumer reporting agency to furnish a consumer report; and
  ◦ Proposed § 1022.12(b)(3), highlighting that the legitimate business need permissible purpose does not authorize use of consumer report information for marketing.
• Provisions clarifying certain responsibilities of consumer reporting agencies. These are:
  ◦ Proposed § 1022.11, clarifying the written instructions permissible purpose; and
  ◦ Proposed § 1022.12(b)(2), clarifying the consumer-initiated transaction prong of the legitimate business need permissible purpose.
In this discussion, the CFPB focuses on direct costs and benefits. However, the CFPB acknowledges that the covered persons that would be affected by the proposed rule operate in interconnected industries, and that costs may be passed through beyond the entity initially impacted. For instance, to the extent that the proposed rule would increase costs to consumer reporting agencies, those consumer reporting agencies may respond by increasing the cost of consumer reports. The CFPB estimates that the cost of a single credit report for an individual is between $18 and $30. 239 A data broker in the baseline that does not consider itself to be a consumer reporting agency but may indeed be covered by the FCRA could also experience cost increases they would pass along to users. Some data brokers currently charge less than a dollar per record, several dollars for a search, or under $30 for monthly access to an unlimited number of reports. 240 The costs each of these entities incur as a result of the rule would likely differ in magnitude, leading to differences in the change in future pricing for their products if the rule is finalized. Covered persons with consumer-facing businesses may pass these costs on to consumers in the form of higher prices as well. The CFPB does not separately discuss each instance but acknowledges the possibility of pass through. Because this is speculative and the CFPB does not have data that would allow it to estimate the likelihood and amount of any industry-to-industry or industry-to-consumer pass through in the consumer reporting industry and related industries, the CFPB requests comment on this issue.
Footnotes:
239 See Press Release, Rohit Chopra, Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB Director Rohit Chopra at the Mortgage Bankers Association (May 20, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-mortgage-bankers-association.
240 An online search of people-search sites in August 2024 revealed at least one data broker that was selling unlimited person and location reports for $28.33 per month. Separately, some researchers have reported prices of information from data brokers for less than a dollar. See Justin Sherman, People Search Data Brokers, Stalking, and 'Publicly Available Information' Carve-Outs, The Lawfare Inst. (Oct. 30, 2023), https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
In addition, the CFPB acknowledges that it does not possess data to quantify the magnitude of many of the potential effects of the proposed rule. The CFPB requests information and comment that would enable it to quantify such impacts.
Provisions That Could Affect Consumer Reporting Agency Coverage
The proposed rule would clarify that certain entities, such as many additional data brokers, are covered by the FCRA. The effect of proposed § 1022.4(b) would be that a person that sells information that is used for a purpose described in proposed § 1022.4(a)(2) would become a consumer reporting agency, regardless of whether the person knows or believes that the communication of that information is legally considered a consumer report, assuming the other elements of the definition of consumer reporting agency are satisfied. In addition, the effect of proposed § 1022.4(c) addressing the phrase "expected to be used" in the definition of consumer report would be to require many companies, such as additional data brokers, that currently sell information about consumers' credit history, credit score, debt payments (including on non-credit obligations), or income or financial tier to comply with the FCRA. The CFPB proposes that an entity selling any of these four data types (credit history, credit score, debt payments, and income or financial tier) for any purpose generally would qualify as a consumer reporting agency selling consumer reports, because these information types are typically used to
Footnotes:
241 For brevity, information about a consumer's credit history, credit score, debt payments, and income or financial tier are referred to throughout this discussion as the "four data types."
Since marketing is not a permissible purpose, other than in the limited circumstances expressly provided for in the FCRA, data brokers would generally be unable to sell the four data types to target marketing to consumers. As described in more detail in Provisions to reduce the use of consumer report information for marketing and advertising, data brokers sometimes employ the four data types to place consumers into categories. Many of these categories reflect sensitive information and potentially inaccurate inferences about consumers, such as that the consumer is "financially challenged," is "behind on bills," or is an "upscale retail card holder." 242 Data brokers then sell lists of these consumers to advertisers who are interested in targeting certain types of consumers.
Footnotes:
242 See Duke Report on Data Brokers and Mental Health Data, supra note 26, at 14; FTC Data Broker Report, supra note 25, at 20-21; Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB Director Rohit Chopra at the White House on Data Protection and National Security (Apr. 2, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/.
Potential Benefits to Consumers of Provisions That Could Affect Consumer Reporting Agency Coverage
The provisions that could impact which entities are consumer reporting agencies would extend the responsibilities of the FCRA to additional entities. This would have the net effect of reducing the overall supply of available consumer information for sale and transfer for non-permissible purposes. Additional entities would bear the responsibilities and limitations of consumer reporting agencies under the FCRA, thus overall reducing the available amount of consumer information, including particularly sensitive data such as consumers' credit history and income.
This overall reduction in the supply of available consumer information could confer privacy benefits on consumers in several ways. First, consumers might intrinsically value privacy in the sense of being generally uneasy about their data being shared. The revelation of personal information about consumers can lead to a variety of non-monetary costs, such as distress, embarrassment, shame, and stigma. 243 The availability of personal information could also lead to stalking, harassment, and doxing, where a consumer's private information is publicly published with malicious intent. 244 There is existing evidence that consumers feel unaware of how their personal data is being used and that this could cause concern. On surveys, consumers report feeling that they are "concerned, lack control and have a limited understanding about how the data collected about them is used." 245 Several empirical studies have documented by revealed preference the existence and magnitude of such intrinsic valuations. 246 Consumers are concerned about financial data and maintaining the privacy of these data. 247 For example, a 2021 survey found that 94 percent of banked consumers preferred that their primary financial institution not share their financial data with other companies for marketing purposes. 248
Footnotes:
243 See, e.g., Am. Compl. For Permanent Inj. & Other Relief ¶¶ 97-106, FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW (D. Idaho June 5, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf; Charles Duhigg, How Companies Learn Your Secrets, N.Y. Times (Feb. 16, 2012), https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html (recounting instance in which a retailer developed a "pregnancy predictor model" and sent coupons for baby supplies to a consumer, thereby revealing to members of the consumer's household that she was pregnant, a fact that she had kept private).
244 A 2012 survey conducted by the National Network to End Domestic Violence found that 54 percent of victim service agencies surveyed reported that they work with victims whose stalker used public information gathered online to stalk the victim. At least half of victim service agencies also reported working with victims on help with safety and privacy strategies on using their cell phone and other privacy-related practices. See Safety Net Project, New Survey: Technology Abuse & Experiences of Survivors and Victim Service Agencies, Nat'l Network to End Domestic Violence (Apr. 29, 2014), https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
245 See, e.g., Colleen McClain et al., How Americans View Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/internet/2023/10/18/views-of-data-privacy-risks-personal-data-and-digital-privacy-laws/.
246 See, e.g., Tesary Lin, Valuing Intrinsic and Instrumental Preferences for Privacy, 41 (4) Mktg. Sci. (May 13, 2022), https://pubsonline.informs.org/doi/epdf/10.1287/mksc.2022.1368; Huan Tang, The Value of Privacy: Evidence from Online Borrowers (Dec. 2019), https://wpcarey.asu.edu/sites/default/files/2021-11/huan_tang_seminar_paper.pdf.
247 See, e.g., Consumer Reports, American Experiences Survey: A Nationally Representative Multi-Mode Survey (Dec. 2023), https://article.images.consumerreports.org/image/upload/v1704482298/prod/content/dam/surveys/Consumer_Reports_AES_December-2023.pdf; Michelle Cao, National Telecomm. and Info. Admin., U.S. Dep't of Com., Nearly Three-Fourths of Online Households Continue to Have Digital Privacy and Security Concerns (Dec. 13, 2021), https://www.ntia.gov/blog/2021/nearly-three-fourths-online-households-continue-have-digital-privacy-and-security-concerns; Dan Murphy et al., Financial Data: The Consumer Perspective (June 30, 2021), https://finhealthnetwork.org/research/financial-data-the-consumer-perspective/.
248 Dan Murphy et al., Financial Data: The Consumer Perspective (June 30, 2021), https://finhealthnetwork.org/research/financial-data-the-consumer-perspective/.
Consumers' data might be used (or they may fear that it could be used) by careless or malicious actors to directly harm them. This could include identity theft, of which many instances occur in the U.S. every year. 249 Personal data could also be used to target vulnerable consumers with pitches for predatory financial products and scams. 250 Consumers may also fear that their personal data could be used to discriminate against them according to a personal characteristic. The proposed rule would mitigate the risk of consumer report information being used to target consumers, as data brokers would be prohibited from selling the four data types to those lacking a permissible purpose.
Footnotes:
249 The DOJ estimates that 23.9 million U.S. residents 16 or older (9 percent of the population) had experienced identity theft in the past 12 months in 2021. See Press Release, U.S. Bureau of Just. Stat., Victims of Identity Theft, 2021 (Oct. 12, 2023), https://bjs.ojp.gov/press-release/victims-identity-theft-2021#:~:text=As%20of%202021%2C%20about%201,email%20or%20social%20media%20account.
250 The FTC reported that consumers lost more than $10 billion to fraud in 2023. See Press Release, Fed. Trade Comm'n, As Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
Consumers' data, in particular data about income and financial tier, could also be purchased by entities to engage in more targeted and precise forms of price discrimination. Price discrimination occurs when an entity charges differentiated prices to consumers based, at least in part, on their willingness to pay. 251 While price discrimination may lead to higher revenue and profits for firms, it would come at the expense of consumers who would obtain less surplus in the market (the difference between the price and the price the consumer was willing to pay). Firms can currently purchase or use consumers' financial data to charge them higher prices or present targeted offers to achieve such an effect. For
Footnotes:
251 See, e.g., Alessandro Acquisti et al., The Economics of Privacy, 54(2) J. of Econ. Literature 442 (June 2016), https://www.aeaweb.org/articles?id=10.1257/jel.54.2.442.
252 See, e.g., Educ. Advisory Board (EAB) Webinar Presentation, Optimizing Pricing and Aid Dollars for Graduate and Adult Students (Sept. 12, 2024), https://pages.eab.com/rs/732-GKV-655/images/ALR-GradFAO092024-update-PDF?version=0?x_id=&utm_source=prospect&utm_medium=presentation&utm_campaign=alr-faowebinar-0924&utm_term=&utm_content=inline; EAB, Enroll360, Enrollment Management Solution for Higher Education, https://eab.com/solutions/enroll360/ (last visited Nov. 4, 2024); Enrollment Management Association, Recruiting Private School Students With PROSPECT (Oct. 27, 2021), https://www.enrollment.org/articles/recruiting-private-school-students-with-prospect.
253 See, e.g., Fed. Trade Comm'n Staff, Behind the FTC's Inquiry into Surveillance Pricing Practices, FTC Tech. Blog (July 23, 2024), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/07/behind-ftcs-inquiry-surveillance-pricing-practices#ftn_3.
Valuing the benefits to consumers from increased privacy is difficult. It is common to find that consumers express a stated preference for digital privacy. Empirical studies have estimated consumers' willingness to pay for privacy through methods that elicit revealed preferences. While many find a positive valuation on privacy, the empirical estimates are highly varied and range from positive but quite low, to estimates that are much more significant in magnitude. 254 Studies have also found large differences in this valuation across consumers. This variation in the estimated value of privacy complicates a quantitative estimate of the proposed rule's benefits to consumers' privacy.
Footnotes:
254 To illustrate the breadth of estimates, Tesary Lin, for example, finds that consumers are willing to accept, on average, $10 to share a demographic profile, while Huan Tang finds that consumers are willing to pay on average $32 to hide a social network ID and employer contact information on a loan application. See Tang, Lin supra note 246. In contrast, Athey et al. find that half of their subjects were willing to disclose contact information of their close friends in exchange for pizza. See Susan Athey et al., The Digital Privacy Paradox: Small Money, Small Costs, Small Talk, Stanford Graduate Sch. of Bus. (Feb. 13, 2017), https://gsb-faculty.stanford.edu/susan-athey/files/2022/04/digital_privacy_paradox_02_13_17.pdf.
An additional complication with placing a direct value on privacy is the observation that, despite stated preferences for privacy, consumers tend to freely share their data. This can be seen by the proliferation of online data sharing through social networks. Some studies have also documented that consumers can be induced to share data with quite small incentives. 255 The difference between stated or realized preferences for privacy and the other evidence of a willingness to share data has been referred to as the "privacy paradox," though there are multiple potential explanations, including consumers' confusion about how their data is used, consumers not having fixed preferences over privacy, and that systems can be designed to result in the oversharing of data even if consumers do value privacy highly. 256
Footnotes:
255 Athey, supra note 254.
256 See, e.g., Daron Acemoglu et al., Too Much Data: Prices and Inefficiencies in Data Markets, 14(4) Am. Econ. J. Microeconomics 218 (Nov. 2022), https://www.aeaweb.org/articles?id=10.1257/mic.20200200&&from=f; Alessandro Acquisti et al., What is Privacy Worth?, 42(2) J. of Legal Studies 249 (June 2013), https://www.cmu.edu/dietrich/sds/docs/loewenstein/WhatPrivacyWorth.pdf.
The CFPB does not have data to quantify these privacy benefits to consumers, which are in some ways unquantifiable. This includes the benefits from reducing harms that arise from sensitive information about consumers being sold without a permissible purpose. Examples of these harms that are expected to be reduced include those related to financial scams; fraud and identity theft; and stalking, harassment, and doxing. The CFPB requests information and comment on these issues.
Scammers can use data from data brokers, including the four data types, to facilitate scams and predatory behavior. For example, fraudsters can obtain lists of people with income below a certain threshold and use that information to pitch predatory and unlawful products to families in financial distress. Data brokers have marketed financial-related lists including those with names such as "Bad Credit-Card Declines," "Paycheck to Paycheck Consumers," "Suffering Seniors," "Cash Cows-Underbanked File," and "Bankruptcy Filers," among others. 257 The information in these lists has included "both explicit and implied signals about consumer financial behavior." 258 In helping identify vulnerable targets for scammers, these lists have helped to facilitate concrete financial harms. For instance, the DOJ charged one data broker, Macromark, in relation to its dissemination of such lists of potential victims for fraudulent mass-mailing schemes. 259 Macromark admitted that the lists it provided to clients engaged in fraud resulted in losses to victims of at least $9.5 million. 260 The CFPB expects that the reduced transmission of the four data types would likely benefit consumers by making it more difficult to target people for such fraudulent schemes. The CFPB requests comment on the potential benefit to consumers due to reduced fraud as a result of the proposed rule.
Footnotes:
257 CFPB Data Broker RFI, Comments of U.S. Public Interest Research Group (PIRG) and Center for Digital Democracy (CDD), at 8, Docket No. CFPB-2023-0020, Comment ID 2023-0020-3412 (July 2023), https://www.regulations.gov/comment/CFPB-2023-0020-3412.
258 Id. at 9.
259 Press Release, Off. of Pub. Affs., U.S. Dep't of Just., List Brokerage Firm Pleads Guilty To Facilitating Elder Fraud Schemes (Sept. 28, 2020), https://www.justice.gov/opa/pr/list-brokerage-firm-pleads-guilty-facilitating-elder-fraud-schemes.
260 Id.
In addition to these privacy gains, the CFPB expects consumers would benefit through their ability, under the FCRA, to receive adverse action notices and address inaccuracies in consumer reports sold by entities that do not currently operate as consumer reporting agencies. As a result of their ability to address and correct inaccuracies, consumers may also benefit through improved outcomes in the decisions that are made based on this more-accurate information. For example, many risk mitigation services that are used to detect fraudulent applications or suspicious activities at financial institutions will be subject to the provisions in the FCRA designed to promote accuracy. To the extent these services rely on information in the baseline from data brokers that do not currently comply with the FCRA's accuracy requirements, the improved accuracy of information subject to the FCRA could increase the accuracy of such services. In turn, this could reduce the number of consumers who are denied accounts or other access to financial services as a result of decisions based on inaccurate information used for risk mitigation.
Potential Benefits to Covered Persons of Provisions That Could Affect Consumer Reporting Agency Coverage
Covered persons would benefit from provisions of the proposed rule that could affect consumer reporting agency coverage through an anticipated reduction in fraud and identity theft. For example, by requiring many companies, such as data brokers, that currently sell one of the four data types to comply with the FCRA, the CFPB expects the risk of data being obtained by unauthorized parties and used to commit fraud and identity theft to decrease. Therefore, covered persons,
Potential Costs to Consumers of Provisions That Could Affect Consumer Reporting Agency Coverage
Proposed § 1022.4(c) would restrict the use of the four data types to permissible purposes. The CFPB is not aware of consumer products and services facilitated by the four data types for non-permissible purposes or the extent that consumers may experience increased costs and/or reductions in service. Similarly, proposed § 1022.5(b) may increase costs for certain data aggregators, online databases, and other entities that would satisfy the proposed consumer reporting agency definition but do not currently comply with the FCRA. Depending on other market factors, companies might pass through the increase in input costs partially or in full to the price of consumer products or services. It is also possible that consumers would incur costs due to changes or reductions in services and products made available by users of the current data. The CFPB requests comment on the types of products and services, if any, that would be impacted and on the expected impact to consumers.
Potential Costs to Covered Persons of Provisions That Could Affect Consumer Reporting Agency Coverage
This proposed rule would have significant impacts on the business models of firms that currently use the four data types for activities not permitted under the FCRA. For instance, with certain exceptions, entities that sell consumers' income data generally would be consumer reporting agencies under the proposal, and thus generally would no longer be permitted to sell such income information for use in marketing. These users of the four data types would face costs associated with finding alternative data to substitute into their business models. To the extent that these alternatives are not as effective as the four data types, these firms would potentially experience decreased revenues. Alternatively, if users of the four data types opt to try to continue using the four data types for non-permissible purposes, they generally would need to rely upon the written instructions provision in order to have a permissible purpose. Thus, they would incur technological and legal costs to create systems and procedures to obtain consumers' written instructions, as well as ongoing costs associated with proving that they have obtained consumers' written instructions in compliance with the proposed rule. To the extent that consumers would be unwilling to provide their written instructions to allow use of their consumer report data, these firms would potentially experience decreased revenues.
One industry that would be particularly impacted by this proposal is the digital advertising ecosystem. When consumers browse online, they interface with programmatic advertisements that are bought and sold individually via an automated, instantaneous auction process that leverages data from a range of sources, including cookies, device IDs, browsing history, demographics, and other personal data. There are a variety of business types that help facilitate this digital ecosystem. To the extent that any of these entities rely on the four data types, they would generally qualify as consumer reporting agencies selling consumer reports. Thus, these entities would generally be unable to sell services that use this data for non-permissible purposes like advertising. Given this, these entities could face impacts to their businesses, such as costs associated with adjustments to targeting algorithms to avoid using the four data types. To the extent that ad algorithms not relying on the four data types are less effective at targeting ads, entities may also experience a loss in revenues. In particular, firms generally would no longer be able to provide the service of specifically targeting ads to people based on their income or financial tier.
Proposed § 1022.5(b) addressing the phrase "assembling or evaluating" could also impact data aggregators that provide information or products, for non-permissible purposes, that involve assembling or evaluating consumer information. To the extent data aggregators engage in these activities, they may face costs associated with adjusting their business practices to comply with the FCRA. The CFPB does not have data on the extent to which data aggregators engage in these practices, and requests comment on this issue.
In addition, entities that the proposed rule would clarify are consumer reporting agencies under the proposed rule but that do not currently comply with the FCRA would incur both one-time costs to develop FCRA-compliant systems, processes, policies, and procedures, as well as ongoing costs to maintain them. For example, such entities would be required to comply with the FCRA's dispute resolution and accuracy requirements. During the SBREFA process, small entity representatives argued that investigating disputes, if and when they were to arise, would be very costly due to increased staffing, technical, and legal costs. 261 Some data broker small entity representatives asserted that they would face compliance costs so high that they might cease operation. 262 The CFPB does not have data allowing it to quantify these one-time and ongoing costs and requests comment on this issue.
Footnotes:
261 Small Business Review Panel Report, supra note 40, at 17.
262 Id. at 19.
The FCRA includes a private right of action, so entities newly considered to be consumer reporting agencies could incur costs related to FCRA litigation. These entities would also face ongoing compliance costs, for example those associated with ensuring that they are only furnishing consumer reports for FCRA section 604 permissible purposes. These entities would also likely need to retain personnel with professional skills related to software development, general and operational management, legal expertise, and customer support. The CFPB does not have data indicating the magnitude of these costs and requests comment on this issue.
Entities newly considered to be consumer reporting agencies would face costs associated with credentialing and monitoring recipients' actual use of the consumer reports that they furnish. The CFPB does not have data indicating the magnitude of these costs and requests comment on this issue.
Under the proposed rule, entities that provide data to other entities that would newly be considered consumer reporting agencies could, depending on the facts and circumstances, qualify as furnishers subject to the FCRA. Furnishers would incur one-time costs to develop FCRA-compliant systems, processes, policies, and procedures, as well as ongoing costs to maintain them. Entities newly considered to be furnishers could also experience increased legal expenses, to the extent that they face litigation associated with disputes. Indeed, furnishers would likely need to retain personnel with skills related to software development, general and operational management, legal expertise, and customer support. If the ongoing cost of furnishing in compliance with the FCRA exceeds the benefits companies currently receive from furnishing, those entities may cease furnishing information to consumer reporting agencies.
Provisions Addressing What Constitutes a Consumer Report
The proposed rule would address when communications by consumer reporting agencies constitute consumer reports. Proposed § 1022.4(d) would provide that any communication by a consumer reporting agency of a personal identifier for a consumer that was collected in whole or in part by a consumer reporting agency for the purpose of preparing a consumer report about the consumer (also known as "credit header" information) is a consumer report, therefore limiting the sale of this information to FCRA permissible purposes.
The three alternative versions of proposed § 1022.4(e) regarding de-identified information would effectively limit the sale of aggregated or otherwise de-identified data derived from a consumer reporting database by specifying when this information constitutes a consumer report, and thus may only be sold for FCRA permissible purposes.
• Proposed Alternative One would provide that de-identification of information is not relevant to a determination of whether the definition of consumer report is met. This alternative would mean that a consumer reporting agency's communication of consumer report information would still constitute a consumer report even if the consumer report information was de-identified.
• Proposed Alternative Two would instead provide that de-identification of information is not relevant to a determination of whether the definition of consumer report is met if the data is "linked or linkable" to an individual consumer.
• Proposed Alternative Three would provide that de-identification of information is not relevant to a determination of whether the definition of consumer report is met if at least one of the specific conditions listed is met, including that the information is "still linked or reasonably linkable" to a consumer, is "used to inform a business decision about a particular consumer," or ultimately is used to identify the consumer in practice. This proposed alternative was designed to permit research using de-identified data so long as it is not re-identified. The CFPB is requesting comment as to which condition or combinations of conditions should be included in a final rule consistent with that goal and whether any additional conditions should be added if the third alternative approach is finalized.
Although Proposed Alternative One would technically be a more stringent restriction on the use of de-identified consumer report information than Proposed Alternative Two, because almost any data from a consumer report could theoretically be linked to a consumer, the ultimate impacts appear to be similar. Thus, Proposed Alternatives One and Two would have qualitatively similar benefits and costs for consumers and covered persons by eliminating a broad range of current uses of de-identified consumer report information. For example, Proposed Alternative One would prohibit researchers from government and other reputable entities from obtaining de-identified consumer report data for research on topics including the state of consumer finances, as research is not an FCRA permissible purpose, and Proposed Alternative Two would likely have a similar effect. In contrast, Proposed Alternative Three generally would not prohibit researchers from obtaining de-identified consumer report data for use in research, and the CFPB requests comment on which conditions under this alternative would allow for research to continue.
Potential Benefits to Consumers of Provisions Addressing What Constitutes a Consumer Report
A consequence of the proposed definition of consumer report is that additional information would be treated as having FCRA protections and limitations on sharing as compared to the baseline. This would confer privacy benefits to consumers similar to those discussed above regarding clarifying which entities are consumer reporting agencies. Defining personal identifiers obtained from a consumer reporting agency as consumer report information, for example, would reduce the ability of entities to share and sell that information and would likely have the net effect of reducing the total amount of consumers' private information available in the marketplace.
Reduction of this sensitive information in the marketplace, such as contact information, including phone numbers, could have benefits for consumers by decreasing the risk of these data being obtained by unauthorized parties for uses that can harm consumers, such as for fraudulent purposes. Though the CFPB does not have information to quantify this reduction in risk, the FTC reported that consumers lost $10 billion to fraud and scams in 2023, and that the second most commonly reported contact method by scammers was contacting people by phone, leading to the highest per person reported median loss of $1,480. 263 Certain consumer populations may experience distinct impact from scammers. For example, elder fraud is a significant subcategory of fraud that can be facilitated by the unauthorized use of contact information. The FBI's Internet Crime Complaint Center (IC3) reported that call center schemes overwhelmingly target older adults and consumers over the age of 60 lost more to these scams than any other age group. 264 In 2023, "total losses reported to the IC3 by those over the age of 60 topped $3.4 billion, an almost 11% increase in reported losses from 2022." 265 To the extent that financial fraud and identity theft are facilitated by such sensitive consumer information from consumer reporting agencies, the CFPB expects that limiting transmission of this information to permissible purposes would reduce unauthorized access by fraudsters, which could reduce incidences of fraud and the associated losses to consumers. The CFPB requests information that can be used to quantify the expected changes in fraud or identity theft related to this information.
Footnotes:
263 See Press Release, Fed. Trade Comm'n, As Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
264 See Press Release, Fed. Bureau of Investigation Los Angeles, U.S. Dep't of Just., FBI Releases 2023 Elder Fraud Report with Tech Support Scams Generating the Most Complaints and Investment Scams Proving the Costliest (May 2, 2024), https://www.fbi.gov/contact-us/field-offices/losangeles/news/fbi-releases-2023-elder-fraud-report-with-tech-support-scams-generating-the-most-complaints-and-investment-scams-proving-the-costliest.
265 See Fed. Bureau of Investigation, U.S. Dep't of Just., 2023 Elder Fraud Report (Dec. 12, 2023), https://www.ic3.gov/AnnualReport/Reports/2023_IC3ElderFraudReport.pdf.
Reducing the flow of personal identifiers that are available for purchase may also benefit consumers who may become targets for doxing, stalking, harassment, or violence as a result of their contact information being made available by data brokers. These include consumers who are targeted for their profession, such as abortion care providers, military service members, judges, prosecutors, police officers, and other members of law enforcement. 266
Footnotes:
266 See CFPB Data Broker RFI, Comment from Digital Defense Fund, The National Network of Abortion Funds, and Apiary for Practical Support (July 17, 2023), CFPB Data Broker RFI, Comment ID 2023-0020-3946, https://www.regulations.gov/comment/CFPB-2023-0020-3946; Herbert B. Dixon & James L. Anderson, The Evolving Nature of Security Threats to Judges, Am. Bar Ass'n (Aug. 4, 2023), https://www.americanbar.org/groups/judicial/publications/judges_journal/2023/summer/evolving-nature-security-threats-to-judges/; Esther Salas, My Son Was Killed Because I'm a Federal Judge, N.Y. Times (Dec. 8, 2020), https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html.
267 Rachel E. Morgan & Jennifer L. Truman, Bureau of Just. Stat., U.S. Dep't of Just., Stalking Victimization, 2019 (Feb. 2022), https://www.justice.gov/d9/2023-06/2022%20Report%20to%20Congress%20on%20Stalking.pdf.
268 See Safety Net Project, New Survey: Technology Abuse & Experiences of Survivors and Victim Service Agencies, Nat'l Network to End Domestic Violence (Apr. 29, 2014), https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
269 See, e.g., Remsburg v. Docusearch, Inc., No. Civ. 00-211-B, 2002 WL 844403, at *2-3 (D.N.H. Apr. 25, 2002).
270 Stalking Prevention, Awareness, and Resource Center, Stalking Fact Sheet (Jan. 2019), https://www.stalkingawareness.org/wp-content/uploads/2019/01/SPARC_StalkngFactSheet_2018_FINAL.pdf.
271 See, e.g., Justin Sherman, People Search Data Brokers, Stalking, and 'Publicly Available Information' Carve-Outs, The Lawfare Inst. (Oct. 30, 2023), https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
Likewise, clarifying that consumer information that has been de-identified, whether through aggregation or other means, may constitute a consumer report additionally could limit the sharing and sale of consumers' data relative to baseline. Aggregation and other methods have been longstanding approaches to preventing the disclosure of information linked to a specific individual that can be used to identify a consumer, even among government agencies. 272 However, recent research has illuminated how even carefully aggregated data may still present a risk of being identified, depending on the context. For example, research from the U.S. Census Bureau has shown how information linked to specific individuals can at times be obtained from publicly available aggregate-level information. 273 In many other examples, researchers have been able to re-identify individuals from seemingly de-identified data. 274 To the extent that consumers can be re-identified from the aggregated or otherwise de-identified data currently derived from consumer reporting databases at baseline, the proposed rule may benefit consumers by reducing the amount of personal information obtained about them. The benefits would be similar to those discussed above related to the overall reduction in the supply of consumer information. The CFPB does not have data to quantify these benefits to consumers and requests information and comment on these issues.
Footnotes:
272 Report on Statistical Disclosure Limitation Methodology, Fed. Comm. on Stat. Methodology (Exec. Off. of the President of U.S., OMB, Working Paper No. 22, Dec. 2005), https://nces.ed.gov/FCSM/pdf/SPWP22_rev.pdf.
273 John M. Abowd & Michael B. Hawes, 21st Century Statistical Disclosure Limitation: Motivations and Challenges, at 8 (U.S. Census Bureau, Working Paper No. ced-wp-2023-002, Mar. 03, 2023), https://www.census.gov/library/working-papers/2023/adrm/ced-wp-2023-002.html.
274 See, e.g., Jane Henriksen-Bulmer & Sheridan Jeary, Re-identification attacks-A systemic literature review, 36(6)(B) Int'l J. of Info. Mgmt. (Dec. 2016), https://www.sciencedirect.com/science/article/abs/pii/S0268401215301262.
Providing that communications of personal identifiers by consumer reporting agencies are consumer reports would also benefit consumers by confirming they have protection under the FCRA when personal identifiers are used to make certain decisions that bear on them. For example, personal identifiers are purchased from consumer reporting agencies by data brokers in order to provide end users with identity verification services designed to prevent financial fraud. When these entities rely on outdated personal identifiers or otherwise introduce inaccuracies into these data, it could result in false positives that can impact a consumer's access to financial products and services. In recent years, reports of financial fraud have increased along with reports of increased account closures ("debanking") and denial of services to consumers. 275 Additionally, consumers who are denied financial services may turn to other more costly financial alternatives, such as check cashing, or miss out on the benefits of building credit. 276 By providing that communications of personal identifiers on their own by consumer reporting agencies are consumer reports, the proposed rule would apply the FCRA's accuracy provisions to data brokers who receive personal identifiers from consumer reporting agencies to provide risk mitigation services. While the CFPB does not have data to quantify the impact that inaccurate information plays in the decisions resulting from risk mitigation services provided by such data brokers, the CFPB expects that by improving the accuracy of such information, the proposed rule could mitigate the associated harms of such decisions based on inaccurate information. The CFPB requests comment on the role personal identifiers play in risk mitigation services and the associated impacts for consumers.
Footnotes:
275 See, e.g., Press Release, Fed. Trade Comm'n, As Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public; Tara Siegel Bernard & Ron Lieber, Banks Are Closing Customer Accounts, With Little Explanation, N.Y. Times (Apr. 8, 2023), https://www.nytimes.com/2023/04/08/your-money/bank-account-suspicious-activity.html; Kristine Lazar, On Your Side: Bank customers report unexpected account closures, CBS News (July 17, 2023), https://www.cbsnews.com/losangeles/news/on-your-side-bank-customers-report-unexpected-account-closures/.
276 Tyler Desmond & Charles Sprenger, Estimating the Cost of Being Unbanked, Fed. Rsrv. Bank of Boston (Spring 2007), https://www.bostonfed.org/-/media/Documents/cb/PDF/article9.pdf.
In addition, users of reports consisting solely of personal identifiers purchased from consumer reporting agencies would be required to send adverse action notices to consumers in situations where an adverse action is taken against a consumer based on the information. Consumers would benefit from receiving such adverse action notices to the extent that it alerts them to potentially incorrect information and their right to dispute such information, and prompts them to address adverse actions that may have resulted, such as denial of government benefits or bank accounts due to an inability to verify the identity of the consumer. The CFPB does not have data to quantify how often users of personal identifiers provide adverse action notices based on this information at baseline and requests comment on these issues.
Potential Benefits to Covered Persons of Provisions Addressing What Constitutes a Consumer Report
Many financial institutions use risk mitigation services provided by data brokers to detect fraudulent applicants and suspicious activity to reduce the cost of fraud against the financial institution, or fraud against consumers that the financial institution must cover pursuant to the Electronic Fund Transfer Act or payment network rules. The proposed rule would ensure the FCRA's protections apply to these risk mitigation services if the data broker purchased personal identifiers from the consumer reporting agencies. These data brokers would be required to comply with FCRA provisions applicable to consumer reporting agencies, including the legal requirement to maintain policies and procedures to assure maximum possible accuracy. 277 In addition, consumers would receive greater notice and ability to dispute inaccurate personal identifiers used for risk mitigation purposes if proposed § 1022.4(d) is finalized. To the extent that correction of inaccurate reports increases as a result of the proposed rule, covered persons that rely on these services would benefit from the improved accuracy of risk mitigation. For example, financial institutions that use data brokers that purchase personal identifiers from consumer reporting agencies for identity verification services would have better information to detect fraudulent applications. By improving the accuracy of information used for risk mitigation, the CFPB also expects the proposed rule to reduce costs to financial institutions, which currently expend resources, incur fraud losses, or may lose business due to decisions resulting from inaccurate data used in risk mitigation in the baseline. 278 The CFPB does not have data to quantify these benefits and requests information and comment on these issues.
Footnotes:
277 15 U.S.C. 1681e.
278 David Vergara, The banking industry's multi-billion dollar fraud problem and how to solve it, Bank Admin. Inst. (Jan. 16, 2019), https://www.bai.org/banking-strategies/the-banking-industrys-multi-billion-dollar-problem/.
The CFPB does not anticipate that any covered persons would benefit from any of the three alternative versions of proposed § 1022.4(e).
Potential Costs to Consumers of Provisions Addressing What Constitutes a Consumer Report
Regarding proposed § 1022.4(d), at baseline, personal identifiers from consumer reporting agencies are used in a variety of activities, some of which involve FCRA permissible purposes and some of which do not. Personal identifiers from consumer reporting agencies are used for risk mitigation activities, such as identity verification and fraud prevention, which overlap but can be distinct from each other. Generally, entities will have a permissible purpose to purchase personal identifiers from consumer reporting agencies for risk mitigation services on current or prospective customers, either because there is an applicable permissible purpose or the user is able to obtain the consumer's written instruction. The CFPB requests comment on the extent to which risk mitigation strategies and services that use personal identifiers from consumer reporting agencies could be impacted under the proposal and subsequent impacts on consumers.
In some instances, law enforcement agencies purchase personal identifiers from consumer reporting agencies via data brokers. However, law enforcement currently obtains personal identifiers from a broad range of other sources, and proposed § 1022.4(d) would not affect many of these sources. 279 If law enforcement is able to obtain necessary information pursuant to these other sources, or through other sources that are not subject to the FCRA, the CFPB expects the impacts of the proposed rule to law enforcement would be small and seeks comment on whether there would be any subsequent impacts to consumers. Furthermore, as noted above, the CFPB is requesting comment on a potential exemption from proposed § 1022.4(d) for communications consisting exclusively of personal identifiers that are solely furnished to, or solely used to furnish to, local, Tribal, State, or Federal governments, which would likely ameliorate this impact.
Footnotes:
279 See supra pp. 4-6, Part I: Summary of the Proposed Rule.
Consumers could also face impacts related to use of de-identified data by entities that develop and test financial models if the first or second alternative version of proposed § 1022.4(e) is finalized. For example, financial institutions and other entities use de-identified consumer reporting agency data to develop, test, and validate credit, fraud, and similar risk-management models (such as VantageScore and FICO scores), develop and test products, manage credit portfolios, and for other purposes. While existing risk-management scores that have already been developed could still be used if the proposed rule were finalized, without access to de-identified consumer report data, entities would be unable to test and improve such scores as they currently do. Similarly, entities attempting to develop new models would not be able to do so using de-identified consumer report data. To the extent that risk-management scores created without access to de-identified consumer report data are less accurate in predicting consumers' ability to repay than existing scores, there could be downstream effects on processes and products that rely upon such metrics. While financial institutions would be able to rely on consumer reporting agencies, particularly nationwide consumer reporting agencies, to develop risk-management scores, reduced competition in developing risk-management scores could impose costs on consumers in the form of higher prices and less accurate scores. Small entity representatives noted during the Small Business Review Panel that, if creditors could not use de-identified data for their own models, they would need to tighten their credit policies or increase pricing, both of which would harm consumers, particularly those who do not have access to traditional financial products and services. 280 The CFPB requests information on the potential impacts to risk-management models and the subsequent impacts to consumers.
Footnotes:
280 Small Business Review Panel Report, supra note 40, at 25.
Consumers may also lose benefits from research, policymaking, or market monitoring activities that rely on de-identified information. Currently, consumer reporting agencies regularly sell de-identified information from their consumer reporting databases to government agencies, nonprofits, and academic institutions to facilitate research. Research using de-identified consumer report information has become increasingly common, as it allows policymakers to identify current trends in consumer welfare and identify emerging financial risks to consumers. For example, the CFPB uses its Consumer Credit Information Panel (CCIP), a comprehensive, national 1-in-50 longitudinal sample of de-identified credit records, sourced from one of the three nationwide consumer reporting agencies, to conduct economic research, monitor financial markets, and inform rulemakings that support consumers in the financial marketplace. Similarly, the CFPB and FHFA jointly fund and manage the National Mortgage Database (NMDB), a de-identified nationally representative five percent sample of closed-end first-lien residential
Footnotes:
281 Fed. Hous. Fin. Agency, National Mortgage Database Program, https://www.fhfa.gov/programs/national-mortgage-database-program (last visited Oct. 15, 2024). The core data in NMDB is de-identified data drawn from the files of Experian, one of the three national credit bureaus. Fed. Hous. Fin. Agency, Technical Report 1: National Mortgage Database Technical Documentation, at 1-2 (Dec. 28, 2022), https://www.fhfa.gov/sites/default/files/documents/NMDB-Technical-Documentation-20221228.pdf.
282 12 U.S.C. 4544(c)(1); see also Fed. Hous. Fin. Agency, National Mortgage Database Program, https://www.fhfa.gov/programs/national-mortgage-database-program (last visited Oct. 15, 2024).
283 Univ. of Cal. Consumer Credit Panel (UC-CCP), California Policy Lab, https://www.capolicylab.org/data-resources/university-of-california-consumer-credit-panel/ (last visited Oct. 15, 2024).
Under the first alternative version of proposed § 1022.4(e), government agencies, nonprofits, and academic institutions would generally no longer be able to obtain de-identified data from consumer reporting databases and numerous other sources, as they do not generally have an FCRA permissible purpose to do so; the second alternative would have similar effects where the de-identified data is linkable back to individual consumers. To the extent that consumers currently benefit from such research, consumers would face costs associated with its prohibition under the first and second proposed alternatives.
Depending on which conditions are finalized and how they are implemented, the third alternative could also impact government agencies' and other researchers' ability to engage in research practices that use de-identified data from consumer reporting agencies going forward. To the extent that consumers and covered persons receive value from these research activities that use de-identified information from consumer reporting databases, a version of the de-identified data provision that would prohibit these practices would impose costs on consumers by eliminating the benefits of that research. The CFPB requests information on the potential impacts to research activities and the subsequent impacts to consumers.
Potential Costs to Covered Persons of Provisions Addressing What Constitutes a Consumer Report
The provisions relating to personal identifiers and de-identified data purchased from consumer reporting agencies could reduce the ability of consumer reporting agencies to sell current products or services, potentially reducing their revenues. For example, consumer reporting agencies sell de-identified consumer report data to government agencies, nonprofits, and academic institutions for use in research and policy work, as well as to financial institutions and other entities for a variety of finance-related modeling purposes. Revenues from such sales could be reduced or eliminated, depending on the version of the de-identified data provision that is finalized. The CFPB is aware that some nationwide consumer reporting agencies sell personal identifiers and de-identified consumer report information but does not have information to determine the extent to which other entities that meet the definition of consumer reporting agency engage in similar practices.
Additionally, entities that currently use de-identified consumer report data for credit and other financial models could face impacts and costs associated with the loss of or change to this data access, such as those noted in the above discussion on costs to consumers. Examples of costs include, but are not limited to, operational costs to adjust their processes and models, costs associated with finding alternative data, and potential business and revenue impacts to the extent these changes are not as effective as the current models that use de-identified consumer report data. The CFPB requests information from entities on the use cases of de-identified data for these purposes and the potential impacts on entities of the alternatives under consideration.
Some data brokers that purchase personal identifiers from consumer reporting agencies for resale would themselves be considered consumer reporting agencies. Those firms would have similar additional costs as described above in the section pertaining to costs to covered persons of provisions that could affect consumer reporting agency coverage. For example, these firms would be subject to FCRA compliance requirements for how consumer report information can be used and distributed. The CFPB requests information and comment that can be used to quantify potential revenue losses and compliance costs to these entities.
Some consumer reporting agencies sell personal identifiers to financial institutions for their in-house risk mitigation activities, including identity verification or fraud detection, or to users who provide risk mitigation services to financial institutions. For example, financial institutions use credit header data for identity verification when a consumer applies for a loan, opens a checking account, or applies for a credit limit increase. 284 Users of personal identifiers for identity verification services could continue to obtain identifying information drawn from a consumer reporting database if they have an FCRA permissible purpose. For example, if an entity has a permissible purpose under FCRA section 604(a)(3) to obtain a consumer report, a consumer reporting agency could provide that entity with a consumer report for identity verification conducted in connection with that permissible purpose (such as a creditor seeking to confirm the identity of an applicant in connection with a loan application). In other cases, users could obtain a consumer's written instructions. However, the CFPB received feedback from the Small Business Review Panel that obtaining written instructions might lead to increased operational costs, slow down consumer-initiated transactions, or cause confusion among customers. 285 The CFPB does not have information to quantify these potential costs but preliminarily determines that some of the cost to entities that would rely on the written instructions permissible purpose could be minimized by obtaining a consumer's written instructions electronically. The CFPB requests comment on this issue.
Footnotes:
284 Small Business Review Panel Report, supra note 40, at 22.
285 Id. at 23.
If the proposal is finalized, consumer reporting agencies would generally not be able to provide personal identifiers that they collect for the purpose of preparing consumer reports to entities that want to use the information for identity verification in connection with a transaction that is not a permissible purpose, absent written instructions from the consumer. Given that identity verification is primarily conducted by entities on their customers or prospective customers who submit an application to the entity, the CFPB expects that many users of personal identifiers from consumer reports will be able to obtain written instructions in
Debt collectors may also use data brokers that purchase personal identifiers from consumer reporting agencies to locate consumers to collect unpaid debts on credit accounts at baseline. If the personal identifier proposal is finalized, debt collectors collecting on such credit accounts could continue to use personal identifiers purchased from consumer reporting agencies in compliance with the FCRA under FCRA section 604(a)(3)(A). The CFPB received feedback from the Small Business Review Panel that some debt collectors would increase reliance on litigation as a collection tool. 286 Since collecting on a credit account is a permissible purpose under the FCRA, the CFPB does not have information on the likelihood of debt collectors changing collection approaches or other costs related to the rule and requests comment.
Footnotes:
286 Small Business Review Panel Report, supra note 40, at 24.
Provisions To Reduce the Use of Consumer Report Information for Marketing and Advertising
The proposed rule includes provisions intended to further the FCRA's general prohibition on the use of consumer report information for marketing and advertising without a permissible purpose, i.e., without compliance with the FCRA's prescreening provisions set out in FCRA section 604(c) or the consumer's written instructions under FCRA section 604(a)(2). Under proposed § 1022.10(b)(2), if a consumer reporting agency facilitates a third party's use of consumer report information for that person's financial gain, regardless of whether such information is transmitted to the third party, the consumer reporting agency has furnished the consumer report to a third party for purposes of FCRA section 604 and proposed § 1022.10(a). In addition, proposed § 1022.12(b)(3) would highlight that the legitimate business need permissible purpose in FCRA section 604(a)(3)(F) does not authorize use of consumer report information for marketing. Given that proposed § 1022.12(b)(3) does not change the baseline, the CFPB does not anticipate any significant impacts of this provision. Additionally, while not the focus of this analysis, proposed § 1022.4(e) regarding when de-identified consumer information constitutes a consumer report, discussed above, may also deter the use of consumer report information for marketing and advertising without a permissible purpose.
Potential Benefits to Consumers of Provisions To Reduce the Use of Consumer Report Information for Marketing and Advertising
To the extent that entities rely on consumer reporting agencies to facilitate their use of consumer report information to target marketing to consumers without receiving such information and without a permissible purpose, the proposed rule would prevent such marketing. Specifically, the proposals would cause consumer reporting agencies to cease facilitating advertisers' ability to target ads based on consumer report information, except in limited circumstances (i.e., with consumer authorization or under the limited circumstances permitted by the FCRA for firm offers of credit or insurance). While companies may instead use alternative data that could proxy for consumer report information so as to avoid FCRA restrictions, alternative data may be prohibitively expensive or of lower quality. 287 To the extent that companies fail to identify suitable proxies for consumer report information, the proposed rule could reduce the amount of targeted marketing presented to consumers.
Footnotes:
287 See, e.g., Eric Farkas, How accurate third-party data leads the way for advertisers, Experian (Jan. 5, 2024), https://www.experian.com/blogs/marketing-forward/how-accurate-third-party-data-leads-the-way-for-advertisers/.
Reductions in targeted marketing and advertising based on consumer report information could result in benefits to consumer privacy. Some existing research suggests that consumers can find targeted advertising intrusive and may even respond negatively if the targeting is made more salient. 288 Researchers have also found evidence that consumers value the European Union's General Data Protection Regulation's right to object to profiling provision, which provides consumers a limited ability to object to companies using their personal data for marketing purposes. 289 To the extent consumers find targeted advertising based on consumer report information intrusive, then consumers may benefit from any reduction in this type of targeted marketing stemming from the proposed rule.
Footnotes:
288 Avi Goldfarb & Catherine Tucker, Online Display Advertising: Targeting and Obtrusiveness, 30(3) Mktg. Sci. (Feb. 9, 2011), https://pubsonline.informs.org/doi/10.1287/mksc.1100.0583.
289 Maciej Sobolewski & Michal Palinski (2017), How much to consumers value on-line privacy? Welfare assessment of new data protection regulation (GDPR) (Univ. of Warsaw, Faculty of Econ. Sci., Working Papers No. 17/2017 (246) 2017), https://www.wne.uw.edu.pl/files/7915/1505/9038/WNE_WP246.pdf.
It is also possible for marketing based on consumer report information to negatively impact consumers. For example, targeted marketing based on financial characteristics, such as income, credit score, or payment of debts, might enable the targeting of consumers in financial distress with advertisements for predatory products and services, which may result in financial or other harms to consumers. Firms could also use consumer report information, for example, to target only expected higher-income consumers and prevent lower-income consumers from seeing advertisements for products that may benefit them. To the extent the proposed provisions affect targeted advertising based on these types of characteristics, the proposed rule may benefit consumers. Consistent with the discussion above about price discrimination, advertising based on income or financial tier can lead to consumers being offered products at prices closer to the consumer's willingness to pay, resulting in higher
Potential Benefits to Covered Persons of Provisions To Reduce the Use of Consumer Report Information for Marketing and Advertising
The CFPB does not anticipate that any covered persons would benefit from the provisions in the proposed rule intended to reduce the use of consumer report information for marketing and advertising.
Potential Costs to Consumers of Provisions To Reduce the Use of Consumer Report Information for Marketing and Advertising
To the extent that the proposed provisions impact targeted advertising or marketing by reducing companies' ability to rely on consumer report information, such as income and financial tier, for targeted marketing, they may impose some costs on consumers. For consumers, advertising can serve an informative purpose. 290 In targeting consumers based on personalized information (including consumer report information such as income or financial tier) for profit-maximizing purposes, companies may be informing certain consumers of products or discounts that they would be interested in, and potentially would not have known about otherwise. While the proposed rule would not prohibit companies from using targeting algorithms, the reduced ability to rely on consumer report information for targeted marketing could reduce the amount and usefulness of the marketing consumers receive. However, these potential costs to consumers would be small if targeted marketing based on consumer report information currently has limited value for consumers. The CFPB is not aware of research that examines whether using consumer report information specifically in targeting algorithms affects the amount and degree to which ads meet consumer preferences. Existing empirical research concerning the value of targeted marketing, in general, to consumers is mixed. 291 The CFPB does not have information to quantify the value to consumers of targeted advertising that uses consumer report information, or the change in value that could result if this use were to cease under the proposed rule, and requests information on the potential impact to consumers.
Footnotes:
290 See, e.g., Yehuda Kotowitz & Frank Mathewson, Informative Advertising and Welfare, 69(3), The American Econ. Review 284 (June 1979), https://www.jstor.org/stable/1807364.
291 See, e.g., Erik Brynjolfsson et al., The Consumer Welfare Effects of Online Ads: Evidence from a 9-year Experiment (NBER Working Paper No. 32846, Aug. 2024), https://www.nber.org/papers/w32846; Eduardo Schnadower Mustri et al., Behavioral Advertising and Consumer Welfare, Soc. Sci. Rsch. Network (Mar. 23, 2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4398428; Navdeep S. Sahni & Charles Zhang, Are Consumers Averse to Sponsored Messages? The Role of Search Advertising in Information Discovery, Stanford Univ. Graduate Sch. of Bus. Rsch. Paper No. 3441786 (Mar. 27, 2022), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3441786.
By providing that the FCRA prohibits consumer reporting agencies from facilitating a third party's use of consumer report information for financial gain without a permissible purpose, the proposed rule would also impact some surveys. Since academics, nonprofit organizations, and government agencies do not conduct or sponsor surveys for financial gain, their use of consumer reporting agencies to facilitate surveys would not be prohibited, and consumers would continue to benefit from research that relies upon these types of surveys. However, to the extent that consumers benefit from surveys that rely on or elicit consumer report information and are conducted for financial gain, consumers would face reduced benefits associated with their prohibition. While it is likely that entities would simply cease relying on consumer reporting agencies to facilitate surveys rather than abandon the surveys entirely, this could reduce the efficacy of such surveys, and in turn, reduce their value to consumers. The CFPB requests comment on the extent to which consumers benefit from surveys facilitated by consumer reporting agencies for a person's financial gain.
The CFPB requests information that can be used to quantify these costs to consumers, as well as comment on whether there are additional use cases outside of targeted marketing and research that one would expect to be impacted by the proposed rule.
Potential Costs to Covered Persons of Provisions To Reduce the Use of Consumer Report Information for Marketing and Advertising
There are several ways in which consumer reporting agencies would lose revenues under the provisions of the proposed rule related to marketing. If the provision clarifying that furnishing includes facilitating a person's use of a consumer report for financial gain is finalized, consumer reporting agencies would forgo revenues that they previously could have generated from certain activities, such as facilitating marketing or conducting surveys that rely upon consumer report information on behalf of other entities for those entities' financial gain. In addition to lost revenue, consumer reporting agencies could incur costs of compliance associated with changing processes, policies, and procedures related to these activities if the provision is finalized. The proposed provisions are expected to have fewer impacts on consumer reporting agencies that do not at baseline engage in these activities. The CFPB requests comment on these issues, especially data that can be used to quantify these potential losses in revenue, such as data on the sales of consumer report information that would be affected by the proposed provisions.
Companies may also incur costs due to the proposed provisions pertaining to marketing and advertising. Companies target ads for a variety of purposes, including to build an applicant pool or customer base meeting certain criteria, or to increase the percentage of ads that lead to customer acquisition or purchases. Companies generally use a variety of advertising methods to increase customer volume at the lowest customer acquisition cost possible. In the modern economy, targeted digital ads using consumer data are one method for doing so, along with contextual digital ads, behavioral digital ads, physical mailings, email, texts, telemarketing, television, billboards, radio, podcasts, and other ad types. This proposed rule could impact the efficacy of digital advertising by preventing consumer reporting agencies from facilitating companies' use of consumer report information, such as that pertaining to income or financial tier, in the design and development of targeting algorithms, which is not a permissible purpose. The CFPB is not aware of research demonstrating whether, and the degree to which, the inclusion of consumer report data like income or financial tier in targeting algorithms increases customer acquisition efficiency. But in theory, the proposed rule may result in a higher customer acquisition cost for firms with a heavier reliance on digital advertising (in particular targeted marketing based on surveillance data, as opposed to contextual or behavioral ads) and with
In recent years, large firms such as Google and Apple, 292 and some States (e.g., California, Colorado, Connecticut, Virginia, and Utah) have considered or have implemented changes to strategies and policies related to consumer privacy. While the proposed provisions would specifically affect targeted advertising based on consumer report information, companies' prior adjustments to industry and State-level changes could potentially mitigate the additional costs that they may incur if this proposed rule is finalized. Some companies may choose to instead rely on written instructions as a means of obtaining consumer reports for marketing or advertising purposes, which could increase paperwork and processes associated with requesting consumer information, or to comply with the FCRA's prescreening provisions. The CFPB requests data and information that can be used to estimate the potential revenue losses or additional costs that may be incurred by companies that would be affected by the proposals.
Footnotes:
292 Tim Bajarin, Apple's Do Not Track Me Rules Are Having Significant Impact On Digital Advertising, Forbes (July 26, 2022), https://www.forbes.com/sites/timbajarin/2022/07/26/apples-do-not-track-me-rules-are-having-significant-impact-on-digital-advertising/.
Provisions Clarifying the Responsibilities of Consumer Reporting Agencies
The proposed rule would clarify certain responsibilities of consumer reporting agencies. Proposed § 1022.11 would clarify the conditions that must be met for a consumer reporting agency to furnish or a person to obtain a consumer report in accordance with the written instructions of the consumer, including consumer disclosure and consent requirements, and limitations on procurement, use, and retention of consumer reports, including that such activities must be reasonably necessary to provide the product or service the consumer requested or the specific use identified by the consumer. Proposed § 1022.11 would also provide that a consumer reporting agency furnishes a consumer report in accordance with the written instructions of the consumer if the report is furnished to a person that is an authorized third party under subpart D of the PFDR Rule.
Proposed § 1022.12(b)(2) would provide examples of the types of transactions that would and would not establish a consumer-initiated transaction for purposes of the legitimate business need permissible purpose in FCRA section 604(a)(3)(F). For instance, the proposal clarifies that a consumer does not initiate a business transaction for purposes of the legitimate business need permissible purpose by inquiring about the availability or pricing of products or services.
Potential Benefits to Consumers of Provisions Clarifying the Responsibilities of Consumer Reporting Agencies
Proposed §§ 1022.11 and 1022.12(b) would enhance consumer protections by limiting the risk of unauthorized use and sharing of consumer report information. The written instructions permissible purpose in proposed § 1022.11 provides this benefit in several ways. First, by limiting the permissible purpose to users who will obtain, use, and retain a consumer report only as reasonably necessary to provide a product or service or use requested by a consumer, consumers are protected from unknowingly agreeing to uses of their consumer report that they do not want. Indeed, by providing that users may only share a consumer report as reasonably necessary for these purposes, the proposal would decrease the chance that the information would be obtained by unauthorized or unanticipated users, including through data leaks. 293 Next, by requiring consumer reporting agencies or consumer report users to disclose key information to consumers concerning the requested written instructions, the proposal would enable consumers to make informed decisions as to how their consumer report information is used. In addition, by limiting the duration for which a consumer's written instructions provide a permissible purpose to up to one year, the proposed rule would allow consumers to provide standing instructions to furnish consumer reports where required to provide the requested product or service but would provide a check against consumer reports being furnished for longer periods of time than the consumer needs or wants. The CFPB does not have data that would allow it to quantify how much consumers would benefit from these additional protections.
Footnotes:
293 See supra note 85.
Similarly, proposed § 1022.12(b)(2), which clarifies the legitimate business need permissible purpose, could benefit consumers by minimizing the risk of unauthorized information sharing and reducing market-based harms to consumers. The CFPB is concerned that some companies could impermissibly obtain consumer reports before a consumer initiates a business transaction, which could lead to the consumer report being used to make decisions about the consumer in ways not authorized by the FCRA. For example, in theory, companies might use consumer report information to assess consumers and then discriminate against certain consumers in terms of attention paid and differential pricing. These situations could lead to higher prices for some consumers. The proposed rule could further deter such conduct by clarifying that users do not have a legitimate business need permissible purpose for this information before the consumer has initiated a transaction. To quantify the impact, the CFPB would need to know how often and to what extent consumer report information is currently used in this manner or in other ways that might harm certain consumers.
Taken together, proposed §§ 1022.11 and 1022.12(b)(2) would minimize the unauthorized flow of consumer report information and provide consumers with other privacy-related benefits. The CFPB invites comments and feedback on the privacy implications of these proposals for consumers.
Potential Benefits to Covered Persons of Provisions Clarifying the Responsibilities of Consumer Reporting Agencies
The examples provided in proposed § 1022.12(b)(2), regarding the legitimate business need permissible purpose, could benefit consumer reporting agencies by providing clarity and thus reduce legal uncertainty that the consumer reporting agency impermissibly furnishes consumer report information, enabling them to make more efficient business decisions. The CFPB does not anticipate that any covered persons would benefit from the written instructions provisions in proposed § 1022.11. The CFPB requests comment on benefits to covered persons of these proposed provisions.
Potential Costs to Consumers of Provisions Clarifying the Responsibilities of Consumer Reporting Agencies
Consumers would face additional burdens and frictions associated with proposed § 1022.11. Regarding proposed
Under proposed § 1022.11, consumers may also face frictions associated with the proposal to limit consumer instructions to a duration that is reasonably necessary to provide the product or service or use but no longer than one year. For example, if a consumer is signed up for a credit monitoring service, consumers may be required to reauthorize the entity to access their consumer reports on at least an annual basis.
The cost of certain products and services that rely on consumer report information may increase for consumers if proposed § 1022.11 were adopted. For example, today users may obtain a consumer's written instructions to obtain their consumer report without specifying the consumer reporting agency from which the user will obtain it, and afterwards change which consumer reporting agency they want to use to acquire the report. Under the proposed rule, however, entities would no longer be able to do this (or would need to obtain a new written instruction), as they would be required to include in the disclosure the name of the consumer reporting agency from which they intend to obtain the consumer report. Therefore, the proposed rule may disincentivize users from changing which consumer reporting agency they use, even if a different consumer reporting agency offers less expensive reports. To the extent that users pass through the increased costs of consumer reports, as well as other costs associated with complying with the proposed rule, consumers would face increased costs. The CFPB does not have data to quantify these costs to consumers and requests information and comment on these issues.
Potential Costs to Covered Persons of Provisions Clarifying the Responsibilities of Consumer Reporting Agencies
Covered persons, including consumer reporting agencies and users of consumer report information, would face costs associated with complying with proposed § 1022.11 regarding the written instructions permissible purpose. Specifically, these covered persons that rely upon the written instructions permissible purpose to furnish or obtain consumer report information would experience legal and technological costs associated with updating their processes and procedures to comply with this proposed rule. All covered persons' systems would need to be updated to present consumers with a segregated consumer authorization disclosure. Covered persons' systems would also need to identify the consumer reporting agency from which the user intends to pull the consumers' report information, the name of the person for whom the consumer is providing consent to obtain their consumer report, and other information that would be required to be included in the disclosure. Moreover, since consumer authorizations would only be valid for as long as is reasonably necessary to provide the requested product or service or identified use, up to one year, entities' systems would need to be updated to reobtain consumers' written instructions after the initial instructions lapse, should continued authorization be needed. In addition, these systems would need to be updated to allow for consumers to revoke their written instructions. Beyond the technical and legal costs, these added frictions may also result in decreased revenues for users.
Consumer reporting agencies would face frictions associated with ensuring that consumers' written instructions comply with the proposed rule. Likewise, users would face costs associated with proving to consumer reporting agencies they have obtained consumers' written instructions in a manner that comports with the proposed rule.
Today, consumers may not realize that they are providing written instructions authorizing access to their consumer reports, such as when such authorizations are buried in terms and conditions. Under this proposed rule, entities would instead be required to provide consumers with a "clear and conspicuous" disclosure. Therefore, in light of this proposed rule, consumers may be more likely to decline authorizing such access when a user or consumer reporting agency seeks written instructions as required under the proposal. To the extent that this occurs, the user requesting written permission, as well as the consumer reporting agency that would have provided the consumer report, could have decreased revenue due to the proposed rule. The CFPB requests comment on this issue, particularly information on the extent to which users and consumer reporting agencies would experience decreased revenue.
Regarding proposed § 1022.12(b)(2), consumer reporting agencies that, in compliance with existing law, are already operating within the scope of the legitimate business need permissible purpose as clarified in the proposed rule are expected to face relatively few costs associated with this proposal. However, consumer reporting agencies that are currently selling consumer report information to users for purposes outside of this scope and realize that they need to change their practices due to the clarifications in the proposed rule would lose revenue from the resulting decreased sale of consumer reports. The CFPB does not have data available to quantify this revenue loss. The CFPB requests comment on this issue, particularly information on the extent to which the sale of consumer report information would cease under the proposal. 294
Footnotes:
294 Small Business Review Panel Report, supra note 40, at 29.
F. Potential Reduction of Access by Consumers to Consumer Financial Products or Services
The provisions addressing the definitions of consumer report and consumer reporting agency that could affect which entities are consumer reporting agencies may impose significant compliance costs on data brokers and other entities that would become consumer reporting agencies under the proposed rule. To the extent this occurs, data brokers may, depending on market factors, pass through some or all of those costs to creditors and depository institutions that use their services. Creditors and depository institutions could then pass through some or all of that increase to consumers in the form of higher prices. This price impact may be mitigated to the extent that creditors and depository
G. Potential Impacts on Depository Institutions and Credit Unions With $10 Billion or Less in Total Assets, as Described in Section 1026
The CFPB has preliminarily concluded that, relative to larger depository institutions and credit unions, the proposed rule would not have significantly different impacts on depository institutions and credit unions with $10 billion or less in total assets. The CFPB requests comment on its analysis of the potential impacts on these smaller financial institutions.
H. Potential Impacts on Consumers in Rural Areas
The potential impacts of the proposed rule on consumers in rural areas would likely be the same, on average, as those impacts on consumers who do not reside in rural areas. For example, data brokers that would become consumer reporting agencies if the proposed rule was finalized likely operate similarly for rural and non-rural consumers. Likewise, the CFPB is not aware of reasons why, at baseline, marketing based on consumer report information currently impacts consumers differently depending on whether they live in rural areas or not. The CFPB requests comment on its analysis of potential impacts on consumers in rural areas.
VII. Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act (RFA) requires the CFPB to conduct an initial regulatory flexibility analysis (IRFA) and convene a panel to consult with small entity representatives before proposing a rule subject to notice-and-comment requirements, 295 unless it certifies that the rule will not have a significant economic impact on a substantial number of small entities. 296 The CFPB has not certified that the proposed rule would not have a significant economic impact on a substantial number of small entities within the meaning of the RFA. Accordingly, the CFPB convened a Small Business Review Panel under the Small Business Regulatory Enforcement Fairness Act (SBREFA) on October 16, 2023, and held two Panel meetings on October 18 and 19, 2023, to consider the impacts on small entities that would be subject to the proposals under consideration and to obtain feedback from representatives of such small entities. The Small Business Review Panel for this proposed rule is discussed in part VII.A. The CFPB is also publishing an IRFA. Among other things, the IRFA contains estimates of the number of small entities that may be subject to the proposed rule and describes the impact on those entities. The IRFA for this proposed rule is set forth in part VII.B.
Footnotes:
295 5 U.S.C. 603, 609(b), (d)(2).
296 5 U.S.C. 605(b).
A. Small Business Review Panel
Under section 609(b) of the RFA, as amended by SBREFA and the CFPA, in certain circumstances, the CFPB must seek, prior to conducting the IRFA, information from representatives of small entities that may potentially be affected by a proposed rule to assess the potential impacts of that rule on such small entities. The CFPB complied with this requirement. Details on the Small Business Review Panel and Panel Report for this proposed rule are described in part II.C.
B. Initial Regulatory Flexibility Analysis
1. Description of the Reasons Why Agency Action Is Being Considered
Developments in the consumer reporting marketplace have resulted in vast amounts of sensitive consumer information being bought and sold, often without the knowledge or consent of consumers, involving entities (commonly known as data brokers) some of whom do not believe that the FCRA applies to them or their activities. Data brokers use consumer information to engage in or facilitate a variety of activities, including targeting consumers for marketing. The CFPB is also aware that data brokers that are consumer reporting agencies engage in activities that may threaten consumer privacy and potentially disclose consumer information to third parties who do not have a permissible purpose to obtain the information. The proliferation of consumer information in the market potentially leads to national security, consumer privacy, consumer fraud, and data security risks that data brokers, including consumer reporting agencies, might not be fully accounting for. In addition, technological advancements have made it increasingly feasible to identify or re-identify consumers from aggregated or otherwise de-identified data using fewer data fields or variables than before. 297
Footnotes:
297 Gina Kolata, Your Data Were `Anonymized'? These Scientists Can Still Identify You, N.Y. Times (July 23, 2019), https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html.
The activities of data brokers, including consumer reporting agencies, pose a range of potential harms to consumers. For example, lists of individuals with income information could potentially be used to facilitate predatory marketing or financial scams. Personal identifying information about consumers could potentially be used to stalk or harass consumers who do not wish to be contacted. Consumers might not be able to monitor or dispute the accuracy of information that is bought and sold by data brokers when they do so outside of the FCRA. The CFPB has preliminarily determined that clarifying that certain activities and entities are covered by the FCRA would mitigate these harms, as well as improve consumer privacy. Further details are discussed in part II.B.
2. Succinct Statement of the Objectives of, and Legal Basis for, the Proposed Rule
The objective of the proposed rule is to ensure that the FCRA's protections are applied to sensitive consumer information that Congress designed the statute to protect, including information sold by data brokers, and to the types of activities Congress designed the statute to regulate. Specifically, the proposed rule aims to clarify when entities such as data brokers are consumer reporting agencies and to ensure that consumer reports are furnished for permissible purposes under the FCRA, and for no other reasons. The CFPB expects that the proposed rule, if finalized, would protect Americans from the harms and invasions of privacy created by certain activities that violate the FCRA. These objectives are described in more detail in part II.B.
The CFPB proposes this rule pursuant to its authority under the FCRA and the CFPA. Section 1022(b)(1) of the CFPA authorizes the CFPB to prescribe rules "as may be necessary or appropriate to enable the [CFPB] to administer and carry out the purposes and objectives of the Federal consumer financial laws, and to prevent evasions thereof." Under section 621(e) of the FCRA, the CFPB "may prescribe regulations as may be necessary or appropriate to administer and carry out the purposes and objectives" of the FCRA. FCRA section 621(e) further provides that the CFPB may prescribe regulations as may be necessary and appropriate to prevent evasions of the FCRA or to facilitate compliance therewith. Part III contains a more detailed discussion of the legal authority for the proposed rule.
3. Description and, Where Feasible, Provision of an Estimate of the Number of Small Entities To Which the Proposed Rule Will Apply
The proposed rule would primarily affect three types of small entities: (1) entities, including data brokers, that meet or would meet (if the proposals were finalized) the definition of consumer reporting agency in FCRA section 603(f), (2) entities that furnish information to entities that would meet (if the proposals were finalized) the definition of consumer reporting agency in FCRA section 603(f), and (3) entities that use consumer reports from consumer reporting agencies or consumer information from entities that would meet the definition of consumer reporting agency if the proposed rule were finalized. Collectively, these entities would include data aggregators and data brokers, including consumer reporting agencies, as well as furnishers and financial institutions or other users.
For purposes of assessing the impacts of the proposed rule on small entities, "small entities" are defined in the RFA to include small businesses, small nonprofit organizations, and small government jurisdictions. Small businesses are those that meet standards set by the Small Business Administration (SBA) Office of Size Standards for all industries in the North American Industry Classification System (NAICS). 298
Footnotes:
298 See U.S. Small Bus. Admin., Table of Small Business Size Standards (effective Mar. 17, 2023) https://www.sba.gov/document/support-table-size-standards (last visited Oct. 15, 2024).
The first type of small entity that may be subject to the proposed rule are entities that meet or would meet (if the proposed rule is finalized) the definition of consumer reporting agency in FCRA section 603(f). The provisions addressing the definitions of consumer report and consumer reporting agency that could affect which entities are consumer reporting agencies would, if adopted, broaden or clarify the type of entities subject to the FCRA as consumer reporting agencies, including some small entities. The small entities that would potentially be most affected by these provisions include certain small data brokers and data aggregators. The provisions would also affect small consumer reporting agencies that specialize in providing consumer reports for purposes such as employment screening, tenant screening, checking account screening, and insurance, sometimes using consumer information purchased from the nationwide consumer reporting agencies. 299 Entities that meet the definition of consumer reporting agency in FCRA section 603(f) would be subject to several proposed provisions, such as those intended to prevent targeted marketing using consumer report information.
Footnotes:
299 An overview of many of the types of consumer reporting agencies is accessible at Consumer Fin. Prot. Bureau, List of consumer reporting companies, https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/ (last visited Oct. 15, 2024). This list is not intended to be all-inclusive and does not cover every company in the industry.
Furthermore, the provisions that could affect which entities are consumer reporting agencies would affect entities that furnish consumer information to entities, including data brokers, that would meet the definition of consumer reporting agency in the proposed rule if finalized. Such entities would acquire new or additional FCRA obligations if they provide consumer information to such consumer reporting agencies.
Finally, the proposed rule would affect users of consumer information. Entities that currently obtain the four data types from data brokers who currently do not consider themselves consumer reporting agencies would generally only be able to access such information for a permissible purpose under the FCRA going forward if the proposed rule is finalized. These users might look to obtain consumers' written instructions or rely upon a "legitimate business need" in order to establish a permissible purpose to access consumer reports. Proposals related to these permissible purposes would clarify the responsibilities of consumer reporting agencies and may lead to changes in the ways that users obtain consumer reports when relying upon either the "written instructions" or "legitimate business need" permissible purposes.
The SBA size standards are based on assets held, annual revenues, or number of employees. For example, consumer reporting agencies, which are primarily contained in NAICS category "Credit Bureaus" (561450), are considered small if they receive less than $41 million in annual revenues, "Credit Unions" (522130) are considered small if they have less than $850M in assets and "Directory and Mailing List Publishers" (511140) are considered small if they have fewer than 1,000 employees. 300
Footnotes:
300 The NAICS descriptions and codes used in the 2017 Economic Census are used throughout this part, rather than the NAICS descriptions and codes used in the Table of Small Business Size Standards.
Table 1 shows the estimated number of small data brokers, including consumer reporting agencies, within NAICS categories that may be subject to the proposed rule if finalized. Table 2 shows the estimated number of small current furnishers. To estimate the number of small entities in Tables 1 and 2, the CFPB used data from the December 2023 NCUA and FFIEC Call Report data, the 2017 Economic Census data from the U.S. Census Bureau, the California and Vermont data broker registries, and the CFPB's list of consumer reporting agencies. 301 The CFPB also used the North American Product Classification System (NAPCS) codes in the 2017 Economic Census to estimate the fraction of small entities within each NAICS category that sell products that are likely to be subject to the proposed rule.
Footnotes:
301 Because size standards are adjusted each year in part for inflation, the entity counts based on reported revenues in the 2017 Economic Census represent a potential overestimate of the number and fraction of small entities. Calculations for NAICS 522110, 522130, and 522180 are based on credit union and Call Report data from December 2023 using current SBA size standards. See Table of Small Business Size Standards, supra note 298. Calculations for all other NAICS codes are based on revenue or employee size from the latest 2017 Economic Census data by the U.S. Census Bureau. See U.S. Census Bureau, The Number of Firms and Establishments, Employment, Annual Payroll, and Receipts by Industry and Enterprise Receipts Size: 2017 (May 28, 2021), https://www2.census.gov/programs-surveys/susb/tables/2017/us_6digitnaics_rcptsize_2017.xlsx; U.S. Census Bureau, The Number of Firms and Establishments, Employment, Annual Payroll, and Receipts by State, Industry, and Enterprise Employment Size: 2017 (May 28, 2021), https://www2.census.gov/programs-surveys/susb/tables/2017/us_state_naics_detailedsizes_2017.xlsx. Calculations based on NAPCS codes are based on U.S. Census Bureau, 2017: ECN Core Statistics Economic Census, https://data.census.gov/table/ECNNAPCSPRD2017.EC1700NAPCSPRDIND.
Entities that currently consider themselves as meeting the definition of consumer reporting agency in FCRA section 603(f) are mostly contained in the NAICS category "Credit Bureaus" (561450), while a very small number may also be contained in the NAICS category "Investigation Services" (561611). The proposed rule would also clarify that some other entities meet the definition of consumer reporting agency in FCRA section 603(f). These entities may be contained in a range of additional NAICS categories, depending on what they view their primary activities to be.
The types of entities listed in Table 1 include entities that meet or would meet the definition of consumer reporting agency in FCRA section 603(f) under the proposed rule. While a particular entity can only be of one type (i.e., a particular entity can be either an existing consumer reporting agency or new consumer reporting agency) an industry NAICS code may contain both new and existing consumer reporting agencies.
On the other hand, while entities that furnish to or use consumer information from entities that are or would be consumer reporting agencies under the proposed rule if finalized could be affected by the proposed rule, these entities are not easily delineated by NAICS codes and are therefore not listed in Table 1. Instead, entities that may furnish consumer information to consumer reporting agencies (whether at baseline or as new furnishers after the proposed rule is finalized) are listed in Table 2. Similarly, because any entity that has a permissible purpose to access consumer reports is potentially a new or current user under the FCRA, users may be found in a broad array of industries. Generally, entities listed in Table 2, and entities that provide consumer information to the entities listed in Table 1 or procure information from the entities listed in Table 1, could be affected by the proposed rule.
Not all entities within each NAICS category would be affected by the proposed rule. It is possible that some small entities in these NAICS categories are already in compliance, in whole or in part, with the proposed rule at baseline. Alternatively, some small entities may not engage in activities that would be subject to the proposed rule if finalized.
To provide an estimate of the number of small entities that would likely be affected by the proposed rule, the CFPB identified an initial list of NAICS categories that may contain affected entities. The CFPB also compiled a list of data brokers and other potentially covered entities from three sources: the California Data Broker Registry (including "incomplete registrations"), the Vermont Data Broker Registry, and the CFPB's list of consumer reporting agencies. 302 The CFPB purchased from the NAICS Association a list of NAICS codes that likely apply to the firms in the compiled data broker list. To account for the possibility that not every firm in each NAICS category would be affected by the proposed rule, the CFPB used NAPCS codes to estimate the fraction of small establishments within each NAICS category that sell products that may be subject to the proposed rule if finalized, whether as small data brokers, or small entities that furnish or otherwise provide consumer information to data brokers.
Footnotes:
302 See supra note 238.
NAPCS are codes used by establishments to report what products they sell. Because it is possible for an entity (referred to as a "firm" in the data) to have multiple establishments, the CFPB only uses this approach to calculate a fraction of likely affected establishments and assumes that this fraction would be comparable to the fraction of likely affected entities or firms. Moreover, for estimating the number of furnishers or data providers, this approach also assumes that there is no correlation between firm size and the likelihood that consumer information is actually provided at baseline to data brokers, including consumer reporting agencies. Because companies with a larger number of consumer accounts likely have greater incentives to sell or furnish consumer information, the CFPB expects that this assumption would cause the number of furnishers or data providers to be overestimated.
To account for potential double-counting of establishments that report multiple product codes, for each NAICS code the CFPB takes the sum of the number of establishments that report selling a product (identified by the NAPCS code) that are likely to be subject to the proposed rule. The sum is then divided by the total number of establishments that report NAPCS codes within that NAICS category. The resulting fraction is then multiplied by the total number of small entities in a NAICS category to obtain an estimate of the number of small entities likely subject to the proposed rule if finalized. For some NAICS categories, the CFPB adapted the estimation approach to data availability. For NAICS categories "Commercial Banking" (522110) and "Saving Institutions and Other Depository Credit Intermediation" (522180), the estimate of the number of small entities likely affected is assumed to be the estimated number of small entities from the previous column because data on NAPCS codes was not available. 303 For NAICS categories "Lessors of Residential Buildings and Dwellings" (531110), "Offices of Real Estate Agents and Brokers" (531210) and "Residential Property Managers" (531311), the CFPB relied on industry findings and data from the 2021 Rental Housing Finance Survey of the U.S. Census Bureau to estimate the number of current small furnishers or data providers. 304 Finally, as discussed above, while a particular entity can only be of one type, an industry may contain multiple types of entities, making it possible for the same NAICS code to appear in both Tables 1 and 2.
Footnotes:
303 These NAICS codes are highlighted with an asterisk in Table 2.
304 The CFPB assumed that property managers of single-unit dwellings do not report rental payment information and referred to the TransUnion survey of property managers for an estimate of the fraction of multi-unit property managers that report rental payment information. These NAICS codes are also highlighted with a "+" in Table 2. See TransUnion, More Property Managers Embrace Rent Payment Reporting: Here's Why, https://www.transunion.com/content/dam/transunion/us/business/collateral/sheet/rent_payment_reporting_insight_guide.pdf (last visited Oct. 15, 2024); U.S. Census Bureau, Rental Housing Finance Survey (RHFS), https://www.census.gov/programs-surveys/rhfs.html (last visited Oct. 15, 2024).
Using this approach, the CFPB estimates that 80,130 small entities, including small data brokers and other small consumer reporting agencies, would be subject to the proposed rule if finalized, as summarized in Table 1. Because the CFPB does not have the information to assess with certainty which covered entity types are contained within each NAICS code, the CFPB is not able to provide a breakdown of the estimated number of affected small entities by covered entity type. As summarized in Table 2, the CFPB estimates that there are potentially 34,448 small furnishers to consumer reporting agencies. Because the CFPB cannot verify whether these small entities furnish pursuant to the FCRA at baseline, the CFPB is unable to provide a more precise estimate of the number of small furnishers that would be affected by the proposed rule or delineate which NAICS codes may contain current FCRA furnishers or data providers that may acquire new obligations as FCRA furnishers.
While the CFPB lacks the data to more precisely quantify the number of small entities that would be affected by the proposed rule if finalized, comments received during the SBREFA process indicate that small entity representatives expect many small entities to be impacted by at least one of the proposed provisions. The CFPB requests information on small entities that may be affected by the proposed rule if finalized and information that can be used to quantify potential impacts.
[Federal Register graphic "EP13DE24.080" is not available. Please view the graphic in the PDF version of this document.]
[Federal Register graphic "EP13DE24.081" is not available. Please view the graphic in the PDF version of this document.]
[Federal Register graphic "EP13DE24.082" is not available. Please view the graphic in the PDF version of this document.]
[Federal Register graphic "EP13DE24.083" is not available. Please view the graphic in the PDF version of this document.]
[Federal Register graphic "EP13DE24.084" is not available. Please view the graphic in the PDF version of this document.]
4. Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule, Including an Estimate of the Classes of Small Entities Which Will Be Subject to the Requirement and the Type of Professional Skills Necessary for the Preparation of the Report
Footnotes:
305 These NAICS codes correspond to the codes used in the 2017 Economic Census.
306 Table of Small Business Size Standards, supra note 298.
307 While under the proposed rule, newspaper entities would not be considered consumer reporting agencies based on activities that constitute publishing news concerning local, national, or international events or other matters of public interest, some establishments under the NAICS category "Newspaper Publishers" report the NAPCS code for internet advertising.
308 These NAICS codes correspond to the codes used in the 2017 Economic Census.
309 Table of Small Business Size Standards, supra note 298.
The proposed rule may impose reporting, recordkeeping, and other compliance requirements on small entities subject to the proposal. These requirements generally differ for small entities in the following three classes: (1) entities that meet or would meet (if the proposals were finalized) the definition of consumer reporting agency in FCRA section 603(f), (2) entities that furnish information to entities that would meet (if the proposals were finalized) the definition of consumer reporting agency in FCRA section 603(f), and (3) entities that use consumer reports from entities that meet or would meet (if the proposals were finalized) the definition of consumer reporting agency in FCRA section 603(f). Based on Table 1, these requirements would be imposed on an estimated 80,130 small entities that are or would be consumer reporting agencies under the proposed rule if finalized, an unknown number of users, and an unknown number of new furnishers. Based on Table 2, there are an estimated 34,448 small entities that potentially furnish consumer information to consumer reporting agencies at baseline or after the proposed rule is finalized. The CFPB requests information that can be used to estimate the number of small entities that could become new FCRA furnishers that are in NAICS categories not listed in Table 2. For the reasons discussed above, the CFPB views the estimates presented in Tables 1 and 2 as potential overestimates, as some small entities within each NAICS category might not be subject to the proposed rule. Moreover, the costs associated with the reporting, recordkeeping, and other compliance requirements would depend on whether affected entities currently comply with the FCRA. The CFPB requests information that can be used to more precisely quantify the number of small entities that would be affected by the proposed rule.
Requirements for Consumer Reporting Agencies
The CFPB expects that entities that already consider themselves to meet the definition of consumer reporting agency in FCRA section 603(f) at baseline already have FCRA-compliant systems, processes, and policies and procedures. Compliance with the proposed rule would likely require some or all of these systems, processes, and policies and procedures to be updated, imposing a
The proposed rule, if finalized, would cause some small entities, such as certain data brokers, to be considered consumer reporting agencies subject to the FCRA and may clarify the application of the statute to some data aggregators and other entities. The CFPB expects that many of these small entities may not currently have FCRA-compliant systems, processes, and policies and procedures at baseline, and would need to incur one-time costs to develop them, as well as ongoing operational costs to maintain them. Because such small entities currently do not operate as though they are subject to liability under the FCRA, they would also incur increased ongoing or operational costs to manage dispute resolution and other requirements of the FCRA. One small entity representative stated that they have already invested in FCRA-compliant infrastructure, which would mitigate the additional costs that they would incur if the proposed rule was finalized. 310 Compliance for small entities that would be considered consumer reporting agencies under the proposed rule if finalized would generally require professional skills related to software development, legal expertise, compliance, and customer support. Small entities might need to work with third parties for assistance with building FCRA-compliant systems or updating existing systems. The CFPB requests information that can be used to quantify impacts to small entities that would be considered consumer reporting agencies if the proposed rule is finalized.
Footnotes:
310 Small Business Review Panel Report, supra note 40, at 42.
Requirements for Furnishers
Some small entities may acquire new FCRA obligations as furnishers if the entities they currently furnish consumer information to are entities that would become consumer reporting agencies under the proposed rule if finalized. Under sections 611 and 623 of the FCRA, consumers have a right to dispute incomplete or inaccurate information on their consumer reports. 311 While consumers typically initiate disputes with the relevant consumer reporting agencies, the consumer reporting agencies (and, if the proposed rule is finalized, the entities that would be considered consumer reporting agencies) must forward disputes to furnishers, who would then have the obligation to investigate the dispute and report the results of their investigation back to the consumer reporting agencies. 312 Furnishers generally must also investigate disputes that consumers directly submit to them. 313 If, upon investigating, furnishers determine that the disputed consumer information was inaccurate, furnishers are subject to obligations to relay the corrected information to consumer reporting agencies that received the inaccurate information. 314 Dispute resolution required by the FCRA may therefore impose costs on furnishers.
Footnotes:
311 15 U.S.C. 1681i(a)(1)(A), 1681s-2.
312 15 U.S.C. 1681s-2(b).
313 See 15 U.S.C. 1681s-2(a)(8); 12 CFR 1022.43.
314 15 U.S.C. 1681s-2(b)(1)(D); 12 CFR 1022.43(e)(4).
In addition, furnishers could incur potentially significant costs associated with accuracy obligations under FCRA section 623(a) and Regulation V. 315 To comply with FCRA section 623(a) and Regulation V, furnishers are required to implement accuracy policies and procedures and are not permitted to furnish information to consumer reporting agencies that do not satisfy accuracy requirements. Further discussion of these and other impacts on new furnishers due to the provisions clarifying which entities are consumer reporting agencies may be found in part VI.E, Provisions that could affect consumer reporting agency coverage.
Footnotes:
315 See 15 U.S.C. 1681s-2(a); 12 CFR 1022.42.
Compliance for affected small furnishers would generally require professional skills related to software development and compliance. For example, a small entity that furnishes consumer information to an entity that would be considered a consumer reporting agency under the CFPB's proposal to interpret "expected to be used" (proposed § 1022.4(c)) would then acquire new FCRA obligations as a furnisher, if the proposed rule is finalized. The furnisher would likely need to possess detailed and organized records in their databases in order to conduct a reasonable investigation of consumer disputes. Modifying their systems and databases to meet these requirements would require professional skills related to software development and compliance. Many small entities might need to hire more staff to assist with dispute resolution and work with third parties for assistance with systems updates. The CFPB does not have the data to estimate the one-time and ongoing costs of reporting, recordkeeping, and other compliance requirements for small furnishers, and requests information to quantify these costs.
Requirements for Users
Small entity users of consumer reports from consumer reporting agencies may need to update their processes and procedures in order to comply with the proposed rule. For example, small entities that rely upon the "written instructions" permissible purpose to obtain consumer report information would need to ensure that consumers are presented with a segregated consumer authorization disclosure, which may be provided by either the consumer reporting agency or the user. The disclosure would also need to identify the consumer reporting agency from which the user intends to pull the consumer's consumer report information and include the name of the person for whom the consumer is providing consent to obtain their consumer report, as well as other information that would be required to be in the disclosure. Small entity users' systems would also need to be updated to ensure consumers' written instructions are reobtained after the initial instructions lapse should continued authorization be needed, and to allow for consumers to revoke their written instructions.
Some small users may be affected by proposed provisions that would increase the number of data brokers and other entities that meet the definition of consumer reporting agency under the FCRA. Specifically, small entities that currently obtain the four data types from data brokers that would be considered
5. Identification, to the Extent Practicable, of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule
The CFPB has identified the following Federal statutes and regulations that address consumer credit eligibility and privacy issues as having provisions that may duplicate, overlap, or conflict with certain aspects of the proposed rule.
The GLBA and the CFPB's implementing regulation, Regulation P, 12 CFR part 1016, require financial institutions subject to the CFPB's jurisdiction to provide their customers with notices concerning their privacy policies and practices, among other things. They also place certain limitations on the disclosure of nonpublic personal information to nonaffiliated third parties, and on the redisclosure and reuse of such information. Other parts of the GLBA, as implemented by regulations and guidelines of certain other Federal agencies (e.g., the FTC's Safeguards Rule and the prudential regulators' Safeguards Guidelines), set forth standards for administrative, technical, and physical safeguards with respect to financial institutions' customer information.
During the SBREFA process, some small entity representatives also stated that the CFPB should consider the potential implications of the proposals under consideration for entities' compliance with the Bank Secrecy Act and the USA PATRIOT Act. A few small entity representatives noted that the CFPB should consider the intersection between the proposals under consideration and the CFPB's PFDR rulemaking.
The CFPB requests comment on whether there are other Federal statutes or regulations that may duplicate, overlap, or conflict with the proposed rule and on methods to minimize such conflicts to the extent they might exist.
6. Description of Any Significant Alternatives to the Proposed Rule Which Accomplish the Stated Objectives of Applicable Statutes and Minimize Any Significant Economic Impact of the Proposed Rule on Small Entities
The CFPB is considering alternatives to the proposed rule that would possibly result in lower costs for small entities. These include: (1) different compliance timetables, and (2) clarifying compliance requirements for small entities. The CFPB has not identified any legal or policy basis to exempt certain or all small entities from coverage of the rule, in whole or in part, based on their small-entity status.
As discussed in part V, the CFPB is considering alternative compliance dates for the proposed rule, which may mitigate the burden on all entities, including small entities. For example, the CFPB is considering whether a final rule should take effect six months or one year after publication in the Federal Register. The CFPB requests comment on whether this compliance timetable would provide sufficient time for entities, including small entities, to comply with the provisions of the proposed rule, as well as ways the CFPB could facilitate implementation for small entities, such as by providing for a longer implementation period for small entities and what that period should be.
The CFPB is also considering clarifying compliance requirements for all entities, including small entities. In part IX, the CFPB requests comment on whether the provisions of the proposed rule are sufficiently clear and whether clarifying revisions or additional examples are needed.
7. Discussion of Impact on Cost of Credit for Small Entities
The CFPB expects that the proposal may have a limited impact on the cost of credit for small entities. One small entity representative stated during the SBREFA process that the proposed rule may affect the cost and ease of accessing credit for small entities. In particular, the written instructions provision may slow down the application process for small business loans because creditors lending to small businesses check the personal credit of the small business owner and may need to rely on the small business owner's written authorization to do so. 316 In theory, the proposed rule could increase the cost of credit for small businesses if the compliance costs discussed above are passed on to small businesses in the form of higher prices on loans from lenders. Small entity representatives did not provide further comments on potential impacts on cost of credit for small entities. The CFPB requests comment on this topic, and requests data or evidence that can be used to quantify the potential impact of the proposed rule on the cost of credit to small entities.
Footnotes:
316 Small Business Review Panel Report, supra note 40, at 43.
VIII. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA), 317 Federal agencies are required to seek approval from OMB for data collection, disclosure, and recordkeeping requirements (collectively, information collection requirements) prior to implementation. Under the PRA, the CFPB may not conduct or sponsor, and, notwithstanding any other provision of law, a person is not required to respond to, an information collection unless the information collection displays a valid control number assigned by OMB. As part of its continuing effort to reduce paperwork and respondent burden, the CFPB conducts a preclearance consultation program to provide the general public and Federal agencies with an opportunity to comment on the information collection requirements in accordance with the PRA. This helps ensure that the public understands the CFPB's requirements or instructions, respondents can provide the requested data in the desired format, reporting burden (time and financial resources) is minimized, information collection instruments are clearly understood, and the CFPB can properly assess the impact of information collection requirements on respondents.
Footnotes:
317 44 U.S.C. 3501 et seq.
This proposed rule would amend 12 CFR part 1022 (Regulation V). The CFPB's OMB control number for Regulation V is 3170-0002, which currently expires on October 31, 2025. As described below, the proposed rule would revise existing information collections and create the following new information collection requirements in Regulation V.
The proposed rule would provide that entities that sell information about a consumer's credit history, credit score, debt payments, and income or financial tier generally are consumer reporting agencies selling consumer reports, regardless of whether any specific communication of such information is used or expected to be used for FCRA
The proposed rule also would specify the conditions that would need to be satisfied for an entity to establish a "written instructions" permissible purpose to furnish or obtain a consumer report, thereby creating several new information collection requirements.
First, entities would be required to provide consumers a disclosure specifying:
• The name of the person to whom the consumer is providing consent to obtain the consumer report;
• The name of the consumer reporting agency that will furnish the consumer report;
• A brief description of the product or service that the consumer is requesting, or, when no product or service is requested, the specific use the consumer identified;
• Statements notifying the consumer about limitations on the procurement, use, and retention of their consumer report; and
• A description of an easy to access and operate method by which a consumer may revoke their consent and that the consumer will not incur any costs or penalties to revoke their consent.
The disclosure would need to be clear, conspicuous, and segregated from other material. After providing the disclosure, entities would be required to obtain the consumer's express, informed consent for their consumer report to be furnished, and the consumer's signature, either in writing or electronically, authorizing the consumer reporting agency to furnish the report. Currently, entities often obtain consumers' written instructions as part of larger terms and conditions language, and Regulation V does not currently require entities to provide consumers with specific disclosures or specify how entities must obtain consumers' consent.
Second, a written instructions permissible purpose could be established only with respect to one consumer reporting agency per disclosure, and only as reasonably necessary to provide the product or service the consumer has requested, or for the use the consumer has specified. Currently, consumer reporting agencies and users often obtain consent to furnish consumer reports to multiple users or from multiple consumer reporting agencies, respectively, in a single authorization. Therefore, if the proposal were finalized, the number of disclosures that consumer reporting agencies and consumer report users would need to provide would increase.
Third, users would only be allowed to continue accessing a consumer report for up to one year after the date on which the particular consumer consents for the report to be furnished. After one year, users would be required to reobtain the consumer's written consent if they wished to continue obtaining the consumer report. Currently, there is no explicit duration limitation in Regulation V governing consumers' written instructions.
Fourth, consumers must be provided a method by which to revoke consent for their consumer report to be furnished that is as easy to access and operate as the method by which the consumer provided consent to the furnishing of their consumer report, and consumers could not be charged any costs or penalties to revoke their consent. Currently, there are no explicit requirements or prohibitions in Regulation V related to revocation of consumers' consent.
There are estimated to be 81,922 additional respondents to the information collections contained in Regulation V (FCRA) as a result of the new requirements that would be imposed if this proposal were finalized. There are estimated to be 37,296 existing respondents (furnishers and consumer reporting agencies currently subject to Regulation V) who would have new obligations if this proposal were finalized. The CFPB estimates that there would be 7.1 million additional annual burden hours stemming from new information collections if the proposal were finalized. The collections of information contained in this proposed rule, and identified as such, have been submitted to OMB for review under section 3507(d) of the PRA. A complete description of the information collection requirements (including the burden estimate methods) is provided in the supporting statement accompanying the information collection request (ICR) that the CFPB has submitted to OMB under the requirements of the PRA. Please send your comments to the Office of Information and Regulatory Affairs, OMB, Attention: Desk Officer for the Bureau of Consumer Financial Protection. Send these comments by email to oira_submission@omb.eop.gov or by fax to 202-395-6974. If you wish to share your comments with the CFPB, please send a copy of these comments as described in the ADDRESSES section above. The ICR submitted to OMB requesting approval under the PRA for the information collection requirements contained herein is available at www.regulations.gov as well as on OMB's public-facing docket at www.reginfo.gov.
Title of Collection: Protecting Americans from Harmful Data Broker Practices (Regulation V).
OMB Control Number: 3170-0002.
Type of Review: Revision of a currently approved collection.
Affected Public: Private sector.
Estimated Number of Respondents: 81,922.
Estimated Total Annual Burden Hours: 7,127,600.
Comments are invited on:
1. Whether the collection of information is necessary for the proper performance of the functions of the CFPB, including on whether the information will have practical utility;
2. The accuracy of the CFPB's estimate of the burden of the collection of information, including the validity of the methods and the assumptions used;
3. Ways to enhance the quality, utility, and clarity of the information to be collected; and
4. Ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology.
Comments submitted in response to this notification will be included or summarized in the request for OMB approval. All comments will become a matter of public record.
If applicable, the final rule will inform the public of OMB's approval of the new information collection requirements proposed herein and adopted in the final rule. If OMB has not approved the new information collection requirements prior to publication of the final rule in the Federal Register, the CFPB will publish a separate notification in the Federal Register announcing OMB's approval prior to the effective date of the final rule.
IX. Request for Comments
The CFPB requests comment on all aspects of this proposed rule. In addition to the requests regarding specific topics in parts III through VIII, the CFPB generally requests comment on:
1. Whether each proposed provision is sufficiently clear so that entities that would be covered under a final rule could comply, or whether clarifying revisions are needed and, if so, what they are;
2. Whether additional examples regarding any of the proposed provisions would be helpful and, if so, what those examples should be;
3. Any anticipated drawbacks of any of the proposed provisions, such as any unintended negative consequences for consumers or covered entities or potential conflicts with other laws, and any alternatives that would achieve the goals of the proposed rule while reducing or avoiding such consequences or conflicts;
4. The anticipated benefits and costs of each proposed provision to consumers and to entities that would be covered if the proposed rule were adopted as proposed, and any alternatives that would reduce costs; and
5. With respect to questions 1 through 4, any considerations particular to small entities that the CFPB should consider.
X. Severability
The CFPB preliminarily intends that, if the proposed rule is finalized, and if any provision of the final rule, or any application of a provision, is stayed or determined to be invalid, the remaining provisions or applications are severable and shall continue to be in effect.
List of Subjects in 12 CFR Part 1022
Banks, Banking, Consumer protection, Credit unions, Holding companies, National banks, Privacy, Reporting and recordkeeping requirements, Savings associations.
Authority and Issuance
For the reasons set forth in the preamble, the CFPB proposes to amend Regulation V, 12 CFR part 1022, as set forth below:
PART 1022-FAIR CREDIT REPORTING (REGULATION V)
1. The authority citation for part 1022 continues to read as follows:
Authority:
12 U.S.C. 5512, 5581; 15 U.S.C. 1681a, 1681b, 1681c, 1681c-1, 1681c-3, 1681e, 1681g, 1681i, 1681j, 1681m, 1681s, 1681s-2, 1681s-3, and 1681t; Sec. 214, Pub. L. 108-159, 117 Stat. 1952.
Subpart A-General Provisions
2. Section 1022.1 is amended by revising the section heading and adding paragraph (b)(1) to read as follows:
§ 1022.1 Purpose, scope, model forms and disclosures, and organization.
(b) * * *
(1) FCRA provisions implemented. This part implements only certain provisions of the FCRA. Other Federal agencies' regulations also implement only certain provisions of the FCRA. See 12 CFR part 41 (Office of the Comptroller of the Currency), 12 CFR part 222 (Board of Governors of the Federal Reserve System), 12 CFR part 334 (Federal Deposit Insurance Corporation), 12 CFR part 717 (National Credit Union Administration), and subchapter F of chapter I of title 16 (Federal Trade Commission). Statutory text contains additional requirements.
3. Section 1022.3 is amended by revising the section heading to read as follows:
§ 1022.3 Definitions; in general.
4. Sections 1022.4 and 1022.5 are added to read as follows:
§ 1022.4 Definition; consumer report.
(a) In general. For purposes of this part, unless explicitly stated otherwise, the term consumer report means any written, oral, or other communication of any information by a consumer reporting agency that:
(1) Bears on a consumer's creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living; and
(2) Is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for:
(i) Credit or insurance to be used primarily for personal, family, or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the FCRA, 15 U.S.C. 1681b.
(b) Is used. Information in a communication is used for a purpose described in paragraph (a)(2) of this section if a recipient of the information uses it for such purpose.
(c) Is expected to be used. Information in a communication is expected to be used for a purpose described in paragraph (a)(2) of this section if:
(1) The person making the communication expects or should expect that a recipient of the information in the communication will use the information for such a purpose; or
(2) The information is about a consumer's:
(i) Credit history;
(ii) Credit score;
(iii) Debt payments; or
(iv) Income or financial tier.
(d) Personal identifier for a consumer. (1) A communication by a consumer reporting agency of a personal identifier for a consumer that was collected by the consumer reporting agency in whole or in part for the purpose of preparing a consumer report about the consumer is a consumer report as defined in paragraph (a) of this section, regardless of whether the communication contains any information other than the personal identifier.
(2) For purposes of this paragraph (d), a personal identifier for a consumer means:
(i) The consumer's:
(A) Current or former name or names, including any aliases;
(B) Age or date of birth;
(C) Current or former address or addresses;
(D) Current or former telephone number or numbers;
(E) Current or former email address or addresses; or
(F) Social Security number (SSN) or Individual Taxpayer Identification Number (ITIN); or
(ii) Any other personal identifier for the consumer similar to those listed in paragraph (d)(2)(i) of this section.
Alternative 1-Paragraph 4(e)
(e) De-identification of information. De-identification of information is not relevant to a determination of whether the definition of consumer report in paragraph (a) of this section is met.
Alternative 2-Paragraph 4(e)
(e) De-identification of information. De-identification of information is not relevant to a determination of whether the definition of consumer report in paragraph (a) of this section is met if the information is still linked or linkable to a consumer.
Alternative 3-Paragraph 4(e)
(e) De-identification of information. (1) In general. De-identification of information is not relevant to a determination of whether the definition of consumer report in paragraph (a) of this section is met if:
(i) The information is still linked or reasonably linkable to a consumer;
(ii) The information is used to inform a business decision about a particular consumer, such as a decision whether to target marketing to that consumer; or
(iii) A person that directly or indirectly receives the communication, or any information from the communication, identifies the consumer to whom information from the communication pertains.
(2) Examples. The following are examples of information that is linked or reasonably linkable to a consumer for purposes of paragraph (e)(1)(i) of this section:
(i) Information that identifies a specific household;
(ii) Information that identifies a specific ZIP+4 Code in which a consumer resides; or
(iii) Information that includes a persistent identifier (such as a cookie identifier, an internet Protocol (IP) address, a processor or device serial number, or a unique device identifier) that can be used to recognize the consumer over time and across different websites or online services.
(f) Exclusions. Except as provided in paragraph (g) of this section, the term consumer report does not include:
(1) Subject to section 624 of the FCRA, 15 U.S.C. 1681s-3, any:
(i) Report containing information solely as to transactions or experiences between the consumer and the person making the report;
(ii) Communication of information described in paragraph (f)(1)(i) of this section among persons related by common ownership or affiliated by corporate control; or
(iii) Communication of information other than information described in paragraph (f)(1)(i) of this section among persons related by common ownership or affiliated by corporate control, if:
(A) It is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons; and
(B) The consumer is given the opportunity, before the information is initially communicated, to direct that the information not be communicated among such persons;
(2) Any authorization or approval of a specific extension of credit directly or indirectly by the issuer of a credit card or similar device;
(3) In circumstances in which a third party has requested that a person make a specific extension of credit directly or indirectly to a consumer, any report in which such person conveys his or her decision with respect to such request, if:
(i) The third party advises the consumer of the name and address of the person to whom the request was made; and
(ii) Such person makes the disclosures to the consumer required under section 615 of the FCRA, 15 U.S.C. 1681m; or
(4) A communication described in section 603(o) or (y) of the FCRA, 15 U.S.C. 1681a(o) or (y).
(g) Restriction on sharing of medical information. Except for information or any communication of information disclosed as provided in section 604(g)(3) of the FCRA, 15 U.S.C. 1681b(g)(3), the exclusions in paragraph (f) of this section do not apply with respect to information disclosed to any person related by common ownership or affiliated by corporate control, if the information is:
(1) Medical information, as that term is defined in § 1022.3(k);
(2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment transactions for medical products or services.
§ 1022.5 Definition; consumer reporting agency.
(a) In general. For purposes of this part, unless explicitly stated otherwise, the term consumer reporting agency means any person that:
(1) For monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information about consumers for the purpose of furnishing consumer reports to third parties; and
(2) Uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
(b) Assembling or evaluating. (1) In general. For purposes of paragraph (a)(1) of this section, a person assembles or evaluates consumer credit information or other information about consumers if the person:
(i) Collects, brings together, gathers, or retains such information;
(ii) Appraises, assesses, makes a judgment regarding, determines or fixes the value of, verifies, or validates such information; or
(iii) Contributes to or alters the content of such information.
(2) Examples. A person assembles or evaluates consumer credit information or other information about consumers for purposes of paragraph (a)(1) of this section if, for example, the person:
(i) Collects such information from a consumer's bank account and assesses it, such as by grouping or categorizing it based on transaction type;
(ii) Alters the content of information the person has received about a consumer, such as by modifying the year date fields to all reflect four, rather than two, digits to ensure consistency;
(iii) Determines the value of such information, such as when a company that hosts an online database regarding consumers' criminal histories arranges or orders search results in order of perceived relevance to users, or provides scores, color coding, or other indicia of weight or import to users;
(iv) Retains information about consumers, such as by retaining data files containing consumers' payment histories in a database or electronic file system; or
(v) Verifies or validates information the person has received about a consumer, such as by checking whether a consumer's date of birth received from a third-party data provider matches the consumer's date of birth as listed in an external database or is properly formatted regardless of whether the person takes any action to correct any errors found.
5. Subpart B is added to read as follows:
Subpart B-Permissible Purposes of Consumer Reports
Sec.
1022.10 Permissible purposes of consumer reports; in general.
1022.11 Permissible purpose based on a consumer's written instructions.
1022.12 Permissible purposes based on a consumer reporting agency's reasonable belief about a person's intended use.
1022.13 Permissible purposes based on certain agency or other official requests.
Subpart B-Permissible Purposes of Consumer Reports
§ 1022.10 Permissible purposes of consumer reports; in general.
(a) In general. Subject to section 604(c) of the FCRA, 15 U.S.C. 1681b(c), any consumer reporting agency may furnish a consumer report under the circumstances described in §§ 1022.11 through 1022.13 and no other.
(b) Furnish a consumer report. For purposes of paragraph (a) of this section, a consumer reporting agency furnishes a consumer report if the consumer reporting agency:
(1) Provides the consumer report to a person; or
(2) Facilitates a person's use of the consumer report for that person's financial gain.
§ 1022.11 Permissible purpose based on a consumer's written instructions.
(a) In general. A consumer reporting agency may furnish a consumer report in accordance with the written instructions of the consumer to whom the report relates.
(b) Conditions for permissible purpose based on consumer's written instructions. A consumer reporting agency furnishes a consumer report in accordance with the written instructions of the consumer only if the conditions in this paragraph (b) are satisfied.
(1) Consumer disclosure and consent. (i) The consumer reporting agency or the person to whom the consumer reporting agency will furnish the consumer report:
(A) Provides the consumer, either in writing or electronically, a disclosure that satisfies the requirements of paragraph (c) of this section;
(B) Obtains the consumer's express, informed consent to the furnishing of a consumer report in accordance with the limitation described in paragraph (b)(2) of this section; and
(C) Obtains the consumer's signature, either in writing or electronically, authorizing the consumer reporting agency to furnish the consumer report.
(ii) The consumer has not revoked consent to such furnishing.
(2) Limitation on furnishing. The consumer reporting agency furnishes the consumer report to a person only in connection with the person's provision to the consumer of a specific product or service the consumer has requested, or, if the consumer has not requested a product or service, in connection with a specific use the consumer has identified.
(3) Procurement, use, and retention. The person to whom the consumer reporting agency furnishes the consumer report:
(i) Procures, uses, or retains the consumer report, or provides the report to a third party, only as reasonably necessary to provide the product or service the consumer has requested or, if the consumer has not requested a product or service, for the specific use the consumer has identified;
(ii) Procures the consumer report no more than one year after the date on which the consumer consents to the furnishing of the report as described in paragraph (b)(1)(i)(B) of this section; and
(iii) Provides the consumer report to a third party only if the third party agrees by contract to comply with the limitations described in this paragraph (b)(3).
(4) Revocation of consent. (i) The consumer reporting agency or the person to whom the consumer reporting agency will furnish the consumer report provides the consumer a method by which to revoke consent for their report to be furnished that is as easy to access and operate as the method by which the consumer provided consent for their report to be furnished.
(ii) No person charges the consumer any costs or penalties to revoke their consent.
(c) Disclosure format and content. The disclosure required by paragraph (b)(1) of this section must be clear, conspicuous, and segregated from other material and must include:
(1) The name of the person for whom the consumer is providing consent to obtain their consumer report, which name must be readily understandable to the consumer;
(2) The name of the consumer reporting agency that will furnish the consumer report to the person identified in paragraph (c)(1) of this section, which name must be readily understandable to the consumer;
(3) A brief description of the specific product or service that the consumer is requesting from the person identified in paragraph (c)(1) of this section and in connection with which that person will use the consumer report, or, if the consumer is not requesting a product or service, the specific use for which the report will be furnished;
(4) Statements notifying the consumer of the procurement, use, and retention limitations described in paragraph (b)(3) of this section, and a statement that the person identified in paragraph (c)(1) of this section, and any third party to whom the consumer report is provided, will comply, or will be required to comply, with those limitations; and
(5) A description of the method by which the consumer may revoke consent for their consumer report to be furnished that is as easy to access and operate as the method by which the consumer provided consent for their report to be furnished, and a statement that the consumer will not incur any costs or penalties to revoke their consent.
(d) Reasonably necessary; examples. For purposes of paragraph (b)(3)(i) of this section, examples of uses of consumer reports that are not part of, or reasonably necessary to provide, any other product or service include:
(1) Targeted advertising;
(2) Cross-selling of other products or services; and
(3) The sale of information in the consumer report.
§ 1022.12 Permissible purposes based on a consumer reporting agency's reasonable belief about a person's intended use.
(a) In general. A consumer reporting agency may furnish a consumer report to a person that the consumer reporting agency has reason to believe intends to use the information as follows:
(1) Credit transaction involving a consumer. In connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, that consumer.
(2) Employment purposes. For employment purposes.
(3) Insurance underwriting. In connection with the underwriting of insurance involving the consumer.
(4) Eligibility for governmental license or other benefit. In connection with a determination of the consumer's eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant's financial responsibility or status.
(5) Assessment of an existing credit obligation. As a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation.
(b) Legitimate business need. (1) In general. In addition to furnishing a consumer report to a person for any purpose described in paragraph (a) of this section, a consumer reporting agency may furnish a consumer report to a person that the consumer reporting agency has reason to believe otherwise has a legitimate business need for the information:
(i) In connection with a business transaction that is initiated by the consumer; or
(ii) To review an account to determine whether the consumer continues to meet the terms of the account.
(2) Initiated by the consumer. (i) In general. Paragraph (b)(1)(i) of this section authorizes a consumer reporting agency to furnish a consumer report to a person only if the consumer reporting agency has reason to believe that the consumer has initiated a business transaction.
(ii) Examples. (A) Business transactions initiated by a consumer. A consumer initiates a business transaction for purposes of paragraph (b)(1)(i) of this section if, for example, the consumer:
(1) Applies to rent an apartment;
(2) Applies to open a brokerage account or checking account; or
(3) Offers to pay for merchandise by personal check.
(B) Interactions that are not business transactions initiated by a consumer. A consumer does not initiate a business transaction for purposes of paragraph (b)(1)(i) of this section by, for example, asking about the availability or pricing of products or services.
(3) Solicitation or marketing. (i) In general. Paragraphs (b)(1)(i) and (ii) of this section do not authorize a consumer reporting agency to furnish a consumer report to a person if the consumer reporting agency has reason to believe the person is seeking information from the report to solicit the consumer for a transaction the consumer did not initiate or to otherwise market products or services to the consumer. For requirements related to furnishing consumer reports in connection with prescreened offers for credit or
(ii) Example; account review. Assume a consumer has a checking account with a bank. Paragraph (b)(1)(ii) of this section authorizes a consumer reporting agency to furnish a consumer report to the bank if the consumer reporting agency has reason to believe the bank needs the report to determine, as part of an account review, whether to modify the terms of the consumer's existing checking account based on whether there are credible and meaningful indicia that the consumer used the account to defraud others. However, paragraph (b)(1)(ii) of this section does not authorize the consumer reporting agency to furnish a consumer report to the bank if the consumer reporting agency has reason to believe the bank is seeking the information from the report to market other products or services to the consumer.
§ 1022.13 Permissible purposes based on certain agency or other official requests.
(a) In general. A consumer reporting agency may furnish a consumer report as follows:
(1) Court order or subpoena. In response to:
(i) The order of a court having jurisdiction to issue such an order;
(ii) A subpoena issued in connection with proceedings before a Federal grand jury; or
(iii) A subpoena issued in accordance with 31 U.S.C. 5318 or 18 U.S.C. 3486.
(2) Request by child support enforcement agency. In response to a request by the head of a State or local child support enforcement agency (or a State or local government official authorized by the head of such an agency), if the person making the request certifies to the consumer reporting agency that:
(i) The consumer report is needed for the purpose of establishing an individual's capacity to make child support payments, determining the appropriate level of such payments, or enforcing a child support order, award, agreement, or judgment;
(ii) The parentage of the consumer for the child to which the obligation relates has been established or acknowledged by the consumer in accordance with State laws under which the obligation arises (if required by those laws); and
(iii) The consumer report will be kept confidential, will be used solely for a purpose described in paragraph (a)(2)(i) of this section, and will not be used in connection with any other civil, administrative, or criminal proceeding, or for any other purpose.
(3) Request related to State plans for child support. To an agency administering a State plan under 42 U.S.C. 654 for use to set an initial or modified child support award.
(4) Request related to insured depository institutions or insured credit unions. To the Federal Deposit Insurance Corporation or the National Credit Union Administration:
(i) As part of its preparation for its appointment as, or as part of its exercise of powers as, conservator, receiver, or liquidating agent for an insured depository institution or insured credit union under the Federal Deposit Insurance Act, 12 U.S.C. 1811 et seq., the Federal Credit Union Act, 12 U.S.C. 1751 et seq., or other applicable Federal or State law; or
(ii) In connection with the resolution or liquidation of a failed or failing insured depository institution or insured credit union, as applicable.
(5) Request related to government-sponsored, individually billed travel charge cards. To executive departments and agencies in connection with the issuance of government-sponsored, individually billed travel charge cards.
(b) [Reserved]
Subpart C-Affiliate Marketing
6. In § 1022.20, introductory text of paragraph (b) is republished and paragraph (b)(3) is revised to read as follows:
§ 1022.20 Coverage and definitions.
(b) Definitions. For purposes of this subpart:
(3) Eligibility information. The term "eligibility information" means any information the communication of which would be a consumer report if the exclusions from the definition of consumer report in § 1022.4(f)(1) did not apply. Eligibility information does not include aggregate or blind data that does not contain personal identifiers such as account numbers, names, or addresses.
Subpart D-Medical Information
7. Section 1022.32 is amended by revising paragraphs (b) and (c) to read as follows:
§ 1022.32 Sharing medical information with affiliates.
(b) In general. The exclusions from the term consumer report in § 1022.4(f) that allow the sharing of information with affiliates do not apply to a person described in paragraph (a) of this section if that person communicates to an affiliate:
(1) Medical information;
(2) An individualized list or description based on the payment transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment transactions for medical products or services.
(c) Exceptions. A person described in paragraph (a) of this section may rely on the exclusions from the term consumer report in § 1022.4(f) to communicate the information in paragraph (b) of this section to an affiliate:
(1) In connection with the business of insurance or annuities (including the activities described in section 18B of the model Privacy of Consumer Financial and Health Information Regulation issued by the National Association of Insurance Commissioners, as in effect on January 1, 2003);
(2) For any purpose permitted without authorization under the regulations promulgated by the Department of Health and Human Services pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-Bliley Act;
(5) In connection with a determination of the consumer's eligibility, or continued eligibility, for credit consistent with § 1022.30; or
(6) As otherwise permitted by order of the Bureau.
Subpart E-Duties of Furnishers of Information
8. In § 1022.41, introductory text is republished and paragraph (c) is revised to read as follows:
§ 1022.41 Definitions.
For purposes of this subpart and appendix E of this part, the following definitions apply:
(c) Furnisher means an entity that furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report. An entity is not a furnisher when it:
(1) Provides information to a consumer reporting agency solely to obtain a consumer report in accordance with §§ 1022.10 through 1022.13 and section 604(f) of the FCRA;
(2) Is acting as a consumer reporting agency as defined in § 1022.5;
(3) Is a consumer to whom the furnished information pertains; or
(4) Is a neighbor, friend, or associate of the consumer, or another individual with whom the consumer is acquainted or who may have knowledge about the consumer, and who provides information about the consumer's character, general reputation, personal characteristics, or mode of living in response to a specific request from a consumer reporting agency.
Subpart H-Duties of Users Regarding Risk-Based Pricing
9. Section 1022.71 is amended by revising paragraphs (f) and (g) to read as follows:
§ 1022.71 Definitions.
(f) Consumer report has the same meaning as in § 1022.4.
(g) Consumer reporting agency has the same meaning as in § 1022.5.
Subpart N-Duties of Consumer Reporting Agencies Regarding Disclosures to Consumers
10. In § 1022.130, introductory text is republished and paragraphs (c) and (d) are revised to read as follows:
§ 1022.130 Definitions.
For purposes of this subpart, the following definitions apply:
(c) Consumer report has the meaning provided in § 1022.4.
(d) Consumer reporting agency has the meaning provided in § 1022.5.
Subpart O-Miscellaneous Duties of Consumer Reporting Agencies
11. Section 1022.142 is amended by revising paragraphs (a) and (b)(2) and (3) to read as follows:
§ 1022.142 Prohibition on inclusion of adverse information in consumer reporting in cases of human trafficking.
(a) Scope. This section applies to any consumer reporting agency as defined in § 1022.5.
(b) * * *
(2) Consumer report has the meaning provided in § 1022.4.
(3) Consumer reporting agency has the meaning provided in § 1022.5.
Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2024-28690 Filed 12-12-24; 8:45 am]
BILLING CODE 4810-AM-P