On December 3, 2024, the U.S. Consumer Financial Protection Bureau (the CFPB) announced a notice of proposed rulemaking that seeks to significantly expand the scope of the Fair Credit Reporting Act and its implementing regulation, Regulation V (collectively, the FCRA), and to impose new requirements on covered parties, such as data brokers (the Proposed Rule).1 If implemented as currently drafted, the Proposed Rule would increase the amount of information defined as a “consumer report” and the number of persons defined as a “consumer reporting agency.” Moreover, it would create new requirements in relation to certain permissible purposes for which a consumer reporting agency may furnish a consumer report to a party.
Comments to the Proposed Rule are due by March 3, 2025.2 The incoming CFPB administration may be sympathetic to industry requests to withdraw the Proposed Rule entirely or at least to modify the Proposed Rule in a manner that provides regulatory relief and certainty on key issues. Accordingly, affected clients should strongly consider submitting comments for consideration by the incoming administration.
Objectives of the Proposed Rule
Current CFPB leadership’s overarching, stated goal in initiating the Proposed Rule is to “rein in data brokers” by ensuring they are subject to the same legal requirements as credit bureaus and background check companies.3 The CFPB highlights risks to national security, increasing consumer scams, and threats to law enforcement personnel and domestic violence survivors in justifying significant and far-reaching changes in the Proposed Rule.4 While the CFPB emphasizes the nefarious threats of bad actors exploiting sensitive personal information procured from data brokers,5 the substance of the Proposed Rule seems focused on more mundane commercial uses.
Consumer Reporting Agency
Assembling or Evaluating
The FCRA statute defines “consumer reporting agency” as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.”6 Any entity that meets this definition is subject to the numerous and burdensome obligations that the FCRA imposes on consumer reporting agencies. Although there is useful past guidance on the meaning of “assembling or evaluating,” the FCRA to date has not defined the term.7 The Proposed Rule now seeks to define the term in a way that provides a very low threshold of what it means to “assemble or evaluate” consumer report information.
The Proposed Rule defines “assembling or evaluating” to mean when a person (1) collects, brings together, gathers, or retains consumer report information; (2) appraises, assesses, makes a judgment regarding, determines or fixes the value of, verifies, or validates consumer report information; or (3) contributes to or alters the content of consumer report information.8
By way of example, the Proposed Rule provides that a person assembles or evaluates consumer report information if the person
- collects such information from a consumer’s bank account and groups or categorizes it based on transaction type;
- alters the content of such information, such as by modifying the year date fields to all reflect four, rather than two, digits to ensure consistency;
- determines the value of such information, such as by arranging search results in order of perceived relevance to users, or provides scores, color coding, or other indicia of weight or import to users;
- retains information about consumers, such as by retaining data files containing consumers’ payment histories in a database or electronic file system; or
- verifies or validates information the person has received about a consumer, such as by checking whether a consumer’s date of birth received from a third-party data provider matches the consumer’s date of birth as listed in an external database or is properly formatted regardless of whether the person takes any action to correct any errors found.9
Thus, “assembling or evaluating” would include any of the following: reviewing whether consumer data is properly formatted; adjusting consumer data to ensure a consistent format; retaining consumer information; and categorizing consumer information. In effect, any activity other than passing raw data from one party to another would likely constitute “assembling or evaluating.” If adopted, this approach could cause many parties that handle consumer information in an underwriting or other business transaction context that do not consider themselves to be a consumer reporting agency to become subject to the FCRA.
Consumer Reports
One critical element of analyzing whether an entity is a “consumer reporting agency” is whether the data it provides to a third party is a “consumer report.”10 The Proposed Rule would interpret this definition in four new ways:
- The definition of “consumer report” under the Proposed Rule would apply to certain types of data regardless of the purpose for which such data is used in connection with a particular product.
- The definition of “consumer report” would apply to any product that is used in any way for an FCRA permissible purpose, even if the product was not intended to be used in such a manner and the product’s provider reasonably attempted to prevent an improper use.
- The Proposed Rule proposes three potential options for the circumstances under which deidentified information of the type that is subject to the FCRA falls within the definition of “consumer report.”
- The Proposed Rule adopts an interpretation by which credit report header data is a consumer report, even if provided in isolation from the substance of a consumer report.11
Used or Expected to Be Used in Connection With an FCRA Permissible Purpose
The Proposed Rule seeks to expand the generally understood meaning of the term “is used or expected to be used” in the definition of “consumer report” by defining the term to include when
- any person, not just the direct recipient of the information, uses the shared information for an FCRA permissible purpose regardless of whether the provider of a product reasonably expected such use or took steps to prevent misuse;12
- the provider expects or should expect that any recipient of the information will use the information for an FCRA permissible purpose (e.g., eligibility for consumer credit or business transactions) (this includes the reasonably anticipated uses by both the immediate recipient as well as downstream recipients); or13
- any of the information shared consists of a consumer’s credit history, credit score, debt payments, or income or financial tier, regardless of how such data is used in connection with a particular product.14
In particular, the Proposed Rule’s expansion of the definition of “consumer report” to include certain types of data regardless of how such data is used with respect to a particular product or service could cause many products or services specifically designed to fall outside the FCRA to be subject to its requirements in the future. The Proposed Rule would also trigger “consumer report” treatment and its attendant significant legal risks and liabilities where any downstream recipients use the report for a permissible purpose or if the provider expects or should expect that a downstream recipient will use the information for an FCRA permissible purpose.15 As a result, a provider of information would be deemed a consumer reporting agency if any person down the chain of information flow used the information for an FCRA permissible purpose, even if reasonable controls are put in place to prevent that from occurring.
Deidentified Data
The Proposed Rule also considers when deidentified consumer report data should still be regulated under the FCRA. Currently, the FCRA does not define when consumer information is considered deidentified, but regulators do not treat deidentified consumer information as a consumer report under the FCRA. The Proposed Rule considers three alternative approaches for when a consumer reporting agency’s communication of deidentified information nonetheless should be considered a consumer report under the FCRA.16
- The first alternative considers deidentification irrelevant and not a basis to avoid application of the FCRA.
- The second alternative considers consumer report information to be subject to the FCRA if it is “still linked or linkable.”
- The third alternative proposes a “still linked or reasonably linkable” standard but includes two additional triggers. It would also provide that consumer information is subject to the FCRA if any person links the information to the consumer or if the information is used to inform a business decision about a particular consumer (e.g., whether to target market that person).17
The first alternative reflects a marked departure from how deidentified information is treated under most U.S. state data privacy laws, all of which generally exempt deidentified information. The second alternative could potentially sweep into the scope of FCRA some types of data that could still be exempt under state privacy laws, as it would treat data that is theoretically “linkable” to an individual as deidentified, without regard to the standards used in these other privacy laws that focus on the risk or likelihood that the information could be used to identify the individual whose data is at issue.18
Credit Report Header Information
The Proposed Rule further provides that “credit header” information collected by a consumer reporting agency for purposes of preparing a consumer report is still considered a consumer report even if provided in isolation from the substance of the consumer report.19 The Proposed Rule defines credit header information to include information derived from a consumer report that is one of the following data points: name, age, date of birth, addresses, phone numbers, email addresses, Social Security number, or any similar information.20
Such information is commonly used by the three major credit reporting agencies in identification, fraud, and risk products, and the Proposed Rule, if implemented as drafted, could have a significant effect on such products. Although the CFPB considered the impact of restricting access to credit header information as it relates to such products, the CFPB dismisses stakeholders’ concerns as “overstated.” The Proposed Rule indicates that the CFPB believes that many of the users would have a permissible purpose to obtain such information because the user is requesting such information in connection with an existing permissible purpose, such as verifying the identity of a job or a loan applicant.21
Permissible Purpose
The Proposed Rule would limit the circumstances in which a consumer reporting agency may furnish a consumer report, including in circumstances when a consumer provides their written instructions to share their consumer report.
Consumers’ Written Instructions
The FCRA provides that a consumer reporting agency has a permissible purpose to provide a consumer report to a party if it is “[i]n accordance with the written instructions of the consumer to whom it relates.”22 The Proposed Rule imposes additional requirements on the content and form of that authorization and the use of any information collected pursuant thereto. The CFPB is purportedly targeting consumer report users that rely on vague consents that are hidden from consumers within lengthy terms and conditions for which consumers cannot discern what the report might be used for and that consumers would not have consented to if they had known about such intended use.23 The content and form requirements include the following: Consumers must provide their express written authorization, and the written authorization must identify: the consumer reporting agency; the party to whom the consumer report will be provided; the specific product, service, or use for which the consumer report is being obtained; data retention limits; and the manner of revocation.24 The collection, use, and retention of consumer information in connection with the authorization are limited to the terms of the authorization, and authorization automatically expires after one year.25 In addition, the Proposed Rule provides that targeted advertising, cross-selling, or the sale of information are not permitted secondary uses, and each requires a separate stand-alone authorization.26
Such requirements are generally consistent with the requirements for consumer authorizations in the Section 1033 Personal Financial Data Rights Rule.27 In fact, in the supplementary information to the Proposed Rule, the CFPB overtly states that it “is proposing to expressly provide that a consumer reporting agency furnishes a consumer report in accordance with the written instructions of the consumer for purposes of the FCRA and Regulation V if the person to whom the report is furnished is an authorized third party under [the Section 1033 final rule].”28 However, this is not in the text of the Proposed Rule.
Business Transaction or Account Review
The FCRA statute provides that there is a permissible purpose to provide a consumer report to a user if the user “has a legitimate business need for the information in connection with a business transaction that is initiated by the consumer or to review an account to determine whether the consumer continues to meet the terms of the account.”29 The Proposed Rule makes it explicit that use on such bases may not include marketing or solicitation. The Proposed Rule also makes it explicit that a consumer seeking information on product availability or pricing is not initiating a business transaction. Similarly, the CFPB is focused on eliminating use of consumer reports for marketing to consumers.30
Advertising Through Consumer Reporting Agencies
The Proposed Rule also seeks to disrupt marketing services offered by consumer reporting agencies whereby consumer reporting agencies directly deliver advertisements in reliance on consumer report information but avoid the requirements of the FCRA by never providing the consumer report information to the customer. As a technical matter, the Proposed Rule does so by defining what it means to “furnish a consumer report” to a third party to include “facilitat[ing] a person’s use of a consumer report for the person’s financial gain.”31 As a result, the customer on behalf of whom an advertisement is being delivered by a consumer reporting agency is a user of a consumer report and must have a permissible purpose, which generally does not include advertising unless it is in connection with making firm offers of credit or insurance. Again, these broad-reaching provisions demonstrate the CFPB’s policy focus on preventing the use of consumer reports in marketing — and given the expansions the CFPB seeks in defining a consumer report, this proposal could have far-reaching consequences on the data economy in financial services and beyond.
1. Consumer Financial Protection Bureau, Protecting Americans from Harmful Data Broker Practices (Regulation V) (December 3, 2024), available here.
2. Id. at p. 1.
3. Consumer Financial Protection Bureau, CFPB Proposes Rule to Stop Data Brokers from Selling Sensitive Personal Data to Scammers, Stalkers, and Spies (December 3, 2024), available here.
4. Id.
5. Id.
6. 15 U.S.C. § 1681a(f).
7. See Fed. Trade Comm’n, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations, (July 2011), pg. 29, available at https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf.
8. Proposed Rule, § 1022.5(b)(1).
9. Proposed Rule, § 1022.4(b)(2).
10. Under the FCRA statute, a “consumer report” means “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for” credit, insurance, or employment purposes, or any other purpose authorized under the FCRA, subject to certain exceptions. 15 U.S.C. § 1681a(d).
11. See Proposed Rule, § 1022.4(a)-(e).
12. Proposed Rule, § 1022.4(b).
13. Proposed Rule, § 1022.4(c)(1).
14. Proposed Rule, § 1022.4(c)(2).
15. Consumer Financial Protection Bureau, Protecting Americans from Harmful Data Broker Practices (Regulation V) (December 3, 2024), pp. 28 and 35, available here.
16. Proposed Rule, § 1022.4(e).
17. The Proposed Rule provides the following as examples of information that is linked or reasonably linkable: (1) information that identifies a specific household; (2) information that identifies a specific ZIP+4 Code in which a consumer resides; and (3) information that includes a persistent identifier (such as a cookie identifier, an internet protocol (IP) address, a processor or device serial number, or a unique device identifier) that can be used to recognize the consumer over time and across different websites or online services. Proposed Rule, § 1022.4(e), Alternative 3.
18. See, e.g., Cal. Civ. Code § 1798.140(m); Col. Rev. Stat. 6-1-1303(11) (defining “de-identified” with reference to whether information can be “reasonably” used to be linked to the individual whose data is at issue); see also, e.g., 42 U.S.C. § 164.514(b)(1) (providing that one method to deidentify protected health information under the Health Insurance Portability and Accountability Act Privacy Rule requires determination that the “risk is very small that the information could be used, alone or in combination with other reasonably available information” to identify an individual who is a subject of the information).
19. See Consumer Financial Protection Bureau, Protecting Americans from Harmful Data Broker Practices (Regulation V) (December 3, 2024), p. 48, available here.
20. Proposed Rule, § 1022.4(d).
21. See Consumer Financial Protection Bureau, Protecting Americans from Harmful Data Broker Practices (Regulation V) (December 3, 2024), pp. 60-61, available here.
22. 15 U.S.C. § 1681b(a)(2).
23. See Consumer Financial Protection Bureau, Protecting Americans from Harmful Data Broker Practices (Regulation V) (December 3, 2024), pp. 97-100, available here.
24. Id. at 196-199.
25. Id. at 197.
26. Id. at 104 and 199.
27. See https://files.consumerfinance.gov/f/documents/cfpb_personal-financial-data-rights-final-rule_2024-10.pdf.
28. See Consumer Financial Protection Bureau, Protecting Americans from Harmful Data Broker Practices (Regulation V) (December 3, 2024), p. 105, available here.
29. 15 U.S.C. § 1681b(a)(3)(F).
30. See Consumer Financial Protection Bureau, Protecting Americans from Harmful Data Broker Practices (Regulation V) (December 3, 2024), pp. 109-112, available here.
31. Proposed Rule, § 1022.10(b)(2).
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.