The CFPB has proposed a rule that it promotes as ensuring that Fair Credit Reporting Act (FCRA) protections are applied to sensitive consumer information that the statute was designed to protect, including information sold by data brokers. However, the proposal is much broader than a data broker rule and could have far reaching implications, including what is considered a consumer report, who is considered a consumer reporting agency, and specific requirements to qualify for the written authorization permissible purpose that are not provided for in the FCRA.  Comments are due on March 3, 2025. 

Please see our CyberAdviser blog post on the data broker implications of the proposal. We also have reported previously on CFPB efforts to bring data brokers within the scope of the FCRA, and to expand the concept of what is a consumer report.

Consumer Report

The FCRA defines a “consumer report” as follows:

“[A]ny written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for

  1. credit or insurance to be used primarily for personal, family, or household purposes;
  2. employment purposes; or
  3. any other purpose authorized under section 604.”

The CFPB proposes to define the concepts of “is used” and “is expected to be used,” as well as add the concept that personal identifiers are consumer reports.

As proposed, information “is used” for one or more of the specified purposes if a recipient of the information uses it for such a purpose.  Additionally, as proposed, information “is expected to be used” for one or more of the specified purposes if (1) the person making the communication expects or should expect that a recipient of the information in the communication will use the information for such a purpose, or (2) the information is about a consumer’s credit history, credit score, debt payments, or income or financial tier.

With regard to personal identifiers, as proposed a communication by a consumer reporting agency of a personal identifier for a consumer that was collected by the consumer reporting agency, in whole or in part for the purpose of preparing a consumer report about the consumer, is a consumer report regardless of whether the communication contains any information other than the personal identifier.  The CFPB proposes that the following would be personal identifiers:  (1) the consumer’s (a) current or former name or names, including any aliases, (b) age or date of birth, (c) current or former address or addresses, (d) current or former telephone number or numbers, (e) current or former email address or addresses, (f) Social Security number (SSN) or Individual Taxpayer Identification Number (ITIN), and (2) any other personal identifier for the consumer similar to the listed identifiers.

The CFPB also proposes three alternatives regarding whether the de-identification of information is relevant to whether the definition of “consumer report” is met:

(1) De-identification is not relevant to such determination.

(2) De-identification is not relevant to such determination if the information is still linked or linkable to a consumer.

(3) De-identification is not relevant to such determination if:

(a) The information is still linked or reasonably linkable to a consumer;

(b) The information is used to inform a business decision about a particular consumer, such as a decision whether to target marketing to that consumer; or

(c) A person that directly or indirectly receives the communication, or any information from the communication, identifies the consumer to whom information from the communication pertains.

Proposed examples of information that is linked or reasonably linkable to a consumer are:

(a) Information that identifies a specific household;

(b) Information that identifies a specific ZIP+4 Code in which a consumer resides; or

(c) Information that includes a persistent identifier (such as a cookie identifier, an Internet Protocol (IP) address, a processor or device serial number, or a unique device identifier) that can be used to recognize the consumer over time and across different websites or online services.

These proposals, when coupled with the proposals addressed below regarding the definition of a “consumer reporting agency,” would greatly expand the reach of the FCRA and make it difficult to imagine what information report regarding a consumer would not be covered.

Consumer Reporting Agency

The FCRA defines a “consumer reporting agency” as follows:

“[A]ny person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.”

The CFPB proposes to adopt a definition of “assembling or evaluating” and also add examples of such activity. The proposed definition is as follows:

“[A] person assembles or evaluates consumer credit information or other information about consumers if the person:

(i) Collects, brings together, gathers, or retains such information;

(ii) Appraises, assesses, makes a judgment regarding, determines or fixes the value of, verifies, or validates such information; or

(iii) Contributes to or alters the content of such information.”

The proposed examples of assembling or evaluating are as follows:

“A person assembles or evaluates consumer credit information or other information about consumers . . . if, for example, the person:

(i) Collects such information from a consumer’s bank account and assesses it, such as by grouping or categorizing it based on transaction type;

(ii) Alters the content of information the person has received about a consumer, such as by modifying the year date fields to all reflect four, rather than two, digits to ensure consistency;

(iii) Determines the value of such information, such as when a company that hosts an online database regarding consumers’ criminal histories arranges or orders search results in order of perceived relevance to users, or provides scores, color coding, or other indicia of weight or import to users;

(iv) Retains information about consumers, such as by retaining data files containing consumers’ payment histories in a database or electronic file system; or

(v) Verifies or validates information the person has received about a consumer, such as by checking whether a consumer’s date of birth received from a third-party data provider matches the consumer’s date of birth as listed in an external database or is properly formatted regardless of whether the person takes any action to correct any errors found.”

The proposed expansions of information that is subject to the FCRA and who constitutes a consumer reporting agency are well beyond what would be tailored to address data brokers.  The proposals are so broad it appears the analysis of whether a party is a consumer reporting agency providing a consumer report would mainly focus on whether they are providing the information for monetary fees, dues, or on a cooperative nonprofit basis.  Credit header data and other basic contact information being used to confirm the identity of a consumer for important purposes, such as to avoid fraud or money laundering, would be a consumer report.  Additionally, there is the issue of what falls within the vague concept of financial tier.  The proposed expansions are so significant that they are matters to be addressed by Congress and not an executive agency. 

Written Authorization Permissible Purpose

Under the FCRA, a consumer reporting agency may furnish a consumer report “[i]n accordance with the written instructions of the consumer to whom it relates.”  The CFPB proposes to add significant conditions to this permissible purpose. 

As proposed, for a consumer report to be furnished pursuant to the written authorization permissible purpose:

(1) The consumer reporting agency or the person to whom the consumer reporting agency will furnish the consumer report must:

(a) provide the consumer, either in writing or electronically, with a disclosure that satisfies specified requirements addressed below;

(b) obtain the consumer’s express, informed consent to the furnishing of a consumer report in accordance with the limitation on furnishing addressed below; and

(c) obtain the consumer’s signature, either in writing or electronically, authorizing the consumer reporting agency to furnish the consumer report, and the consumer must not have revoked consent to such furnishing.

(2) The consumer reporting agency must furnish the consumer report to a person only in connection with the person’s provision to the consumer of a specific product or service that the consumer has requested, or, if the consumer has not requested a product or service, in connection with a specific use the consumer has identified.  (The required disclosure, which is addressed below, would need to identify the specific product or service, or if the consumer has not requested a product or service, the specific use identified by the consumer.)

(3) The person to whom the consumer reporting agency furnishes the consumer report:

(i) procures, uses, or retains the consumer report, or provides the report to a third party, only as reasonably necessary to provide the product or service the consumer has requested or, if the consumer has not requested a product or service, for the specific use the consumer has identified;

(ii) procures the consumer report no more than one year after the date on which the consumer consents to the furnishing of the report; and

(iii) provides the consumer report to a third party only if the third party agrees by contract to comply with such limitations.

With regard to the “reasonably necessary” element, the CFPB proposes that examples of uses of consumer reports that are not part of, or reasonably necessary to provide, any other product or service include targeted advertising, cross-selling of other products or services, and the sale of information in the consumer report.

The consumer reporting agency or the person to whom the consumer reporting agency will furnish the consumer report would need to provide the consumer with a method to revoke consent for their report to be furnished that is as easy to access and operate as the method by which the consumer provided consent for their report to be furnished.  Additionally, no person could charge the consumer any costs or penalties to revoke their consent.

The required consumer disclosure would need to be clear, conspicuous, and segregated from other material, and include:

(1) the name of the person for whom the consumer is providing consent to obtain their consumer report, which name must be readily understandable to the consumer;

(2) the name of the consumer reporting agency that will furnish the consumer report to the person to whom the consumer is providing consent, which name must be readily understandable to the consumer;

(3) a brief description of the specific product or service that the consumer is requesting from such person and in connection with which that person will use the consumer report, or, if the consumer is not requesting a product or service, the specific use for which the report will be furnished;

(4) statements notifying the consumer of the procurement, use, and retention limitations described above, and a statement that the person to whom the consumer is providing consent, and any third party to whom the consumer report is provided, will comply, or will be required to comply, with the limitations; and

(5) a description of the method by which the consumer may revoke consent for their consumer report to be furnished that is as easy to access and operate as the method by which the consumer provided consent for their report to be furnished, and a statement that the consumer will not incur any costs or penalties to revoke their consent.

The requirements are not provided for in the FCRA.  Given the significance of such requirements, if imposed, they should be imposed by Congress and not an executive agency. 

Legitimate Business Need Permissible Purpose

In addition to providing that a consumer reporting agency may furnish a consumer for certain specific purposes, the FCRA also provides that a consumer reporting agency may furnish a consumer report to a person who otherwise has a legitimate business need for the information (1) in connection with a business transaction that is initiated by the consumer, or (2) to review an account to determine whether the consumer continues to meet the terms of the account.

The CFPB proposes examples of when business transactions are and are not initiated by the consumer.  As proposed, examples of business transactions initiated by the consumer include when the consumer applies to rent an apartment, applies to open a brokerage account or checking account, or offers to pay for merchandise by personal check.  A proposed example of a situation in which a consumer does not initiate a business transaction would be when the consumer asks about the availability or pricing of products or services.

The CFPB also proposes that the legitimate business need permissible purpose does not apply if the consumer reporting agency has reason to believe the person requesting a consumer report is seeking information from the report to solicit the consumer for a transaction the consumer did not initiate or to otherwise market products or services to the consumer.

With regard to the account review aspect of the permissible purpose, the CFPB proposes that an example of a permissible purpose would be if a consumer reporting agency has reason to believe that a bank needs a consumer report to determine, as part of an account review, whether to modify the terms of the consumer’s existing checking account based on whether there are credible and meaningful indicia that the consumer used the account to defraud others.  The CFPB also proposes that the permissible purpose does not authorize the consumer reporting agency to furnish a consumer report to the bank if the consumer reporting agency has reason to believe the bank is seeking the information from the report to market other products or services to the consumer.

The CFPB is considering an effective date that is six months or one year after the final rule is published in the Federal Register. However, given the breadth of the proposal, it may not be viewed favorably by the next CFPB Director. Nonetheless, stakeholders should consider submitting comments.