CFPB Issues Advisory on Personal Data Compilation
The Consumer Financial Protection Bureau on Thursday issued a legal interpretation on how companies that use and share credit reports and background reports can do so under the Fair Credit Reporting Act.
In the advisory opinion, the Bureau makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct.
“Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data,” said CFPB Director Rohit Chopra. “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”
FCRA ensures fair and accurate reporting, and it requires users who buy these dossiers to have a legally permissible purpose. The Bureau said the advisory opinion “will help to hold responsible any company, or user of credit reports, that violates the permissible purpose provisions of the Fair Credit Reporting Act.”
Key aspects of the advisory opinion:
- Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights: For example, when a credit reporting company uses name-only matching procedures, the items of information appearing on a credit report may not all correspond to a single individual. That means the user of a credit report could be provided a report about a person for whom the user does not have a permissible purpose.
- It is unlawful to provide credit reports of multiple people as “possible matches:” Credit reporting companies may not provide reports on multiple individuals where the requester only has a permissible purpose to obtain a report on one individual. They must have adequate procedures to find the right person, or else the result may be that they provide a report on at least one wrong person.
- Disclaimers about insufficient matching procedures do not cure permissible purpose violations: Disclaimers will not cure a failure to take reasonable steps to ensure the information contained in a credit report is only about the individual for whom the user has a permissible purpose.
- Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so: The Fair Credit Reporting Act strictly prohibits anyone from using or obtaining credit reports without a permissible purpose.
The advisory opinion outlines some of the criminal liability provisions in FCRA. Covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual. For example, Section 620 of the Fair Credit Reporting Act imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person. Violators can face criminal penalties and imprisonment.
The CFPB will continue to take steps to ensure credit reporting companies and other relevant entities adhere to the Fair Credit Reporting Act and other consumer financial protection laws. In addition to some of the steps already mentioned, the CFPB has:
- Highlighted the experiences of military families with medical billing, credit reporting, and debt collection. The CFPB’s report showed that nationwide credit reporting companies are failing to correct mistakes and inaccuracies, fueled by allegedly unpaid medical bills, on servicemembers’ credit reports.
- Spotlighted medical billing challenges faced by millions of American consumers. The CFPB’s report found that many consumers reported their credit reports being used as weapons to force payments of allegedly unpaid medical bills and that the bills are surreptitiously and unlawfully placed on their credit reports.
- Identified credit reporting companies the public can hold accountable. The CFPB released its annual list of credit reporting companies. Using the list, people can exercise their right to see what personal information these companies have, dispute inaccuracies, and take action if a firm is violating the Fair Credit Reporting Act.
- Issued a bulletin to prevent unlawful medical debt collection and credit reporting. The bulletin states that the accuracy and dispute obligations imposed by the Fair Credit Reporting Act apply with respect to debts stemming from charges that exceed the amount permitted by the No Surprises Act.
- Took action to stop the false identification of consumers by background screeners. The advisory opinion affirmed that credit reporting companies and tenant and employment screening companies are violating the Fair Credit Reporting Act if they engage in shoddy name-only matching procedures.
The Advisory Opinion can be found here.