
CFPB targets data broker industry in proposed amendments to Fair Credit Reporting Act regulations


The Consumer Financial Protection Bureau this week issued a proposed rule that seeks to bring data brokers within the definition of a consumer reporting agency, citing national security and privacy concerns in order to give consumers visibility into and control over how their personal data is used. The rule largely expands the FCRA’s scope and raises new obstacles for data brokers making disclosures to third parties.

Introduction

This week, the Consumer Financial Protection Bureau (“CFPB”) unveiled proposed amendments to Regulation V, the agency’s regulations implementing the Fair Credit Reporting Act (“FCRA”), which would bring data brokers within the CFPB’s regulatory perimeter. The proposed rule would subject certain data brokers who sell consumers’ personal identifying information to the FCRA, imposing substantial new compliance obligations on those players in the data brokerage industry. The proposal would also expand the scope of the 54-year-old law by extending the meaning of “consumer report” and setting stricter requirements for the disclosure of consumer data to third parties. 

The proposed amendments to Regulation V arrive amidst a slew of other significant rulemakings and enforcement activity over the past few months by the consumer watchdog agency, which is working quickly to fulfil its regulatory agenda prior to the new presidential administration taking the reins. Because the CFPB data broker rule is only a proposed rule, it is not subject to the Congressional Review Act for potential overturn by the incoming Congress but could be withdrawn by the CFPB in the new administration. Comments on the proposed rule are due March 3, 2025. 

Targeting the data broker industry

The newly proposed regulations are primarily designed to bring certain data brokers under the ambit of the FCRA and make it harder for these entities to share financial data with third parties absent a permissible purpose under the law. CFPB Director Rohit Chopra has claimed that data brokers engage in “widespread evasion” of the FCRA, and that they “routinely sidestep the FCRA by claiming they aren’t subject to its requirements.” The agency, in its preamble to the proposed rule, argues that data broker practices raise both privacy and national security risks, such as the surveillance of military service members and government personnel, exploitation by online scammers, and violence and stalking towards law enforcement and domestic violence survivors. The CFPB has long bemoaned data brokers’ ability to operate outside of the perimeter of the FCRA, and now confronts specific data broker activity through the following mechanisms in this rule:

The rule classifies certain data brokers as consumer reporting agencies regardless of their intent when communicating consumer data. 

Under the new rule, data brokers will be treated as consumer reporting agencies (“CRAs”) if they sell information about consumers’ (a) credit history, (b) credit score, (c) debt payments (this includes non-credit obligations) and (d) income/financial tier, regardless of whether a data broker knows or believes it is furnishing a consumer report. Under the statute, “consumer report” means a communication of information by a CRA bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living that is “used or expected to be used or collected in whole or in part” for one of the FCRA-defined “permissible purposes” (e.g., to establish a consumer’s eligibility for insurance, credit, or employment). The CFPB notes that, to date, many data brokers have attempted to avoid liability under the FCRA by arguing that they do not expect the consumer information they sell to be used for a permissible purpose; rather, they sell information to be used, for example, for marketing purposes.

The new rule clarifies that if a data broker communicates information in the categories (a) through (c) listed above, even if it does not intend that information to be used for purposes of assessing a consumer’s credit worthiness, the information will nonetheless be considered a consumer report. In other words, this new rule adopts a bright-line approach that disregards intent.

To illustrate this, the CFPB provides an example of a data broker that collects or sells information about individual consumers’ travel preferences for use in marketing and sells that information to a third party. Ordinarily, if the data broker believed that the communication was purely for marketing purposes, this kind of disclosure would not be subject to the FCRA since the data broker providing this information had no expectation that the data was to be used as a consumer report. However, the CFPB clarifies that now, if the third-party recipient proceeds to use that information to establish a consumer’s eligibility for credit (or some other FCRA-related purpose), the disclosure would be a consumer report and the data broker that sold it would be treated as a CRA.  

The rule considers the sale of personal identifiers a consumer report.

Under the proposed rule, when personal identifiers such as a consumer’s name, address, phone number, Social Security number, or age are collected for a credit report, subsequent communications of this information will itself be considered a consumer report. This means that data brokers who sell routine demographic information, also known as “credit header data,” could be acting as CRAs and be subject to the FCRA just as if that information had been collected for a consumer report. Despite this, the proposed rule still allows CRAs to furnish credit header data for fraud-detection and identity verification related to a permissible purpose such as credit applications, insurance underwriting, opening accounts, and rental/mortgage applications. Overall, this broad inclusion of credit header data within the meaning of consumer reports could make it increasingly difficult for certain data brokers to share ordinary identifying information with advertisers or other companies in the absence of a permissible purpose.

The rule could largely restrict the sharing of de-identified data.  

The proposed rule contemplates three different approaches to de-identified data based on risk of re-identification, each of which would require certain forms of de-identified data to fall under the FCRA’s protections. This would further curtail data brokers’ ability to share information with third parties by placing heightened scrutiny on the communication of de-identified data. The CFPB is seeking comment on these approaches and will presumably adopt one or more in the final rule.

  • Alternative 1: By far the strictest alternative, no de-identified data would be exempt from the FCRA under this approach. If a CRA provides de-identified information that would normally qualify as consumer report information, then even the de-identified data qualifies as a consumer report. This alternative would treat all de-identified data as regular identifiable data, regardless of any risk of re-identification. 
  • Alternative 2: De-identified data would only constitute a consumer report if the information were still linked or linkable to a consumer. 
  • Alternative 3: De-identified data would only constitute a consumer report if either (a) the information is linked or reasonably linkable to a consumer, (b) the information is used to inform a business decision about a specific consumer (i.e., targeted ads), or (c) a party that receives the CRA’s communication (in whole or in part) identifies the consumer the information belongs to.

Tightening the permissible purposes for furnishing consumer reports

Under the FCRA and Regulation V, a CRA can disclose (or “furnish”) a consumer report if the person or company seeking the report has a “permissible purpose.” The proposed rule establishes a more rigid interpretation of “furnish” and sets stricter requirements for what constitutes certain permissible purposes. The most notable changes are as follows:

The rule expands the definition of “Furnish.” 

Under the proposed rule, a CRA “furnishes” a consumer report to another person even if it does not technically transfer a report to them, so long as the CRA “facilitates” the person’s use of a consumer report for the person’s own financial gain. This would mean that an entity will have furnished a consumer report under FCRA if the recipient of the entity’s information uses that information for purposes like evaluating loan worthiness, even if the entity did not intend to share an actual consumer report to begin with. This could impact, for example, data sharing arrangements where members of a consortium access a shared pool of data.

The rule imposes much more prescriptive and rigorous consent requirements.  

One of the permissible purposes under the FCRA allows CRAs to furnish a consumer report to a third party when a consumer consents. The CFPB has raised concerns that CRA consent language is overly vague or appears in hard-to-understand contract terms. This new rule heightens the standard for obtaining consumer consent, mandating that CRAs or their intended recipient obtain a written or electronic consumer signature, and that the CRA or party seeking the report provide a clear and conspicuous disclosure to consumers in an independent document. The rule lists a variety of content which must be included in the consent language, including the name of the recipient, the name of the CRA furnishing the report, the purpose (such as the product or service) for which the report is being shared, and the procurement, use and retention limits on the data. The consent language must also provide an easily available and operable revocation mechanism for consumers to withdraw consent.

Under this permissible purpose, recipients of a consumer report may only obtain, use, share, and keep a consumer report insofar as it is “reasonably necessary” to provide the product, service, or use sought by the consumer. The proposed rule clarifies that targeted advertising, cross-selling of other products/services, and the sale of information in a consumer report are not deemed “reasonably necessary” under the FCRA.

The rule prohibits sharing for marketing and solicitation. 

A CRA may also furnish consumer reports when it has “reason to believe” that the person seeking the report intends to use the information for a consumer credit transaction, employment purposes, eligibility for a government license or benefit, to evaluate an existing credit obligation, or to otherwise fulfil a “legitimate business need.” A “legitimate business need” includes using a consumer report to review whether a consumer continues to meet the terms of an account, or to otherwise carry out a business transaction “initiated by a consumer.” The rule narrows the boundaries of “legitimate business needs” by establishing that (a) consumers do not “initiate a business transaction” when they ask about the availability or pricing of a product or service, and (b) furnishing a report for the purpose of soliciting a consumer or marketing products or services to a consumer does not qualify as a legitimate business need. 

Next steps 

The proposed rule is currently subject to a three-month public comment period, which will close on March 3, 2025. While a final rule would impose substantial new demands on certain data brokers, and rattle parts of the online ecosystem, this rulemaking likely faces a major uphill battle. The CFPB’s priorities as an agency could change substantially under the incoming presidential administration, which has emphasized deregulation as a top priority and has criticized the watchdog agency. Further, the Supreme Court’s recent decision in Loper Bright Enterprises v. Raimondo, which overturned the long-established broad judicial deference to agency interpretations of federal statutes, could mean that a finalized rule would have to survive a court’s own interpretation of the FCRA. It is quite possible that a court would not agree with the agency’s reading of the decades-old law, nor agree with the broad extension of the FCRA to other data brokers. Beyond that, the CFPB also continues to face legal threats to its own authority, putting its very existence into question. The final scope of this regulation, therefore, remains to be seen.

Authored by Jasmeet Ahuja, Elizabeth Boison, Roshni Patel, Aaron Lariviere, and Ryan Campbell.
