CFPB Issues Advisory to Protect Privacy When Companies Compile Personal Data: Advisory affirms that “permissible purposes” are required to use and share credit reports and background reports (press release)
Today, the Consumer Financial Protection Bureau (CFPB) issued a legal interpretation to ensure that companies that use and share credit reports and background reports have a permissible purpose under the Fair Credit Reporting Act. The CFPB’s new advisory opinion makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct. . . .
Over the last century, Congress enacted a number of sector-specific privacy laws to protect personal data, such as educational and health data. One law that includes privacy protections across multiple sectors is the Fair Credit Reporting Act. Congress enacted the Fair Credit Reporting Act in 1970 to ensure companies “exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” The Fair Credit Reporting Act regulates companies that assemble dossiers on individual consumers, including credit reporting companies, tenant screeners, and other data brokers.
Among other things, the Fair Credit Reporting Act ensures fair and accurate reporting, and it requires users who buy these dossiers to have a legally permissible purpose. This ensures that companies cannot check an individual’s personal information, including their credit history, without a bona fide reason. Some common permissible purposes include using consumer reports for credit, insurance, housing, or employment decisions. For example, a bank may request a credit report in order to determine the terms on which it will offer someone a line of credit.
Today’s advisory opinion will help to hold responsible any company, or user of credit reports, that violates the permissible purpose provisions of the Fair Credit Reporting Act. Specifically, the advisory opinion makes clear:
-- Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights: For example, when a credit reporting company uses name-only matching procedures, the items of information appearing on a credit report may not all correspond to a single individual. That means the user of a credit report could be provided a report about a person for whom the user does not have a permissible purpose.
-- It is unlawful to provide credit reports of multiple people as “possible matches”: Credit reporting companies may not provide reports on multiple individuals where the requester only has a permissible purpose to obtain a report on one individual. They must have adequate procedures to find the right person, or else the result may be that they provide a report on at least one wrong person.
-- Disclaimers about insufficient matching procedures do not cure permissible purpose violations: Disclaimers will not cure a failure to take reasonable steps to ensure the information contained in a credit report is only about the individual for whom the user has a permissible purpose.
-- Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so: The Fair Credit Reporting Act strictly prohibits anyone from using or obtaining credit reports without a permissible purpose.
Advisory opinion:
https://www.consumerfinance.gov/rules-policy/final-rules/fair-credit-reporting-permissible-purposes-for-furnishing-using-and-obtaining-consumer-reports/
FRN:
https://www.federalregister.gov/d/2022-14823
Press release:
https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-advisory-to-protect-privacy-when-companies-compile-personal-data/