On July 7, 2022, the Consumer Financial Protection Bureau (CFPB) issued a legal interpretation that ensures that any company that uses and shares credit reports and background reports has permissible purposes per the Fair Credit Reporting Act. The reason behind the new advisory is to protect the public’s data privacy by making it evident that companies and users of credit reports have specific obligations they must follow. Additionally, the advisory emphasizes to covered entities the potential criminal liability for certain misconduct.
CFPB Director Rohit Chopra further discussed the advisory, stressing the importance of protecting Americans’ privacy, especially when large commercial firms are using constant surveillance to monetize Americans’ data. In a statement, the Director stated, “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”
The Fair Credit Reporting Act was enacted by Congress in 1970, and the purpose is to provide privacy protections throughout multiple sectors. The Fair Credit Reporting Act safeguards fair and accurate reporting, and users who buy the information must have a legally permissible purpose. Examples of permissible purposes, include using consumer reports for credit, insurance, and housing or employment decisions.
The new advisory will hold any company or user of credit reports responsible if they violate the permissible purpose standard of the Fair Credit Reporting Act. The advisory notes explicitly:
- Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose.
- It is unlawful to provide “possible matches” of credit reports of multiple people.
- Disclaimers about insufficient matching procedures do not fix a failure to take reasonable steps to ensure the permissible purpose standard.
- Users of credit reports are required to guarantee that they do not violate a person’s privacy by attaining a credit report when they lack a permissible purpose for doing so.
Further, the new advisory reminds covered companies of the criminal liability provisions that are in the Fair Credit Reporting Act. For example, a covered entity can face criminal liability for obtaining an individual’s background report under pretenses or by giving a background report to an unauthorized individual. The CFPB has continued to make strides in ensuring credit reporting companies and other entities obey the Fair Credit Reporting Act, exemplified below:
- Release an annual list of credit reporting companies so the public can hold them accountable by exercising their right to see what personal information these companies have and take action if the companies are violating the Fair Credit Reporting Act.
- Issued a bulletin to stop illicit medical debt collection and credit reporting.
- Highlighted challenges American consumers face regarding medical billing and credit reports being used as weapons to force payments of allegedly unpaid medical bills.
- Spotlighted that credit reporting companies and tenant and employment screening companies are violating the Fair Credit Reporting Act by engaging in false identification of consumers.