On December 3, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a proposed rule for public comment aimed at amending Regulation V, which implements the Fair Credit Reporting Act (FCRA). The proposed rule seeks to redefine (and, in some cases, rewrite) key terms and provisions within the FCRA, particularly focusing on the activities of purported “data brokers.”
The CFPB’s stated goal is to address the sale of consumer report information by ensuring data brokers are subject to the same regulations as consumer reporting agencies (CRAs). The CFPB cites concerns about the misuse of consumer information for financial scams, identity theft, and other harmful activities. In its press release announcing the proposed rule, the CFPB stated, “Countries of concern, like China and Russia, can purchase detailed personal information about military service members, veterans, government employees, and other Americans for pennies per person.” Additionally, the Bureau stated, “The availability of sensitive contact information poses risks to those who are targeted for their profession, such as judges, police officers, prosecutors, and other government employees. Domestic violence survivors also face grave dangers when their current addresses and phone numbers are readily available for purchase through data brokers.”
Previously, we discussed, here and here, the CFPB’s intention to expand the reach of the FCRA by rulemaking, where Director Rohit Chopra highlighted two main initiatives: (1) defining data brokers as CRAs; and (2) addressing the “confusion” around credit header data. The latest proposed rule reemphasizes both of those issues, proposing to make many data brokers subject to FCRA regulations, and deciding that communications of personal identifiers collected for preparing consumer reports, often known as “credit header” information, are considered consumer reports. However, the CFPB goes far beyond this stated goal and addresses many other areas of consumer reporting, such as imposing new requirements and restrictions on the permissible purposes available to end users to obtain consumer reports from CRAs.
The CFPB will be accepting comments on this latest proposed rule until March 3, 2025. Notably, many of the concerns raised during the CFPB Small Business Review Panel in October 2023 were not addressed in the proposed rule.
The CFPB is considering an effective date of six months to one year after the final rule is published in the Federal Register. However, with the upcoming change in administration, the CFPB may have additional motivations behind proposing this far-reaching rule at this juncture.
Summary of the Proposed Rule
The CFPB’s proposed rule aims to apply the FCRA’s definitions of “consumer report” and “consumer reporting agency” more broadly. Key provisions include:
- Expanded Definitions of “Used or Expected to Be Used”: The rule proposes a brightline test that would classify data brokers that sell information about a consumer’s credit history, credit score, debt payments, or income as CRAs, regardless of the purpose for which any specific communication of such information is used or expected to be used. The proposed rule would establish two tests for determining whether the “expected to be used” element of the definition of “consumer report” has been met. Under these tests, information in a communication is “expected to be used” for such a purpose if: (1) the person making the communication expects or should expect that a recipient of the information will use it for such a purpose; or (2) it is information about a consumer’s credit history, credit score, debt payments, or income or financial tier. Information would need to satisfy only one of the tests for the “expected to be used” element to be met.
- Expanded Definition of “Assembles” or “Evaluates”: The CFPB also proposed an expansion of the “assembles” or “evaluates” definition of a CRA. If an entity assembles or evaluates information about consumers, including by even collecting, gathering, or retaining; assessing, verifying, or validating; or contributing to or altering the content of such information, it will be considered a CRA. An example the CFPB provided in the proposed rule is a person assembles or evaluates consumer information when that person retains information about consumers. Thus, a company is at risk of being characterized as assembling or evaluating information about a consumer merely by retaining data files containing consumers’ payment histories in a database or electronic file system.
- “Credit Header” Information: The rule proposes the term “consumer report” includes a communication by a CRA of a personal identifier, i.e., name, date of birth, addresses, Social Security number, and telephone number, for a consumer that was collected by the CRA in whole or in part for the purpose of preparing a consumer report about the consumer. This would mean that a CRA could only make such a communication if the entity requesting such information has a permissible purpose under the FCRA to obtain it. This approach poses serious risk to fraud uses of consumer information that have not traditionally been treated as consumer reports.
- Re-identification Prevention: The proposed rule restates the CFPB’s interest in continuing to treat de-identified information as consumer reports subject to all of the FCRA’s protections, even if such de-identified data has also been aggregated.
- Written Instructions: The proposed rule imposes new obligations on the ability of a CRA to furnish a consumer report in accordance with the written instructions of the consumer. To obtain such authorization from the consumer, the written instructions must contain certain disclosures, be signed by the consumer, and not have been revoked by the consumer.
- Legitimate Business Needs: The proposed rule provides that the FCRA’s permissible purpose relating to legitimate business needs for consumer reports does not authorize furnishing of consumer reports for marketing. The proposed rule would not interfere with CRAs’ ability to furnish consumer reports to either prevent fraud or verify the identity of a consumer when done in connection with a permissible purpose, like credit applications, government benefits, bank account opening, and rental applications, and in compliance with the FCRA’s other requirements.
The CFPB concurrently published a Fast Factsabout the proposed rule.
Our Take
Based on the change in administration, the likelihood of this proposed rule being finalized is slim. President-Elect Trump is expected to replace Director Chopra early in his administration, which could lead to a shift in regulatory priorities and the rescinding, in whole or in part, of this proposed rule.
It may be the case, therefore, that the CFPB is proposing this rule to serve as a blueprint for state legislation, potentially leading to a patchwork of state laws that complicate compliance for data brokers.
We will be publishing more detailed blogs about each of these key provisions in the days to come.