[Federal Register Volume 89, Number 240 (Friday, December 13, 2024)]
[Proposed Rules]
[Pages 101402-101462]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-28690]
[[Page 101401]]
Vol. 89
Friday,
No. 240
December 13, 2024
Part VII
Consumer Financial Protection Bureau
-----------------------------------------------------------------------
12 CFR Part 1022
Protecting Americans From Harmful Data Broker Practices (Regulation V);
Proposed Rule
��Federal Register / Vol. 89, No. 240 / Friday, December 13, 2024 /
Proposed Rules��
[[Page 101402]]
-----------------------------------------------------------------------
CONSUMER FINANCIAL PROTECTION BUREAU
12 CFR Part 1022
[Docket No. CFPB-2024-0044]
RIN 3170-AB27
Protecting Americans From Harmful Data Broker Practices
(Regulation V)
AGENCY: Consumer Financial Protection Bureau.
ACTION: Proposed rule; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Consumer Financial Protection Bureau (CFPB) is issuing a
proposed rule for public comment to amend Regulation V, which
implements the Fair Credit Reporting Act (FCRA). The proposed rule
would implement the FCRA's definitions of consumer report and consumer
reporting agency as well as certain of the FCRA's provisions governing
when consumer reporting agencies may furnish, and users may obtain,
consumer reports. The proposed rule is designed to, among other things,
ensure that the FCRA's protections are applied to sensitive consumer
information that the statute was enacted to protect, including
information sold by data brokers.
DATES: Comments must be received on or before March 3, 2025.
ADDRESSES: You may submit comments, identified by Docket No. CFPB-2024-
0044 or RIN 3170-AB27, by any of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. A brief summary of
this document will be available at https://www.regulations.gov/docket/CFPB-2024-0044.
Email: [email protected]. Include
Docket No. CFPB-2024-0044 or RIN 3170-AB27 in the subject line of the
message.
Mail/Hand Delivery/Courier: Comment Intake--Protecting
Americans from Harmful Data Broker Practices (Regulation V), c/o Legal
Division Docket Manager, Consumer Financial Protection Bureau, 1700 G
Street NW, Washington, DC 20552.
Instructions: The CFPB encourages the early submission of comments.
All submissions should include the agency name and docket number or
Regulatory Information Number (RIN) for this rulemaking. Because paper
mail is subject to delay, commenters are encouraged to submit comments
electronically. In general, all comments received will be posted
without change to https://www.regulations.gov.
All submissions, including attachments and other supporting
materials, will become part of the public record and subject to public
disclosure. Proprietary information or sensitive personal information,
such as account numbers or Social Security numbers, or names of other
individuals, should not be included. Submissions will not be edited to
remove any identifying or contact information.
FOR FURTHER INFORMATION CONTACT: George Karithanom, Regulatory
Implementation and Guidance Program Analyst, Office of Regulations, at
202-435-7700 or https://reginquiries.consumerfinance.gov/. If you
require this document in an alternative electronic format, please
contact [email protected].
SUPPLEMENTARY INFORMATION: Data brokers, including consumer reporting
agencies, collect information about, among other things, the credit,
criminal, employment, and rental histories of hundreds of millions of
Americans. They analyze and package this information into reports used
by creditors, insurers, landlords, employers, and others to make
decisions about consumers. This collection, assembly, evaluation,
dissemination, and use of vast quantities of often highly sensitive
personal and financial data about consumers poses a significant threat
to consumer privacy. It can also threaten national security and
facilitate numerous tangible consumer harms, such as financial scams
and the identification of victims for stalking and harassment.
Congress enacted the Fair Credit Reporting Act (FCRA) \1\ in part
to protect consumer privacy by regulating the communication of consumer
information by consumer reporting agencies. The statute subjects such
communications, which are referred to as consumer reports, to certain
requirements and limitations, and it affords certain protections to
consumers. For example, the FCRA imposes clear bright-line rules
permitting people to obtain consumer reports from consumer reporting
agencies only for certain specified purposes, known as permissible
purposes, and forbidding consumer reporting agencies from furnishing
consumer reports to users who lack a permissible purpose. In addition,
consumers have various rights under the FCRA, such as the right to
dispute the accuracy of information in their file and to be notified
when, for example, a creditor, landlord, or employer relies on consumer
report information to make a negative decision about the consumer's
application for credit, housing, or employment.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 1681 et seq.
---------------------------------------------------------------------------
In recent years, the consumer reporting marketplace has evolved in
ways that imperil Americans' privacy. There is an emerging consensus
that intrusive surveillance and aggregation of sensitive data about
consumers can create conditions for harming national security by
exposing information that could be exploited by countries of
concern.\2\ Stalkers and domestic abusers can also obtain sensitive
contact information from data brokers to contact or locate people who
do not wish to be contacted or located, such as domestic violence
survivors. In addition, vast troves of sensitive data, including, for
example, individualized data about a consumer's finances, are bought
and sold, without consumers' knowledge or consent, by data brokers who
believe that the FCRA does not apply to them or to some of their
activities. This data can be leveraged to scam or defraud people. Data
brokers evading coverage under the FCRA include traditional consumer
reporting agencies and recent market entrants using new business models
and technologies to collect and analyze consumer information on an
unprecedented scale. The CFPB is proposing this rule to address when a
data broker is covered by the FCRA, and to protect Americans from the
harms and invasions of privacy created by certain data broker
activities that violate the FCRA.
---------------------------------------------------------------------------
\2\ See, e.g., E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024);
Justin Sherman et al., Data Brokers and the Sale of Data on U.S.
Military Personnel: Risks to Privacy, Safety, and National Security
(Nov. 2023) (hereinafter Duke Report on Data Brokers and Military
Personnel Data), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf.
---------------------------------------------------------------------------
I. Summary of the Proposed Rule
The CFPB proposes to implement the FCRA's definitions of consumer
report and consumer reporting agency in several respects to ensure that
the FCRA's protections apply to all data brokers that transmit the
types of consumer information that Congress designed the statute to
protect, and to the types of activities that Congress designed the
statute to regulate. For example, the proposed rule:
Provides that data brokers that sell information about a
consumer's credit history, credit score, debt payments (including on
non-credit obligations), or income or financial tier generally are
consumer reporting agencies selling consumer reports, regardless of the
[[Page 101403]]
purpose for which any specific communication of such information is
used or expected to be used;
Provides that a communication by a consumer reporting
agency of a portion of the consumer report that consists of personal
identifiers such as the consumer's name, address, or age, is a consumer
report if the information was collected for the purpose of preparing a
consumer report about the consumer;
Includes provisions intended to prevent privacy harms
associated with the re-identification of de-identified consumer report
information;
Provides that a communication by a consumer reporting
agency of information about a consumer is a consumer report if the
information is used for an FCRA-covered purpose, regardless of whether
there is evidence that the consumer reporting agency knew or expected
that the information would be used for such a purpose;
Provides that an entity that otherwise meets the
definition of consumer reporting agency is a consumer reporting agency
if it assembles or evaluates information about consumers, including by
collecting, gathering, or retaining; assessing, verifying, or
validating; or contributing to or altering the content of such
information.
The CFPB also proposes to address certain aspects of FCRA section
604(a) regarding permissible purposes to furnish and obtain consumer
reports. These proposals are designed to ensure that consumer reports
are furnished for permissible purposes under the FCRA, and for no other
reasons. For example, the proposed rule:
Provides that a consumer reporting agency furnishes a
consumer report to a person when the consumer reporting agency
facilitates the person's use of the consumer report for the person's
financial gain, even if the consumer reporting agency does not
technically transfer the consumer report to the person;
Provides that the FCRA provision that authorizes a
consumer reporting agency to furnish a consumer report in accordance
with the written instructions of the consumer can be used to obtain a
consumer report for any reason specified by a consumer, but only if the
consumer signs a separate authorization that is not hidden in fine
print and that discloses certain information to the consumer, including
the reason for obtaining the report; and
Provides that the FCRA's permissible purpose relating to
legitimate business needs for consumer reports does not authorize
furnishing of consumer reports for marketing.
The proposal would not interfere with consumer reporting agencies'
ability to furnish consumer reports to either prevent fraud or verify
the identity of a consumer when done in connection with a permissible
purpose, like credit applications, government benefits, bank account
opening, and rental applications, and in compliance with the FCRA's
other requirements.
II. Background
A. History and Purposes of the FCRA
Congress enacted the FCRA, one of the first data privacy laws in
the world, in 1970. The FCRA's enactment was the culmination of
multiple Congressional investigations into the growing data
surveillance industry.\3\ By the late 1960s, the industry was already
of ``vast size and scope.'' \4\ It involved: (1) the collection by
private entities, known as consumer reporting agencies, of information
about tens of millions of American consumers, including information
about ``their employment, income, billpaying record, marital status,
habits, character and morals''; \5\ (2) the assembly and evaluation of
this information by consumer reporting agencies in order to create
elaborate dossiers about individual consumers; and (3) the sale of
those dossiers to a range of entities, including to potential creditors
and employers, who used them to make eligibility determinations about
consumers.\6\
---------------------------------------------------------------------------
\3\ See generally Robert M. McNamara Jr., The Fair Credit
Reporting Act: A Legislative Overview, 22 J. Public Law 67, 77-88
(1973) (hereinafter Fair Credit Reporting Act: A Legislative
Overview).
\4\ 115 Cong. Rec. S2410 (daily ed. Jan. 31, 1969) (statement of
Sen. William Proxmire) (``For example, the Associated Credit Bureaus
of America have over 2,200 members serving 400,000 creditors in
36,000 communities. These credit bureaus maintain credit files on
more than 110 million individuals and in 1967 they issued over 97
million credit reports.'').
\5\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement of
Sen. William Proxmire).
\6\ See generally 115 Cong. Rec. S2410-11 (daily ed. Jan. 31,
1969) (statement of Sen. William Proxmire).
---------------------------------------------------------------------------
Before the FCRA's passage, the consumer reporting industry was
subject to ``an almost complete lack of regulation,'' \7\ leaving
consumers largely powerless to protect themselves from a wide range of
serious harms.\8\ Congressional hearings revealed an industry shrouded
in secrecy. Many consumer reporting agencies prohibited consumer report
users from disclosing to consumers that information in a consumer
report was the reason for an adverse decision, such as the denial of
credit, or the name of the consumer reporting agency that prepared the
report on which the user relied.\9\ According to one contemporary
commentator, ``[w]hether the consumer ever discovered the cause of his
being rejected was largely a matter of an educated guess or
clairvoyance bordering on blind luck.'' \10\ But even if a consumer
knew the reason for an adverse decision and the name of the consumer
reporting agency, this often was not enough: consumers were not always
permitted to access their files or dispute inaccurate information.\11\
And even if a consumer overcame these obstacles and managed to file a
dispute, the investigations conducted by consumer reporting agencies
were often standardless and shoddy, in part because many consumer
reporting agencies deemed investigations too costly to conduct.\12\
---------------------------------------------------------------------------
\7\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969).
\8\ See generally Fair Credit Reporting Act: A Legislative
Overview, supra note 3, at 77-88; S. Rep. No. 517, 91st Cong., 1st
Sess. 3-4 (1969); 115 Cong. Rec. S2410-14 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
\9\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong.
Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\10\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 79.
\11\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong.
Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\12\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 81-82; S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969);
115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen.
William Proxmire).
---------------------------------------------------------------------------
Congressional hearings further revealed that many consumer
reporting agencies at that time exhibited only a marginal commitment to
accuracy. Consumer reports sometimes included information that was
false or incomplete or that pertained to the wrong consumer
altogether.\13\ Indeed, consumer reporting agencies often disclaimed
the accuracy of their reports, portraying themselves as mere
transmitters of information without responsibility for ensuring that
the information was correct.\14\ Because consumers generally were
unable to see the information for themselves and have it corrected, the
harms that flowed from the communication of inaccurate, incomplete,
irrelevant, and outdated information could be intractable.
---------------------------------------------------------------------------
\13\ 115 Cong. Rec. S2411-12 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
\14\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 80.
---------------------------------------------------------------------------
Congressional hearings also revealed that the consumer reporting
industry posed significant privacy risks to consumers, and the
legislative history suggests that Congress was concerned about the
invasion of consumer privacy generally, as well as the specific harms
[[Page 101404]]
that flow from such invasions.\15\ Consumer reporting agencies
possessed huge quantities of sensitive information about tens of
millions of Americans, but there were no ``public standards to [e]nsure
that the information [was] kept confidential and used only for its
intended purpose''--a fact that the primary sponsor of the FCRA,
Senator William Proxmire, described as ``disturbing.'' \16\ As a
result, it was relatively easy for one person to obtain confidential
information about another person. In one example, a reporter was able
to obtain 10 out of 20 reports requested at random from 20 consumer
reporting agencies by using the name of a fictitious company under the
guise of offering credit.\17\ As Senator Proxmire noted in introducing
the bill that would become the FCRA, these threats to consumer privacy
were only likely to increase with ``[t]he growing accessibility of this
information through computer- and data-transmission techniques.'' \18\
---------------------------------------------------------------------------
\15\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement
of Sen. William Proxmire).
\16\ Id.
\17\ S. Rep. No. 517, 91st Cong., 1st Sess. 4 (1969); 115 Cong.
Rec. S2413 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\18\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement
of Sen. William Proxmire).
---------------------------------------------------------------------------
Congress sought to address these and other consumer harms in the
FCRA. In enacting the statute, it found that consumer reporting
agencies played a ``vital role'' in assembling and evaluating consumer
information to meet the needs of commerce, but that rules were
necessary to ensure that consumer reporting agencies conduct their
activities in a manner that is ``fair and equitable to the consumer,
with regard to the confidentiality, accuracy, relevancy, and proper
utilization'' of that information.\19\ Accordingly, the FCRA
established a framework with four principal pillars: (1) a bright-line
prohibition on using or disseminating consumer reports unless for one
of the limited permissible purposes identified by Congress; (2) a
requirement that consumer reporting agencies follow reasonable
procedures to assure the maximum possible accuracy of consumer reports;
(3) a consumer right to dispute inaccurate or incomplete information
and have it corrected; and (4) a consumer right to see the information
that a consumer reporting agency possesses about the consumer. In the
years since its passage in 1970, the FCRA has been amended many times,
including to expand the statute's reach so that it now imposes
obligations not just on consumer reporting agencies and consumer report
users, but also on the entities that furnish information to consumer
reporting agencies.\20\
---------------------------------------------------------------------------
\19\ FCRA section 602, 15 U.S.C. 1681 (Congressional findings
and statement of purpose).
\20\ See, e.g., Fair & Accurate Credit Transactions Act of 2003,
Public Law 108-159 (2003); Consumer Credit Reporting Reform Act of
1996, Public Law 104-208 (1996).
---------------------------------------------------------------------------
The CFPB's Regulation V, 12 CFR part 1022, generally implements the
FCRA. In 2003, Congress granted the Federal Trade Commission (FTC) and
several other Federal agencies rulemaking authority for certain FCRA
provisions.\21\ For some provisions the authority was joint; for others
it was exclusive to a particular agency. Over the next several years,
the FTC and those agencies issued multiple rules implementing various
provisions of the statute.\22\ With the passage of the Consumer
Financial Protection Act of 2010 (CFPA), Congress transferred
rulemaking authority for most provisions of the FCRA to the CFPB.\23\
---------------------------------------------------------------------------
\21\ See Fed. Trade Comm'n, 40 Years of Experience with the Fair
Credit Reporting Act: An FTC Staff Report with Summary of
Interpretations, at 5-6 (July 2011) (hereinafter FTC 40 Years Staff
Report), https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf.
\22\ See, e.g., 74 FR 31484 (July 1, 2009); 69 FR 63922 (Nov. 3,
2004); 69 FR 35467 (June 24, 2004).
\23\ See Dodd-Frank Wall Street Reform and Consumer Protection
Act (Dodd-Frank Act), Public Law 111-203, section 1088, 124 Stat.
1376, 2086 (2010); see also Dodd-Frank Act sections 1024, 1025, and
1061, 124 Stat. 1987 (codified at 12 U.S.C. 5514, 5515, and 5581).
Authority over FCRA sections 615(e) and 628, 15 U.S.C. 1681m(e) and
1681w, is limited to the Federal banking agencies and the National
Credit Union Administration, the FTC, the Commodity Futures Trading
Commission, and the U.S. Securities and Exchange Commission. In
addition, section 1029 of the Dodd-Frank Act generally excludes from
the transfer of authority to the CFPB rulemaking authority over a
motor vehicle dealer that is predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of motor
vehicles, or both. 12 U.S.C. 5519(a) and (c).
---------------------------------------------------------------------------
B. Goals of the Rulemaking
Protecting Consumer Information in the Data Broker Market
Today, Americans regularly engage in activities that reveal
personal information about themselves, often without realizing it. They
may, for example, visit a website, download an app, charge an item to a
credit card, use a loyalty card at a grocery store or pharmacy, order
goods online, subscribe to a newspaper or magazine, or make a donation.
In each instance, the entity with whom the consumer interacts might
collect information about the consumer. These entities might sell the
consumer's information to other entities with whom the consumer does
not have a relationship, or they might keep or reuse the information
for themselves. Entities that collect, aggregate, sell, resell,
license, enable the use of, or otherwise share consumer information
with other parties are commonly known as data brokers.\24\
---------------------------------------------------------------------------
\24\ See 88 FR 16951, 16952-53 (Mar. 21, 2023).
---------------------------------------------------------------------------
Different data brokers compile and sell different types of consumer
information.\25\ Much of the information is private and highly
sensitive, such as information about a consumer's finances, income,
physical and mental health, sexual orientation, religious affiliation,
and political preferences, as well as information about the websites
and apps the consumer visits or uses, the stores the consumer
frequents, the products the consumer buys, and the consumer's location
throughout the day.\26\ Data brokers obtain this information from a
variety of sources, including retailers, websites and apps, newspaper
and magazine publishers, and financial service providers, as well as
cookies and similar technologies that gather information about
consumers' online activities.\27\ Other information is publicly
available, such as criminal and civil record information maintained by
Federal, State, and local courts and governments, and information
available on the internet, including information posted by consumers on
social media.\28\ The volume of data collected, bought,
[[Page 101405]]
and sold by data brokers is enormous. Some of the nation's largest data
brokers boast that they possess information about hundreds of millions
of American consumers consisting of billions of data points, with some
data updated instantaneously.\29\
---------------------------------------------------------------------------
\25\ See generally Urbano Reviglio, The Untamed and Discreet
Role of Data Brokers in Surveillance Capitalism: A Transnational and
Interdisciplinary Overview, 11 Internet Policy Review 3 (Aug. 4,
2022), https://policyreview.info/articles/analysis/untamed-and-discreet-role-data-brokers-surveillance-capitalism-transnational-and; Fed. Trade Comm'n, Data Brokers: A Call for Transparency and
Accountability, at 11-18, 24, B3-B6 (May 2014) (hereinafter FTC Data
Broker Report), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
\26\ See Am. Compl. For Permanent Inj. and Other Relief ]] 72-
76, 97-106, FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW (D. Idaho
June 5, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf; Joanne Kim, Duke Sanford Cyber
Policy Program, Data Brokers & the Sale of Americans' Mental Health
Data (Feb. 2023) (hereinafter Duke Report on Data Brokers and Mental
Health Data), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/02/Kim-2023-Data-Brokers-and-the-Sale-of-Americans-Mental-Health-Data.pdf; FTC Data Broker Report, supra note
25; Staff of S. Comm. on Com., Sci., & Transp., A Review of the Data
Broker Industry: Collection, Use, and Sale of Consumer Data for
Marketing Purposes, at ii, 13-21 (Dec. 18, 2013), https://www.commerce.senate.gov/services/files/0D2B3642-6221-4888-A631-08F2F255B577.
\27\ See, e.g., Alfred Ng & Jon Keegan, Who is Policing the
Location Data Industry?, The Markup (Feb. 24, 2022), https://themarkup.org/the-breakdown/2022/02/24/who-is-policing-the-location-data-industry; FTC Data Broker Report, supra note 25, at 11-14.
\28\ See FTC Data Broker Report, supra note 25, at 11-13.
\29\ Justin Sherman, Duke Sanford Cyber Policy Program, Data
Brokers and Sensitive Data on U.S. Individuals: Threats to American
Civil Rights, National Security, and Democracy, at 4-8 (2021)
(hereinafter Duke Report on Data Brokers and Sensitive Data),
https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf.
---------------------------------------------------------------------------
Certain data brokers compile the information they collect into
reports about individual consumers, which they sell to third parties
for use in assessing a consumer's eligibility for credit, employment,
or insurance. Data brokers may also use the information, or the
inferences they have drawn from that information, to create elaborate
dossiers about consumers for targeted marketing purposes. For example,
a data broker may use information about a consumer's income, location,
purchases, or health condition to classify the consumer--including, for
instance, as ``Financially Challenged,'' ``Modest Wages,'' ``Working-
class Mom,'' ``Senior Products Buyer,'' or ``Consumer[ ] with Clinical
Depression''--and then sell lists of such consumers to advertisers.\30\
In addition, data brokers may use the information they collect to
develop and maintain their own products, such as ``people search''
engines and other online lookup tools, to build proprietary algorithms,
to test and run advertising campaigns, and to train machine learning
systems.\31\ Some data brokers simply sell the consumer information
they collect to individual purchasers, including to other data brokers
and members of the general public.
---------------------------------------------------------------------------
\30\ See Duke Report on Data Brokers and Mental Health Data,
supra note 26, at 14; FTC Data Broker Report, supra note 25, at 20-
21.
\31\ See, e.g., Will Knight, Generative AI Is Making Companies
Even More Thirsty for Your Data, Wired (Aug. 10, 2023), https://www.wired.com/story/fast-forward-generative-ai-companies-thirsty-for-your-data/.
---------------------------------------------------------------------------
Government agencies, technology and privacy experts, consumer
advocates, and others have identified a range of consumer harms posed
by data brokers that treat consumer information as though it is not
subject to the FCRA.\32\ As discussed further in part IV, the data
broker industry can threaten national security. For example, countries
of concern can obtain from data brokers the financial information of
active military members, such as income and level of indebtedness, to
compromise or blackmail them in an effort to obtain sensitive national
security information. The data broker industry also is used to
facilitate a range of financial scams. For example, fraudsters can
obtain from data brokers lists of people with income below a certain
threshold, which can be used to pitch predatory and unlawful products
to families in financial distress. The highly sensitive information
collected and sold by data brokers also is an attractive target for
other bad actors. For example, thieves can obtain information from data
brokers that enables them to steal people's identities and open new
accounts or drain existing ones. And stalkers, harassers, and other
criminals can use sensitive information obtained from data brokers to
contact people who do not wish to be contacted, such as domestic
violence survivors.
---------------------------------------------------------------------------
\32\ See, e.g., Elec. Privacy Info. Ctr., Disrupting Data Abuse:
Protecting Consumers from Commercial Surveillance in the Online
Ecosystem (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf; Duke
Report on Data Brokers and Sensitive Data, supra note 29; FTC Data
Broker Report, supra note 25.
---------------------------------------------------------------------------
To date, however, many data brokers have attempted to avoid
liability under the FCRA by arguing that they are not consumer
reporting agencies selling consumer reports, as those terms are defined
in the statute. Many data brokers have made these arguments even though
they collect, assemble, evaluate, or sell the same information as other
consumer reporting agencies--and even though their activities pose the
same risks to consumers that motivated the FCRA's passage. As explained
further below, the proposed rule provides that the FCRA's definitions
of consumer reporting agency and consumer report cover a wide range of
data brokers and data broker activities under the FCRA. If the proposed
rule is finalized, one practical effect would be that additional data
brokers would be prohibited from selling information for non-FCRA
purposes, thus limiting the transmission of information that is used to
market products to consumers--and to scam, defraud, stalk, or harass
them.
Protecting Consumer Information From Unauthorized Disclosure by
Consumer Reporting Agencies
The CFPB also has observed that consumer reporting agencies
continue to engage in practices that may be harmful to consumers. The
consumer credit reporting industry has consistently been a major source
of consumer complaints to the CFPB. Complaints about credit or consumer
reporting represented roughly 80 percent of consumer complaints
submitted to the CFPB during 2023, far more than any other category of
consumer product or service.\33\ Indeed, credit or consumer reporting
has been the most-complained-about category of consumer financial
product or service to the CFPB every year since 2017.\34\ One ongoing
area of concern for the CFPB is consumer reporting agencies engaging in
practices that may threaten consumer privacy.
---------------------------------------------------------------------------
\33\ Consumer Fin. Prot. Bureau, Consumer Response Annual
Report, at 11 (Mar. 2024), https://files.consumerfinance.gov/f/documents/cfpb_cr-annual-report_2023-03.pdf (noting that the CFPB
received approximately 1.3 million credit or consumer reporting
complaints in 2023, a 34 percent increase compared to 2022).
\34\ Consumer Fin. Prot. Bureau, Consumer Response Annual
Report, at 11 (Mar. 2023), https://files.consumerfinance.gov/f/documents/cfpb_2022-consumer-response-annual-report_2023-03.pdf;
Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 3
(Mar. 2022), https://files.consumerfinance.gov/f/documents/cfpb_2021-consumer-response-annual-report_2022-03.pdf; Consumer Fin.
Prot. Bureau, Consumer Response Annual Report, at 9 (Mar. 2021),
https://files.consumerfinance.gov/f/documents/cfpb_2020-consumer-response-annual-report_03-2021.pdf; Consumer Fin. Prot. Bureau,
Consumer Response Annual Report, at 9 (Mar. 2020), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2019.pdf; Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 9 (Mar. 2019), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2018.pdf; Consumer
Fin. Prot. Bureau, Consumer Response Annual Report, at 9 (Mar.
2018), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2017.pdf.
---------------------------------------------------------------------------
As discussed above, privacy was a key motivating factor for passage
of the FCRA, and the FCRA protects consumer privacy in multiple ways,
including by strictly limiting the circumstances under which consumer
reporting agencies may disclose consumer information. For example, FCRA
section 604, entitled ``Permissible purposes of consumer reports,''
identifies an exclusive list of permissible purposes for which consumer
reporting agencies may furnish consumer reports, including in
accordance with the written instructions of the consumer to whom the
report relates and for purposes relating to credit, employment, and
insurance.\35\ The FCRA's
[[Page 101406]]
permissible purpose provisions are central to the statute's protection
of consumer privacy. The CFPB is concerned that sensitive consumer
information that the statute was designed to protect is being furnished
by consumer reporting agencies to users that do not have a permissible
purpose under the FCRA to obtain the information, thereby threatening
consumers' privacy, and causing reputational, emotional, economic, and
physical harm to consumers. These threats have grown more acute as
advances in technology have facilitated the easy sharing of such
consumer information online.
---------------------------------------------------------------------------
\35\ 15 U.S.C. 1681b(a). Other sections of the FCRA identify
additional limited circumstances under which consumer reporting
agencies are permitted or required to disclose certain information
to government agencies. See FCRA sections 608, 626, and 627, 15
U.S.C. 1681f, 1681u, 1681v; see also, e.g., FTC v. Manager, Retail
Credit Co., Miami Beach Branch Off., 515 F.2d 988, 994-95 (D.C. Cir.
1975) (holding that 15 U.S.C. 1681s(a) authorizes the FTC to obtain
consumer reports in FCRA enforcement investigations). Further, the
Debt Collection Improvement Act of 1996, Public Law 104-134, 110
Stat. 1321, section 31001(m)(1), allows the head of an executive,
judicial, or legislative agency to obtain a consumer report under
certain circumstances relating to debt collection. See 31 U.S.C.
3711(h). The proposed rule is not intended to alter the additional
circumstances in which government agencies may obtain consumer
report information.
---------------------------------------------------------------------------
For example, consumer reporting agencies sell personal identifiers
collected for the purpose of preparing consumer reports--often known as
``credit header'' information--to third parties who may not have an
FCRA-permissible purpose to obtain the information. The sale by
consumer reporting agencies of personal identifiers, which may include
sensitive information such as a consumer's Social Security number,
contributes to the availability of such information for purchase
online, potentially by fraudsters and other persons seeking to dox and
expose consumers' personal information or otherwise exploit or harm
consumers. The proposed rule would take steps to address this problem
by providing that the term ``consumer report'' includes communications
by a consumer reporting agency of personal identifiers that were
collected for the purpose of preparing consumer reports and that such
information therefore can be sold by consumer reporting agencies only
to users who have a permissible purpose to obtain it.
The CFPB is also aware that consumer reporting agencies offer and
sell to users who do not have an FCRA permissible purpose a variety of
products that include information that has been drawn from consumer
reporting databases and that has been aggregated or otherwise
purportedly de-identified to try to mask the identities of the
individual consumers to whom the information relates. This information
may be sold or made available, for example, for use in marketing
campaigns, even though advertising and marketing generally are not
permissible purposes under the FCRA.\36\ As with the sale of personal
identifiers, the sale of purportedly de-identified information about
consumers to users who do not have an FCRA permissible purpose to
obtain it contributes to the proliferation of sensitive consumer
information available for purchase online. The CFPB is concerned that
advances in technology have made, and will continue to make, it easier
for users to combine data and identify consumers within purportedly de-
identified data sets, and that the sale of such information by consumer
reporting agencies thus threatens the privacy of consumer information
in the very ways Congress designed the FCRA to prevent. The CFPB
proposes three possible alternatives to address this problem and
clarify when a communication by a consumer reporting agency of
information about a consumer is a consumer report.
---------------------------------------------------------------------------
\36\ An exception exists for the purpose of making firm offers
of credit or insurance. FCRA section 604(c)(1)(B), 15 U.S.C.
1681b(c)(1)(B). In addition, a consumer reporting agency may provide
a consumer report to a user ``in accordance with the written
instructions of the consumer'' to whom the report relates. FCRA
section 604(a)(2), 15 U.S.C. 1681b(a)(2).
---------------------------------------------------------------------------
In addition to general concerns regarding the privacy of consumers'
sensitive information, the CFPB is concerned that consumer reporting
agencies are monetizing consumer report information for use in
marketing in ways that the FCRA prohibits. As noted, marketing and
advertising generally are not permissible purposes for furnishing or
obtaining consumer reports. Nevertheless, as technology has advanced,
consumer reporting agencies have begun to employ techniques and
business models designed to evade this restriction. The proposed rule
would address these developments and would emphasize that the FCRA's
legitimate business need permissible purpose does not authorize
consumer reporting agencies to furnish consumer reports to users for
solicitation or marketing purposes.
The CFPB additionally proposes to specify what is needed to
establish a permissible purpose based on the written instructions of a
consumer. This proposed provision is intended to ensure that consumer
reporting agencies and consumer report users do not abuse the written
instructions permissible purpose by purportedly obtaining consumer
consent to furnish or obtain a consumer report pursuant to disclosures
buried within lengthy terms and conditions or otherwise presented to
the consumer in a manner that interferes with the consumer's ability to
make informed decisions.
C. Outreach and Engagement
Request for Information
On March 15, 2023, the CFPB issued a Request for Information (RFI)
regarding the data broker industry and business practices involving the
collection and sale of consumer information.\37\ The RFI sought
information about new business models that sell consumer data and about
consumer harm that could result from such business models. The CFPB
received over 7,000 comments in response to the RFI. The comments
helped to inform the CFPB's approach to the proposed rule.
---------------------------------------------------------------------------
\37\ 88 FR 16951 (Mar. 21, 2023) (hereinafter CFPB Data Broker
RFI).
---------------------------------------------------------------------------
Small Business Review Panel
Pursuant to the Small Business Regulatory Enforcement Fairness Act
of 1996 (SBREFA),\38\ the CFPB issued an Outline of Proposals and
Alternatives under Consideration in connection with this proposal in
September 2023.\39\ The CFPB convened a Small Business Review Panel
(Panel) on October 16, 2023, and held Panel meetings on October 18 and
19, 2023. Representatives from 16 small businesses were selected as
small entity representatives for the SBREFA process. These entities
represented small businesses that the CFPB determined would likely be
directly affected by one or more of the proposals under consideration.
On December 15, 2023, the Panel completed the Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Consumer Reporting Rulemaking.\40\ The CFPB also
invited and received feedback on the proposals under consideration from
others, including stakeholders other than small entity representatives,
although this feedback was not included in the Small Business Review
Panel Report.\41\ The CFPB has considered the
[[Page 101407]]
feedback from small entity representatives and other stakeholders, as
well as the findings and recommendations of the Small Business Review
Panel, in preparing this proposed rule. Panel recommendations regarding
specific proposals under consideration are addressed in part IV.
---------------------------------------------------------------------------
\38\ Public Law 104-121, 110 Stat. 857 (1996).
\39\ Consumer Fin. Prot. Bureau, Small Business Advisory Review
Panel For Consumer Reporting Rulemaking--Outline of Proposals and
Alternatives Under Consideration (Sept. 15, 2023) (hereinafter Small
Business Review Panel Outline or Outline), https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf.
\40\ Consumer Fin. Prot. Bureau, Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Consumer Reporting Rulemaking (Dec. 15, 2023)
(hereinafter Small Business Review Panel Report or Panel Report),
https://files.consumerfinance.gov/f/documents/cfpb_sbrefa-final-report_consumer-reporting-rulemaking_2024-01.pdf.
\41\ Feedback received on the Small Business Review Panel
Outline will be placed on the public docket for this rulemaking.
---------------------------------------------------------------------------
This proposed rule does not address feedback received as part of
the SBREFA process about proposals that were under consideration
regarding medical debt collection information. Those proposals under
consideration were addressed in the CFPB's proposed rule regarding
consumer reporting of medical information.\42\ This proposed rule also
does not address feedback received as part of the SBREFA process about
proposals that were under consideration regarding data security and
data breaches, disputes involving legal matters, and disputes involving
systemic issues. Those topics are not included in this proposed rule.
---------------------------------------------------------------------------
\42\ 89 FR 51692 (June 18, 2024) (hereinafter CFPB Medical Debt
Proposed Rule).
---------------------------------------------------------------------------
Interagency and Stakeholder Consultations
Consistent with section 1022(b)(2)(B) of the CFPA, the CFPB has
consulted with the appropriate prudential regulators and other Federal
agencies, including regarding consistency with any prudential, market,
or systemic objectives administered by these agencies. The CFPB has
also consulted with officials from certain State agencies. In addition,
the CFPB has discussed the proposed rule with, and considered written
feedback submitted by, a range of interested stakeholders. The CFPB
discusses throughout this document feedback received through these
various channels that is relevant to the proposed rule.
III. Legal Authority
The CFPB is proposing to amend Regulation V pursuant to its
authority under the FCRA and the CFPA. Section 1022(b)(1) of the CFPA
authorizes the CFPB to prescribe rules ``as may be necessary or
appropriate to enable the [CFPB] to administer and carry out the
purposes and objectives of the Federal consumer financial laws, and to
prevent evasions thereof.'' \43\ The FCRA is a Federal consumer
financial law, except with respect to sections 615(e) and 628.\44\
Accordingly, the CFPB has authority under CFPA section 1022(b)(1) to
issue regulations to administer and carry out the purposes and
objectives of the FCRA and to prevent evasion thereof, except with
respect to sections 615(e) and 628.
---------------------------------------------------------------------------
\43\ 12 U.S.C. 5512(b)(1).
\44\ CFPA section 1002(14), 12 U.S.C. 5481(14) (defining
``Federal consumer financial law'' to include the ``enumerated
consumer laws'' and the provisions of the CFPA); CFPA section
1002(12), 12 U.S.C. 5481(12) (defining ``enumerated consumer laws''
to include the FCRA, except with respect to sections 615(e) and
628).
---------------------------------------------------------------------------
FCRA section 621(e) provides that, except with respect to sections
615(e) and 628, the CFPB ``shall prescribe such regulations as are
necessary to carry out the purposes of [the FCRA].'' \45\ Specifically,
FCRA section 621(e) provides that the CFPB ``may prescribe regulations
as may be necessary or appropriate to administer and carry out the
purposes and objectives'' of the FCRA.\46\ The stated purpose of the
FCRA is to ensure that ``consumer reporting agencies adopt reasonable
procedures for meeting the needs of commerce for consumer credit,
personnel, insurance, and other information in a manner which is fair
and equitable to the consumer, with regard to the confidentiality,
accuracy, relevancy, and proper utilization of such information.'' \47\
Except with respect to sections 615(e) and 628, the CFPB accordingly
has authority to issue regulations ``necessary or appropriate to
administer and carry out'' the provisions of the FCRA consistent with
this purpose.\48\ FCRA section 621(e) further provides that the CFPB
may prescribe regulations as may be necessary and appropriate to
prevent evasions of the FCRA or to facilitate compliance therewith.\49\
---------------------------------------------------------------------------
\45\ 15 U.S.C. 1681s(e).
\46\ Id.
\47\ FCRA section 602(b), 15 U.S.C. 1681(b).
\48\ See Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244, 2263
(2024) (explaining that Congress's use of the term ``appropriate''
``leaves agencies with flexibility'' in regulating (citation
omitted)).
\49\ Cf. Consumer Fin. Prot. Bureau v. Townstone Fin., Inc., 107
F.4th 768, 776 (7th Cir. 2024) (``In endowing the Board with
authority to prevent `circumvention or evasion,' Congress indicated
that the [Equal Credit Opportunity Act] must be construed broadly to
effectuate its purpose of ending discrimination in credit
applications.'').
---------------------------------------------------------------------------
The CFPB has considered this proposed rule in the context of its
legal authority under the FCRA and the CFPA and has developed the
proposed provisions by relying on its expertise in understanding and
developing policy regarding the consumer reporting market. The CFPB has
preliminarily determined that each of the proposed provisions is
consistent with the purpose of the FCRA and is authorized under FCRA
section 621(e) and CFPA section 1022(b)(1). Pursuant to FCRA section
621(e), any final rule prescribed by the CFPB would apply to all
persons subject to the FCRA, except as described in section 1029(a) of
the CFPA.\50\
---------------------------------------------------------------------------
\50\ The CFPB also notes that, subject to certain exceptions,
the FCRA states that it ``does not annul, alter, affect, or exempt
any person subject to [the FCRA] from complying with the laws of any
State with respect to the collection, distribution, or use of any
information on consumers, or for the prevention or mitigation of
identity theft, except to the extent that those laws are
inconsistent with any provision of this subchapter, and then only to
the extent of the inconsistency.'' 15 U.S.C. 1681t(a); see also
Davenport v. Farmers Ins. Grp., 378 F.3d 839, 842 (8th Cir. 2004)
(``The FCRA makes clear that it is not intended to occupy the entire
regulatory field with regard to consumer reports''). Therefore,
State laws that are not inconsistent with the FCRA--including State
laws that are more protective of consumers than the FCRA--are
generally not preempted. See 87 FR 41042 (July 11, 2022).
---------------------------------------------------------------------------
As noted in proposed Sec. 1022.1(b)(1) regarding the scope of
Regulation V, the regulation implements only certain provisions of the
FCRA. In this rulemaking, the CFPB proposes to implement for the first
time in Regulation V the definitions of consumer report and consumer
reporting agency in FCRA section 603(d) and (f) and the permissible
purposes of consumer reports as set forth in FCRA section 604(a).\51\
Unless specifically noted otherwise, the CFPB's mere restatement of
statutory language is not intended to affect the status quo regarding
caselaw or judicial or other interpretations that exist with respect to
such restated language. Explaining the scope of Regulation V in
proposed Sec. 1022.1(b)(1) and restating certain statutory text should
facilitate compliance with the statute, but the CFPB requests comment
on the proposed approach.
---------------------------------------------------------------------------
\51\ The proposed rule does not restate all of FCRA sections 603
and 604. Among other provisions in those sections, the proposed rule
does not restate FCRA section 604(c) regarding credit or insurance
transactions that are not initiated by the consumer.
---------------------------------------------------------------------------
IV. Discussion of the Proposed Rule
Subpart A--General Provisions
Section 1022.4 Definition; Consumer Report
In general, a consumer report under the FCRA is a written, oral, or
other communication by a consumer reporting agency of any information
that: (1) bears on at least one of seven specified factors relating to
a consumer; and (2) is used or expected to be used or collected in
whole or in part for the purpose of serving as a factor in establishing
the consumer's eligibility for credit or insurance, for employment
purposes, or for any other purpose authorized under FCRA section 604
(i.e., the section that establishes permissible purposes of consumer
reports). The seven factors relating to a consumer specified in the
definition of consumer report are a
[[Page 101408]]
consumer's creditworthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of
living.\52\ The CFPB proposes Sec. 1022.4 to implement and interpret
the FCRA definition of consumer report.
---------------------------------------------------------------------------
\52\ FCRA section 603(d), 15 U.S.C. 1681a(d).
---------------------------------------------------------------------------
Proposed Sec. 1022.4(a), (f), and (g) restate the FCRA definition
with minor wording and organizational changes for clarity.\53\ Proposed
Sec. 1022.4(a)(1) restates the ``bears on'' prong of the definition,
proposed Sec. 1022.4(a)(2) restates the purposes listed in the
definition, and proposed Sec. 1022.4(f) and (g) restate provisions
addressing exclusions from the definition. The CFPB proposes Sec.
1022.4(b) through (e) to address whether and when the communication of
certain consumer information constitutes a consumer report, with the
goal of ensuring the FCRA's protections are applied to such
information. The CFPB also proposes to revise several provisions in
existing Regulation V that cross-reference the definition of consumer
report in FCRA section 603(d) to instead cross-reference the definition
in proposed Sec. 1022.4.\54\
---------------------------------------------------------------------------
\53\ In restating FCRA section 603(d)(2)(D), proposed Sec.
1022.4(f) cross-references FCRA section 603(y) rather than FCRA
section 603(x) because the CFPA re-designated FCRA section 603(x) as
FCRA section 603(y). See 15 U.S.C. 1681a, n.1; Fed. Trade Comm'n,
Fair Credit Reporting Act, 15 U.S.C. 1681, at 2 n.1 (Sept. 2018),
https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf (noting that
``(o) or (x)'' in FCRA section 603(d)(2)(D) ``[s]hould be read as
`(o) or (y)' '').
\54\ These provisions are Sec. Sec. 1022.20(b)(3), 1022.32(b),
1022.71(f), 1022.130(c), and 1022.142(b)(2). If this proposal and
the CFPB's Medical Debt Proposed Rule, supra note 42, are both
finalized, the CFPB intends to revise in the same way cross-
references to the terms ``consumer report'' and ``consumer reporting
agency'' in Sec. 1022.38, as proposed to be added to Regulation V
by the Medical Debt Proposed Rule.
---------------------------------------------------------------------------
Is Used or Expected To Be Used
Proposed Sec. 1022.4(b) and (c) address the phrase ``is used or
expected to be used'' and surrounding elements of the statutory
definition of consumer report. The proposed provisions address whether
and when the applicable information is used (proposed Sec. 1022.4(b))
or is expected to be used (proposed Sec. 1022.4(c)) for one of the
purposes specified in the definition--that is, for the purpose of
serving as a factor in establishing a consumer's eligibility for
consumer credit or insurance, for employment purposes, or for any other
purpose authorized under FCRA section 604. The CFPB proposes these
provisions to ensure that the FCRA's protections apply to certain
communications of consumer information, including by incentivizing
entities that sell consumer information to monitor the uses to which
such information is put and by ensuring that certain types of consumer
information are within the scope of the FCRA regardless of how any
particular communication of that information is used.
As explained further below, the FCRA's definition of the term
``consumer report'' presents several interpretive questions relevant to
this proposed rule. First, what is the item that might be ``used or
expected to be used'' for the relevant purpose--the specific
``communication'' (i.e., the actual transmittal of data) or the
``information'' contained within that communication (i.e., the facts
that the communication describes)? Courts have tended to focus their
analysis on the specific communication, although it is unclear how many
courts have been presented with the alternative.\55\ Second, given that
the phrase is in the passive voice, by whom might a communication or
information be ``used or expected to be used'' to qualify as a consumer
report--the specific recipient of the communication or a broader
population of parties? Again, courts have tended to consider the
activities of the specific user in the case at issue, but it is unclear
whether courts have been presented with the alternative.\56\ Third,
whose expectations are relevant in determining whether a communication
of information is ``expected to be used'' for a particular purpose--the
person making the communication or someone else? And fourth, are that
person's subjective expectations all that matter, or, as courts have
held, does the analysis also consider what the person objectively
should expect?
---------------------------------------------------------------------------
\55\ See, e.g., Comeaux v. Brown & Williamson Tobacco Co., 915
F.2d 1264, 1273-74 (9th Cir. 1990) (``The plain language of section
1681a(d) reveals that a credit report will be construed as a
`consumer report' under the FCRA if the credit bureau providing the
information expects the user to use the report for a purpose
permissible under the FCRA . . . .'' (second emphasis added)); cf.
Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d 988, 994 (D.
Nev. 2021) (applying the series-qualifier and nearest-reasonable-
referent cannons to conclude that, under the definition of consumer
report, ``it is the information in the communication, not the
communication itself, that must be of the kind that is used or
expected to be used or collected in whole or in part for the
purposes of serving as a favor [sic] in credit, employment, or
insurance decisions or other reasons allowed under the FCRA'').
\56\ See, e.g., Comeaux, 915 F.2d at 1273-74.
---------------------------------------------------------------------------
With these interpretive questions in mind, the CFPB is proposing
provisions to administer and carry out the statutory scheme, prevent
evasion of the FCRA's requirements, and ensure that the statute's
protections apply to communications of consumer information that raise
concerns the FCRA was designed to address. In doing so, the CFPB is
also proposing particular approaches to resolving the interpretive
questions set forth above. First, the CFPB proposes to treat ``used or
expected to be used'' as modifying ``information'' rather than
``communication.'' Grammatically, the term to which ``used or expected
to be used'' refers should also be the term to which ``collected''
refers, and a consumer reporting agency does not ``collect''
communications. Second, the CFPB proposes to interpret ``used'' to
include use by persons other than the direct recipient of a
communication. If ``used or expected to be used'' referred only to how
the direct recipient used or was expected to use the information in a
communication, then the recipient's use or expected use for a non-
permissible purpose would not violate the statute because, by virtue of
that use or expected use, the communication would not be a consumer
report.\57\ Moreover, if the analysis focused only on the initial
recipient, the statute would be easy to evade by passing information
through intermediaries before it reached the ultimate user. Third, the
CFPB proposes to interpret ``expected to be used'' to refer to the
expectations of the person communicating the information, which is
consistent with longstanding case law and is a natural reading of the
statutory language. Fourth, the CFPB proposes to interpret ``expected
to be used'' to consider both what that person subjectively expected
and what that person objectively should have expected about the use of
the transmitted information. This interpretation is consistent with
past agency and judicial interpretations and would emphasize that
persons cannot sell consumer information and attempt to avoid coverage
by willfully ignoring the purposes for which the information will be
used.
---------------------------------------------------------------------------
\57\ The communication of the information could still be a
consumer report if the information was collected for a purpose
described in FCRA section 603(d)(1), in which case it could be
furnished only to a recipient with a permissible purpose.
---------------------------------------------------------------------------
Since the FCRA's enactment in 1970, applications of the law have
often undermined one of the statute's core commitments: protecting
consumer privacy. The CFPB proposes to implement the statute in a
manner that respects Congress's concern with limiting the purchase and
sale of sensitive consumer information and restores the full meaning of
the statute's permissible purpose provisions.
[[Page 101409]]
The CFPB uses these threshold principles, described in more detail
below, to guide the following proposals.
4(b) Is Used
Proposed Sec. 1022.4(b) interprets the phrase ``is used'' in the
definition of consumer report. It provides that information in a
communication is used for a purpose described in proposed Sec.
1022.4(a)(2) if a recipient of the information uses the information for
such purpose. The proposal would clarify that the purpose for which
information in a communication is used can cause the communication to
be a consumer report, regardless of whether the person communicating
the information collected it or expected it to be used for that
purpose.
This interpretation derives from a straightforward reading of the
statute. As summarized above, section 603(d)(1) of the FCRA defines a
consumer report as a communication of information by a consumer
reporting agency bearing on any of seven, specified consumer factors
that is ``[1] used or [2] expected to be used or [3] collected'' in
whole or in part for a purpose described in proposed Sec.
1022.4(a)(2). The principle that a statute must be construed to ``give
effect, if possible, to every clause and word'' \58\ requires that the
phrase ``is used'' be given a meaning independent of ``expected to be
used'' and ``collected.'' \59\ The CFPB's proposed interpretation does
so.
---------------------------------------------------------------------------
\58\ Williams v. Taylor, 529 U.S. 362, 404 (2000) (quoting
United States v. Menasche, 348 U.S. 528, 538-39 (1955)); see also
Duncan v. Walker, 533 U.S. 167, 174 (2001) (discussing rule against
surplusage).
\59\ Similarly, the series-qualifier cannon requires reading the
phrase ``in whole or in part'' as modifying each word or phrase in
the series (i.e., ``is used,'' ``expected to be used,'' and
``collected'') rather than just the final one (i.e., ``collected'').
See Facebook, Inc. v. Duguid, 592 U.S. 395, 402 (2021) (describing
the series-qualifier canon); United States v. MyLife.com, Inc., 499
F. Supp. 3d 757, 764 (C.D. Cal. 2020) (finding that the complaint
adequately pled that the defendant's reports ``were used or expected
to be used in whole or in part for a FCRA purpose'').
---------------------------------------------------------------------------
The proposed interpretation is consistent with guidance previously
issued by FTC staff explaining that a report that is not otherwise a
consumer report may become a consumer report if it is subsequently used
by the recipient for an FCRA-covered purpose.\60\ That guidance also
suggests that a communication of consumer information that is actually
used for an FCRA-covered purpose might not be a consumer report if the
person making the communication could not have reasonably expected the
information to be used in such a way.\61\ Under the CFPB's proposed
interpretation, however, a report including information that ``is
used'' for a purpose described in proposed Sec. 1022.4(a)(2) (and that
satisfies the other elements of the definition of consumer report) is a
consumer report, irrespective of whether the person furnishing the
report could have reasonably expected that use or took steps to prevent
it.
---------------------------------------------------------------------------
\60\ FTC 40 Years Staff Report, supra note 21, at 22.
\61\ See id. (``If the entity supplying the report has taken
reasonable steps to [e]nsure that the report is not used for such a
purpose, and if it neither knows of, nor can reasonably anticipate
such use, the report should not be deemed a consumer report by
virtue of uses beyond the entity's control.'').
---------------------------------------------------------------------------
Proposed Sec. 1022.4(b) also would clarify another aspect of the
phrase ``is used'' in the FCRA's definition of consumer report. In the
definition, the phrase ``for the purpose of serving as a factor in
establishing the consumer's eligibility,'' which follows the phrase
``is used,'' lacks a subject, making it unclear whose use of the
information matters in determining whether information is used for a
purpose described in proposed Sec. 1022.4(a)(2). Proposed Sec.
1022.4(b) would clarify that information is used for a purpose
described in proposed Sec. 1022.4(a)(2) if anyone, not merely the
direct recipient of the communication, uses the information for such a
purpose.
Interpreting the phrase ``is used'' to encompass not just the
immediate recipient of the information but also downstream users is
necessary to carry out the purposes of the statute and prevent evasion.
If all that mattered was what the immediate recipient would do with the
information, a person could potentially avoid FCRA coverage even if the
person had actual knowledge that the entity to which it communicated
the information was selling the information to a downstream recipient
who planned to use it for a purpose described in proposed Sec.
1022.4(a)(2). Indeed, under such an interpretation, a person could
potentially use intermediaries to ensure that they never sold
information directly to a recipient who would use it for such a
purpose, even if the person knew that was how the information would
eventually be used. The CFPB's proposed interpretation is consistent
with case law holding that the ``is used'' element of the definition of
consumer report is satisfied if anyone--not just the initial recipient
of the communication--uses the information for a purpose described in
proposed Sec. 1022.4(a)(2).\62\
---------------------------------------------------------------------------
\62\ Ernst v. Dish Network, LLC, 49 F. Supp. 3d 377, 383
(S.D.N.Y. 2014) (``This means that if anyone uses, expects to use or
collects the information for [a permissible purpose], the statutory
definition of `consumer report' is satisfied.'') (emphasis added);
see also Henderson v. Corelogic Nat'l Background Data, LLC, 161 F.
Supp. 3d 389, 397-98 (E.D. Va. 2016).
---------------------------------------------------------------------------
As a practical matter, this would mean that a person that sells
information that is used for a purpose described in proposed Sec.
1022.4(a)(2) would become a consumer reporting agency, regardless of
whether the person knows or believes that the communication of that
information is legally considered a consumer report, assuming the other
elements of the definition of consumer reporting agency are satisfied.
In other words, so long as a person acts for the purpose of furnishing
a report that is or becomes a consumer report as that term is defined
in proposed Sec. 1022.4, that person is a consumer reporting agency; a
person need not know or believe it is furnishing a consumer report as
that term is defined under the FCRA. For example, consider an entity
that collects information about individual consumers' travel
preferences for use in marketing and sells that information to a third
party for marketing purposes with the belief that the communication of
that information is not a consumer report. If the third party actually
uses the information to establish a consumer's eligibility for credit,
the report would be a consumer report (assuming the other elements of
that definition were satisfied). The entity that sold the information
would then be a consumer reporting agency (assuming the other elements
of that definition were satisfied) because it intended to communicate
to the third party the information that was in fact used for an FCRA-
covered purpose, even if it did not believe that it was furnishing
consumer reports. The CFPB proposes that this conclusion flows from the
definition of consumer reporting agency in FCRA section 603(f).
In addition to being consistent with the regulatory text, this
reading of the statute better prevents entities from evading FCRA
coverage by disclaiming intent to furnish consumer reports. A
requirement that a person selling consumer information is a consumer
reporting agency only if it believes that its communications meet the
FCRA's definition of consumer report would incentivize willful
ignorance and undermine the purpose of the statute. The CFPB's
interpretation, by contrast, provides a clear, bright-line rule that
should be more difficult for entities, particularly data brokers, to
evade. For that reason, it is more consistent with
[[Page 101410]]
the broad remedial purpose of the FCRA.\63\
---------------------------------------------------------------------------
\63\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
---------------------------------------------------------------------------
The CFPB proposes Sec. 1022.4(b) as an interpretation of the
phrase ``is used.'' The CFPB also preliminarily concludes that proposed
Sec. 1022.4(b) is necessary to prevent evasion of the FCRA by entities
that sell consumer information and ignore the uses to which that
information is put by initial and downstream recipients.\64\ The CFPB
requests comment on whether the proposed interpretation is likely to
incentivize entities to monitor more carefully how a communication of
consumer information ultimately is used, any potential alternatives to
prevent entities from evading coverage under the FCRA, and any
compliance challenges associated with the proposed interpretation.
---------------------------------------------------------------------------
\64\ See supra part II.B, Goals of the Rulemaking, Protecting
Consumer Information in the Data Broker Market.
---------------------------------------------------------------------------
4(c) Is Expected To Be Used
Proposed Sec. 1022.4(c) would establish two tests for determining
whether information is expected to be used for a purpose described in
proposed Sec. 1022.4(a)(2). Under these tests, information in a
communication is expected to be used for such a purpose if: (1) the
person making the communication expects or should expect that a
recipient of the information will use it for such a purpose; or (2) it
is information about a consumer's credit history, credit score, debt
payments, or income or financial tier. Information would need to
satisfy only one of the tests for the ``expected to be used'' element
of the definition of consumer report to be met. If either test were
satisfied, the communication of the information would be a consumer
report and the person communicating the information would be a consumer
reporting agency, assuming the other elements of those definitions were
met. As a result, the person's sale of the information would be subject
to the FCRA.
4(c)(1)
Under the first test, described in proposed Sec. 1022.4(c)(1),
information in a communication is expected to be used for a purpose
described in proposed Sec. 1022.4(a)(2) if the person making the
communication expects or should expect that a recipient of the
information in the communication will use the information for such a
purpose.\65\ Proposed Sec. 1022.4(c)(1) would clarify four aspects of
the meaning of the phrase ``expected to be used.''
---------------------------------------------------------------------------
\65\ Regulation V, 12 CFR 1022.3(l) defines person to mean ``any
individual, partnership, corporation, trust, estate cooperative,
association, government or governmental subdivision or agency, or
other entity.''
---------------------------------------------------------------------------
Information Is Expected To Be Used
The ``expected to be used'' element of the definition of consumer
report does not identify what item must be ``expected to be used'' for
a purpose described in proposed Sec. 1022.4(a)(2). A consumer report
is a ``communication'' of certain ``information'' about a consumer, so
the phrase could reasonably refer to the communication itself (i.e.,
the actual transmittal of data), or the information contained within
the communication (i.e., the facts that the communication describes).
Proposed Sec. 1022.4(c) clarifies that, under the first test, the
relevant inquiry is whether the information in a communication is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2). This proposed interpretation follows directly from the
statutory language. As relevant here, the FCRA defines a consumer
report as a communication of information by a consumer reporting agency
``which is used or expected to be used or collected in whole or in
part'' for a purpose described in proposed Sec. 1022.4(a)(2).
Grammatically, the term to which ``expected to be used'' refers should
also be the term to which ``collected in whole or in part'' refers.
Consumer reporting agencies collect information, not communications.
Accordingly, under the CFPB's proposed interpretation, the term
``expected to be used'' refers to information.\66\
---------------------------------------------------------------------------
\66\ See Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d
988, 994 (D. Nev. 2021) (applying the series-qualifier and nearest-
reasonable-referent cannons to conclude that, under the definition
of consumer report, ``it is the information in the communication,
not the communication itself, that must be of the kind that is used
or expected to be used or collected in whole or in part for the
purposes of serving as a favor [sic] in credit, employment, or
insurance decisions or other reasons allowed under the FCRA'').
---------------------------------------------------------------------------
Person Communicating the Information
The ``expected to be used'' element of the FCRA's definition of
consumer report is phrased in the passive voice; it does not identify
the subject whose expectations are relevant in determining whether a
communication of information is a consumer report. Proposed Sec.
1022.4(c)(1) rephrases this element of the definition in the active
voice to clarify that, under the first test, the expectations of the
person communicating the information determine whether the information
is expected to be used for a particular purpose. In other words, the
proposal clarifies that a communication of information is a consumer
report if the person communicating the information expects the
information to be used for a purpose described in proposed Sec.
1022.4(a)(2) and the other elements of that definition are met. This
proposed interpretation, which is consistent with longstanding case
law, is a natural reading of the statutory language and makes sense in
the context of the statute.\67\ It is also necessary to prevent evasion
by entities, such as data brokers, that have sufficient information to
know that the consumer data they sell is likely being used for
eligibility determinations.
---------------------------------------------------------------------------
\67\ See, e.g., Fralish v. Transunion, LLC, No. 3:20-CV-969 JD,
2021 WL 4990003, at *3 (N.D. Ind. Oct. 26, 2021) (``Information
constitutes a `consumer report' if the consumer reporting agency
which prepares and sends the report `expects' the report to be used
for one of the `consumer purposes' set forth by the FCRA.'');
Ippolito v. WNS, Inc., 864 F.2d 440, 449 (7th Cir. 1988) (``[A]
consumer may establish that a particular credit report is a
`consumer report' falling within the coverage of the FCRA if . . .
the consumer reporting agency which prepares the report `expects'
the report to be used for one of the `consumer purposes' set forth
in the FCRA.''); Heath v. Credit Bureau of Sheridan, Inc., 618 F.2d
693, 696 (10th Cir. 1980) (explaining that `` `expected to be used'
would seem to refer to what the reporting agency believed'').
---------------------------------------------------------------------------
Knowledge Standard
The FCRA does not define the term ``expected.'' Proposed Sec.
1022.4(c)(1) would clarify that, under the first test, information is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2) if the person communicating the information subjectively
expects that it will be used for such a purpose, or if the person
objectively should expect that it will be used for such a purpose.
Interpreting the phrase ``expected to be used'' to encompass a
person's subjective and objective expectations is consistent with FTC
staff's longstanding view that the definition of consumer report covers
uses of information that the person can reasonably anticipate.\68\ And
it is consistent with case law holding that a person's reasonable
expectations about how information
[[Page 101411]]
will be used can establish whether the person is providing consumer
reports.\69\
---------------------------------------------------------------------------
\68\ FTC 40 Years Staff Report, supra note 21, at 22 (``If the
entity supplying the report has taken reasonable steps to [e]nsure
that the report is not used for such a purpose, and if it neither
knows of, nor can reasonably anticipate such use, the report should
not be deemed a consumer report . . . .'' (emphasis added)).
\69\ See, e.g., Harrington v. ChoicePoint Inc., No. CV 05-1294
MRP JWJX, 2005 WL 7979032, at *5 (C.D. Cal. Sept. 15, 2005) (holding
that consumer reporting agency ``should have expected the
information it disclosed would be used for FCRA purposes'' despite
the entity's contractual language with users barring such uses);
Mem. & Order at *6, Roybal v. Equifax, No. 2:05-CV-01207-MCE-KJM,
2008 WL 4532447 (E.D. Cal. Oct. 9, 2008) (allowing an FCRA claim
based on inaccuracies in the reporting of a joint account because
that information ``could reasonably have been expected to be used''
in establishing consumer's eligibility for credit); cf. Intel Corp.
Inv. Pol'y Comm. v. Sulyma, 589 U.S. 178 (2020) (``[T]he law will
sometimes impute knowledge--often called `constructive' knowledge--
to a person who fails to learn something that a reasonably diligent
person would have learned.'').
---------------------------------------------------------------------------
Interpreting ``expected to be used'' in this way also is necessary
to carry out the purposes of the FCRA and prevent evasion. If all that
mattered was how a person subjectively expected the information to be
used, the statute would reward willful ignorance: a person could
potentially avoid FCRA coverage by, for example, choosing not to ask or
deciding not to monitor how recipients of the information intended to
use it. The proposed interpretation is therefore consistent with the
statute's purpose.\70\
---------------------------------------------------------------------------
\70\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
---------------------------------------------------------------------------
The proposed interpretation also makes sense in the context of the
statute as a whole. Elsewhere in the FCRA, Congress imposed
requirements that refer only to a person's actual knowledge. For
example, FCRA section 605 requires the exclusion of certain information
from a consumer report if, among other things, the consumer reporting
agency ``has actual knowledge that the information is related to a
veteran's medical debt.'' \71\ If Congress had intended the meaning of
``expected to be used'' to turn only on the person's actual, subjective
expectations in the same way, it would have said so.\72\
---------------------------------------------------------------------------
\71\ 15 U.S.C. 1681c(a)(7), (8) (emphasis added).
\72\ See DHS v. MacLean, 574 U.S. 383, 392 (2015) (``Congress
generally acts intentionally when it uses particular language in one
section of a statute but omits it in another.'').
---------------------------------------------------------------------------
In enforcement actions and guidance documents, other regulators
have identified a non-exhaustive list of factors that may be relevant
to determining whether a person should expect that information will be
used for an FCRA-covered purpose. These factors include, for example,
whether the person screens potential users before allowing them to
access information, whether the person advertises its information for
non-FCRA-covered uses only, and whether the person maintains procedures
to monitor and audit how its information is used.\73\ The CFPB requests
comment on whether it would be helpful to identify in Regulation V
factors that are or may be relevant to determining whether a person
should expect that information will be used for an FCRA-covered
purpose, and, if so, what those factors might be. The CFPB also
requests comment on whether it would be helpful to identify the steps a
person must or should take to ensure that the consumer information it
sells is not used for an FCRA-covered purpose, absent which the person
would be deemed to expect that the consumer information will be used
for such a purpose.
---------------------------------------------------------------------------
\73\ See, e.g., Compl. ] 9, United States v. Instant Checkmate,
Inc., No. 3:14-CV-00675-H-JMA (S.D. Cal. Mar. 24, 2014), https://www.ftc.gov/system/files/documents/cases/140409instantcheckmatecmpt.pdf (alleging that Instant Checkmate, in
its marketing and advertising, including through its Google Ad Words
campaign, ``promoted the use of its reports as a factor in
establishing a person's eligibility for employment or housing'');
Compl. for Civil Penalties, Permanent Inj. & Other Equitable Relief
] 13, United States v. ChoicePoint (N.D. Ga. Jan. 30, 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069complaint.pdf (alleging that ChoicePoint failed to adequately
verify or authenticate the identities and qualifications of
prospective users of its database).
---------------------------------------------------------------------------
Downstream Recipients
The phrase ``for the purpose of serving as a factor in establishing
the consumer's eligibility,'' which follows the phrase ``expected to be
used'' in the definition, lacks a subject, making it unclear whose use
of the information matters in determining whether information is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2). For the same reasons described in the discussion of
proposed Sec. 1022.4(b), proposed Sec. 1022.4(c)(1) would clarify
that, under the first test, information is expected to be used for a
purpose described in proposed Sec. 1022.4(a)(2) if the person
communicating the information expects or should expect that any
recipient of the information will use it for such a purpose.
As discussed above, the CFPB proposes Sec. 1022.4(c)(1) as an
interpretation of the phrase ``expected to be used.'' The CFPB also
proposes Sec. 1022.4(c)(1) pursuant to its authority to prevent
evasions of the FCRA. The CFPB preliminarily concludes that proposed
Sec. 1022.4(c)(1) is necessary to prevent evasion of the FCRA by
entities that sell consumer information and ignore the uses to which
that information is put by initial and downstream recipients.\74\
---------------------------------------------------------------------------
\74\ See supra part II.B, Goals of the Rulemaking, Protecting
Consumer Information in the Data Broker Market.
---------------------------------------------------------------------------
4(c)(2)
Under the second test, described in proposed Sec. 1022.4(c)(2),
the CFPB preliminarily concludes that entities that sell consumer
information generally expect certain types of that information to be
used in the market at large for a purpose described in proposed Sec.
1022.4(a)(2), because those types of information are typically used for
such a purpose. Specifically, under proposed Sec. 1022.4(c)(2), a
person selling any of four types of information about a consumer--
credit history, credit score, debt payments, and income or financial
tier--for any purpose generally would qualify as a consumer reporting
agency selling consumer reports because those information types are
typically used to underwrite loans. Accordingly, the person's conduct
would be governed by the FCRA's restrictions and requirements,
including provisions that protect the privacy and promote the accuracy
of consumer data.
As discussed in part II, the data broker industry poses a range of
significant harms to consumers and the nation. These include national
security harms.\75\ As the U.S. Department of Justice (DOJ) has
observed, countries of concern can use Americans' sensitive personal
data ``to engage in malicious cyber-enabled activities and malign
foreign influence, and to track and build profiles on U.S. individuals,
including members of the military and Federal employees and
contractors, for illicit purposes such as blackmail and espionage.''
\76\ They can also use that data ``to collect information on activists,
academics, journalists, dissidents, political figures, or members of
non-governmental organizations or marginalized communities in order to
intimidate such persons; curb political opposition; limit freedoms of
expression, peaceful assembly, or association; or enable other forms of
suppression of civil liberties.'' \77\
---------------------------------------------------------------------------
\75\ See, e.g., The White House, Fact Sheet: President Biden
Issues Executive Order to Protect Americans' Sensitive Personal Data
(Feb. 28, 2024), https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/.
\76\ 89 FR 15780, 15781 (Mar. 5, 2024) (U.S. Dep't of Just.
Advance Notice of Proposed Rulemaking seeking comment on topics
related to the implementation of E.O. 14117).
\77\ Id.
---------------------------------------------------------------------------
[[Page 101412]]
Recent research funded by the U.S. Military Academy at West Point
has highlighted the gravity of the threat posed by data brokers who
sell information about the activities and private lives of United
States military personnel, veterans, government employees, and their
families.\78\ With virtually no vetting, researchers were able to
purchase individually identified information about active-duty military
members' income, net worth, and credit rating--information that could
be used by foreign adversaries to identify individuals for purposes of
coercion, blackmail, or espionage.\79\ Data brokers also facilitate the
targeting of military members and government employees by allowing
buyers to purchase lists that match multiple categories, such as lists
that include individuals who fall into the ``Intelligence and
Counterterrorism'' category and the ``Behind on Bills'' category.\80\
As President Biden noted in a February 2024 executive order addressing
foreign access to Americans' data, ``[t]he continuing effort of certain
countries of concern to access Americans' sensitive personal data and
United States Government-related data constitutes an unusual and
extraordinary threat . . . to the national security and foreign policy
of the United States.'' \81\
---------------------------------------------------------------------------
\78\ See Duke Report on Data Brokers and Military Personnel
Data, supra note 2.
\79\ Id. at 5.
\80\ Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB
Director Rohit Chopra at the White House on Data Protection and
National Security (Apr. 2, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/.
\81\ E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024).
---------------------------------------------------------------------------
The data broker industry also poses unique harms to individuals in
financially precarious situations. Fraudsters can use information from
data brokers to target individuals likely to purchase predatory
financial products. For example, some data brokers sell consumer lists
with titles such as ``Rural and Barely Making It,'' ``Retiring on
Empty: Single,'' and ``Credit Crunched: City Families.'' \82\ As the
Senate Committee on Commerce, Science, and Transportation observed over
a decade ago, these lists ``appeal to companies that sell high-cost
loans and other financially risky products to populations more likely
to need quick cash.'' \83\ The purchase and sale of consumers'
financial information can also be used to perpetrate outright scams
against low-income individuals and individuals in financially
precarious situations. In 2015, for example, the FTC brought suit
against a data broker operation that sold payday loan applicants'
financial information to phony internet merchants and fraudsters who
used the information to debit consumers' bank accounts for financial
products that the consumers never actually purchased.\84\
---------------------------------------------------------------------------
\82\ S. Comm. on Com., Sci., & Transp., Off. of Oversight &
Investigations Majority Staff, A Review of the Data Broker Industry:
Collection, Use, and Sale of Consumer Data for Marketing Purposes,
at 5 (Dec. 18, 2013), https://www.commerce.senate.gov/services/
files/0d2b3642-6221-4888-a631-08f2f255b577.
\83\ Id.
\84\ Compl. for Permanent Inj. and Other Equitable Relief, Fed.
Trad Comm'n v. Sequoia One, LLC, No. 2:15-cv-01512-JCM-CWH (D. Nev.
Aug. 7, 2015), https://www.ftc.gov/system/files/documents/cases/150812sequoiaonecmpt.pdf; Fed. Trade Comm'n, FTC Charges Data
Brokers with Helping Scammer Take More Than $7 Million from
Consumers' Accounts (Aug. 12, 2015), https://www.ftc.gov/news-events/news/press-releases/2015/08/ftc-charges-data-brokers-helping-scammer-take-more-7-million-consumers-accounts.
---------------------------------------------------------------------------
The data broker industry also poses data security risks. The highly
sensitive consumer information collected and sold by data brokers is an
attractive target for hackers and identity thieves. In recent years,
cyber criminals have stolen from data brokers information about
hundreds of millions of Americans,\85\ some of which has been made
available for sale.\86\ Purchasers can use this information to open new
financial accounts in consumers' names, drain existing accounts, obtain
loans, seek employment, apply for government benefits, and send
``phishing'' communications to family and friends. According to the
DOJ, in 2021 nearly 24 million U.S. residents over 16 had experienced
identity theft in the past 12 months, with financial losses of over $16
billion.\87\
---------------------------------------------------------------------------
\85\ See, e.g., Brian Krebs, NationalPublicData.com Hack Exposes
a Nation's Data, Krebs on Security (Aug. 15, 2024), https://krebsonsecurity.com/2024/08/nationalpublicdata-com-hack-exposes-a-nations-data/; Justin Sherman, Duke Sanford School of Public Policy,
Data Brokers and Data Breaches (Sept. 27, 2022), https://techpolicy.sanford.duke.edu/blogroll/data-brokers-and-data-breaches;
Brian Krebs, Hacked Data Broker Accounts Fueled Phone COVID Loans,
Unemployment Claims, Krebs on Security (Aug. 6, 2020), https://krebsonsecurity.com/2020/08/hacked-data-broker-accounts-fueled-phony-covid-loans-unemployment-claims/; Lily Hay Newman, 1.2 Billion
Records Found Exposed Online in a Single Server, Wired (Nov. 22,
2019), https://www.wired.com/story/billion-records-exposed-online;
Stacy Cowley, Equifax to Pay at Least $650 Million in Largest-Ever
Data Breach Settlement, N.Y. Times (July 22, 2019), https://www.nytimes.com/2019/07/22/business/equifax-settlement.html.
\86\ See, e.g., Brian Krebs, National Public Data Published Its
Own Passwords, Krebs on Security (Aug. 19, 2024), https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/; Brian Krebs, Data Broker Giants Hacked by ID Theft
Service, Krebs on Security (Sept. 25, 2013), https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/.
\87\ Erika Harrell & Alexandra Thompson, Bureau of Just. Stat.,
U.S. Dep't of Just., NCJ 306474, Victims of Identity Theft, 2021, at
1 (Oct. 2023), https://bjs.ojp.gov/document/vit21.pdf.
---------------------------------------------------------------------------
In addition, the data broker industry poses risks to the personal
safety of American consumers. For example, domestic abusers and others
can use data from data brokers to stalk, harass, and commit
violence.\88\ Other bad actors can use data broker information to dox
consumers, expose their personal information, and subject them to
distress, embarrassment, shame, and stigma.\89\ Moreover, the data
broker industry threatens consumers' right to privacy--the right to be
left alone, free from wrongful intrusions into private activities.\90\
Surveys suggest that many consumers would be concerned to know that
information about their personal lives was being bought and sold
without their consent and outside their control by entities with whom
they have no
[[Page 101413]]
relationship and whose actions they cannot trace.\91\ And the data
broker industry raises questions of fundamental fairness to consumers.
The consumer profiles that data brokers compile and sell can determine
what offers, benefits, and opportunities consumers receive.\92\ Yet
those profiles, often based on data of dubious veracity and sometimes
merely on inferences drawn from that data, are typically constructed
without consumers' knowledge, input, or permission, creating a
significant risk that they contain inaccurate, incomplete, or outdated
information that consumers are often powerless to correct.
---------------------------------------------------------------------------
\88\ See, e.g., Letter from Amy Klobuchar & Lisa Murkowski,
Sens., U.S. Senate, to Hon. Rebecca K. Slaughter, Acting Chair, Fed.
Trade Comm'n (Mar. 4, 2021), https://www.klobuchar.senate.gov/
public/_cache/files/5/e/5e1e58a4-4b38-49e8-9a8b-37ea1604d9b9/
A6F005737B2A977445475E4E0C2E3685.ftc-privacy-and-domestic-violence-
letter-final_-signed.pdf (expressing ``serious concerns regarding
recent reports that data brokers are publicizing the location and
contact information of victims of domestic violence, sexual
violence, and stalking''); Esther Salas, My Son Was Killed Because
I'm a Federal Judge, N.Y. Times (Dec. 8, 2020), https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html (recounting instance in which aggrieved litigant
obtained Federal judge's address from data broker); Mara
Hvistendahl, I Tried to Get My Name Off People-Search Sites. It Was
Nearly Impossible., Consumer Reports (Aug. 20, 2020), https://www.consumerreports.org/personal-information/i-tried-to-get-my-name-off-peoplesearch-sites-it-was-nearly--a0741114794/ (recounting
domestic abuse victim's effort to delete her information from data
broker databases so that her abuser could not obtain it); Remsburg
v. Docusearch, Inc., No. Civ. 00-211-B, 2002 WL 844403, at *2-3
(D.N.H. Apr. 25, 2002) (describing stalker's use of data broker
information to locate victim).
\89\ See, e.g., Joseph Cox & Emanuel Maiberg, Fiverr Freelancers
Offer to Dox Anyone With Powerful U.S. Data Tool, 404 Media (July 2,
2024), https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/; Joseph Cox, The Secret
Weapon Hackers Can Use to Dox Nearly Anyone in America for $15, 404
Media (Aug. 22, 2023), https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF.
\90\ Cf. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d
589, 603-04 (9th Cir. 2020) (observing that ``[t]echnological
advances . . . provide access to a category of information otherwise
unknowable and implicate privacy concerns in a manner different from
traditional intrusions as a ride on horseback is different from a
flight to the moon'' (internal quotation marks and citations
omitted)); FTC v. Kochava, Inc., 715 F. Supp. 3d 1319, 1324 (D.
Idaho 2024) (noting that the Supreme Court has recognized ``the
unique threat that modern technology can pose to privacy rights''
(citing Carpenter v. United States, 585 U.S. 296 (2018)).
\91\ See, e.g., Brooke Auxier et al., Americans and Privacy:
Concerned, Confused and Feeling Lack of Control Over Their Personal
Information, Pew Rsch. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/; cf. Tiffany Johnson et al., It's All Personal: A Study
on Consumer Attitudes Towards Data Collection & Usage, PCH Consumer
Insights, at 3 (Nov. 15, 2023), https://insights.pch.com/img/data-ethics-design.pdf (identifying data types that consumers regard as
``personal'').
\92\ See FTC Data Broker Report, supra note 25, at 31 (noting
that score produced by data brokers ``could be used to determine the
types of offers consumers may receive, the number of offers, or even
the level of customer service provided to specific individuals'').
---------------------------------------------------------------------------
Notwithstanding these harms, for years many data brokers have
attempted to avoid liability under the FCRA by arguing that the
``expected to be used'' portion of the statute's definition of consumer
report is satisfied only if the person selling the communication
expects that the buyer will use the communication for a purpose
described in FCRA section 603(d)(1), such as to assess the consumer's
eligibility for credit. According to this argument, if the seller
expects that the buyer will use the communication for another purpose,
such as to market products, the ``expected to be used'' portion of the
definition is not satisfied. And as long as the communication was not
actually used, and the information in the communication was not
collected, for a purpose described in FCRA section 603(d)(1), this
argument provides that there is no consumer report and the FCRA does
not apply. Where courts have been presented with certain fact patterns,
such as where the data broker took steps to monitor and prohibit the
sale of data for FCRA uses, this has sometimes served as an adequate
defense. However, it is unclear whether courts have been squarely
presented with an alternative approach to the issue.\93\
---------------------------------------------------------------------------
\93\ See, e.g., Ippolito v. WNS, Inc., 864 F.2d 440, 450-51 (7th
Cir. 1988) (focusing on the purchaser's conduct in determining
whether the entity that sold a report expected that it would be used
for an FCRA-covered purpose).
---------------------------------------------------------------------------
Construing the phrase ``expected to be used'' in this way leads to
a result contrary to the FCRA's stated objective in section 602(a)(4)
of ``respect[ing] . . . the consumer's right to privacy.'' Section
604's prohibition on furnishing consumer reports for non-permissible
purposes, such as marketing outside of the prescreening context, is
evaded by the very acts that section 604 purportedly prohibits. This is
because, as the FCRA defines the term ``consumer report'' in section
603(d)(1)(C), a communication of information is not a consumer report
unless it is used or expected to be used for a permissible purpose in
the first place--i.e., for a purpose ``authorized under section
[604].'' This reading of ``expected to be used'' would render section
604's prohibitions a nullity with respect to the furnishing of consumer
reports for non-permissible purposes, except for the fact that a
communication of information could still be a consumer report if the
information was ``collected in whole or in part'' for a permissible
purpose. Under this reading, if an entity collects information for a
permissible purpose, it cannot provide that same information for an
impermissible purpose.
But it would shortchange the FCRA's privacy-protecting objectives
to conclude that consumer information collected by a consumer reporting
agency for a purpose authorized under section 604 is subject to all of
the FCRA's restrictions, including prohibitions on uses outside of what
section 604 authorizes, while identical consumer information collected
by a data broker solely for a purpose not authorized under section 604
is subject to none of the FCRA's restrictions. Under such an
interpretation, for example, Congress would have prohibited a consumer
reporting agency that collects consumers' income information for use by
banks in making credit eligibility decisions from selling that
information for marketing purposes (or any other non-permissible
purpose), but it would have permitted a data broker that collects the
exact same income information solely for purposes Congress did not
authorize in the FCRA to sell the information for those purposes. This
has led to the unregulated proliferation of the very types of consumer
information that the FCRA's framers intended to protect.\94\
---------------------------------------------------------------------------
\94\ See 115 Cong. Rec. S2413 (Jan. 31, 1969) (statement of
FCRA's primary sponsor expressing concern about companies that
maintain ``files on millions of Americans, including their
employment, income, billpaying record, marital status, habits,
character and morals'' without adequate regulations restricting the
files' use).
---------------------------------------------------------------------------
Proposed Sec. 1022.4(c)(2) would avoid this result and conform
with Congress's intent to protect consumers' right to privacy by
providing that certain types of information about consumers--namely,
credit history, credit score, debt payments, and income or financial
tier--are expected to be used for a purpose described in proposed Sec.
1022.4(a)(2) even if the specific communication in which the
information is conveyed is not itself used or expected to be used for
such a purpose.
The CFPB proposes that the text of FCRA section 603(d)(1) alone may
support proposed Sec. 1022.4(c)(2). In contrast to prior case law that
did not consider this approach, the CFPB preliminarily determines that
the part of the definition of consumer report referring to what the
sender ``expects'' could be construed as referring not to how the
sender expects the ``communication'' or report will be used, but rather
to how the sender expects the ``information'' within the report will be
used.\95\ ``Information'' is defined as ``knowledge obtained from
investigation, study, or instruction; intelligence, news; facts,
data.'' \96\ Accordingly, whether information ``is expected to be
used'' for a particular purpose may depend, in part, on how the facts
in a communication might be used in the future, even if they are
provided by other entities in different ``communications'' or reports.
---------------------------------------------------------------------------
\95\ Cf. Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d
988, 994 (D. Nev. 2021).
\96\ See Information, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/information (last visited Oct.
15, 2024).
---------------------------------------------------------------------------
The CFPB preliminarily concludes that a data broker selling
information about a consumer's credit history, credit score, debt
payments (including on non-credit obligations), or income or financial
tier should know that such information is typically used in determining
a consumer's eligibility for credit, and therefore should expect that
such information will be used for an FCRA purpose. According to FICO,
for example, its credit scores are used in 90 percent of all lending
decisions.\97\ Moreover, in assessing a consumer's eligibility for a
mortgage loan, the nation's largest lenders consider, among other
things, a prospective borrower's income (often by reviewing a
consumer's W-2 statements, tax returns, and pay stubs), as well as the
borrower's credit history and level of indebtedness
[[Page 101414]]
(often by reviewing multiple or merged consumer reports).\98\ Indeed,
the government-sponsored entities that purchase a substantial portion
of residential mortgage loans \99\ require lenders to obtain a
consumer's credit report and score, and consider a consumer's income
and recurring debt payments, before making a loan.\100\ And the CFPB's
ability-to-repay rules require lenders to consider similar
information.\101\
---------------------------------------------------------------------------
\97\ Basic Facts About FICO Scores, FICO, https://www.fico.com/en/latest-thinking/fact-sheet/basic-facts-about-fico-scores (last
visited Oct. 30, 2024).
\98\ See, e.g., What Documents Are Needed to Apply for a
Mortgage?, Chase, https://www.chase.com/personal/mortgage/education/financing-a-home/mortgage-application (last visited Oct. 30, 2024);
How to Apply for a Mortgage, Bank of America, https://www.bankofamerica.com/mortgage/learn/how-to-apply-for-a-mortgage/
(last visited Oct. 30, 2024); Home-Buying & Mortgage Process, US
Bank, https://www.usbank.com/home-loans/mortgage/first-time-home-buyers/mortgage-process.html (last visited Oct. 30, 2024);
Importance of Credit, Debt, and Savings When Buying a House, Wells
Fargo, https://www.wellsfargo.com/mortgage/learning/getting-started/importance-of-credit-debt-savings-in-homebuying/ (last visited Oct.
15, 2024); Hanna Kielar, Qualifying For A Mortgage: The Basics,
Rocket Mortgage (Apr. 10, 2024), https://www.rocketmortgage.com/learn/mortgage-qualification.
\99\ See Fed. Hous. Fin. Agency, FHFA Statistics, What Types of
Mortgages Do Fannie Mae and Freddie Mac Acquire? (Apr. 14, 2021),
https://www.fhfa.gov/blog/statistics/what-types-of-mortgages-do-fannie-mae-and-freddie-mac-acquire (listing enterprise share of
mortgage originations by year).
\100\ See, e.g., Fannie Mae, Selling Guide: Fannie Mae Single
Family, at B3 (June 5, 2024), https://singlefamily.fanniemae.com/media/39241/display; Freddie Mac, Seller/Servicer Guide, at Series
5000, https://guide.freddiemac.com/app/guide/series/5000 (last
visited Oct. 30, 2024).
\101\ Regulation Z, 12 CFR 1026.43(c).
---------------------------------------------------------------------------
As a practical matter, if proposed Sec. 1022.4(c)(2) were
finalized, then, under FCRA section 604, data brokers and similar
entities that otherwise met the definition of a consumer reporting
agency could not sell reports containing a consumer's credit history,
credit score, debt payments, or income or financial tier to anyone who
lacked a permissible purpose to obtain them, such as a company that
intended to use the reports for marketing purposes outside of the
statute's pre-screening provisions.\102\ Such entities also would need
to comply with the FCRA's other prohibitions and requirements for
consumer reporting agencies, such as the requirement in FCRA section
607 to follow reasonable procedures to assure maximum possible accuracy
of the information in their reports, and the requirements in FCRA
sections 609 and 611 to disclose certain information to consumers and
to investigate consumers' disputes.\103\
---------------------------------------------------------------------------
\102\ 15 U.S.C. 1681b.
\103\ 15 U.S.C. 1681e, 1681g, 1681i.
---------------------------------------------------------------------------
If proposed Sec. 1022.4(c)(2) is finalized, a substantial number
of additional data brokers operating today likely will qualify as
consumer reporting agencies selling consumer reports under the FCRA,
resulting in improved consumer protections and a substantial reduction
in the volume of consumer information being bought and sold for non-
permissible purposes, such as marketing. In addition, proposed Sec.
1022.4(c)(2), if finalized, should make it more difficult for bad
actors to purchase consumer information from data brokers and threaten
national security or facilitate financial scams and fraud. In these
ways, proposed Sec. 1022.4(c)(2) would further the FCRA's broad
remedial purpose \104\ and Congress's intent to protect consumers'
right to privacy and to provide greater protections for particularly
sensitive consumer information.\105\
---------------------------------------------------------------------------
\104\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
\105\ See 15 U.S.C. 1681(a).
---------------------------------------------------------------------------
In the Small Business Review Panel Outline, the CFPB described a
proposal under consideration that would have provided that information
in a communication is expected to be used for an FCRA purpose if the
information is the type of information typically used for such a
purpose. The Small Business Review Panel recommended that the CFPB
consider how best to provide guidance on the types of information about
consumers that are typically used for an FCRA purpose. Proposed Sec.
1022.4(c)(2) is limited to the four types of information listed in that
section: a consumer's credit history, credit score, debt payments, and
income or financial tier. This limitation creates a bright-line rule
that is responsive to the Small Business Review Panel's feedback, and
that should simplify compliance and enforcement and reduce market
uncertainty. The CFPB requests comment on whether it would be helpful
to provide further guidance defining the four types of information
listed in proposed Sec. 1022.4(c)(2).
The CFPB notes that proposed Sec. 1022.4(c)(2) would cover, for
example, a list of people with income or credit scores above or below a
certain number or within a certain range, even if a consumer's precise
income or credit score is not specified. If all other elements of the
definitions of consumer report and consumer reporting agency were
satisfied, the list would be a series of consumer reports and the
entity communicating the list would be a consumer reporting agency. In
addition, the CFPB reiterates that information would need to satisfy
only one of the tests in proposed Sec. 1022.4(c) for the ``expected to
be used'' element of the definition of consumer report to be met. In
other words, the communication of information that is not specifically
listed in proposed Sec. 1022.4(c)(2)--including, for example, criminal
records, employment information, eviction history, and alternative data
\106\--could still be a consumer report if the person communicating the
information expects or should expect that a recipient of the
information in the communication will use the information for an FCRA
purpose.
---------------------------------------------------------------------------
\106\ See generally 82 FR 11183 (Feb. 21, 2017) (request for
information about the use or potential use of alternative data in
the credit process).
---------------------------------------------------------------------------
The CFPB proposes Sec. 1022.4(c)(2) as an administrable, bright-
line rule for certain categories of information to implement the phrase
``expected to be used'' in the FCRA's definition of consumer report.
The CFPB also proposes Sec. 1022.4(c)(2) pursuant to its authority to
prescribe regulations necessary to carry out the purposes of the FCRA
and prevent evasion. It is likely that a substantial number of data
brokers sell the types of information listed in proposed Sec.
1022.4(c)(2), and that a substantial number of the entities that buy
such information from data brokers in fact use it for FCRA purposes--
including to make credit eligibility determinations. Nevertheless, many
data brokers attempt to avoid the legal obligations of the FCRA by
remaining ignorant of how their data ultimately is used, in some
instances by selling data without inquiring into the buyer's identity
or intended use of the data, in other instances by ignoring certain
uses or disclaiming liability for them, and in other instances by
selling data to intermediary entities that sell it further
downstream.\107\ These practices--data brokers' sale of information
that is typically used for credit eligibility determinations and data
brokers' minimal oversight of the uses to which that information is
[[Page 101415]]
put \108\--have created a unique likelihood that the information sold
by data brokers will be used by downstream buyers to evaluate a
consumer's eligibility for credit.\109\ Data brokers collect, buy, and
sell the same types of data that consumer reporting agencies assemble
and disseminate, and the data broker industry poses many of the same
risks that the FCRA was designed to address.\110\ Yet many data brokers
have attempted to evade coverage under the statute. One purpose of
proposed Sec. 1022.4(c)(2) is to prevent further evasion.
---------------------------------------------------------------------------
\107\ See, e.g., Duke Report on Data Brokers and Military
Personnel Data, supra note 2, at 25-29; Compl. For Permanent Inj.,
Monetary Relief, Other Equitable Relief, and Civil Penalties, FTC v.
Instant Checkmate, LLC, No. 3:23-cv-01674 TWR (MSB) (S.D. Cal. Sept.
11, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/truthfinder_complaint.pdf; Press Release, Fed. Trade Comm'n, FTC
Warns Data Broker Operations of Possible Privacy Violations (May 7,
2013), https://www.ftc.gov/news-events/news/press-releases/2013/05/ftc-warns-data-broker-operations-possible-privacy-violations.
\108\ See, e.g., Duke Report on Data Brokers and Sensitive Data,
supra note 29, at 4-8; FTC Data Broker Report, supra note 25, at B1-
B5.
\109\ See 15 U.S.C. 1681a(d)(1)(A) through (C) and 1681b(a)(3).
\110\ See 115 Cong. Rec. S2413 (Jan. 31, 1969).
---------------------------------------------------------------------------
The CFPB requests comment on proposed Sec. 1022.4(c)(2) and other
possible approaches to implementing the definition of consumer report,
as well as on the potential impacts of each approach, including on
whether they would advance the privacy interests of consumers and
protect consumers from data misuses and abuses. In addition, the CFPB
requests comment on the possible effects, if proposed Sec.
1022.4(c)(2) is finalized, on entities that furnish data to, purchase
data from, or rely on the services of entities that would qualify as
consumer reporting agencies selling consumer reports.
4(d) Personal Identifiers for a Consumer
Proposed Sec. 1022.4(d) relates to certain personal identifiers
for a consumer that are often referred to as ``credit header''
information. Personal identifiers typically appear at the top of
consumer reports and include, for example, names, date of birth,
addresses, Social Security number (SSN), and telephone number. In Sec.
1022.4(d)(1), the CFPB proposes to provide that the term ``consumer
report'' includes a communication by a consumer reporting agency of a
personal identifier for a consumer that was collected by the consumer
reporting agency in whole or in part for the purpose of preparing a
consumer report about the consumer. This would mean that a consumer
reporting agency could only make such a communication if the user had a
permissible purpose under the FCRA to obtain it. Proposed Sec.
1022.4(d)(2) sets forth an enumerated list of information that would
constitute personal identifiers for a consumer. The CFPB proposes Sec.
1022.4(d) to prevent the misuse of personal identifiers collected by
consumer reporting agencies to prepare consumer reports and to prevent
evasions of the FCRA.
How Personal Identifiers Are Treated Today
The FTC has addressed personal identifiers collected by consumer
reporting agencies in various contexts over the last few decades and
has generally taken a fact-specific approach in determining whether
communications of identifying information by consumer reporting
agencies are consumer reports. For example, in 2000, the FTC determined
in an administrative opinion that age was consumer report information
when communicated by a consumer reporting agency,\111\ but that various
other types of personal identifiers were not, based on evidence in a
proceeding regarding whether the different types of information bore on
the seven factors specified in the definition of consumer report and
how they were used or expected to be used.\112\ In its 2011 staff
report, the FTC indicated that demographic and identifying information
about consumers such as name and address generally is not considered
consumer report information under the FCRA, unless it is used for
eligibility determinations.\113\ The FTC stated that a report limited
to identifying information does not constitute a consumer report if it
does not bear on any of the seven factors specified in the definition
and is not used to determine eligibility.\114\
---------------------------------------------------------------------------
\111\ In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb.
10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (``[T]he record shows
that an individual's age does bear on their credit capacity and is
used in credit granting decisions. . . . The record . . .
demonstrates that lenders use age information as a factor in credit
granting decisions. Further, age clearly bears on credit capacity
where state laws restrict contracting with minors. Therefore, age
information falls within the definition of a consumer report and its
disclosure by a CRA to target marketers violates the FCRA.'')
(citations omitted); see also 65 FR 33645, 33668 n.35 (May 24, 2000)
(noting that age is consumer report information).
\112\ In re Trans Union Corp., FTC Docket No. 9255, at 30-31
(Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (concluding that
(1) name, mother's maiden name, generational designator, telephone
number, and SSN were not consumer report information because the
evidence presented in the proceeding did not show that they bore on
any of the seven factors specified in the definition of consumer
report, and (2) address was not consumer report information because,
while it might bear on creditworthiness, the evidence presented in
the proceeding did not show that address was used or expected to be
used as a credit eligibility factor in scoring or as a credit
criterion in prescreening).
\113\ FTC 40 Years Staff Report, supra note 21, at 1 n.4.
\114\ Id. at 21. The 2011 staff report indicated, for example,
that ``[t]elephone and other directories that only provide names,
addresses, and phone numbers, are not `consumer reports,' because
the information is not collected to be used or expected to be used
in evaluating consumers for credit, insurance, employment, or other
purposes.'' The FTC recognized, however, that a list of consumers'
names and addresses is a series of consumer reports if the list is
assembled or defined by reference to characteristics or other
information that is also used (even in part) in eligibility
decisions. For example, the FTC noted that ``a list comprised solely
of consumer names and addresses, but compiled based on the criterion
that every name on the list has at least one active trade line,
updated within six months, is a series of consumer reports.'' Id.
---------------------------------------------------------------------------
In finalizing its initial privacy regulation under the Gramm-Leach-
Bliley Act (GLBA), the FTC explained that, to the extent that a
consumer reporting agency's communication of ``credit header''
information is not a consumer report, GLBA and its implementing
regulation limit consumer reporting agencies' redisclosure of
information furnished by financial institutions pursuant to the GLBA's
consumer reporting exception, which allows financial institutions to
share nonpublic personal information with a consumer reporting agency
in accordance with the FCRA without providing consumers notice and an
opportunity to opt out of such sharing.\115\ Specifically, the FTC
explained that GLBA and its implementing regulation do not allow a
consumer reporting agency that receives information pursuant to this
exception to redisclose the information to ``individual reference
services, direct marketers, or any other party that does not have a
permissible purpose to obtain that information as part of a consumer
report.'' \116\ The FTC noted, however, that consumer reporting
agencies may be able to sell consumer identifying information if they
receive the information from financial institutions outside of a GLBA
exception.\117\
---------------------------------------------------------------------------
\115\ 65 FR 33646, 33668 (May 24, 2000) (citing 15 CFR
313.15(a)(5), which the CFPB later restated in Regulation P as 12
CFR 1016.15(a)(5)).
\116\ 65 FR 33646, 33668 (May 24, 2000) (declining requests that
the FTC create a new exception to the reuse and redisclosure
limitations that would allow consumer reporting agencies to sell
``credit header'' information); see also Trans Union LLC v. FTC, 295
F.3d 42 (D.C. Cir. 2002) (rejecting challenges to FTC privacy rule,
including to its handling of header information).
\117\ 65 FR 33646, 33668-69 (May 24, 2000).
---------------------------------------------------------------------------
Courts considering communications of personal identifiers by
consumer reporting agencies have generally concluded that such
communications are not consumer reports, largely on the ground that the
information does not bear on the factors specified in the
definition.\118\ However, similar to the
[[Page 101416]]
FTC's guidance, some decisions have recognized that communications of
identifying information may meet the FCRA definition of consumer report
in specific circumstances.\119\
---------------------------------------------------------------------------
\118\ See, e.g., Gray v. Experian Info. Sols. Inc., No. 8:23-CV-
981-WFJ-AEP, 2023 WL 6895993, at *3-4 (M.D. Fla. Oct. 19, 2023);
Bickley v. Dish Network, LLC, 751 F.3d 724, 729 (6th Cir. 2014); Ali
v. Vikar Mgmt. Ltd., 994 F. Supp. 492, 497, 499 (S.D.N.Y. 1998);
Dotzler v. Perot, 914 F. Supp. 328, 330-31 (E.D. Mo. 1996), aff'd,
124 F.3d 207 (8th Cir. 1997).
\119\ Steinmetz v. LexisNexis, No. 2:19-CV-00070-RFB-DJA, 2020
WL 2198974, at *3 (D. Nev. May 5, 2020) (noting that ``it is not
inconceivable that information like one's birthdate could be
relevant for determining eligibility for certain consumer credit
products'').
---------------------------------------------------------------------------
Consumer reporting agencies and other industry stakeholders have
generally taken the position that personal identifiers are not subject
to the FCRA at all.\120\ Consumer reporting agencies thus currently
sell ``credit header'' information for purposes that are not
permissible purposes under the FCRA.\121\ For example, such information
appears to be offered for sale for purposes not authorized under
section 604, such as marketing \122\ that is not done in accordance
with the statute's prescreening or written instructions
provisions.\123\
---------------------------------------------------------------------------
\120\ See, e.g., Comment from stakeholder Equifax, Re: CFPB's
Small Business Advisory Review Panel for Consumer Reporting
Rulemaking--Outline of Proposals and Alternatives Under
Consideration, at 2 (Nov. 6, 2023) (``Credit header information,
such as name, current and former addresses, Social Security number,
date of birth, and phone number, does not meet the current,
definitional standard for a consumer report.''). Indeed, an industry
trade association has erroneously suggested that the FTC has
categorically excluded identifying information from the definition
of consumer report. Comment from stakeholder CDIA, Re: CFPB's Small
Business Advisory Review Panel for Consumer Reporting Rulemaking--
Outline of Proposals and Alternatives Under Consideration, at 13
(Nov. 6, 2023) (``The FTC's long-standing and unambiguous
interpretation of the FCRA is that identifying information (i.e.,
credit header information) does not constitute a consumer
report.'').
\121\ See, e.g., What Is Credit Header?, Tracers (Oct. 22,
2020), https://www.tracers.com/blog/what-is-credit-header/ (``You
can see how beneficial all of this information can be if you're a
business trying to reach out to brand new or existing customers.
This type of data isn't regulated under the Fair Credit Reporting
Act because it's not part of a customer's credit history, which
means you can use it in a variety of ways for your business's
benefit.'').
\122\ See, e.g., Introducing Acxiom Auto 360: Data Solution for
OEMs and Car Dealerships, Acxiom, https://www.acxiom.com/auto-360/
(last visited Oct. 30, 2024) (``What if you needed only one,
incredibly powerful data-marketing tool? One solution using best-in-
industry capabilities combining household data sets with credit
header data and adding insights to influence a customer's next
buying decision.'').
\123\ FCRA section 604(c)(1)(B) permits consumer reporting
agencies to furnish consumer reports in connection with credit or
insurance transactions not initiated by the consumer under certain
conditions, including that the consumer reporting agency must allow
consumers to opt out of the prescreening process, the user must
provide a firm offer of credit or insurance to consumers whose
information they receive, and both the consumer reporting agency and
the user must comply with notice requirements. FCRA section
604(a)(2) permits consumer reporting agencies to furnish a consumer
report in accordance ``with the written instructions of the consumer
to whom it relates.''
---------------------------------------------------------------------------
Implementing the FCRA's Definition of the Term ``Consumer Report''
The CFPB proposes Sec. 1022.4(d) pursuant to its authority under
FCRA section 621(e)(1) to ``prescribe regulations as may be necessary
or appropriate to administer and carry out the purposes and
objectives'' of the FCRA, including the definition of consumer report
in FCRA section 603(d). As noted above, a consumer report under the
FCRA is, in general, a communication by a consumer reporting agency of
any information that: (1) bears on at least one of seven specified
factors; and (2) is used or expected to be used or collected in whole
or in part for the purpose of serving as a factor in establishing a
consumer's eligibility for credit, insurance, or employment purposes or
for any other purpose authorized under FCRA section 604. The CFPB
preliminarily concludes that a consumer reporting agency's
communication of a personal identifier for a consumer that the consumer
reporting agency collected for the purpose of preparing a consumer
report about the consumer meets both prongs of the definition and,
therefore, that a communication of such information by a consumer
reporting agency is a consumer report.
The CFPB preliminarily concludes that personal identifiers for a
consumer bear on one or more of the seven factors specified in the
definition of consumer report. Those factors are a consumer's
creditworthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living.
Webster's dictionary defines ``characteristic'' as ``a
distinguishing trait, quality, or property.'' \124\ A consumer's names
(including aliases), age or date of birth, addresses, telephone
numbers, email addresses, and SSN or Individual Taxpayer Identification
Number (ITIN) are all themselves personal characteristics of the
consumer because they are personal traits, qualities, or properties
that serve to distinguish the consumer.\125\
---------------------------------------------------------------------------
\124\ See Characteristic, Merriam-Webster.com Dictionary,
https://www.merriam-webster.com/dictionary/characteristic (last
visited Oct. 30, 2024).
\125\ See, e.g., Moreland v. CoreLogic SafeRent LLC, No. SACV
13-470 AG ANX, 2013 WL 5811357, at *4 (C.D. Cal. Oct. 25, 2013)
(``Where a person lives is a fundamental `personal characteristic [
].' '').
---------------------------------------------------------------------------
Personal identifiers for a consumer also can bear on the specified
factors in other ways. For example, a consumer's current and former
names and aliases may bear on the consumer's mode of living by
revealing family associations, marital history, and the names the
consumer has chosen to use. Similarly, email addresses that the
consumer uses or has used may, for example, provide information about
the consumer's educational or employment associations. Addresses and
telephone numbers provide information about where a consumer has lived,
how often they have moved, and whether they receive mail at a post
office box, which are part of the consumer's mode of living. The fact
that no SSN is provided for a consumer or that another identification
number (such as an ITIN or a matricula consular number) is provided can
reveal information about the consumer's immigration status, which is a
personal characteristic and bears on the consumer's mode of living.
Additionally, the mere fact that a particular consumer reporting
agency or type of consumer reporting agency has personal identifiers
for a consumer can itself bear on one or more of the factors specified
in the definition of consumer report. For example, the fact that a
nationwide consumer reporting agency has personal identifiers for a
consumer suggests that it has credit records about the consumer and the
consumer is not ``credit invisible,'' which goes to the consumer's
credit capacity or credit standing. Similarly, the fact that a
particular type of specialty consumer reporting agency has personal
identifiers for a consumer might suggest that the consumer rents rather
than owns their home; has applied for individually underwritten life or
health insurance; has had claims filed against their homeowner's or
automobile insurance policies; or has a telecommunication, pay TV, or
utility account.\126\
---------------------------------------------------------------------------
\126\ See, e.g., Consumer Fin. Prot. Bureau, List of Consumer
Reporting Companies (2024), https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/companies-list/ (last visited Oct. 15, 2024) (``Most
tenant screening companies won't have information on you unless you
apply for rental housing or otherwise authorize a landlord or
property manager to obtain a report from them.''); Request Your MIB
Underwriting Services Consumer File, MIB Group, https://www.mib.com/request_your_record.html (last visited Oct. 15, 2024) (``You will
not have an MIB Underwriting Services Consumer File unless you have
applied for individually underwritten life or health insurance in
the last seven years.''); Natalie Todoroff & Jessa Claeys, What are
CLUE reports in insurance? Bankrate (Sept. 3, 2024), https://www.bankrate.com/insurance/homeowners-insurance/clue-report/
(describing information included in CLUE reports); NCTUE empowers
you to take control of your credit, NCTUE Consumers, https://nctue.com/consumers/ (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
The CFPB also preliminarily determines that personal identifiers
collected by consumer reporting agencies to prepare consumer reports
meet the second prong of the definition
[[Page 101417]]
of consumer report because they are used or expected to be used or
collected in whole or in part for the purpose of serving as a factor in
establishing the consumer's eligibility for consumer credit or
insurance, employment purposes, or other purposes authorized under FCRA
section 604. The personal identifiers at issue in this proposal are
only information that comes from entities that are already consumer
reporting agencies that furnish consumer reports, and the question is
whether such entities can take the sensitive contact information that
they collect to prepare consumer reports and sell it for purposes not
authorized under the FCRA. In that fact pattern, the CFPB preliminarily
determines that the sensitive contact information was ``collected in
whole or in part'' to populate consumer reports to furnish to clients
that use it for a permissible purpose. Proposed Sec. 1022.4(d) does
not address data brokers that sell contact information that was not
collected for the purpose of preparing consumer reports.
Moreover, every time any information from a consumer report, such
as income or employment history, is used as a factor in determining
eligibility for an FCRA purpose, a personal identifier for the consumer
must also be used. Otherwise, it would be impossible for users to be
sure that the information used from the consumer report relates to the
correct consumer.
Indeed, personal identifiers provided by consumer reporting
agencies can be critical in assessing whether applicable requirements
are met. For example, employers may be required for certain positions
to ensure that prospective employees do not appear on a sex offender
registry and may use names and other personal identifiers from consumer
reporting agencies to do so. Similarly, financial institutions and
others may use names and other personal identifiers in determining
whether an applicant for credit or other products or services is on the
list of Specially Designated Nationals maintained by the Office of
Foreign Assets Control (OFAC) or one of OFAC's other sanctions lists,
to ensure that OFAC's regulations do not prohibit them from approving
the transaction.\127\
---------------------------------------------------------------------------
\127\ See generally Off. of Foreign Assets Control, U.S. Dep't
of Treas., FFIEC, BSA/AML Manual: Office of Foreign Assets Control--
Overview, https://bsaaml.ffiec.gov/manual/OfficeOfForeignAssetsControl/01 (last visited Oct. 15, 2024); Cortez
v. Trans Union, LLC, 617 F.3d 688, 707-08 (3rd Cir. 2010) (``Trans
Union invites us to conclude that information that goes to the very
legality of a credit transaction is somehow not `a factor in
establishing the consumer's eligibility . . . for credit.'. . . . It
is difficult to imagine an inquiry more central to a consumer's
`eligibility' for credit than whether federal law prohibits
extending credit to that consumer in the first instance. The
applicability of the FCRA is not negated merely because the
creditor/dealership could have used the OFAC Screen to comply with
the USA PATRIOT Act, as well as deciding whether it was legal to
extend credit to the consumer.''); Off. of Foreign Assets Control,
U.S. Dep't of Treas., Frequently Asked Question #46 (Sept. 10,
2002), https://ofac.treasury.gov/faqs/46 (last visited Oct. 15,
2024) (discussing what to provide as a denial reason on an adverse
action notice if a loan meets an institution's underwriting
standards but is a true ``hit'' on the Specially Designated
Nationals list).
---------------------------------------------------------------------------
Personal identifiers provided by consumer reporting agencies can
also serve as a factor in eligibility determinations in other ways. For
example, age may be specifically considered in determining whether a
consumer meets requirements for credit and insurance products and
services. Minors, for example, may be ineligible to even enter into
contracts under State law, and some products such as reverse mortgages
are only offered to seniors.\128\ Age also can determine whether an
applicant is eligible for a particular employment position or for
benefits such as Social Security retirement benefits and Supplemental
Security Income.\129\ Similarly, whether a consumer has an SSN can
affect eligibility for employment, Social Security benefits, and
certain other government benefits.\130\
---------------------------------------------------------------------------
\128\ Fed. Trade Comm'n, Reverse Mortgages (Aug. 2022), https://consumer.ftc.gov/articles/reverse-mortgages (noting that you cannot
legally commit to a regular mortgage until you are 18, unless you
have a co-signer, and that you must be 62 or older to get a reverse
mortgage); cf. In re Trans Union Corp., FTC Docket No. 9255, at 31
(Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (explaining
various ways in which age had been used in credit granting
decisions).
\129\ See, e.g., Soc. Sec. Admin., Retirement Benefits, at 2-4
(2024), https://www.ssa.gov/pubs/EN-05-10035.pdf (explaining age
restrictions for Social Security retirement benefits); Soc. Sec.
Admin., Supplemental Security Income (SSI) Eligibility Requirements
(2024), Understanding SSI--SSI Eligibility (ssa.gov).
\130\ Soc. Sec. Admin., Social Security Numbers for Noncitizens
(Apr. 2023), https://www.ssa.gov/pubs/EN-05-10096.pdf (``You need an
SSN to work, collect Social Security benefits, and receive other
government services.'').
---------------------------------------------------------------------------
Address information provided by consumer reporting agencies can
also play a role in eligibility determinations. For example, many
financial service providers and insurance companies are only licensed
to operate in particular States and therefore can only offer their
products or services to consumers residing in those jurisdictions.
Federally regulated lenders are also prohibited from making a mortgage
loan to a consumer if a property is not covered by flood insurance and
is located in a Special Flood Hazard area where flood insurance is
available.\131\ Employment positions may be limited to residents of
certain localities.
---------------------------------------------------------------------------
\131\ 42 U.S.C. 4012a(b).
---------------------------------------------------------------------------
In light of all of these considerations, the CFPB preliminarily
concludes that communications by consumer reporting agencies of
personal identifiers for a consumer that are collected by a consumer
reporting agency for the purpose of preparing consumer reports about
the consumer are consumer reports. FCRA section 608 further supports
this interpretation by specifically permitting consumer reporting
agencies to share ``identifying information respecting any consumer,
limited to his name, address, former addresses, places of employment,
or former places of employment'' with a governmental agency
notwithstanding the permissible purpose requirements for consumer
reports.\132\ If identifying information were entirely excluded from
the definition of consumer report as industry has suggested, there
would have been no need for Congress to craft FCRA section 608 to
expressly allow sharing of certain identifying information with
government agencies.
---------------------------------------------------------------------------
\132\ 15 U.S.C. 1681f.
---------------------------------------------------------------------------
Proposed Sec. 1022.4(d) Would Promote the FCRA's Goals and Prevent
Misuse of Personal Identifiers
Proposed Sec. 1022.4(d) would promote the FCRA's goals of ensuring
accuracy and fairness in consumer reporting by ensuring that personal
identifiers collected by consumer reporting agencies for the purpose of
preparing consumer reports are subject to all of the FCRA's protections
that apply to consumer reports. A primary purpose of the FCRA is ``to
protect consumers from the transmission of inaccurate information about
them, and to establish credit reporting practices that utilize
accurate, relevant, and current information in a confidential and
responsible manner.'' \133\ The CFPB has long recognized how important
personal identifiers are in ensuring the accuracy of consumer
reports.\134\ Specifying that such information is a consumer report
when it is communicated on its own by a consumer reporting agency would
ensure that consumers receive notice when adverse actions are taken
based on the information, thereby alerting
[[Page 101418]]
consumers to inaccuracies in their personal identifiers as well as
increasing visibility for consumers into users' decision-making. It
would also help confirm that consumers have a right to dispute
incorrect personal identifiers maintained by consumer reporting
agencies and have their information corrected.\135\ For example, there
may be consumers who are being denied credit, insurance, employment, or
benefits due to an address or SSN discrepancy resulting from erroneous
information and who would benefit from an adverse action notice so they
can identify and clear up the error.
---------------------------------------------------------------------------
\133\ Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329,
1333 (9th Cir. 1995) (citations omitted).
\134\ For example, the CFPB highlighted in an advisory opinion
regarding name-only matching the importance of consumer reporting
agencies' matching procedures in ensuring accuracy. 86 FR 62468
(Nov. 10, 2021). However, even the best matching procedures cannot
prevent mistakes if the identifying information maintained by
consumer reporting agencies is itself wrong.
\135\ In the absence of a bright-line rule regarding personal
identifiers, at least one consumer reporting agency has taken the
position that consumer reporting agencies have no obligation to
investigate consumer disputes about inaccurate identifying
information that they use in generating consumer reports,
notwithstanding the fact that the FCRA clearly requires them to do
so. See Brief of Amici Curiae, Consumer Fin. Prot. Bureau and Fed.
Trade Comm'n in Supp. of Plaintiff-Appellant, Nelson v. Experian
Info. Sols., Inc., No. 4:21-cv-00894-CLM (11th Cir. filed Mar. 29,
2024), https://files.consumerfinance.gov/f/documents/cfpb_amicus-brief-nelson-v-experian_2024-03.pdf.
---------------------------------------------------------------------------
Providing that the term ``consumer report'' includes personal
identifiers collected by consumer reporting agencies to prepare
consumer reports would also protect consumers' privacy by limiting
access to such information to entities that have one of the purposes
recognized by Congress in the FCRA. As discussed elsewhere in this
document, recent studies by Duke University have found that data
brokers are openly and explicitly advertising for sale sensitive
demographic and other information about U.S. individuals, including
active-duty members of the military, their families, and veterans,
which can be used to identify and compromise or blackmail them in order
to obtain sensitive military information, threatening national
security.\136\ Personal identifiers may include sensitive information,
including SSNs and driver's license numbers, as well as addresses and
telephone numbers for people who do not wish to be located, such as
domestic violence survivors seeking to stay safe from their abusers.
Consumer groups have noted that, because consumer reporting agencies
sell ``credit header'' information, this information has become readily
available for purchase online. They have expressed concern that this
online marketplace for ``credit header'' information is used for
doxing, identity theft, harassment, and physical violence.\137\
Investigative reporting by 404 Media indicates that criminals have
obtained access to ``credit header'' information and are selling
unfettered access to such data to other criminals.\138\
---------------------------------------------------------------------------
\136\ Duke Report on Data Brokers and Military Personnel Data,
supra note 2; Duke Report on Data Brokers and Sensitive Data, supra
note 29.
\137\ See, e.g., Comment from stakeholders Just Futures Law,
Consumer Action, and six other nonprofits, Re: CFPB's Small Business
Advisory Review Panel for Consumer Reporting Rulemaking--Outline of
Proposals and Alternatives Under Consideration, at 2 (Nov. 6, 2023).
\138\ Joseph Cox, The Secret Weapon Hackers Can Use to Dox
Nearly Anyone in America for $15, 404 Media (Aug. 22, 2023), https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF (``This is the result of a secret weapon
criminals are selling access to online that appears to tap into an
especially powerful set of data: the target's credit header. . . .
Through a complex web of agreements and purchases, that data
trickles down from the credit bureaus to other companies who offer
it to debt collectors, insurance companies, and law enforcement. A
404 Media investigation has found that criminals have managed to tap
into that data supply chain, in some cases by stealing former law
enforcement officer's identities, and are selling unfettered access
to their criminal cohorts online.''); see also Joseph Cox & Emanuel
Maiberg, Fiverr Freelancers Offer to Dox Anyone With Powerful U.S.
Data Tool, 404 Media (July 2, 2024), https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/
(``Dozens of sellers on the freelancing platforming Fiverr claim to
have access to a powerful data tool used by private investigators,
law enforcement, and insurance firms which contains personal data on
much of the U.S. population. The sellers are then advertising the
ability to dig through that data for prospective buyers, including
uncovering peoples' Social Security numbers for as little as $30,
according to listings viewed by 404 Media. . . . The advertised tool
is TLOxp, maintained by the credit bureau TransUnion, and can also
provide a target's unlisted phone numbers, utilities, physical
addresses, and more.'').
---------------------------------------------------------------------------
Except for certain information that may be released to government
agencies under specific FCRA provisions, the proposal would curtail
consumer reporting agencies' ability to furnish without a permissible
purpose personal identifiers that had been collected for the purpose of
preparing consumer reports. The proposal would thus reduce the ability
of consumer reporting agencies to disclose sensitive contact
information that ultimately could be accessed and used by stalkers,
doxxers, domestic abusers, and other lawbreakers, as discussed above.
While the storage of Americans' sensitive data may be necessary to
facilitate lending, employment background checks, and other beneficial
uses prescribed under the FCRA, it cannot be used to facilitate crimes.
Impacts on Other Current Uses of Personal Identifiers
The Small Business Review Panel recommended that the CFPB consider
the impacts on current uses of ``credit header'' information
(including, e.g., for identity verification, fraud prevention and
detection, employment background checks, other investigations, and
digital advertising) and ways to mitigate any negative effects if
communications of ``credit header'' information are consumer
reports.\139\ Small entity representatives and others have noted that
``credit header'' information has numerous beneficial uses. For
example, it is often used currently to comply with legal obligations
related to identity verification. These obligations include customer
identification programs and anti-money laundering compliance
obligations pursuant to the USA PATRIOT Act and the Bank Secrecy Act,
which are designed to prevent and detect money laundering and the
financing of terrorism.\140\ According to industry trade associations,
``credit header'' information is also used for other purposes, such as
identifying and locating people in a range of contexts, including
missing children, victims of natural disasters, and responsible parties
and witnesses in insurance claims investigations and civil and criminal
matters.\141\ Other uses cited include investigating human trafficking,
ensuring that packages are sent to the correct address, preventing
online purchase fraud, and ensuring age-restricted content and
merchandise is not available to minors.
---------------------------------------------------------------------------
\139\ Small Business Review Panel Report, supra note 40, at 47-
48 & section 9.3.3.
\140\ For example, section 326 of the USA PATRIOT Act requires
the U.S. Department of Treasury's Financial Crimes Enforcement
Network (FinCEN) to prescribe regulations that require financial
institutions to establish programs for account opening that include:
(1) verifying the identity of any person seeking to open an account,
to the extent reasonable and practicable; (2) maintaining records of
the information used to verify the person's identity, including
name, address, and other identifying information; and (3)
determining whether the person appears on any lists of known or
suspected terrorists or terrorist organizations provided to the
financial institution by any government agency. 31 U.S.C. 5318(l).
\141\ Other examples cited include identifying and locating
owners of lost or stolen property, heirs, pension beneficiaries,
organ and tissue donors, suspects, terrorists, fugitives, tax
evaders, and parents and ex-spouses with delinquent child or spousal
support obligations.
---------------------------------------------------------------------------
Industry stakeholders have expressed concern that treating ``credit
header'' information as consumer report information may increase costs,
result in delays where time is of the essence, and cause consumer
frustration, while undermining efforts to combat money laundering,
terrorism, and other crimes. However, it appears that many of these
predictions overstate the consequences of reading the FCRA's definition
of consumer report to include communications of personal identifiers
collected by consumer reporting
[[Page 101419]]
agencies to prepare consumer reports. If the proposal is finalized,
identifying information would still be available in various ways. Many
current uses of such information, such as confirming an applicant meets
the minimum age requirement for a job or a loan, fall within specific
permissible purposes. If an entity has a permissible purpose under FCRA
section 604(a)(3) to obtain a consumer report, the entity can also use
the consumer report for identity verification and fraud prevention
activities conducted in connection with that permissible purpose. For
example, a creditor has a permissible purpose to use consumer report
information for identity verification and fraud prevention if such
activities are conducted in connection with a credit transaction that
involves an extension of credit to the consumer or review or collection
of a credit account of the consumer.\142\ A court order or a subpoena
can also provide an FCRA permissible purpose.\143\ Additionally, a
consumer's written instructions can provide a permissible purpose, such
as for any identity verification or fraud prevention activities that
are not conducted in connection with another permissible purpose.\144\
---------------------------------------------------------------------------
\142\ FCRA section 604(a)(3)(A), 15 U.S.C. 1681b(a)(3)(A).
\143\ FCRA section 604(a)(1), 15 U.S.C. 1681b(a)(1).
\144\ See infra discussion of proposed Sec. 1022.11.
---------------------------------------------------------------------------
Furthermore, proposed Sec. 1022.4(d) would not affect access to
identifying information from any sources that are not subject to the
FCRA. Proposed Sec. 1022.4(d) would not, for example, affect the
status or availability of an ordinary telephone directory or of any
other repository of identifying information that is not collected for
the purpose of preparing consumer reports. Other data sources could
include, for example, public records directly from a government entity,
such as property records, voter registrations, and professional license
filings.\145\
---------------------------------------------------------------------------
\145\ See discussion of government-run databases in the
discussion of proposed Sec. 1022.5 below.
---------------------------------------------------------------------------
Proposed Sec. 1022.4(d) also would not affect the status or
availability of identifying information obtained from financial
institutions for purposes other than to prepare consumer reports.\146\
The GLBA and Regulation P generally require financial institutions to
provide consumers with notice and a right to opt out of the sharing of
their nonpublic personal information with non-affiliated third parties,
but an exception to these requirements provides that financial
institutions can share such information ``to protect against or prevent
actual or potential fraud, unauthorized transactions, claims, or other
liability.'' \147\
---------------------------------------------------------------------------
\146\ To the extent any repository included identifying
information obtained from financial institutions, it would need to
comply with the restrictions and requirements of the GLBA and its
implementing regulations, including the limitations on reuse and
redisclosure. See, e.g., 15 U.S.C. 6802(c); 12 CFR 1016.11.
\147\ 15 U.S.C. 6802(e)(3)(B); 12 CFR 1016.15(a)(2)(ii). A
financial institution may provide identifying information to a non-
affiliated third party for purposes of identity verification and
fraud prevention pursuant to this exception, and Regulation P's
reuse and redisclosure provisions would allow the recipient of such
information to redisclose the information to other non-affiliated
third parties for the same purposes. 15 U.S.C. 6802(c); 12 CFR
1016.11(a)(1)(iii), (c)(3) (providing that information received
pursuant to an exception, such as the fraud exception, may generally
only be used or disclosed in the ordinary course of business to
carry out the activity covered by the exception under which the
recipient received the information). As long as the information was
not received under Regulation P's exception to the notice and opt
out requirements to allow disclosure of nonpublic personal
information for consumer reporting purposes (see 12 CFR
1016.15(a)(5)(i), allowing financial institutions to provide
consumers' nonpublic information to consumer reporting agencies in
accordance with the FCRA), or otherwise collected, expected to be
used, or used for the purpose of serving as a factor in establishing
the consumer's eligibility for an FCRA permissible purpose, the
communication of such data would not be a consumer report under
proposed Sec. 1022.4(d).
---------------------------------------------------------------------------
Some stakeholders have raised questions about the impact that this
proposed intervention might have on government agencies' access to
identifying information originating from consumer reporting agencies
for law enforcement and other purposes. Government agencies, including
local, Tribal, State, and Federal law enforcement, access personal
identifiers for numerous beneficial uses. These include for
facilitating access to and administering government benefits,
identifying and ruling out suspects for criminal investigations,
identifying witnesses, and other uses that may serve the public
interest.
Law enforcement and other government agencies currently obtain data
from a broad range of sources and proposed Sec. 1022.4(d) would not
affect many of these sources, such as government-run databases
addressed below in the discussion of proposed Sec. 1022.5. To the
extent that government agencies currently use information that would be
affected by proposed Sec. 1022.4(d), they would continue to be able to
access such information in a variety of ways if the proposed rule were
finalized. For example, FCRA section 608 provides that a consumer
reporting agency may furnish to a governmental agency the name,
address, former addresses, places of employment, or former places of
employment of any consumer even if no permissible purpose exists. FCRA
sections 626 and 627 also provide that, under specified circumstances,
consumer reporting agencies must provide certain consumer reporting
information to the FBI and a consumer report and all other information
in a consumer's file to certain government agencies for
counterintelligence or counterterrorism purposes.\148\ If government
agencies required additional information beyond what is available
pursuant to FCRA sections 608, 626, and 627, access could be obtained
through a court order, a subpoena, a consumer's written instructions,
or any other permissible purpose.
---------------------------------------------------------------------------
\148\ 15 U.S.C. 1681u, 1681v.
---------------------------------------------------------------------------
While personal identifiers would remain available to law
enforcement and other government agencies through these various
channels, the CFPB recognizes the value of government agencies' access
to personal identifiers in efficient, consolidated, and timely ways.
The CFPB therefore requests comment on proposed Sec. 1022.4(d) and how
best to maintain government agencies' access to personal identifiers in
order to ensure that the beneficial uses described above can continue
as usual. In particular, the CFPB requests comment on a potential
exemption from Sec. 1022.4(d) for communications consisting
exclusively of personal identifiers that are solely furnished to, or
solely used to furnish to, local, Tribal, State, and Federal
governments.
The CFPB is also continuing to consider the potential impacts of
proposed Sec. 1022.4(d) on the other areas identified by the Small
Business Review Panel. The CFPB requests comment on those impacts and
on ways to mitigate any potentially negative impacts.
Preventing Evasions of the FCRA
In addition to proposing Sec. 1022.4(d) pursuant to the CFPB's
authority to ``prescribe regulations as may be necessary or appropriate
to administer and carry out the purposes and objectives'' of the FCRA,
the CFPB also proposes Sec. 1022.4(d) pursuant to its rulemaking
authority under FCRA section 621(e) to prevent evasions of, and to
facilitate compliance with, the FCRA. Proposed Sec. 1022.4(d) would
facilitate compliance with the FCRA by establishing a clear, bright-
line rule on how the FCRA applies to personal identifiers. It also
would help to prevent evasions of the FCRA where consumer reporting
agencies willfully or otherwise ignore how the personal identifiers
they sell are used or expected to be used or
[[Page 101420]]
wrongly assume such information cannot bear on the specified factors.
The absence of a bright-line rule regarding personal identifiers
could raise more compliance concerns and make the rule more susceptible
to evasions than proposed Sec. 1022.4(d)'s categorical approach. As
noted above, the FTC's staff guidance in the 40 Years Staff Report
indicated that identifying information can be consumer report
information if it bears on any of the seven factors identified in the
FCRA and is used to determine eligibility.\149\ Rather than engaging in
the communication-by-communication analysis required under the FTC's
approach, many consumer reporting agencies and trade associations have
instead taken the position that communication of personal identifiers
is never a consumer report. Indeed, although the FTC recognized decades
ago that communications of age information drawn from consumer
reporting databases fall within the definition of a consumer
report,\150\ consumer reporting agencies have continued to include age
information, such as full or partial dates of birth, in the ``credit
header'' information they sell to entities that have no permissible
purpose under the FCRA, incorrectly claiming that such information is
not covered by the FCRA.\151\ As technology advances, uses of
identifying information in eligibility determinations are likely to
expand and develop in ways that may not be visible to regulators and
consumers, amplifying the concern that consumer reporting agencies may
violate the FCRA in the absence of a bright-line rule regarding
personal identifiers. The CFPB preliminarily determines that proposed
Sec. 1022.4(d)'s categorical approach with respect to personal
identifiers is necessary to facilitate compliance with the FCRA and to
prevent evasion of the FCRA by consumer reporting agencies that sell
personal identifiers without adequately considering whether the
information they are selling constitutes a consumer report.
---------------------------------------------------------------------------
\149\ FTC 40 Years Staff Report, supra note 21, at 21.
\150\ In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb.
10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (concluding based on
the evidence presented that ``age information falls within the
definition of a consumer report''); see also 65 FR 33645, 33668 n.35
(May 24, 2000) (noting that the FTC's 2000 decision determined that
age is consumer report information).
\151\ See, e.g., Matt Wiley, What Is Header Data?, Equifax (Feb.
22, 2021), https://www.equifax.com/business/blog/-/insight/article/what-is-header-data/); CLEAR Enhancements Overview, Thomson Reuters,
https://legal.thomsonreuters.com/content/dam/ewp-m/documents/legal/en/pdf/fact-sheets/clear-enhancements-2021.pdf (announcing inclusion
of full Equifax ``credit header'' information regarding date of
birth in CLEAR database) (last visited Oct. 15, 2024); Letter from
Ron Wyden, Sen., U.S. Senate, to Rohit Chopra, Director, CFPB (Dec.
8, 2021), https://www.wyden.senate.gov/imo/media/doc/CFPB%20Letter%20120821.pdf (describing sale of ``credit header''
information from the National Consumer Telecom and Utilities
Exchange including date of birth).
---------------------------------------------------------------------------
The CFPB requests comment on whether, in lieu of adopting the
approach of proposed Sec. 1022.4(d), a final rule should provide that
a communication by a consumer reporting agency of personal identifiers
can be a consumer report if the information meets the two-prong test in
proposed Sec. 1022.4(a)'s definition of consumer report. If the CFPB
adopted this alternative approach in a final rule, the final rule could
provide illustrative examples of communications by consumer reporting
agencies of personal identifiers that are consumer reports, such as
communications of age or address information. The CFPB requests comment
on examples that might be helpful to include if it were to adopt this
alternative approach in a final rule.
4(e) De-Identification of Information
Proposed Sec. 1022.4(e) addresses when a consumer reporting
agency's communication of de-identified information should be
considered a consumer report. Industry participants often assume that
information drawn from a consumer reporting database is not a consumer
report if the information has been aggregated or otherwise stripped of
identifying information. However, information that has been aggregated
or otherwise purportedly de-identified can often be used to re-identify
individuals and to target individuals to receive or not receive
marketing or used in other ways that may violate consumer privacy. The
CFPB is considering a range of options to address the risk of re-
identification of consumer report information that has been de-
identified.\152\ The CFPB therefore proposes three alternative versions
of Sec. 1022.4(e). The proposed alternatives are all designed to
further the FCRA's goal of ensuring the privacy of consumer
information, including by preventing targeted marketing using
purportedly de-identified consumer reporting information that could be
re-identified. Each alternative would have varying effects on the use
of de-identified information as discussed below.
---------------------------------------------------------------------------
\152\ In the Small Business Review Panel Outline, the CFPB
indicated that it was considering proposals to clarify whether and
when ``aggregated or anonymized'' consumer report information
constitutes or does not constitute a consumer report. Small Business
Review Panel Outline, supra note 39, at 11. The CFPB is using the
terms ``de-identified information'' and ``de-identification'' in
this proposal because it believes these terms capture information
that has been stripped of identifiers, through aggregation or other
means, and therefore can encompass information that has been
aggregated or anonymized or both. The term ``de-identified'' is
similar to the term ``anonymized'' that was used in the Outline but
more aptly conveys that there is a possibility that data may be re-
identified.
---------------------------------------------------------------------------
FCRA section 603(d)(1) defines consumer report, in part, as a
``communication of . . . information by a consumer reporting agency
bearing on a consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or
mode of living.'' \153\ FCRA section 603(c) defines a consumer as ``an
individual.'' \154\ Interpreting these terms, the FTC 40 Years Staff
Report states that ``information may constitute a consumer report even
if it does not identify the consumer by name if it could `otherwise
reasonably be linked to the consumer.' '' \155\ Extrapolating from that
statement, many stakeholders today believe that a communication of
information by a consumer reporting agency is not a consumer report if
the information is not linked or reasonably linkable to a specific
individual. Many stakeholders also often seem to assume that
information is not reasonably linkable when in fact it is.
---------------------------------------------------------------------------
\153\ 15 U.S.C. 1681a(d)(1).
\154\ 15 U.S.C. 1681a(c).
\155\ FTC 40 Years Staff Report, supra note 21, at 21.
---------------------------------------------------------------------------
In light of advances in technology and current industry practices,
the CFPB is concerned that the reasonably linkable standard articulated
in the FTC 40 Years Staff Report alone may not be sufficiently
protective of consumer reporting information that, while nominally de-
identified, may in fact be re-identifiable. The CFPB is aware that, in
many cases, consumers may be re-identified with relative ease from
purportedly de-identified datasets.\156\ Indeed, there have been
numerous reports over the years of supposedly de-identified data being
re-identified and revealing potentially sensitive personal information
such as web browsing
[[Page 101421]]
activity,\157\ medical information,\158\ and sexual orientation.\159\
For example, in one well-publicized case, researchers were able to
identify individuals from anonymized Netflix data with the help of
publicly available information.\160\ More recently, scientists reported
developing an algorithm capable of identifying ``99.98 percent of
Americans from almost any available data set with as few as 15
attributes, such as gender, ZIP code or marital status.'' \161\
Presumably, the potential to re-identify data that has been de-
identified will only increase as artificial intelligence and data
analytics technologies continue to improve.\162\ In the FCRA context,
concerns about potential re-identification of data that have been de-
identified are particularly pronounced due to the sensitivity of
consumer report information and the privacy goals that prompted
Congress to enact the statute.
---------------------------------------------------------------------------
\156\ See Kristen Cohen, Fed. Trade Comm'n, Location, Health,
and Other Sensitive Information: FTC Committed to Fully Enforcing
the Law Against Illegal Use and Sharing of Highly Sensitive Data
(July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal; The White House, Exec. Off. of the
President, Big Data: Seizing Opportunities, Preserving Values, at 8
(May 2014), https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf; Fed. Trade
Comm'n, Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers, at iv, 18-22 (Mar.
2012) (hereinafter 2012 FTC Privacy Report), https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers; see also Fed Trade Comm'n,
FTC Staff Report: Self-Regulatory Principles for Online Behavioral
Advertising: Tracking, Targeting, and Technology, at 20-21 (Feb.
2009), https://www.ftc.gov/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising.
\157\ See Press Release, Fed. Trade Comm'n, FTC Order Will Ban
Avast from Selling Browsing Data for Advertising Purposes, Require
It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data
After Claiming Its Products Would Block Online Tracking (Feb. 22,
2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over (browsing history combined with
persistent identifiers could be re-identified and connected to
individual consumers).
\158\ Chris Culnane et al., Health Data in an Open World: A
Report on Re-Identifying Patients in the MBS/PBS Dataset and the
Implications for Future Releases of Australian Government Data (Dec.
18, 2017), https://arxiv.org/pdf/1712.05627.
\159\ Marisa Iati & Michelle Boorstein, Case of High-Ranking
Cleric Allegedly Tracked on Grindr App Poses Rorschach Test for
Catholics, Wash. Post (July 21, 2021), https://www.washingtonpost.com/religion/2021/07/21/catholic-official-grindr-reaction/.
\160\ Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy
& Identity Prot., Fed. Trade Comm'n, to Reed Freeman, Counsel for
Netflix, Morrison & Foerster LLP, at 2 (Mar. 12, 2010), https://www.ftc.gov/legal-library/browse/cases-proceedings/closing-letters/netflix-inc.
\161\ Gina Kolata, Your Data Were `Anonymized'? These Scientists
Can Still Identify You, N.Y. Times (July 23, 2019), https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html; see
generally Paige Collings, Debunking the Myth of `Anonymous' Data,
Elec. Frontier Found. (Nov. 10, 2023), https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymous-data.
\162\ See 2012 FTC Privacy Report, supra note 156, at 20.
---------------------------------------------------------------------------
The CFPB is aware that consumer reporting agencies offer and sell a
variety of products that include information that has been drawn from
consumer reporting databases and that has been aggregated or otherwise
purportedly de-identified.\163\ Some of these products include
information that has been aggregated at a household or neighborhood
level (e.g., a ZIP Code or ZIP-plus-four Code segmentation); others may
include information aggregated according to specific behavioral
characteristics (e.g., consumers who shop at high-end retailers). Given
the potential ease with which household and other data can be re-
identified, the sale of these types of data raises concerns that
sensitive consumer reporting information may be disclosed in
circumstances where no FCRA permissible purpose exists, such as for
marketing. In light of these concerns, the CFPB is proposing three
alternative versions of Sec. 1022.4(e) and, as noted below, requests
comment on how each alternative, or combinations thereof, would affect
current uses of de-identified information drawn from consumer reporting
databases.
---------------------------------------------------------------------------
\163\ See, e.g., Robinson + Yu, Knowing the Score: New Data,
Underwriting, and Marketing in the Consumer Credit Marketplace, A
Guide for Financial Inclusion Stakeholders, at 2, 17-19 & tbl. 10
(Oct. 2014), https://www.upturn.org/static/files/Knowing_the_Score_Oct_2014_v1_1.pdf (providing examples of
aggregated marketing scores and noting that such scores ``have
become a primary way for credit bureaus to sell, and for creditors
and other actors to use, consumers' credit histories to market to
them with greater precision''); FTC Data Broker Report, supra note
25, at 19-21 (describing the creation of lists of consumers who
share similar characteristics, including lists that segment
consumers based on their financial status, e.g., underbanked, credit
worthiness, and upscale retail card holder); In re Trans Union, 129
FTC 417, 493-94 (2000), https://www.ftc.gov/system/files/documents/commission_decision_volumes/volume-129/vol129complete_0.pdf
(discussing a ZIP-plus-four aggregation, i.e., an average of the
credit data of a geographical area covering 5 to 15 households
divided by the number of people in the area who have credit
reports).
---------------------------------------------------------------------------
Proposed Alternative One
The first proposed version of Sec. 1022.4(e) is a bright-line
approach under which de-identification of information would not be
relevant to a determination of whether the definition of consumer
report is met. Under this alternative, a consumer reporting agency's
communication of de-identified information that would constitute a
consumer report if the information were not de-identified would be a
consumer report, regardless of the measures taken to de-identify the
information. While different methods of de-identification, including
different methods of aggregation, may present varying levels of re-
identification risk, this alternative would set a bright-line rule that
de-identification of information in a communication does not affect
whether the communication is a consumer report. Of the three proposed
alternatives, this would be the most protective of consumer privacy and
would place the greatest restriction on information sharing. This
alternative could address concerns about consumer reporting information
being used for differentiated marketing and pricing, such as sending or
not sending advertisements to certain consumers based on aggregated
indicators of the financial well-being of their neighborhood. This
approach would also provide a bright line for supervisory and
enforcement purposes that would make it easier to identify and prove
violations. However, it would also constrict or eliminate the
availability of de-identified information from consumer reporting
databases for policy analysis and development, research, advocacy work,
model and risk score development, and market monitoring. For example,
the National Mortgage Database (NMDB), which the CFPB and the Federal
Housing Finance Agency (FHFA) jointly established, uses de-identified
information from a nationwide consumer reporting agency to facilitate
Federal agencies' monitoring of the U.S. mortgage markets. Such
information would no longer be available to assist with such monitoring
if the first alternative version of proposed Sec. 1022.4(e) were
finalized. Under this alternative, a consumer reporting agency could
generally only disclose information drawn from a consumer reporting
database for a purpose that is permissible under the FCRA, regardless
of the extent to which the information is de-identified.
Proposed Alternative Two
The second proposed version of Sec. 1022.4(e) would provide that
de-identification of information is not relevant to a determination of
whether the definition of consumer report in Sec. 1022.4(a) is met if
the information is still linked or linkable to a consumer. Under this
alternative, a consumer reporting agency's communication of de-
identified information that would constitute a consumer report if the
information were not de-identified is a consumer report if the
information is still linked or linkable to a consumer. The Office of
Management and Budget (OMB), the National Institute of Standards and
Technology, and various other Federal agencies have used similar
``linked or linkable'' standards in defining ``personally identifiable
[[Page 101422]]
information.'' \164\ For example, the U.S. Securities and Exchange
Commission's crowdfunding regulation defines ``personally identifiable
information'' as ``information that can be used to distinguish or trace
an individual's identity, either alone or when combined with other
personal or identifying information that is linked or linkable to a
specific individual.'' \165\ The ``linked or linkable'' test in the
second proposed version of Sec. 1022.4(e) would be similar to the
``linked or reasonably linkable'' standard in the third proposed
version of Sec. 1022.4(e) (discussed below) but omits the word
``reasonably'' and therefore would be more protective of consumer
privacy and more restrictive of information flows.
---------------------------------------------------------------------------
\164\ E.g., 6 CFR 37.3 (defining personally identifiable
information in Department of Homeland Security's regulation on Real
ID Driver's Licenses and Identification Cards); 45 CFR 75.2
(defining personally identifiable information for purposes of
uniform administrative requirements, cost principles, and audit
requirements for Department of Health and Human Services awards); M-
17-12, Memorandum for Heads of Exec. Dep'ts & Agencies from Shaun
Donovan, Off. of Mgmt. & Budget, at 8 (Jan. 3, 2017), https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf (defining personally identifiable
information for purposes of Federal agency data breaches); U.S. Gen.
Servs. Admin., Order CIO 2180.2, GSA Rules of Behavior for Handling
Personally Identifiable Information (PII) (Oct. 8, 2019), https://www.gsa.gov/directives-library/gsa-rules-of-behavior-for-handling-personally-identifiable-information-pii-2; Erika McCallister et al.,
Nat'l Inst. of Standards and Tech., U.S. Dep't of Com., Special
Publ'n 800-122, Guide to Protecting the Confidentiality of
Personally Identifiable Information (PII) at ES-1 (Apr. 2010),
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=904990; U.S.
Dep't of Def., DoD 5400.11-R, Dep't of Def. Privacy Program, at 9
(May 14, 2007), https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/540011r.pdf.
\165\ 17 CFR 227.305.
---------------------------------------------------------------------------
Proposed Alternative Three
The third proposed version of Sec. 1022.4(e) would provide that
de-identification of information is not relevant to a determination of
whether the definition of consumer report is met if at least one of the
conditions set forth in proposed Sec. 1022.4(e)(1)(i) through (iii) is
met. The CFPB designed this proposed alternative to allow uses of de-
identified data that present less risk for consumers, such as research
conducted by academic institutions and government agencies, to
continue, while nonetheless ensuring the FCRA's protections apply where
appropriate (for example, to sales of de-identified consumer report
information when such information is re-identified). Under this
alternative, a consumer reporting agency's communication of de-
identified information that would constitute a consumer report if the
information were not de-identified is a consumer report if at least one
of the conditions set forth in proposed Sec. 1022.4(e)(1)(i) through
(iii) is met. The CFPB could finalize any of the conditions alone or in
combination. The conditions in a final rule thus could include one or
more of the following: (i) the information is still linked or
reasonably linkable to a consumer; (ii) the information is used to
inform a business decision about a particular consumer, such as a
decision whether to target marketing to that consumer; or (iii) a
person that directly or indirectly receives the communication, or any
information from the communication, identifies the consumer to whom
information from the communication pertains.
Using the ``linked or reasonably linkable'' standard set forth in
proposed Sec. 1022.4(e)(1)(i) as a condition in the third proposed
version would be the most consistent with how the FTC has approached
the issue of de-identified information under the FCRA.\166\ A
reasonableness test also is embedded in various other Federal
provisions that address personally identifiable information or other
types of information in identifiable form, such as the Family
Educational Rights and Privacy Act (FERPA) and the Health Insurance
Portability and Accountability Act (HIPAA).\167\ Additionally, the
comprehensive privacy laws that various States have enacted incorporate
a ``linked or reasonably linkable'' approach in defining ``personal
data'' or similar concepts.\168\ While almost any piece of data
theoretically could be linked to a consumer, a reasonableness standard
would consider whether such a link is practical or likely in light of
current technology and context, and could evolve over time as
technology advances. Including ``reasonably'' in the condition might
help to ensure that the rule does not unnecessarily limit the use of
data that does not pose a meaningful risk to consumers, such as
research conducted by government and academic institutions. On the
other hand, it might make Sec. 1022.4(e) more difficult to enforce
than the first and second proposed alternatives, particularly if the
examples and other conditions in the third proposed alternative are not
finalized.
---------------------------------------------------------------------------
\166\ FTC 40 Years Staff Report, supra note 21, at 21.
\167\ See 34 CFR 99.3 (defining personally identifiable
information for purposes of FERPA to include ``information that,
alone or in combination, is linked or linkable to a specific student
that would allow a reasonable person in the school community, who
does not have personal knowledge of the relevant circumstances, to
identify the student with reasonable certainty''); 45 CFR 160.103
(defining individually identifiable health information for purposes
of the HIPPA as ``information that is a subset of health
information, including demographic information collected from an
individual . . . [t]hat identifies the individual; or [w]ith respect
to which there is a reasonable basis to believe the information can
be used to identify the individual'').
\168\ See, e.g., Cal. Civ. Code section 1798.140(v)(1) (defining
personal information as ``information that identifies, relates to,
describes, is reasonably capable of being associated with, or could
reasonably be linked, directly or indirectly, with a particular
consumer or household''); Colo. Rev. Stat. section 6-1-1303(17)
(defining personal data as ``information that is linked or
reasonably linkable to an identified or identifiable individual''
and providing that the term ``[d]oes not include de-identified data
or publicly available information''); Va. Code section 59.1-575
(similar).
---------------------------------------------------------------------------
The third proposed version includes in Sec. 1022.4(e)(2) three
examples of information that would be considered linked or reasonably
linkable to a consumer. The three examples are intended to clarify the
``linked or reasonably linkable'' condition in proposed Sec.
1022.4(e)(1)(i) and to ensure the condition is read in a way that is
protective of consumer privacy. The examples could help to clarify when
information that has nominally been aggregated or otherwise stripped of
identifiers is reasonably linkable to a consumer. The first two
examples, in proposed Sec. 1022.4(e)(2)(i) and (ii), are information
that identifies a specific household or that identifies a specific
ZIP+4 Code in which a consumer resides. The risk of re-identification
of information is extremely high when data is provided at the household
level, as households may contain a small number of occupants, and
household data may be merged with other available sources of
information to tease out information about specific occupants.
Similarly, the ZIP+4 Code denotes a highly specific delivery segment
for U.S. mail and can identify a small population, such as the people
who live on one side of a block or in a specific building or house or
who use a specific Post Office box.\169\ Data provided about consumers
in a specific ZIP+4 Code thus raise similar concerns about potential
re-identification as data identifying a specific household.
---------------------------------------------------------------------------
\169\ U.S. Postal Serv., Postal Facts: 41,704 ZIP Codes, https://facts.usps.com/42000-zip-codes/; U.S. Postal Serv., The United
States Postal Service: An American History, at 68 (2022), https://about.usps.com/publications/pub100.pdf?_gl=1*2lqbsa*_gcl_au*Njg4MjQ2MzU4LjE3MTU4OTA3MDM.*_ga*MTkzNTkxMDUwNy4xNzE1ODkwNzAz*_ga_3NXP3C8S9V*MTcxNTg5MDcwMy4xLjAuMTcxNTg5MDcwMy4wLjAuMA.
---------------------------------------------------------------------------
The third example, in proposed Sec. 1022.4(e)(2)(iii), relates to
persistent identifiers, such as a cookie identifier, an internet
Protocol (IP) address, a
[[Page 101423]]
processor or device serial number, or a unique device identifier.\170\
Improper collection or misuse of persistent identifiers can raise
substantial privacy concerns.\171\ Persistent identifiers that can be
used to recognize the consumer over time and across different websites
or online services would be considered ``reasonably linkable'' to a
consumer under the third proposed version because of the risk that they
could be used to identify a specific consumer.
---------------------------------------------------------------------------
\170\ Proposed Sec. 1022.4(e)(2)(iii) is similar to part of the
definition of personal information in the FTC's regulation
implementing the Children's Online Privacy Protection Act. See 16
CFR 312.2 (defining personal information to include ``[a] persistent
identifier that can be used to recognize a user over time and across
different websites or online services'' and noting that ``[s]uch
persistent identifier includes, but is not limited to, a customer
number held in a cookie, an internet Protocol (IP) address, a
processor or device serial number, or unique device identifier'').
\171\ See, e.g., Press Release, Fed. Trade Comm'n, Developer of
Apps Popular with Children Agrees to Settle FTC Allegations It
Illegally Collected Kids' Data without Parental Consent (June 4,
2020), https://www.ftc.gov/news-events/news/press-releases/2020/06/developer-apps-popular-children-agrees-settle-ftc-allegations-it-illegally-collected-kids-data (collection of persistent identifiers
to track users to deliver targeted advertising in violation of
Children's Online Privacy Protection Act); Press Release, Fed. Trade
Comm'n, Google and YouTube Will Pay Record $170 Million for Alleged
Violations of Children's Privacy Law (Sept. 4, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations-childrens-privacy-law
(same); Press Release, Fed. Trade Comm'n, Online Advertiser Settles
FTC Charges ScanScout Deceptively Used Flash Cookies to Track
Consumers Online (Nov. 8, 2011), https://www.ftc.gov/news-events/news/press-releases/2011/11/online-advertiser-settles-ftc-charges-scanscout-deceptively-used-flash-cookies-track-consumers
(misrepresentations of consumers' ability to control online tracking
through persistent identifiers); Press Release, Fed. Trade Comm'n,
FTC Puts an End to Tactics of Online Advertising Company That
Deceived Consumers Who Wanted to ``Opt Out'' from Targeted Ads (Mar.
14, 2011), https://www.ftc.gov/news-events/news/press-releases/2011/03/ftc-puts-end-tactics-online-advertising-company-deceived-consumers-who-wanted-opt-out-targeted-ads (same).
---------------------------------------------------------------------------
The second condition in the third proposed alternative, as set
forth in proposed Sec. 1022.4(e)(1)(ii), is if the information is used
to inform a business decision about a particular consumer. Including
this condition would mean, for example, that a consumer reporting
agency's communication of income information from a consumer reporting
database that is aggregated at the ZIP Code level would be a consumer
report if the aggregated information was used to target marketing to a
particular consumer who lives in that ZIP Code (such as by sending a
mailing to an address). The proposal also would help to prevent the use
of consumer report information to facilitate targeted advertising, such
as in generating ``look-alike'' audiences, where an entity might use
information--such as consumer characteristics, behaviors, and credit
history--from an existing audience to determine the types of offers to
present to a different audience bearing the same or similar identified
characteristics. The CFPB preliminarily determines that such use of
consumer reporting information to facilitate targeted marketing is
counter to the FCRA's purpose to limit the ways in which such sensitive
data can be used. The CFPB is concerned that such marketing techniques
might be used to unfairly exclude certain types of consumers from
particular offers or to single them out for less favorable offers or
terms. The business decision condition would not affect the use of de-
identified consumer reporting information to develop scoring or other
models, since model development does not involve a business decision
about a particular consumer for purposes of proposed Sec.
1022.4(e)(1)(ii). As noted below, the CFPB requests comment on whether
business decision condition would prevent the use of de-identified
consumer reporting information for any potentially beneficial uses and,
if so, whether the CFPB should take any steps to address that.
The final condition included in the third proposed version, as set
forth in proposed Sec. 1022.4(e)(1)(iii), is if a person that directly
or indirectly receives the communication, or any information from it,
identifies the consumer to whom information pertains. This condition
would address the concern that subsequent users may be able to re-
identify data that has been nominally de-identified. Finalizing this
condition would give consumer reporting agencies a strong incentive to
ensure de-identified consumer report information is not re-identified
through a number of tactics, including contractual limitations,
stronger due diligence on the recipients of de-identified consumer
report information, or technological means to prevent re-identification
because, if either the initial recipient or a downstream recipient of
such information identifies the consumer to whom the information
pertains, the communication would be deemed a consumer report subject
to all of the FCRA's protections.
The Small Business Review Panel recommended that, in evaluating
whether and when the communication of aggregated consumer report
information constitutes a consumer report, the CFPB should continue to
consider both the consumer harms it is seeking to prevent and whether
the CFPB's definition might preclude the continued use of aggregated
consumer reporting data for purposes like internal account reviews by
financial institutions and economic research by government agencies and
others. Some small entity representatives noted that such data
currently are used for many reasons other than marketing, such as by
financial institutions to refine their credit and pricing policies to
avoid losses and offer consumers the most competitive pricing possible.
As discussed above, the CFPB has proposed a range of alternatives. The
CFPB recognizes that the proposed alternatives that are likely to more
fully address consumer harms related to privacy, including targeted
marketing, are also likely to have impacts on other uses of aggregated
or otherwise de-identified information. In contrast, the CFPB
preliminarily determines that proposed alternative three would not
impact the uses of aggregated consumer reporting data that the Small
Business Review Panel raised but requests comment on whether that is
the case. As noted below, the CFPB also requests comment on the extent
to which each alternative would protect consumer privacy and preclude
use of aggregated or otherwise de-identified information for beneficial
purposes.
The CFPB proposes the alternative versions of Sec. 1022.4(e)
pursuant to its authority under FCRA section 621(e) to ``prescribe
regulations as may be necessary or appropriate to administer and carry
out the purposes and objectives'' of the FCRA because information that
purportedly has been de-identified through aggregation or other means
nevertheless can bear on a consumer where it is derived from identified
information and can be re-identifiable. The CFPB also proposes Sec.
1022.4(e) pursuant to its authority under FCRA section 621(e) to
prevent evasions of, and to facilitate compliance with, the FCRA.
Permitting the sale of purportedly de-identified consumer reporting
information to entities that lack a permissible purpose may allow
market participants to evade the FCRA's permissible purpose
restrictions where the information can be re-identified. Because it is
not possible to know ex ante with certainty whether a particular item
of de-identified information will be re-identified, it may be necessary
to include within the consumer report definition some communications of
de-identified consumer reporting information that never will be re-
identified in practice in order to ensure that the definition covers
all such communications that will be re-identified.
[[Page 101424]]
The CFPB requests comment on the likelihood that de-identified
information drawn from consumer reporting databases will be re-
identified and on the extent to which such information is currently
used for marketing purposes. The CFPB also requests comment on the
extent to which such information is used for purposes that may be
beneficial for consumers, such as research or policy analysis and
development, and whether other data sources exist that could be used
for any or all of those purposes if a final rule were to constrict the
availability of de-identified information drawn from consumer reporting
databases.
The CFPB also requests comment on the three alternative versions of
proposed Sec. 1022.4(e), and on which of the three if any (or
combinations thereof), it should adopt in a final rule and, if it
adopts the third alternative version, on what condition(s) it should
adopt. If the CFPB adopts the third alternative version with the linked
or reasonably linkable condition, the CFPB also requests comment on
whether it should finalize the examples of information that is
reasonably linkable in proposed Sec. 1022.4(e)(2) and on whether, as
part of the ``reasonably linkable'' condition, it should consider any
other additional, more specific, or alternative requirements or
examples, such as ones that affirm the ability of government and
academic institutions to conduct research using de-identified
information.\172\ The CFPB also requests comment on whether there are
any other conditions that it should consider as part of the proposed
third alternative for when de-identified information is or is not a
consumer report. The CFPB also requests comment on the extent to which
each of the three proposed alternatives would (1) protect consumer
privacy and curtail targeted marketing using information drawn from
consumer reporting databases and (2) preclude use of aggregated or
otherwise de-identified information for any purposes that are
beneficial. In addition, the CFPB requests comment on whether there are
other approaches, in addition to the three alternative versions of
proposed Sec. 1022.4(e), that it should consider for addressing when a
consumer reporting agency's communication of de-identified information
is a consumer report.
---------------------------------------------------------------------------
\172\ The CFPB seeks comment on whether it should consider
adding any portions of the three-prong test for a reasonably
linkable standard that the FTC articulated in a 2012 privacy report
or any other additional or more specific requirements to the
reasonably linkable standard. See 2012 FTC Privacy Report, supra
note 156, at 18-21. Although the FTC did not develop its three-prong
standard specifically to apply in the FCRA context, the CFPB seeks
comment on whether some or all of the test's elements could be
relevant to the reasonably linkable standard in this rulemaking. If
applied in the FCRA context, such a test could, for example, provide
that the following three conditions would need to be met for data
not to be reasonably linkable: (1) the consumer reporting agency
must take reasonable measures to ensure that the data are de-
identified; (2) the initial recipient must publicly commit not to
try to re-identify the data; and (3) any downstream recipients must
be contractually prohibited from trying to re-identify the data.
Similar three-prong tests appear in some State laws defining the
term ``de-identified'' and in proposed Federal legislation on data
privacy. See, e.g., Cal. Civ. Code section 1798.140(m); Utah Code
Ann. section 13-61-101(14); Press Release, Energy & Com. Chair
Rodgers, Committee Chairs Rodgers, Cantwell Unveil Historic Draft
Comprehensive Data Privacy Legislation (Apr. 7, 2024), https://energycommerce.house.gov/posts/committee-chairs-rodgers-cantwell-unveil-historic-draft-comprehensive-data-privacy-legislation.
---------------------------------------------------------------------------
Section 1022.5 Definition; Consumer Reporting Agency
In general, a consumer reporting agency under FCRA section 603(f)
is a person that regularly engages in assembling or evaluating consumer
credit or other information about consumers for the purpose of
furnishing consumer reports to third parties. To be a consumer
reporting agency, the person must undertake these activities for
monetary fees, dues, or on a cooperative nonprofit basis and must use a
means of interstate commerce to prepare or furnish the reports. The
CFPB proposes Sec. 1022.5 to implement and interpret this definition.
Proposed Sec. 1022.5(a) restates the FCRA definition with minor
wording and organizational changes for clarity. Proposed Sec.
1022.5(b) interprets the phrase ``assembling or evaluating.'' The CFPB
also proposes to revise several provisions in existing Regulation V
that currently cross-reference the definition of consumer reporting
agency in FCRA section 603(f) to instead cross-reference the definition
in proposed Sec. 1022.5.\173\
---------------------------------------------------------------------------
\173\ These provisions are 12 CFR 1022.41(c)(2); 1022.71(g);
1022.130(d); and 1022.142(a), (b)(3). If this proposal and the
Medical Debt Proposed Rule, supra note 42, are both finalized, the
CFPB intends to revise in the same way cross-references to the terms
``consumer report'' and ``consumer reporting agency'' in Sec.
1022.38, as proposed to be added to Regulation V by the Medical Debt
Proposed Rule.
---------------------------------------------------------------------------
As discussed in the analysis of proposed Sec. 1022.4(b) and (c),
if certain other provisions of the CFPB's proposed rule are finalized,
many additional data broker products will qualify as consumer reports,
and the data brokers who sell those products will qualify as consumer
reporting agencies (assuming they satisfy the other elements of that
definition). For example, if proposed Sec. 1022.4(c)(2) is finalized,
all data brokers that sell information about a consumer's credit
history, credit score, debt payments, or income or financial tier
generally will qualify as consumer reporting agencies selling consumer
reports.\174\
---------------------------------------------------------------------------
\174\ This would include, for example, enrollment management
companies that sell or use financial data, including information
about income and creditworthiness, to help educational institutions
set tuition prices and scholarship award amounts. See, e.g., Lilah
Burke, Why colleges are using algorithms to determine financial aid
levels, Higher Ed Dive (Sept. 5, 2023), https://www.highereddive.com/news/colleges-enrollment-algorithms-aid-students/692601/. An enrollment management company could also
qualify as a consumer reporting agency if a recipient of the
information uses it for an FCRA purpose (such as credit
underwriting), see proposed Sec. 1022.4(b), or if the company
expects or should expect that a recipient of the information will
use it for such a purpose, see proposed Sec. 1022.4(c)(1).
---------------------------------------------------------------------------
However, the proposed rule would not turn into consumer reporting
agencies a range of non-data broker entities that have long been
outside the FCRA's scope. For example, newspapers and similar entities
that publish news or information that concerns local, national, or
international events or other matters of public interest would not be
consumer reporting agencies based on those activities--even if their
reporting includes information about a consumer's credit history,
credit score, debt payments, or income or financial tier--because they
do not assemble or evaluate information about consumers for the purpose
of furnishing consumer reports to third parties.\175\ Rather, these
entities assemble or evaluate information on consumers for the purpose
of reporting news to the public. Their incidental reporting of an
information type listed in proposed Sec. 1022.4(c)(2) does not change
that their purpose is to report news to the public. The same analysis
would apply when such information appears in a book, blog post, motion
picture, or podcast episode: the presence of that information would not
turn the publisher of the book, post, movie, or podcast into a consumer
reporting agency because the publisher is not acting for the purpose of
furnishing consumer reports.\176\ This interpretation
[[Page 101425]]
is logical given the protections accorded to the press by the First
Amendment.
---------------------------------------------------------------------------
\175\ See Barge v. Apple Computer, Inc., 164 F.3d 617 (2d Cir.
1998) (unpublished table decision) (holding that a newspaper article
was not a consumer report provided by a consumer reporting agency).
\176\ Additionally, a person that does not engage in the
practice of assembling or evaluating consumer information ``for
monetary fees, dues, or on a cooperative nonprofit basis'' is not a
consumer reporting agency under FCRA section 603(f) and proposed
Sec. 1022.5(a). Thus, even if a person produces what would
otherwise appear to be a consumer report, the person is not a
consumer reporting agency if it does not charge for the report. This
requirement provides an additional reason why news organizations,
website operators, and other sources that make information available
to the public for free are not consumer reporting agencies under the
proposed interpretation.
---------------------------------------------------------------------------
Likewise, this proposal is not intended to alter the longstanding
interpretation of the FCRA that a government agency or government-run
database that provides information only to other branches of the
government is not a consumer reporting agency--regardless of the
purposes for which it provides information or the types of information
it provides--because no information is provided to third parties. For
example, as FTC staff have stated, although the Office of Personnel
Management collects data on current and potential Federal employees and
transmits it to other government agencies, the Office of Personnel
Management ``is not a CRA . . . because the recipient is another
governmental branch and not a `third party.' '' \177\
---------------------------------------------------------------------------
\177\ FTC 40 Years Staff Report, supra note 21, at 31. It is
also the case that many of these databases do not charge a fee to
users. See supra note 176.
---------------------------------------------------------------------------
Nor is this proposal intended to alter the longstanding
interpretation that the FCRA's consumer reporting agency requirements
generally do not apply to government agencies or government-run
databases that provide information to the public, such as the Federal
Public Access to Court Electronic Records (PACER) website. These
entities are required by statute to carry out certain information-
sharing purposes, and treating them as consumer reporting agencies
would run counter to those statutes and the FCRA itself.\178\ Further,
the FCRA imposes obligations on consumer reporting agencies--such as
FCRA section 609(a)'s requirement to disclose information in consumers'
files at their request and section 605(a)'s requirement to exclude most
information more than seven years old--that may be incompatible with
the operations of these entities.\179\ Treating these entities as
consumer reporting agencies also could lead to absurd results, such as
potentially turning the entities or individuals who provide information
to them into furnishers under the FCRA.\180\
---------------------------------------------------------------------------
\178\ Ollestad v. Kelley, 573 F.2d 1109, 1111 (9th Cir. 1978);
see also FTC 40 Years Staff Report, supra note 21, at 31; FTC
Informal Staff Opinion Letter to Copple (June 10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-copple-06-10-98; FTC Informal Staff Opinion Letter to Pickett (July
10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-pickett-07-10-98; FTC Informal Staff
Opinion Letter to Goeke (June 9, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-goeke-06-09-98.
\179\ 15 U.S.C. 1681g(a) and 1681c(a).
\180\ See FTC 40 Years Staff Report, supra note 21, at 8-10.
---------------------------------------------------------------------------
5(b) Assembling or Evaluating
In General
Proposed Sec. 1022.5(b) interprets the phrase ``assembling or
evaluating'' in the definition of consumer reporting agency. Proposed
Sec. 1022.5(b)(1) would clarify that a person assembles or evaluates
consumer credit information or other information about consumers if the
person: (1) collects, brings together, gathers, or retains such
information; (2) appraises, assesses, makes a judgment regarding,
determines or fixes the value of, verifies, or validates such
information; or (3) contributes to or alters the content of such
information. Proposed Sec. 1022.5(b)(2) provides examples of conduct
that would constitute assembling or evaluating under the interpretation
in proposed Sec. 1022.5(b)(1). The CFPB proposes Sec. 1022.5(b) as an
interpretation of the FCRA's definition of consumer reporting agency
and to facilitate compliance with the statute.
The FCRA does not define the terms ``assembling'' and
``evaluating.'' But the FCRA is a remedial statute \181\ with a focus
on ensuring the accuracy of information in consumer reports. FCRA
section 602(b) provides that the purpose of the FCRA is to require
consumer reporting agencies to adopt reasonable procedures to meet the
needs of commerce for information about consumers in a manner that is
fair and equitable to the consumer with regard to accuracy and other
factors.\182\ In light of this purpose, the CFPB preliminarily
determines that Congress intended for the terms ``assembling'' and
``evaluating'' to be interpreted broadly \183\ to protect consumers.
Whenever an entity assembles or evaluates consumer information, the
entity may introduce inaccuracies into consumer reports that can harm
consumers. Consumer reports play an important role in key aspects of
consumers' lives such as credit, housing, and employment. Accuracy in
consumer reports therefore is of vital importance to consumers and the
consumer reporting system. Consistent with these FCRA purposes, the
CFPB proposes Sec. 1022.5(b) to clarify that assembling or evaluating
encompasses the activities described in the proposed regulatory text.
Proposed Sec. 1022.5(b) should also facilitate compliance by
interpreting key terms that are undefined in the FCRA.
---------------------------------------------------------------------------
\181\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
\182\ See, e.g., 115 Cong. Rec. 2410, 2411 (1969) (The FCRA's
principal Congressional sponsor described ``inaccurate or misleading
information'' as ``perhaps the most serious problem in the credit
reporting industry.''); 15 U.S.C. 1681(a)(1) (``The banking system
is dependent upon fair and accurate credit reporting. Inaccurate
credit reports directly impair the efficiency of the banking system,
and unfair credit reporting methods undermine the public confidence
which is essential to the continued functioning of the banking
system.'').
\183\ Interpreting assembling or evaluating broadly is
consistent with FTC staff opinion letters and legislative history.
See, e.g., FTC Informal Staff Opinion Letter to LeBlanc (June 9,
1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-leblanc-06-09-98 (``[I]t is clear from a review of
the legislative history that Congress intended for the FCRA to cover
a very broad range of `assembling' or `evaluating' activities.'').
---------------------------------------------------------------------------
The activities identified in proposed Sec. 1022.5(b) are
consistent with dictionary definitions of assemble or evaluate, which
plainly encompass a wide range of activity. Dictionary definitions of
assemble include ``to bring together'' \184\ and ``to gather, collect,
convene.'' \185\ Dictionary definitions of evaluate include ``to
determine or fix the value of'' \186\ and ``[t]o determine the
importance, effectiveness, or worth of; assess.'' \187\
---------------------------------------------------------------------------
\184\ See Assemble, Merriam-Webster.com Dictionary Online,
https://www.merriam-webster.com/dictionary/
assemble#:~:text=1,fit%20together%20the%20parts%20of (last visited
Oct. 15, 2024).
\185\ See Assemble, Oxford English Dictionary Online, https://www.oed.com/dictionary/assemble_v1 (last visited Oct. 15, 2024).
\186\ See Evaluate, Merriam-Webster.com Dictionary Online,
https://www.merriam-webster.com/dictionary/evaluate (last visited
Oct. 15, 2024).
\187\ See Evaluate, Am. Heritage Dictionary of the English
Language Online (2022), https://www.ahdictionary.com/word/search.html?q=evaluate (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
The activities identified in proposed Sec. 1022.5(b)(1) are also
consistent with longstanding FTC staff guidance regarding the meaning
of the terms ``assemble'' and ``evaluate.'' FTC staff have opined that
assembling as used in the definition of consumer reporting agency
means, for example, ``gathering, collecting, or bringing together
consumer information such as data obtained from [consumer reporting
agencies] or other third parties, or items provided by the consumer in
an application.'' \188\ And FTC staff have opined that evaluating
encompasses a broad range of activities, including ``appraising,
assessing, determining or
[[Page 101426]]
making a judgment on . . . information.'' \189\ For example, FTC staff
noted that, ``[i]f an intermediary contributes to (or takes an action
that determines) the content of the information conveyed to'' a third
party, the intermediary is ``assembling or evaluating'' the
information.\190\
---------------------------------------------------------------------------
\188\ FTC 40 Years Staff Report, supra note 21, at 29.
\189\ Id.
\190\ FTC Informal Staff Opinion Letter to Islinger (June 9,
1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-islinger-06-09-98.
---------------------------------------------------------------------------
Proposed Sec. 1022.5(b)(1) is also consistent with how courts have
interpreted assembling and evaluating. For example, one court opined
that assembling requires only ``that the assembler gather or group the
information''; it does not require the entity assembling the
information to change the information's contents.\191\ Thus, for
example, when an entity gathered arrest data from sheriff's offices and
``grouped [the arrest data] together into a database,'' the court
deemed that ``action sufficient to satisfy the `assemble' requirement
of FCRA.'' \192\ Another court found that the terms ``assembling'' and
``evaluating'' applied to the activities of a background screening
agency that combined a criminal history report that the agency had not
created with the results of a personal interview.\193\ Similarly, a
court found that an entity assembled consumer information when it
combined a list of open judgments and other public records information
pertaining to consumers.\194\
---------------------------------------------------------------------------
\191\ Lewis v. Ohio Pro. Elec. Network LLC, 190 F. Supp. 2d
1049, 1057-58 (S.D. Ohio 2002) (noting that ``one who assembles
information does not necessarily change its contents'').
\192\ Id.
\193\ Poore v. Sterling Testing Sys., Inc., 410 F. Supp. 2d 557,
569 (E.D. Ky. 2006); see also Adams v. Nat'l Eng'g Serv. Corp., 620
F. Supp. 2d 319, 324-28 (D. Conn. 2009).
\194\ McGrath v. Credit Lenders Serv. Agency, Inc., No. CV 20-
2042, 2022 WL 580566, at *6 & n.9 (E.D. Pa. Feb. 25, 2022).
---------------------------------------------------------------------------
Proposed Examples of Assembling or Evaluating
Proposed Sec. 1022.5(b)(2) provides five non-exhaustive examples
of when a person assembles or evaluates consumer credit information or
other information about consumers for purposes of the proposed
interpretation of assembling or evaluating in Sec. 1022.5(b)(1). These
examples only illustrate when a person assembles or evaluates for
purposes of the definition of consumer reporting agency and do not
address the other elements of that definition. In order to be a
consumer reporting agency, a person would need to meet every element of
that definition.
The first example, in proposed Sec. 1022.5(b)(2)(i), illustrates
that a person assembles or evaluates when the person collects
information from a data source and then groups or categorizes it,
regardless of whether the person alters or changes the information.
When a person groups or categorizes information, the person necessarily
assesses or makes a judgment regarding the information to determine in
which group or category the information belongs. The example thus
provides that a person assembles or evaluates when the person collects
information from a consumer's bank account and assesses it, such as by
grouping or categorizing it based on transaction type. The CFPB
understands that data aggregators often engage in such activities. The
CFPB understands, for instance, that, when a data aggregator collects
information from a consumer's bank account, the data aggregator may
apply its own taxonomy to group or categorize the collected
information. To take just one factual scenario, a data aggregator that
collects bank account information pursuant to consumer authorization in
connection with a loan application may group or categorize deposits or
withdrawals by type of income or expense, such as ``rent'' and ``loan
repayment,'' prior to sharing it with the lender. In doing so, the data
aggregator assembles or evaluates the information.
The second example, in proposed Sec. 1022.5(b)(2)(ii), illustrates
that a person assembles or evaluates when the person alters or modifies
the content of consumer information, including for formatting purposes.
For example, when a person collects consumer information from multiple
sources, the formats in which the information is received may not be
uniform, e.g., the person may receive date fields with four digits for
the year from one data source and receive date fields with two digits
for the year from a different data source. The proposed example
provides that a person assembles or evaluates when the person modifies
date fields in this circumstance to ensure consistency.
The third example, in proposed Sec. 1022.5(b)(2)(iii), illustrates
that a person assembles or evaluates consumer information when the
person determines the value of such information, such as by arranging
or ordering it based on perceived relevance to the user. For example,
when entities bring together online search results related to consumer
information, they may need to determine the value of the information to
make decisions about how the results will be ordered. Entities can use
a variety of methods, such as algorithms or an individual's judgment,
to make such decisions. Regardless of the method, under proposed Sec.
1022.5(b)(1), a person that makes a judgment about the order in which
to display search results has assembled or evaluated the information.
The proposed example thus provides that a person assembles or evaluates
when the person hosts a searchable online database regarding consumers'
criminal histories and orders search results in order of perceived
relevance to the user.
The fourth example, in proposed Sec. 1022.5(b)(2)(iv), illustrates
that a person assembles or evaluates consumer information when the
person retains information about consumers. Given that retention of
consumer information typically involves gathering information, it is
consistent with the plain meaning of the statutory term ``assemble.''
Similarly, retention of information typically involves a periodic
evaluation of which data to retain, in what manner, and for how long.
The proposed example thus provides that a person assembles or evaluates
when it retains information about a consumer, such as by retaining data
files containing consumers' payment histories in a database or
electronic file system.
The fifth example, in proposed Sec. 1022.5(b)(2)(v), illustrates
that a person assembles or evaluates consumer information when the
person verifies or validates information received about a consumer.
Verification and validation of information involve assessing
information for errors to ensure accuracy and determining the
trustworthiness of the information. For example, when a person verifies
or validates that a consumer's date of birth received from a third
party matches the consumer's date of birth as listed in an external
database or is properly formatted, the person assesses the data for any
errors or incompleteness. A person verifying or validating data would
be assembling or evaluating the data regardless of whether the person
takes action to correct any errors it finds.
The Small Business Review Panel recommended that, given the CFPB's
intent to define the phrase assembling or evaluating, the CFPB should
further clarify the activities that fall within that phrase.\195\ The
details in proposed Sec. 1022.5(b), including the examples in proposed
Sec. 1022.5(b)(2), are responsive to the Panel's recommendation to
provide a more bright-line definition for when entities, such as data
brokers that facilitate consumer-authorized data
[[Page 101427]]
sharing, are assembling or evaluating for purposes of the definition of
consumer reporting agency. The Panel also recommended that the CFPB
should, in developing its proposal regarding assembling or evaluating,
take into consideration its Personal Financial Data Rights rulemaking.
The CFPB has considered its proposed interpretation of assembling or
evaluating in light of that rulemaking and acknowledges concerns
expressed by small entity representatives that an expansive
interpretation of assembling or evaluating may cause some entities,
like data aggregators, to stop transmitting consumer data to avoid
becoming consumer reporting agencies. The CFPB requests comment on this
issue.
---------------------------------------------------------------------------
\195\ Small Business Review Panel Report, supra note 40, at 47.
---------------------------------------------------------------------------
Pursuant to a Panel recommendation, the CFPB also requests comment
on the implications of its proposed interpretation of assembling or
evaluating for technology providers and platforms used by consumer
reporting agencies and others in mortgage lending and other industries.
Noting that assembling or evaluating is just one component of the
definition of consumer reporting agency, the CFPB generally requests
comment on the kinds of entities that could be covered as consumer
reporting agencies if the proposed definition of assembling or
evaluating were finalized.
Subpart B--Permissible Purposes of Consumer Reports
The CFPB proposes Sec. Sec. 1022.10 through 1022.13 to implement
FCRA section 604(a), which describes circumstances under which a
consumer reporting agency may furnish a report, referred to as
permissible purposes of consumer reports. Except as specifically
discussed in the analysis of subpart B below, the CFPB proposes to
restate the statutory provisions with only minor wording or
organizational changes for clarity. Relatedly, the CFPB proposes to
revise the cross-reference to FCRA section 604(a) in Sec.
1022.41(c)(1) in existing Regulation V to instead cross-reference the
permissible purposes of consumer reports as set forth in proposed Sec.
1022.10 through Sec. 1022.13.
Section 1022.10 Permissible Purposes of Consumer Reports; In General
10(a) In General
FCRA section604(a) provides that, subject to FCRA section 604(c), a
consumer reporting agency may furnish a consumer report only under
specific enumerated circumstances, i.e., permissible purposes. The CFPB
proposes to implement this general provision in Sec. 1022.10(a) with
only minor wording or organizational changes for clarity.
10(b) Furnish a Consumer Report
Proposed Sec. 1022.10(b) would address what it means for a
consumer reporting agency to ``furnish'' a consumer report, as that
term is used in FCRA section 604(a) and proposed Sec. 1022.10(a).
10(b)(1)
Proposed Sec. 1022.10(b)(1) states that a consumer reporting
agency furnishes a consumer report if it provides the consumer report
to a person. The FCRA does not define either the term ``furnish'' or
the phrase ``furnish a consumer report.'' However, the ordinary meaning
of the term ``furnish'' is ``to provide'' or ``supply.'' \196\ The CFPB
proposes Sec. 1022.10(b)(1) to implement the term consistent with
these definitions and the FCRA's purposes.
---------------------------------------------------------------------------
\196\ See Furnish, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/furnish (last visited Oct. 15,
2024).
---------------------------------------------------------------------------
10(b)(2)
A core pillar of the FCRA is the limitation in section 604(a) on
the dissemination of consumer reports except for one of the permissible
purposes identified by Congress. For instance, except in narrowly
defined circumstances, consumer reporting agencies generally are
prohibited from furnishing a consumer report to a third party for
marketing or advertising purposes. Consistent with the FCRA's
prohibition on the use of consumer report information for non-
permissible purposes, proposed Sec. 1022.10(b)(2) provides that the
term ``furnish'' includes instances where a consumer reporting agency
does not technically transfer a consumer report but facilitates a
person's use of any information in the consumer report for that
person's financial gain. The proposed provision would thus further the
FCRA's general prohibition on the use of consumer report information
for marketing and advertising purposes without a permissible purpose
and prevent evasion thereof, regardless of whether the report is
provided to the user.
The CFPB understands that, despite the general prohibition in the
FCRA, some consumer reporting agencies use information from consumer
reports to present advertisements to consumers from third parties. For
example, a merchant might want to advertise to an audience of consumers
based on income, credit score, education, and credit usage ratio. The
merchant might provide the relevant attributes of the target audience
to a consumer reporting agency, which might use its consumer report
data to identify that audience. Then, the consumer reporting agency or
its service provider might deliver the merchant's advertisement to
consumers in the target audience. The consumer reporting agency might
believe that, because it is not technically transferring the consumer
report to the merchant in this scenario but rather is using a
workaround to allow the merchant to still obtain the financial benefit
of the consumer report information, no consumer report has been
furnished and, therefore, that the activity is permissible under the
FCRA.
However, this business model is incompatible with the goals of the
FCRA's general prohibition on the use of consumer reports for marketing
or advertising purposes. The FCRA's prescreening provision strictly
limits the use of consumer reports for marketing or advertising
purposes unless the consumer authorizes such use. Congress provided
that, absent such authorization, consumer reporting agencies must allow
consumers to opt out of the prescreening process, third parties must
provide firm offers of credit or insurance to consumers whose
information they receive, and both consumer reporting agencies and
third parties must comply with notice requirements.\197\ However, some
entities have used the business model described above to deliver
advertisements to consumers without these statutory protections. This
business model allows third parties to advance their private financial
interests as if they had delivered advertising in compliance with the
prescreening provision. The proposed provision would make clear that
consumer reporting agencies cannot use technological and contractual
workarounds to profit off consumers' sensitive consumer report
information in circumstances that fall outside the FCRA's permissible
purposes, and that run counter to the protections Congress intended to
provide under the FCRA.
---------------------------------------------------------------------------
\197\ 15 U.S.C. 1681b(c), (e), 1681m(d).
---------------------------------------------------------------------------
Not only can the business model described above run counter to the
FCRA's statutory limitations on when consumer reporting agencies may
furnish a consumer report, but it also undermines the FCRA's core
interest in protecting consumer privacy against certain types of
marketing.\198\ If the advertisement is unwanted, then its delivery
alone is an intrusion on the
[[Page 101428]]
consumer's right to be left alone. And modern advertising poses
additional privacy harms. Most advertising is delivered online,\199\
and online advertisement business models may reveal personal
information to a third party. For example, online advertisements could
allow a third party to determine if a consumer visiting the third
party's website has navigated there through an advertisement delivered
by a consumer reporting agency or its service provider.\200\ This could
enable the third party to connect the consumer's identifying
information, such as their IP address or browser fingerprint, to the
consumer report criteria used to target the advertisement, thereby
revealing sensitive consumer reporting information about particular
consumers.\201\ Indeed, this information is similar to what a third
party would gain through prescreening under FCRA section 604(c)(2)--
where the third party knows the consumer report criteria of the
advertisement's audience and receives the consumer's identifying
information from the consumer reporting agency--but without any of the
protections or restrictions that Congress intended to afford under that
provision.\202\ In contrast, using consumer report information for
other purposes, such as academic research, may pose less risk of re-
identification because it involves third parties that are generally
interested in researching broader economic trends in order to try to
advance public welfare rather than initiating a business relationship
with an individual consumer. More broadly, the use of consumers'
sensitive financial information in an advertising system, often
involving many intermediaries with limited accountability, contributes
to a commercial surveillance apparatus that harms people by invading
their privacy.\203\
---------------------------------------------------------------------------
\198\ 115 Cong. Rec. 2415 (Jan. 31, 1969) (Senator Proxmire, who
introduced the FCRA, believed it would ``preclude the furnishing of
information . . . to market research firms or to other business
firms who are simply on fishing expeditions.'').
\199\ Digital advertising in the United States--statistics &
facts, Statista (June 18, 2024), https://www.statista.com/topics/1176/online-advertising/#topicOverview.
\200\ See, e.g., Learn about final URLs and tracking templates,
Google, https://support.google.com/google-ads/answer/6273460?hl=en
(last visited Oct. 15, 2024); URL Tracking with Upgraded URLs,
Microsoft (Mar. 19, 2023), https://learn.microsoft.com/en-us/advertising/guides/url-tracking-upgraded-urls?view=bingads-13.
\201\ A similar possibility for linking a consumer to the
consumer report criteria used to target the advertisement exists for
marketing and advertising delivered by mail, if for example the
mailed advertisement contains a QR code or other method for the
consumer to navigate to a specific page on the third party's website
created for a particular advertising campaign.
\202\ 15 U.S.C. 1681b(c)(2).
\203\ See Michelle Faverio, Key Findings About Americans and
Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/short-reads/2023/10/18/key-findings-about-americans-and-data-privacy/ (finding that 61 percent of respondents
feel skeptical that anything they do to manage their privacy online
will make much difference).
---------------------------------------------------------------------------
Proposed Sec. 1022.10(b)(2) would provide that, consistent with
the FCRA's purposes and Congress' intent to strictly limit use of
consumer reports for marketing or advertising purposes, the phrase
``furnish a consumer report'' includes facilitating a third party's use
of any information from the consumer report for the third party's
financial gain. Under proposed Sec. 1022.10(b)(2), if a consumer
reporting agency engages in the business model described above by
allowing a third party to seek financial gain from consumer report
information, regardless of whether such information is transmitted to
the third party, the information is a consumer report, and the consumer
reporting agency would have furnished it to a third party. Proposed
Sec. 1022.10(b)(2) would thus help ensure that consumer reporting
agencies do not use technological or contractual maneuvers to enable
third parties to use consumer report information for marketing or
advertising in a manner not permitted under the FCRA.
The CFPB proposes Sec. 1022.10(b)(2) to implement FCRA section
604(a). Proposed Sec. 1022.10(b)(2) provides that a consumer reporting
agency furnishes a consumer report if it facilitates a person's use of
the consumer report for the person's financial gain. The CFPB
preliminarily determines that this approach is necessary or appropriate
to carry out the protections afforded under the statute. The CFPB also
preliminarily determines that proposed Sec. 1022.10(b)(2) is necessary
or appropriate to prevent evasion. In allowing prescreening (subject to
the consumer's opt-out rights), Congress endeavored to balance the
privacy invasion created by the use of sensitive consumer report
information for marketing and advertising without the consumer's
consent with the potential benefit to consumers of a firm offer of
credit or insurance.\204\ The CFPB preliminarily determines that
proposed Sec. 1022.10(b)(2) reflects the balance Congress intended to
strike. Proposed Sec. 1022.10(b)(2) specifically addresses uses of
consumer report information that further a third party's profit-seeking
activity because the CFPB has preliminarily determined that those uses
present the greatest risk of evasion at this time. Specifically,
facilitating a person's use of a consumer report for that person's
financial gain presents a significant risk of evasion of the FCRA's
limitations on the use of consumer reports for marketing or
advertising.
---------------------------------------------------------------------------
\204\ See S. Rep. No. 103-209, at 13-14 (1993); Trans Union
Corp. v. FTC, 267 F.3d 1138, 1143 (D.C. Cir. 2001) (``Congress
apparently believe[d] that people are more willing to reveal
personal information in return for guaranteed offers of credit than
for catalogs and sales pitches.'').
---------------------------------------------------------------------------
The Small Business Review Panel recommended that the CFPB consider
whether the proposal could permit targeted marketing in situations
where there might be low risk of consumer harm. The CFPB notes that the
proposal would not limit either the use of non-consumer reports for
advertising purposes or the use of consumer reports pursuant to written
instructions or for prescreening purposes in compliance with FCRA
section 604(c). But the CFPB preliminarily determines that using
consumer reports for general advertising purposes is a harmful practice
that the statute prohibits.
The CFPB requests comment on proposed Sec. 1022.10(b)(2),
including on the proposal's impact on purposes other than marketing and
advertising where consumer reporting agencies might facilitate the use
of consumer reports for a third party's financial gain without directly
transferring the reports to the third party. The CFPB also requests
comment on examples a final rule could provide to further clarify when
a consumer reporting agency ``facilitates the use'' of a consumer
report and when such use would be for a person's ``financial gain.''
Proposed Sec. 1022.10(b)(2) would not prohibit academics, nonprofit
organizations, and government agencies from seeking the assistance of
consumer reporting agencies in analyzing consumer report information or
delivering surveys to consumers based on consumer report information.
Such entities generally do not use consumer reports for financial gain.
However, the CFPB requests comment on whether other beneficial uses of
consumer reports might be prohibited by proposed Sec. 1022.10(b)(2),
and on alternatives that would accomplish the goals of proposed Sec.
1022.10(b) while preserving those uses.
Section 1022.11 Permissible Purpose Based on a Consumer's Written
Instructions
Proposed Sec. 1022.11 would implement the written instructions
permissible purpose in FCRA section 604(a)(2). FCRA section 604(a)(2)
provides that a consumer reporting agency may furnish a consumer report
in accordance with the written instructions of the consumer to whom it
relates. Proposed Sec. 1022.11 implements FCRA section 604(a)(2) by
specifying the conditions that would need to be satisfied for a
consumer
[[Page 101429]]
reporting agency to furnish a consumer report under this permissible
purpose. The CFPB also proposes Sec. 1022.11 to prevent evasion of
FCRA section 604's restrictions and to further the consumer privacy
purposes of the permissible purpose provisions in FCRA section 604.
The conditions, which are set forth in proposed Sec. 1022.11(b),
include, among other provisions, a disclosure requirement; limitations
on the procurement, use, and retention of consumer reports obtained
pursuant to a consumer's written instructions; and a requirement
regarding revocation. While either the consumer reporting agency or the
person to whom the consumer report will be furnished would be
authorized to obtain the consumer's express consent to the furnishing
of the consumer report and to provide the required disclosure, the
consumer reporting agency ultimately would be responsible for ensuring
that it furnishes a consumer report in accordance with FCRA section
604(a)(2) and proposed Sec. 1022.11.\205\ Proposed Sec. 1022.11(b)
and (c) align closely with the requirements for third-party
authorization in subpart D of the CFPB's Personal Financial Data Rights
final rule.\206\
---------------------------------------------------------------------------
\205\ To use or obtain a consumer report, a user is
independently responsible for ensuring it has one of the permissible
purposes in FCRA section 604. See FCRA section 604(f), 15 U.S.C.
1681b(f).
\206\ 89 FR 90838 (Nov. 18, 2024) (hereinafter PFDR Rule).
---------------------------------------------------------------------------
Meaning of ``In Accordance With the Written Instructions of the
Consumer''
The CFPB preliminarily determines that proposed Sec. 1022.11 is
``necessary or appropriate to administer and carry out the purposes and
objectives'' of the FCRA as stated in FCRA section 621(e)(1). The CFPB
proposes that the phrase ``in accordance with the written instructions
of the consumer'' requires, at a minimum, that the consumer
affirmatively directs a consumer reporting agency to furnish their
consumer report to a third party, that the consumer is informed of and
reasonably expects the scope of the use of their consumer report, and
that the consumer retains control over such access and use. The term
``instruction'' means ``a direction,'' an ``authoritative order,'' or a
``command.'' \207\ The phrase ``in accordance with'' means to ``agree
with'' or ``follow.'' \208\ Taken together, Congress's use of the term
``written instructions'' suggests that, for the written instructions
permissible purpose to apply, the consumer must provide affirmative,
written direction for a consumer reporting agency to furnish a consumer
report to a third party, and the consumer report must be furnished and
used in accordance with those instructions.
---------------------------------------------------------------------------
\207\ See Instructions, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/instructions (last visited Oct.
15, 2024) (defining ``instructions'' to mean ``a direction calling
for compliance: order''). See also Instruction, Oxford English
Dictionary Online, https://www.oed.com/dictionary/instruction_n?tab=meaning_and_use#387233 (last visited Oct. 15,
2024) (``An authoritative order to be obeyed; an oral or written
command. Frequently in plural or as a mass noun: orders,
directives'').
\208\ See In accordance with, Merriam-Webster.com Dictionary,
https://www.merriam-webster.com/dictionary/in%20accordance%20with
(last visited Oct. 15, 2024) (defining ``in accordance with'' to
mean ``in a way that agrees with or follows (something, such as a
rule or request)'').
---------------------------------------------------------------------------
Similarly, the CFPB preliminarily determines that FCRA section
604(a)(2) also requires that the consumer is informed of and can
reasonably anticipate at the very least how their consumer report will
be used, including by whom, for how long, and for what purposes. It
stands to reason that a consumer report cannot meaningfully be provided
``in accordance with the consumer's written instructions'' if the
consumer does not understand or cannot reasonably anticipate how their
consumer report will be used. Such an interpretation of the written
instructions permissible purpose is also in accordance with FTC staff
guidance, which has previously cautioned against purported
``instructions'' that are based on language that is ``not a
sufficiently specific instruction from the consumer to authorize a
[consumer reporting agency] to provide a consumer report.'' \209\
Broad, lengthy, or otherwise confusing consent forms are inadequate to
meet the statute's requirement that the consumer be informed and able
to reasonably anticipate how their consumer report will be used.
---------------------------------------------------------------------------
\209\ FTC 40 Years Staff Report, supra note 21, at 43 n.1.
---------------------------------------------------------------------------
Finally, a consumer's ability to direct the furnishing and use of
their consumer report suggests that the consumer must have the power to
revoke such consent. Accordingly, the CFPB proposes that the written
instructions permissible purpose requires that a consumer may revoke
any prior consent without interference.
The CFPB also preliminarily determines that interpreting the
written instructions permissible purpose to require the consumer's
affirmative, knowing, and revocable consent is consistent with the
overall structure and purpose of the FCRA's permissible purpose
provisions. As stated in FCRA section 602(a)(4), Congress enacted the
FCRA to, among other things, ``[e]nsure that consumer reporting
agencies exercise their grave responsibilities with . . . respect for
the consumer's right to privacy.'' \210\ As courts have also
recognized, ``[a] major purpose of the [FCRA] is the privacy'' of
consumer data.\211\ A central component of how the FCRA protects
consumer privacy is by limiting the circumstances under which consumer
reporting agencies may disclose consumer information. Specifically,
FCRA section 604 identifies an exclusive list of permissible purposes
for which consumer reporting agencies may furnish consumer reports,
including, in section 604(a)(2), in accordance with the written
instructions of the consumer to whom the report relates. Section 604(a)
states that a consumer reporting agency may furnish consumer reports
under these circumstances ``and no other.'' \212\
---------------------------------------------------------------------------
\210\ See S. Rep. No. 91-517, at 1 (1969) (The statute was
enacted to ``prevent an undue invasion of the individual's right of
privacy in the collection and dissemination of credit
information.'').
\211\ Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir.
1996).
\212\ See also supra note 35 (discussing other provisions
establishing additional limited circumstances under which consumer
reporting agencies are permitted or required to disclose certain
information to government agencies).
---------------------------------------------------------------------------
The phrase ``[i]n accordance with the written instructions of the
consumer'' should be construed in a manner that is consistent with the
central role FCRA section 604 plays in protecting consumer privacy. The
CFPB preliminarily determines that, if the written instructions
permissible purpose is construed to allow consumer reporting agencies
to furnish, or third parties to obtain, a consumer report in
circumstances in which the consumer does not understand that their
consumer report will be furnished, to whom, or for what purposes, it
would undermine the core consumer privacy purposes of the permissible
purpose provisions.\213\ Therefore, the CFPB preliminarily determines
that, consistent with the purposes of the FCRA, FCRA section 604(a)(2)
requires a demanding standard of consent that does not subvert a
consumer's intent.
---------------------------------------------------------------------------
\213\ The CFPB notes that, in addition to section 604(a)(2), the
FCRA includes other permissible purpose provisions requiring
consumer authorization or consent in various circumstances. See,
e.g., FCRA section 604(b)(2)(A), 15 U.S.C. 1681b(b)(2)(A), and FCRA
section 604(c)(1)(A), 15 U.S.C. 1681b(c)(1)(A). The CFPB is not
addressing the scope or meaning of those provisions in this
document.
---------------------------------------------------------------------------
Finally, the conditions set forth in proposed Sec. 1022.11 are
also necessary to prevent evasion of the written instructions
permissible purpose. The CFPB is concerned that companies are evading
the written instructions permissible purpose by purportedly
[[Page 101430]]
obtaining consumer consent to furnish or procure consumer reports
through vague authorizations buried in lengthy terms and conditions, as
a result of which consumers likely do not understand that they are
providing consent or understand the scope of such consent. For example,
the CFPB understands that many credit card issuers include, as part of
lengthy account agreements, language granting themselves the ongoing
authority to obtain and use consumer reports for reasons unrelated to
underwriting and servicing the account, such as sending the consumer
new marketing offers. Similarly, the CFPB understands that some
entities that provide credit monitoring services include language in
customer service agreements that consumers must sign prior to receiving
the services that grants the credit monitoring service provider the
authority to use the consumer report to provide unsolicited
advertisements to the consumer for other financial products or services
on behalf of a third party.
The CFPB preliminarily concludes that such agreements are not in
accordance with the written instructions of the consumer because the
consumer likely is not informed or able to reasonably anticipate such
uses of their consumer reports when signing up for such products. For
example, research suggests consumers often do not understand how
companies will use their behavioral or transactional data, even when
such use is purportedly obtained pursuant to consumer consent.\214\
Moreover, research also indicates that, as a general matter, consumers
often affirmatively do not want their personal or financial data to be
accessed or used,\215\ providing further evidence that consumers are
not affirmatively and knowingly directing that such information be
shared. Often, when companies include terms and conditions that grant
themselves access to consumer reports, the terms set few or no limits
on the duration of the access and with whom or for what purposes the
company can further share a consumer report with third parties.\216\ As
a result, consumers are not informed about the scope of the consent
they are purportedly providing.
---------------------------------------------------------------------------
\214\ See Ramy El-Dardiry et al., Brave New Data: Policy
Pathways for the Data Economy in an Imperfect World, CPB Netherlands
Bureau for Econ. Policy Analysis, at 10 (July 2021), https://www.cpb.nl/sites/default/files/omnidownload/CPB-uk-Policy-Brief-Brave-new-datah.pdf (``Consumers cannot see what companies are doing
with their data, nor can they read all of the data terms of use or
oversee the consequences.'').
\215\ See, e.g., Colleen McClain et al., How Americans View Data
Privacy: The Role of Technology Companies, AI and Regulation--Plus
Personal experiences with Data Breaches, Passwords, Cybersecurity
and Privacy Policies, Pew Rsch. Ctr., at 15 (Oct. 18, 2023), https://www.pewresearch.org/internet/wp-content/uploads/sites/9/2023/10/PI_2023.10.18_Data-Privacy_FINAL.pdf (stating that ``81 [percent of
consumers] say they feel very or somewhat concerned with how
companies use the data they collect about them'').
\216\ See, e.g., Krystal Scanlon, Even financial services
businesses want a piece of the ad pie now, Digiday (June 3, 2024),
https://digiday.com/marketing/even-financial-services-businesses-want-a-piece-of-the-ad-pie-now/ (describing increasing push for
financial services companies to include advertising and data mining
in standard contracts); Brogan v. Fred Beans Chevrolet, Inc., 855 F.
App'x 825, 827 (3d Cir. 2021) (consumer alleged that he did not
understand at the time he signed a contract that his consumer report
would be furnished to multiple banks over a longer period of time).
See also Malbrough v. State Farm Fire & Cas. Co., No. Civ. A. 96-
1540, 1997 WL 159511, at *4-5 (E.D. La. Mar. 31, 1997) (noting that
misrepresentations or misunderstanding could cause a consumer's
written instructions to be invalid).
---------------------------------------------------------------------------
Proposed Conditions Implementing Written Instructions Permissible
Purpose
As discussed above, the CFPB preliminarily determines that the
written instructions permissible purpose should be interpreted to mean
that a consumer is informed of and reasonably expects the scope of a
given use, and the consumer retains control over such use. Proposed
Sec. 1022.11 sets forth conditions intended to ensure that these core
components of FCRA section 604(a)(2) are satisfied and to prevent
evasion thereof.
In proposing Sec. 1022.11, the CFPB has considered its PFDR
rulemaking, and particularly the authorized third-party provisions in
that rulemaking. Similar to the aims of the written instructions
permissible purpose in the FCRA, the PFDR Rule seeks to ensure that the
consumer understands and clearly directs how and for what purpose their
data will be used by a third party.\217\ In addition, the CFPB
recognizes that certain entities that are subject to the PFDR Rule may
also have obligations under the FCRA. For example, certain companies
seeking to become authorized third parties under the PFDR Rule may also
be required to comply with the FCRA as users of consumer reports from
consumer reporting agencies because they are using the services of
aggregators that are consumer reporting agencies to obtain consumer-
permissioned data. Certain of these companies may be obtaining consumer
reports pursuant to the FCRA written instructions permissible purpose.
In light of these interactions and the similarities between the FCRA
written instructions permissible purpose and the requirements for
authorized third parties under the PFDR Rule, the CFPB has carefully
considered as part of this proposal the legal, research, and policy
considerations described in the PFDR rulemaking and proposes to align
the requirements of Sec. 1022.11 with the PFDR Rule requirements for
authorized third parties.
---------------------------------------------------------------------------
\217\ See PFDR Rule, supra note 206 (describing limits on third-
party collection, use, and retention of covered data).
---------------------------------------------------------------------------
Proposed Sec. 1022.11 sets forth conditions intended to ensure
that these core components of FCRA section 604(a)(2) are satisfied and
to prevent evasion thereof.
Consumer Disclosure and Consent
Proposed Sec. 1022.11(b)(1) would require, among other things,
that the consumer provide express, informed consent to the furnishing
of their report. The proposed provision would require the consumer
reporting agency or person to whom the consumer report will be provided
to give the consumer a disclosure setting forth the key terms and scope
of how their report will be used. As set forth in proposed Sec.
1022.11(c), the disclosure must be clear, conspicuous, and segregated
from other material, and include the name of the person the report will
be obtained from; who the report will be provided to; the product or
service, or specific use, for which the consumer report will be
furnished or obtained; limitations on the scope of such use; and how a
consumer may revoke consent. Together, these proposed provisions are
designed to ensure that the consumer has provided affirmative
``instructions'' regarding the furnishing and use of their consumer
report and to provide the consumer with information necessary to be
informed and form reasonable expectations about how their report will
be used in the future.
Reasonably Necessary to a Consumer's Requested Product, Service, or Use
The CFPB is proposing several conditions intended to ensure that
consumer reports furnished pursuant to written instructions are
furnished in connection with a specific product, service, or use the
consumer has actually requested (proposed Sec. 1022.11(b)(2)), and
that once consent is obtained, the user of the report procures, uses,
retains, or shares the report with a third party only as reasonably
necessary to provide the product or service requested by the consumer,
or the specific use \218\ the
[[Page 101431]]
consumer has identified (proposed Sec. 1022.11(b)(3)).
---------------------------------------------------------------------------
\218\ An example of a specific use requested by the consumer
that is not a product or service is when a consumer requests the
furnishing of a consumer report to a potential business partner.
---------------------------------------------------------------------------
When obtaining a product or service, consumers might provide
written instructions to furnish their consumer report if doing so is
necessary to obtain the benefits of the sought-after product or
service. For example, a consumer could provide written instructions to
an entity that provides credit monitoring to obtain their consumer
report so that the entity could provide the consumer with the credit
monitoring service they desire. In such cases, the consumer's reason
for allowing the consumer report to be furnished is that they want to
receive the credit monitoring service. However, in such circumstances,
the consumer likely does not expect (much less affirmatively intend to
authorize) that their consumer report will be used for purposes other
than credit monitoring--such as to provide targeted marketing to the
consumer.\219\ Consistent with the CFPB's proposed interpretation of
the written instructions permissible purpose, proposed Sec.
1022.11(b)(2) and (3) are intended to ensure that the furnishing of the
consumer report is in accordance with the consumer's affirmative
instructions and intent, that the consumer is informed about the scope
of such use, and that such use aligns with the consumer's reasonable
expectations. The proposed provisions are also designed to prevent
evasion of the written instructions permissible purpose by ensuring
that each product or service (or use, if not in connection with a
product or service) is authorized by one, separate written instruction.
For example, a company could otherwise evade the written instructions
permissible purpose when it obtains written instructions in connection
with one product or service, but then exploits such consent through
obscure and lengthy terms and conditions language to use consumer
reports for purposes other than as reasonably necessary to provide the
product or service the consumer requested.
---------------------------------------------------------------------------
\219\ See generally Yosuke Uno et al., The Economics of Privacy:
A Primer Especially for Policymakers, at 8-9, Bank of Japan, Working
Paper Series No.21-E-11 (Aug. 6, 2021), https://www.boj.or.jp/en/research/wps_rev/wps_2021/data/wp21e11.pdf (surveying research
demonstrating that consumers generally do not understand the scope
or risks of sharing private data even after having agreed to do so).
---------------------------------------------------------------------------
Proposed Sec. 1022.11(d) provides examples of uses of consumer
reports that would not be reasonably necessary to provide a product or
service. For example, proposed Sec. 1022.11(d) provides that certain
activities--such as targeted advertising, cross-selling of other
products or services, or the sale of information in the consumer
report--are not part of, or reasonably necessary to provide, any other
product or service.\220\ When a consumer seeks a particular product or
service--such as signing up for a credit monitoring service--the use of
a consumer report for the types of purposes described in proposed Sec.
1022.11(d) is generally not contemplated or reasonably expected by the
consumer, and is instead a tactic used by companies to evade the
permissible purpose limitations, including the strict limitations on
use of consumer reports for marketing purposes.\221\ In such
circumstances, any ``consent'' to such purposes would be unknowingly or
reluctantly provided and accordingly not sufficient to meet the
requirement that the consumer report be shared at the affirmative
direction of the consumer. Having said that, companies are free to
procure separate written instructions for different products or
services, which the CFPB preliminarily concludes would ensure consumers
are truly providing informed consent.
---------------------------------------------------------------------------
\220\ The proposed rule would not prevent a user from engaging
in an activity described in proposed Sec. 1022.11(d) as a stand-
alone product or service. To the extent that the consumer seeks such
a product or service and the consumer's consumer report is
reasonably necessary to provide that product or service, the
consumer report could be furnished or obtained pursuant to the
consumer's written instructions consistent with, and subject to,
proposed Sec. 1022.11.
\221\ See supra notes 36 and 197 and accompanying text.
---------------------------------------------------------------------------
Duration Limitations
Proposed Sec. 1022.11(b)(3)(ii) would prevent a user from
procuring a consumer report more than one year after the date on which
the consumer provides consent for the consumer reporting agency to
furnish the report. The CFPB recognizes that some products or services,
such as credit monitoring, require consumer reporting agencies to
repeatedly furnish consumer reports over time, and, if separate written
instructions were required each time the consumer report were
furnished, consumers as well as persons offering these services could
be frustrated or burdened. On the other hand, for products and services
that rely on standing instructions to furnish consumer reports, such as
credit monitoring, instructions with no or lengthy duration limits may,
over time, result in the consumer report being used outside the
consumer's knowledge and reasonable expectations. The CFPB
preliminarily determines that the proposed limitation of one year
reasonably balances these concerns and serves as an effective check
against consumer reports being furnished for longer periods than the
consumer needs or wants.\222\ After the one-year period has elapsed, if
the consumer wishes to continue to receive the requested product or
service, the consumer would be able to provide new consent to the
furnishing of the report as described in proposed Sec.
1022.11(b)(1)(i).
---------------------------------------------------------------------------
\222\ Pursuant to proposed Sec. 1022.11(b)(3)(i), a user would
be limited to procuring, using, or retaining a consumer report for
less than a year if these activities were not reasonably necessary
to provide the product or service the consumer requested or for the
specific use the consumer identified. For example, a product or
service or specific use the consumer identified that requires only
one instance of access to a consumer report, such as furnishing a
consumer report to a potential business partner, would not authorize
the consumer reporting agency to continue to furnish, or the
potential business partner to obtain, more than one consumer report.
---------------------------------------------------------------------------
Revocation
A final condition included in proposed Sec. 1022.11 is a
consumer's right to revoke consent previously granted. Specifically,
proposed Sec. 1022.11(b)(4) would require that the consumer is
provided a method to revoke consent that is as easy to access and
operate as the method by which the consumer initially provided consent
to the furnishing of their consumer report. The proposal would also
provide that a consumer could not be charged any costs or penalties to
revoke consent.
As discussed above, the CFPB preliminarily determines that the text
of FCRA section 604(a)(2) supports this proposed provision. The notion
of a consumer providing ``instructions'' suggests that the consumer is
able to revoke such instructions. For the right to revocation to be
meaningful, the method of revocation should be familiar and easily
accessible to the consumer and should not involve additional costs or
penalties to the consumer.
Facilitation of Compliance for Authorized Third Parties Under the PFDR
Rule
As described above, the CFPB has carefully considered the PFDR
rulemaking in developing this proposal. To facilitate compliance for
entities that would seek to comply with both proposed Sec. 1022.11 and
the PFDR Rule, the CFPB is proposing to expressly provide that a
consumer reporting agency furnishes a consumer report in accordance
with the written instructions of the consumer for purposes of the FCRA
and Regulation V if the person to whom the report is furnished is an
authorized third party under subpart D of the PFDR Rule. The CFPB
anticipates that this proposal, if finalized, would be
[[Page 101432]]
reflected in the regulatory text of the FCRA final rule.\223\
---------------------------------------------------------------------------
\223\ See PFDR Rule, supra note 206. The PFDR Rule is not yet in
effect. As a result, this proposed method of compliance with Sec.
1002.11 has not been included in the proposed regulatory text here.
---------------------------------------------------------------------------
Small Business Review Panel Recommendations
The conditions set forth in proposed Sec. 1022.11 are responsive
to the Small Business Review Panel's recommendations related to the
written instructions permissible purpose.\224\ For example, proposed
Sec. 1022.11(b) and (c), which would require that consumers be
presented with a clear and conspicuous description of who may obtain
their consumer report and how it will be used, is responsive to the
Panel's recommendation that the proposal maximize consumer
understanding. Similarly, proposed Sec. 1022.11(b)(1)(i)(B), which
would require a consumer reporting agency or the person to whom the
consumer report will be furnished to obtain the consumer's signature,
either in writing or electronically, is responsive to the Panel's
recommendation that the CFPB permit consumers' written instructions to
be obtained electronically or through more traditional methods.
Finally, as discussed above, the CFPB's proposal is responsive to the
Panel's recommendation to ensure that the written instructions
permissible purpose proposal does not conflict with other regulatory
frameworks for consumer authorization of data sharing.
---------------------------------------------------------------------------
\224\ Small Business Review Panel Report, supra note 40, at 48.
---------------------------------------------------------------------------
The Panel also recommended that the CFPB consider an alternative
approach of requiring that, upon a consumer's request, users delete
consumer reports previously obtained, rather than obtain one-time-use
consumer authorizations.\225\ The CFPB considered this approach but has
preliminarily determined that it would be insufficient to establish a
written instructions permissible purpose under the statute. As
discussed above, the CFPB preliminarily determines that, under FCRA
section 604(a)(2), the consumer must provide affirmative, knowing, and
revocable consent for a consumer reporting agency to furnish their
consumer report to a third party. Requiring entities that have obtained
consumer reports to delete them upon the consumer's request would not
achieve this result. Putting the burden on consumers to affirmatively
take steps to request deletion of their sensitive data, rather than
putting the responsibility on the consumer reporting agency and user to
limit their provision and use of such reports as originally
``instructed'' by the consumer, would be inconsistent with the FCRA's
statutory language and purposes. The CFPB also notes that proposed
Sec. 1022.11(b)(3)(ii) does not contemplate a one-time-use consumer
authorization but allows a consumer's written instructions to permit
access for up to one year so long as access to a consumer's consumer
report remains reasonably necessary to provide the consumer's requested
product or service or use.
---------------------------------------------------------------------------
\225\ Id.
---------------------------------------------------------------------------
Finally, consistent with the Panel's recommendation, the CFPB
requests public comment on the appropriate scope and duration of a
consumer's written instructions, as well as whether the consumer
reporting agency or the person to whom the consumer report will be
furnished should be required to memorialize or confirm consumers'
written instructions.
Section 1022.12 Permissible Purposes Based on a Consumer Reporting
Agency's Reasonable Belief About a Person's Intended Use
The CFPB proposes Sec. 1022.12 to incorporate into Regulation V
the permissible purposes listed in FCRA section 604(a)(3)(A) through
(F).\226\ As noted above, FCRA section 604(a) permits a consumer
reporting agency to furnish a consumer report under specific enumerated
circumstances and no other. The permissible purposes in FCRA section
604(a)(3)(A) through (E) cover circumstances in which a consumer
reporting agency has reason to believe that a person intends to use the
information in the consumer report for certain purposes related to
credit, employment, insurance, license or benefit eligibility, and
valuing or assessing credit or prepayment risks associated with
existing credit obligations. These permissible purposes are restated in
proposed Sec. 1022.12(a)(1) through (5) without interpretation. The
permissible purpose in FCRA section 604(a)(3)(F) is implemented in
proposed Sec. 1022.12(b), as discussed below.
---------------------------------------------------------------------------
\226\ 15 U.S.C. 1681b(a)(3)(A) through (F).
---------------------------------------------------------------------------
12(b) Permissible Purpose Based on Legitimate Business Need
Proposed Sec. 1022.12(b) would implement and interpret the
legitimate business need permissible purpose in FCRA section
604(a)(3)(F). FCRA section 604(a)(3)(F) provides that a consumer
reporting agency may furnish a consumer report to a person which it has
reason to believe has a legitimate business need for the information in
two scenarios: (1) in connection with a business transaction that is
initiated by the consumer (the consumer-initiated transaction prong)
and (2) to review an account to determine whether the consumer
continues to meet the terms of the account (the account review prong).
The CFPB proposes to restate both prongs in Sec. 1022.12(b)(1) and to
provide clarifications and examples in Sec. 1022.12(b)(2) and (3).
Among other things, proposed Sec. 1022.12(b) would highlight that the
legitimate business need permissible purpose does not authorize use of
consumer report information for marketing.
Consumer-Initiated Transactions
Proposed Sec. 1022.12(b)(2) would clarify that the consumer-
initiated transaction prong of the legitimate business need permissible
purpose authorizes a consumer reporting agency to furnish a consumer
report to a person only if the consumer reporting agency has reason to
believe that the consumer has initiated a business transaction.
Proposed Sec. 1022.12(b)(2) sets forth examples to illustrate the
types of interactions between a consumer and a prospective user that
would and would not establish a consumer-initiated transaction. Among
other things, the examples clarify that a consumer may interact with a
business without initiating a transaction, such as by asking about the
availability or pricing of products or services. The CFPB preliminarily
determines that the examples in proposed Sec. 1022.12(b)(2) would
facilitate compliance with the FCRA for consumer reporting agencies
furnishing consumer reports to users pursuant to the consumer-initiated
transaction prong of the legitimate business need permissible purpose
and prevent evasion of the FCRA. The proposed examples are consistent
with prior interpretations by FTC staff.\227\
---------------------------------------------------------------------------
\227\ See, e.g., FTC 40 Years Staff Report, supra note 21, at
14, 48 (citing 1990 comment 604(3)(E)-3); FTC Informal Staff Opinion
Letter to Greenblatt (Oct. 27, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-greenblatt-10-27-98; FTC Informal Staff Opinion Letter to Kaiser (July 16, 1998),
https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-kaiser-07-16-98; FTC Informal Staff Opinion Letter to Coffey
(Feb. 11, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-coffey-02-11-98.
---------------------------------------------------------------------------
Solicitation or Marketing
As discussed elsewhere in this document, the CFPB is concerned
about reports of unauthorized use of consumer report information for
marketing purposes. Proposed Sec. 1022.12(b)(3) would emphasize that
neither prong of the legitimate business need permissible
[[Page 101433]]
purpose authorizes a consumer reporting agency to furnish a consumer
report to a person if the consumer reporting agency has reason to
believe the person is seeking information from the report to solicit
the consumer for a transaction the consumer did not initiate or to
otherwise market products or services to the consumer. Proposed Sec.
1022.12(b)(3) also includes an example to illustrate this point, as
well as a cross-reference to FCRA section 604(c) related to prescreened
offers for credit or insurance transactions, which permits the release
of consumer report information for marketing. The plain language of the
FCRA, legislative history, and prior agency guidance and caselaw make
clear that Congress did not intend for the legitimate business need
permissible purpose to be exploited for marketing purposes.
The proposal is supported by the plain language of the FCRA. With
respect to the consumer-initiated transaction prong of the legitimate
business need permissible purpose, FCRA section 604(a)(3)(F)(i)
provides that a consumer reporting agency may furnish a consumer report
to a person that the consumer reporting agency has reason to believe
has a legitimate business need for the information in connection with a
business transaction that is initiated by the consumer. FCRA section
604(a)(3)(F)(i) does not, by its plain language, authorize a consumer
reporting agency to furnish a consumer report to a person that the
consumer reporting agency has reason to believe is seeking the
information from the report to solicit a consumer for a transaction
that the consumer did not initiate or to otherwise market products or
services to the consumer. Similarly, FCRA section 604(a)(3)(F)(ii) does
not authorize account reviews for marketing purposes; instead, by its
plain language, it merely authorizes reviews to determine whether the
consumer continues to meet the terms of the account.
Under the FCRA, a person is prohibited from using a consumer report
for a purpose that is not authorized under FCRA section 604, and the
permissible purposes authorized by FCRA section 604 do not include
solicitation or marketing (except as permitted under the statute's
prescreening and written instructions provisions). FCRA section 604(f)
provides that a person shall not use or obtain a consumer report unless
the report is obtained for a permissible purpose and that purpose is
certified by the prospective user. FCRA section 607(a) requires
prospective users to certify the purposes for which the information is
sought and that ``the information will be used for no other purpose.''
\228\ The legitimate business need permissible purpose thus does not
authorize a consumer reporting agency to furnish a consumer report to a
person if the consumer reporting agency has reason to believe the
person is seeking information from the report for solicitation and
marketing purposes. Moreover, a person that obtains a consumer report
under either prong of the legitimate business need permissible purpose
may not then use the consumer report for solicitation or marketing.
---------------------------------------------------------------------------
\228\ 15 U.S.C. 1681e(a).
---------------------------------------------------------------------------
Where Congress did permit consumer reporting agencies to disclose
certain consumer report information for marketing, it did so explicitly
and mandated specific guardrails to protect consumers. The FCRA's
prescreening provisions authorize consumer reporting agencies to
furnish a consumer report in connection with credit or insurance
transactions not initiated by the consumer but provide specific
limitations in these circumstances, as discussed above.\229\ Congress
would have imposed similar safeguards for the legitimate business need
permissible purpose if Congress had intended for the legitimate
business need permissible purpose to authorize solicitation and
marketing.
---------------------------------------------------------------------------
\229\ See supra note 197 and accompanying text.
---------------------------------------------------------------------------
The legislative history is also instructive. Senate Report 103-209
explains that ``[t]he permissible purpose created by this provision . .
. is limited to an account review for the purpose of deciding whether
to retain or modify current account terms. It does not permit access to
consumer report information for the purpose of offering unrelated
products or services.'' \230\
---------------------------------------------------------------------------
\230\ S. Rep. No. 103-209, at 11 (1993) (discussing S.783, a
predecessor bill that included language later adopted in the 1996
FCRA amendments).
---------------------------------------------------------------------------
The D.C. Circuit recognized that targeted marketing did not fall
within the legitimate business need permissible purpose, even under the
original version of this permissible purpose that broadly referred to a
``legitimate business need for the information in connection with a
business transaction involving the consumer.'' \231\ In doing so, the
court noted that protecting the privacy of consumer report information
is a major purpose of the FCRA and explained that such information
should be kept private unless a ``consumer could be expected to wish
otherwise or, by entering into some relationship with a business, could
be said to implicitly waive the [FCRA]'s privacy to help further that
relationship.'' \232\
---------------------------------------------------------------------------
\231\ 15 U.S.C. 1681b(3)(E) (1994) (emphasis added); Trans Union
Corp. v. FTC, 81 F.3d 228, 233-34 (D.C. Cir. 1996).
\232\ Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir.
1996).
---------------------------------------------------------------------------
Prior FTC staff interpretations have similarly concluded that
marketing is not authorized by the legitimate business need permissible
purpose. For example, the FTC 40 Years Staff Report explains that the
account review prong provides a permissible purpose to banks that have
a legitimate need to consult a current customer's consumer report in
order to determine whether the terms of a consumer's current non-credit
(savings or checking) accounts should be modified, but it does not
allow consumer reporting agencies to provide businesses with consumer
reports to market other products or services.\233\
---------------------------------------------------------------------------
\233\ FTC 40 Years Staff Report, supra note 21, at 42, 48-49
(citing FTC Informal Staff Opinion Letter to Gowen (Apr. 29, 1999),
https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-gowen-04-29-99).
---------------------------------------------------------------------------
With respect to the proposal related to the legitimate business
need permissible purpose discussed during the Small Business Review
Panel meeting, the Panel recommended that the CFPB consider clarifying
in general how the proposal under consideration would relate to or
impact other FCRA permissible purposes.\234\ To clarify, the proposed
legitimate business need provisions interpret solely the FCRA section
604(a)(3)(F) legitimate business need permissible purpose.
---------------------------------------------------------------------------
\234\ Small Business Review Panel Report, supra note 40, at 48 &
section 9.3.6.
---------------------------------------------------------------------------
Section 1022.13 Permissible Purposes Based on Certain Agency or Other
Official Requests
The CFPB proposes Sec. 1022.13 to incorporate into Regulation V
the permissible purposes listed in FCRA section 604(a)(1),
604(a)(3)(G), and 604(a)(4) through (6).\235\ As noted above, FCRA
section 604(a) permits a consumer reporting agency to furnish a
consumer report under specific enumerated circumstances and no other.
The permissible purposes in the FCRA sections incorporated in proposed
Sec. 1022.13 cover circumstances under which a consumer reporting
agency may furnish a consumer report in connection with certain agency
or other official requests. These permissible purposes are restated in
proposed Sec. 1022.13(a)(1) through (5).
---------------------------------------------------------------------------
\235\ 15 U.S.C. 1681b(a)(1), 1681b(a)(3)(G), 1681b(a)(4) through
(6).
---------------------------------------------------------------------------
FCRA section 604(a)(3)(G) sets forth a permissible purpose related
to government-sponsored individually billed travel charge cards. In the
statute, this permissible purpose is grouped with the permissible
purposes based on
[[Page 101434]]
a consumer reporting agency's reasonable belief about a person's
intended use, which the CFPB otherwise proposes to incorporate into
Regulation V in proposed Sec. 1022.12. The CFPB proposes to
incorporate FCRA section 604(a)(3)(G) into Regulation V in proposed
Sec. 1022.13 because the permissible purpose appears most similar in
kind to those that appear in FCRA section 604(a)(5) and (6) and does
not fit grammatically within the structure of FCRA section 604(a)(3).
Proposed Sec. 1022.13(a)(5) provides that a permissible purpose exists
for a consumer reporting agency to furnish a consumer report to an
executive department or agency in connection with the issuance of a
government-sponsored, individually billed travel charge card.\236\ The
CFPB requests comment on the proposed approach.
---------------------------------------------------------------------------
\236\ Consistent with proposed Sec. 1022.13(a)(5), the FTC 40
Years Staff Report notes that ``[s]ection 604(a)(3)(G) allows CRAs
to provide consumer reports to `executive departments and agencies
in connection with the issuance of government sponsored
individually-billed travel charge cards.' '' FTC 40 Years Staff
Report, supra note 21, at 49.
---------------------------------------------------------------------------
V. Proposed Effective Date
The CFPB requests comment on an effective date for the proposed
rule. For example, the CFPB is considering whether a final rule should
take effect six months or one year after publication in the Federal
Register. Consistent with recommendations of the Small Business Review
Panel, the CFPB specifically requests comment on whether either a six-
month or one-year implementation period would provide sufficient time
for entities, including small entities, that are not currently
complying with the FCRA to begin to do so. The CFPB also requests
comment on whether either a six-month or one-year implementation period
would provide sufficient time for vendors to complete the work
necessary to assist small entities in coming into compliance with any
final rule. The CFPB further requests comment on ways that it might
facilitate implementation for small entities, such as by providing for
a longer implementation period for small entities and what that period
should be.
VI. CFPA Section 1022(b) Analysis
The CFPB is considering the potential benefits, costs, and impacts
of the proposed rule in accordance with section 1022(b)(2)(A) of the
Consumer Financial Protection Act of 2010 (CFPA).\237\ The CFPB
requests comment on the analysis presented below, as well as
submissions of information and data that could inform its consideration
of the impacts of the proposed rule. This section contains an analysis
of the benefits and costs of the proposed rule for consumers, consumer
reporting agencies, and other covered persons.
---------------------------------------------------------------------------
\237\ 12 U.S.C. 5512(b)(2)(A).
---------------------------------------------------------------------------
A. Statement of Need
By enacting the FCRA in 1970, Congress sought to ensure the
accuracy, fairness, and privacy of consumer information collected,
maintained, and furnished by consumer reporting agencies. In recent
years, the consumer reporting marketplace has evolved in ways that
imperil Americans' privacy. Today, Americans regularly engage in
activities that reveal personal information about themselves, often
without realizing it. Entities with whom the consumer interacts might
collect, aggregate, and sell information about the consumer to other
entities with whom the consumer does not have a relationship, such as
data brokers. Technological advancements have also made it increasingly
feasible to re-identify consumers in datasets that have otherwise been
de-identified, and at times even identify consumers from aggregated
data. In the FCRA context, these concerns about re-identification of
data are particularly pronounced due to the sensitivity of consumer
report information and the privacy goals that prompted Congress to
enact the statute. The CFPB is concerned that some of these data are
shared by consumer reporting agencies with users who do not have an
FCRA permissible purpose, or who otherwise use consumer report
information for marketing in ways that the FCRA prohibits. In addition,
many data brokers attempt to avoid liability under the FCRA by arguing
that they are not consumer reporting agencies selling consumer reports.
Consequently, they do not treat the consumer information they sell as
subject to the requirements of the FCRA, even though they collect,
assemble, evaluate, and sell the same information as other consumer
reporting agencies--and even though their activities pose the same
risks to consumers that motivated the FCRA's passage.
Under this current state of the world, the activities of data
brokers, including consumer reporting agencies, potentially harm
consumers. Inaccurate information can cause consumers to be denied
access to products, services, or opportunities that they would have
qualified for had the information been accurate; often, consumers are
unaware of these inaccuracies and, even if they are aware, may lack
recourse to dispute such inaccuracies. The proliferation of sensitive
information being exchanged in the data broker marketplace, often
without consumers' knowledge or consent, harms consumer privacy. While
consumers theoretically may be willing to part with their private
information for a price, this choice is not typically provided in the
activities that would be subject to the proposed rule. Moreover,
sensitive consumer information can be used to target certain consumers
for identity theft, fraud, or predatory scams, potentially causing
consumers significant monetary losses.
The proposed rule would mitigate these consumer harms by addressing
the definitions of consumer reporting agency and consumer report and
certain responsibilities of consumer reporting agencies. This would
help safeguard consumer information and help ensure it is only used as
permitted by the FCRA. The provisions in the proposed rule would cause
many additional data brokers to be subject to the FCRA and necessitate
that they and other consumer reporting agencies modify their operations
and activities to be in compliance with the FCRA.
B. Baseline
In evaluating the proposed rule's impacts, the CFPB considers the
impacts against a baseline in which the CFPB takes no action. This
baseline includes existing regulations, State and Federal laws, and the
current state of the marketplace. In particular, the baseline includes
current industry practices and current applications of the law.
C. Data and Evidence
The CFPB's analysis of costs, benefits, and impact is informed by
information and data from a range of sources. As discussed in part
II.C, the CFPB convened a Small Business Review Panel on October 16,
2023, and held Panel meetings on October 18 and 19, 2023, to gather
input from small businesses. The discussions at the Panel meetings and
the comment letters submitted by small entity representatives during
this process were presented in the Small Business Review Panel Report
completed in December 2023. The CFPB also invited and received feedback
on the proposals under consideration from other stakeholders, including
stakeholders who were not small entity representatives. To estimate the
number of entities that may be subject to the proposed rule, the CFPB
used the December 2022 National Credit Union Administration (NCUA) and
Federal Financial Institutions Examination Council (FFIEC) Call Report
data, the 2017 Economic Census data from the U.S. Census Bureau, the
California and
[[Page 101435]]
Vermont data broker registries, and the CFPB's list of consumer
reporting agencies.\238\ The impact analysis is further informed by
academic research, reports on research by industry and trade groups,
practitioner studies, comments received in response to the CFPB's Data
Broker RFI, and letters received by the CFPB. Where used, these
specific sources are cited in this analysis.
---------------------------------------------------------------------------
\238\ See Off. of the Att'y Gen., State of Cal. Dep't of Just.,
Data Broker Registry, https://oag.ca.gov/data-brokers (list of data
brokers registered in California) (last visited Oct. 15, 2024); Vt.
Sec'y of State, Data Broker Search, https://bizfilings.vermont.gov/online/DatabrokerInquire/ (list of data brokers registered in
Vermont) (last visited Oct. 15, 2024). See Consumer Fin. Prot.
Bureau, List of consumer reporting companies, https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/ (last visited Oct. 15, 2024). The
CFPB's list of consumer reporting agencies is not intended to be
all-inclusive and does not cover every company in the industry.
---------------------------------------------------------------------------
D. Coverage of the Proposed Rule
Part VII.B.3 provides a discussion of the estimated number and
types of entities potentially affected by the proposed rule.
E. Potential Benefits and Costs of the Proposed Rule to Consumers and
Covered Persons
The CFPB discusses the potential benefits and costs to consumers
and covered persons of each of the main provisions of the proposed rule
below. For purposes of this discussion, the CFPB has grouped proposed
provisions that the CFPB expects would have similar benefits and costs
though notes that some provisions could be grouped in multiple
categories due to their potential effects. The discussion will note
where the CFPB expects provisions would have both distinct and
overlapping impacts. Provisions have been grouped as follows:
Provisions addressing the definitions of consumer report
and consumer reporting agency that could affect which entities are
consumer reporting agencies (``consumer reporting agency coverage'').
These are:
[cir] Proposed Sec. 1022.4(b), addressing the phrase ``is used''
in the definition of consumer report;
[cir] Proposed Sec. 1022.4(c), addressing the phrase ``expected to
be used'' in the definition of consumer report; and
[cir] Proposed Sec. 1022.5(b), addressing the phrase ``assembling
or evaluating'' in the definition of consumer reporting agency.
Provisions addressing the definition of consumer report
that could affect what constitutes a consumer report (``consumer report
coverage''). These are:
[cir] Proposed Sec. 1022.4(d), addressing certain personal
identifiers for a consumer that are often referred to as ``credit
header'' information; and
[cir] Proposed Sec. 1022.4(e), addressing when a consumer
reporting agency's communication of de-identified information is a
consumer report.
Provisions clarifying the FCRA's general prohibition on
using consumer report information for marketing and advertising. These
are:
[cir] Proposed Sec. 1022.10(b)(1) and (2), addressing what it
means for a consumer reporting agency to furnish a consumer report; and
[cir] Proposed Sec. 1022.12(b)(3), highlighting that the
legitimate business need permissible purpose does not authorize use of
consumer report information for marketing.
Provisions clarifying certain responsibilities of consumer
reporting agencies. These are:
[cir] Proposed Sec. 1022.11, clarifying the written instructions
permissible purpose; and
[cir] Proposed Sec. 1022.12(b)(2), clarifying the consumer-
initiated transaction prong of the legitimate business need permissible
purpose.
In this discussion, the CFPB focuses on direct costs and benefits.
However, the CFPB acknowledges that the covered persons that would be
affected by the proposed rule operate in interconnected industries, and
that costs may be passed through beyond the entity initially impacted.
For instance, to the extent that the proposed rule would increase costs
to consumer reporting agencies, those consumer reporting agencies may
respond by increasing the cost of consumer reports. The CFPB estimates
that the cost of a single credit report for an individual is between
$18 to $30.\239\ A data broker in the baseline that does not consider
itself to be a consumer reporting agency but may indeed be covered by
the FCRA could also experience cost increases they would pass along to
users. Some data brokers currently charge less than a dollar per
record, several dollars for a search, or under $30 for monthly access
to an unlimited number of reports.\240\ The costs each of these
entities incur as a result of the rule would likely differ in
magnitude, leading to differences in the change in future pricing for
their products if the rule is finalized. Covered persons with consumer-
facing businesses may pass these costs on to consumers in the form of
higher prices as well. The CFPB does not separately discuss each
instance but acknowledges the possibility of pass through. Because this
is speculative and the CFPB does not have data that would allow it to
estimate the likelihood and amount of any industry-to-industry or
industry-to-consumer pass through in the consumer reporting industry
and related industries, the CFPB requests comment on this issue.
---------------------------------------------------------------------------
\239\ See Press Release, Rohit Chopra, Consumer Fin. Prot.
Bureau, Prepared Remarks of CFPB Director Rohit Chopra at the
Mortgage Bankers Association (May 20, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-mortgage-bankers-association.
\240\ An online search of people-search sites in August 2024
revealed at least one data broker that was selling unlimited person
and location reports for $28.33 per month. Separately, some
researchers have reported prices of information from data brokers
for less than a dollar. See Justin Sherman, People Search Data
Brokers, Stalking, and `Publicly Available Information' Carve-Outs,
The Lawfare Inst. (Oct. 30, 2023), https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
---------------------------------------------------------------------------
In addition, the CFPB acknowledges that it does not possess data to
quantify the magnitude of many of the potential effects of the proposed
rule. The CFPB requests information and comment that would enable it to
quantify such impacts.
Provisions That Could Affect Consumer Reporting Agency Coverage
The proposed rule would clarify that certain entities, such as many
additional data brokers, are covered by the FCRA. The effect of
proposed Sec. 1022.4(b) would be that a person that sells information
that is used for a purpose described in proposed Sec. 1022.4(a)(2)
would become a consumer reporting agency, regardless of whether the
person knows or believes that the communication of that information is
legally considered a consumer report, assuming the other elements of
the definition of consumer reporting agency are satisfied. In addition,
the effect of proposed Sec. 1022.4(c) addressing the phrase ``expected
to be used'' in the definition of consumer report would be to require
many companies, such as additional data brokers, that currently sell
information about consumers' credit history, credit score, debt
payments (including on non-credit obligations), or income or financial
tier to comply with the FCRA. The CFPB proposes that an entity selling
any of these four data types--credit history, credit score, debt
payments, and income or financial tier--for any purpose generally would
qualify as a consumer reporting agency selling consumer reports,
because these information types are typically used to
[[Page 101436]]
underwrite loans.\241\ Proposed Sec. 1022.5(b) addressing the phrase
``assembling or evaluating'' in the definition of consumer reporting
agency would make clear that certain data aggregators that are engaged
in assembling or evaluating consumer information are consumer reporting
agencies (assuming the other elements of that definition are
satisfied).
---------------------------------------------------------------------------
\241\ For brevity, information about a consumers' credit
history, credit score, debt payments, and income or financial tier
are referred to throughout this discussion as the ``four data
types.''
---------------------------------------------------------------------------
Since marketing is not a permissible purpose, other than in the
limited circumstances expressly provided for in the FCRA, data brokers
would generally be unable to sell the four data types to target
marketing to consumers. As described in more detail in Provisions to
reduce the use of consumer report information for marketing and
advertising, data brokers sometimes employ the four data types to place
consumers into categories. Many of these categories reflect sensitive
information and potentially inaccurate inferences about consumers, such
as that the consumer is ``financially challenged,'' is ``behind on
bills,'' or is an ``upscale retail card holder.'' \242\ Data brokers
then sell lists of these consumers to advertisers who are interested in
targeting certain types of consumers.
---------------------------------------------------------------------------
\242\ See Duke Report on Data Brokers and Mental Health Data,
supra note 26, at 14; FTC Data Broker Report, supra note 25, at 20-
21; Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB Director
Rohit Chopra at the White House on Data Protection and National
Security (Apr. 2, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/.
---------------------------------------------------------------------------
Potential Benefits to Consumers of Provisions That Could Affect
Consumer Reporting Agency Coverage
The provisions that could impact which entities are consumer
reporting agencies would extend the responsibilities of the FCRA to
additional entities. This would have the net effect of reducing the
overall supply of available consumer information for sale and transfer
for non-permissible purposes. Additional entities would bear the
responsibilities and limitations of consumer reporting agencies under
the FCRA, thus overall reducing the available amount of consumer
information, including particularly sensitive data such as consumers'
credit history and income.
This overall reduction in the supply of available consumer
information could confer privacy benefits on consumers in several ways.
First, consumers might intrinsically value privacy in the sense of
being generally uneasy about their data being shared. The revelation of
personal information about consumers can lead to a variety of non-
monetary costs, such as distress, embarrassment, shame, and
stigma.\243\ The availability of personal information could also lead
to stalking, harassment, and doxing, where a consumer's private
information is publicly published with malicious intent.\244\ There is
existing evidence that consumers feel unaware of how their personal
data is being used and that this could cause concern. On surveys,
consumers report feeling that they are ``concerned, lack control and
have a limited understanding about how the data collected about them is
used.'' \245\ Several empirical studies have documented by revealed
preference the existence and magnitude of such intrinsic
valuations.\246\ Consumers are concerned about financial data and
maintaining the privacy of these data.\247\ For example, a 2021 survey
found that 94 percent of banked consumers preferred that their primary
financial institution not share their financial data with other
companies for marketing purposes.\248\
---------------------------------------------------------------------------
\243\ See, e.g., Am. Compl. For Permanent Inj. & Other Relief ]]
97-106, FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW (D. Idaho June
5, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf; Charles Duhigg, How Companies
Learn Your Secrets, N.Y. Times (Feb. 16, 2012), https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html (recounting
instance in which a retailer developed a ``pregnancy predictor
model'' and sent coupons for baby supplies to a consumer, thereby
revealing to members of the consumer's household that she was
pregnant, a fact that she had kept private).
\244\ A 2012 survey conducted by the National Network to End
Domestic Violence found that 54 percent of victim service agencies
surveyed reported that they work with victims whose stalker used
public information gathered online to stalk the victim. At least
half of victim service agencies also reported working with victims
on help with safety and privacy strategies on using their cell phone
and other privacy-related practices. See Safety Net Project, New
Survey: Technology Abuse & Experiences of Survivors and Victim
Service Agencies, Nat'l Network to End Domestic Violence (Apr. 29,
2014), https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
\245\ See, e.g., Colleen McClain et al., How Americans View Data
Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/internet/2023/10/18/views-of-data-privacy-risks-personal-data-and-digital-privacy-laws/.
\246\ See, e.g., Tesary Lin, Valuing Intrinsic and Instrumental
Preferences for Privacy, 41 (4) Mktg. Sci. (May 13, 2022), https://pubsonline.informs.org/doi/epdf/10.1287/mksc.2022.1368; Huan Tang,
The Value of Privacy: Evidence from Online Borrowers (Dec. 2019),
https://wpcarey.asu.edu/sites/default/files/2021-11/huan_tang_seminar_paper.pdf.
\247\ See, e.g., Consumer Reports, American Experiences Survey:
A Nationally Representative Multi-Mode Survey (Dec. 2023), https://article.images.consumerreports.org/image/upload/v1704482298/prod/content/dam/surveys/Consumer_Reports_AES_December-2023.pdf; Michelle
Cao, National Telecomm. and Info. Admin., U.S. Dep't of Com., Nearly
Three-Fourths of Online Households Continue to Have Digital Privacy
and Security Concerns (Dec. 13, 2021), https://www.ntia.gov/blog/2021/nearly-three-fourths-online-households-continue-have-digital-privacy-and-security-concerns; Dan Murphy et al., Financial Data:
The Consumer Perspective (June 30, 2021), https://finhealthnetwork.org/research/financial-data-the-consumer-perspective/.
\248\ Dan Murphy et al., Financial Data: The Consumer
Perspective (June 30, 2021), https://finhealthnetwork.org/research/financial-data-the-consumer-perspective/.
---------------------------------------------------------------------------
Consumers' data might be used (or they may fear that it could be
used) by careless or malicious actors to directly harm them. This could
include identity theft, of which many instances occur in the U.S. every
year.\249\ Personal data could also be used to target vulnerable
consumers with pitches for predatory financial products and scams.\250\
Consumers may also fear that their personal data could be used to
discriminate against them according to a personal characteristic. The
proposed rule would mitigate the risk of consumer report information
being used to target consumers, as data brokers would be prohibited
from selling the four data types to those lacking a permissible
purpose.
---------------------------------------------------------------------------
\249\ The DOJ estimates that 23.9 million U.S. residents 16 or
older (9 percent of the population) had experienced identify theft
in the past 12 months in 2021. See Press Release, U.S. Bureau of
Just. Stat., Victims of Identity Theft, 2021 (Oct. 12, 2023),
https://bjs.ojp.gov/press-release/victims-identity-theft-
2021#:~:text=As%20of%202021%2C%20about%201,email%20or%20social%20medi
a%20account.
\250\ The FTC reported that consumers lost more than $10 billion
to fraud in 2023. See Press Release, Fed. Trade Comm'n, As
Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up
Efforts to Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
---------------------------------------------------------------------------
Consumers' data, in particular data about income and financial
tier, could also be purchased by entities to engage in more targeted
and precise forms of price discrimination. Price discrimination occurs
when an entity charges differentiated prices to consumers based, at
least in part, on their willingness to pay.\251\ While price
discrimination may lead to higher revenue and profits for firms, it
would come at the expense of consumers who would obtain less surplus in
the market (the difference between the price and the price the consumer
was willing to pay). Firms can currently purchase or use consumers'
financial data to charge them higher prices or present targeted offers
to achieve such an effect. For
[[Page 101437]]
example, enrollment management companies use consumer financial
information to predict the probability that students would enroll given
different net tuition prices, which educational institutions could use
for pricing decisions.\252\ The potential for price discrimination
using consumer data is an increasing concern across consumer protection
agencies.\253\ The proposed rule could have the effect of reducing the
likelihood of price discrimination to the extent that consumers' data
are used, or have the potential to be used, for price discrimination at
baseline.
---------------------------------------------------------------------------
\251\ See, e.g., Alessandro Acquisti et al., The Economics of
Privacy, 54(2) J. of Econ. Literature 442 (June 2016), https://www.aeaweb.org/articles?id=10.1257/jel.54.2.442.
\252\ See, e.g., Educ. Advisory Board (EAB) Webinar
Presentation, Optimizing Pricing and Aid Dollars for Graduate and
Adult Students (Sept. 12, 2024), https://pages.eab.com/rs/732-GKV-655/images/ALR-GradFAO092024-update-PDF?version=0?x_id=&utm_source=prospect&utm_medium=presentation&utm_campaign=alr-faowebinar-0924&utm_term=&utm_content=inline; EAB,
Enroll360, Enrollment Management Solution for Higher Education,
https://eab.com/solutions/enroll360/ (last visited Nov. 4, 2024);
Enrollment Management Association, Recruiting Private School
Students With PROSPECT (Oct. 27, 2021), https://www.enrollment.org/articles/recruiting-private-school-students-with-prospect.
\253\ See, e.g., Fed. Trade Comm'n Staff, Behind the FTC's
Inquiry into Surveillance Pricing Practices, FTC Tech. Blog (July
23, 2024), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/07/behind-ftcs-inquiry-surveillance-pricing-practices#ftn_3.
---------------------------------------------------------------------------
Valuing the benefits to consumers from increased privacy is
difficult. It is common to find that consumers express a stated
preference for digital privacy. Empirical studies have estimated
consumers' willingness to pay for privacy through methods that elicit
revealed preferences. While many find a positive valuation on privacy,
the empirical estimates are highly varied and range from positive but
quite low, to estimates that are much more significant in
magnitude.\254\ Studies have also found large differences in this
valuation across consumers. This variation in the estimated value of
privacy complicates a quantitative estimate of the proposed rule's
benefits to consumers' privacy.
---------------------------------------------------------------------------
\254\ To illustrate the breadth of estimates, Tesary Lin, for
example, finds that consumers are willing to accept, on average, $10
to share a demographic profile, while Huan Tang finds that consumers
are willing to pay on average $32 to hide a social network ID and
employer contact information on a loan application. See Tang, Lin
supra note 246. In contrast, Athey et al. find that half of their
subjects were willing to disclose contact information of their close
friends in exchange for pizza. See Susan Athey et al., The Digital
Privacy Paradox: Small Money, Small Costs, Small Talk, Stanford
Graduate Sch. of Bus. (Feb. 13, 2017), https://gsb-faculty.stanford.edu/susan-athey/files/2022/04/digital_privacy_paradox_02_13_17.pdf.
---------------------------------------------------------------------------
An additional complication with placing a direct value on privacy
is the observation that, despite stated preferences for privacy,
consumers tend to freely share their data. This can be seen by the
proliferation of online data sharing through social networks. Some
studies have also documented that consumers can be induced to share
data with quite small incentives.\255\ The difference between stated or
realized preferences for privacy and the other evidence of a
willingness to share data has been referred to as the ``privacy
paradox,'' though there are multiple potential explanations, including
consumers' confusion about how their data is used, consumers not having
fixed preferences over privacy, and that systems can be designed to
result in the oversharing of data even if consumers do value privacy
highly.\256\
---------------------------------------------------------------------------
\255\ Athey, supra note 254.
\256\ See, e.g., Daron Acemoglu et al., Too Much Data: Prices
and Inefficiencies in Data Markets, 14(4) Am. Econ. J.
Microeconomics 218 (Nov. 2022), https://www.aeaweb.org/articles?id=10.1257/mic.20200200&&from=f; Alessandro Acquisti et
al., What is Privacy Worth?, 42(2) J. of Legal Studies 249 (June
2013), https://www.cmu.edu/dietrich/sds/docs/loewenstein/WhatPrivacyWorth.pdf.
---------------------------------------------------------------------------
The CFPB does not have data to quantify these privacy benefits to
consumers, which are in some ways unquantifiable. This includes the
benefits from reducing harms that arise from sensitive information
about consumers being sold without a permissible purpose. Examples of
these harms that are expected to be reduced include those related to
financial scams; fraud and identity theft; and stalking, harassment,
and doxing. The CFPB requests information and comment on these issues.
Scammers can use data from data brokers, including the four data
types, to facilitate scams and predatory behavior. For example,
fraudsters can obtain lists of people with income below a certain
threshold and use that information to pitch predatory and unlawful
products to families in financial distress. Data brokers have marketed
financial-related lists including those with names such as ``Bad
Credit--Card Declines,'' ``Paycheck to Paycheck Consumers,''
``Suffering Seniors,'' ``Cash Cows--Underbanked File,'' and
``Bankruptcy Filers,'' among others.\257\ The information in these
lists have included ``both explicit and implied signals about consumer
financial behavior.'' \258\ In helping identify vulnerable targets for
scammers, these lists have helped to facilitate concrete financial
harms. For instance, the DOJ charged one data broker, Macromark, in
relation to its dissemination of such lists of potential victims for
fraudulent mass-mailing schemes.\259\ Macromark admitted that the lists
it provided to clients engaged in fraud resulted in losses to victims
of at least $9.5 million.\260\ The CFPB expects that the reduced
transmission of the four data types would likely benefit consumers by
making it more difficult to target people for such fraudulent schemes.
The CFPB requests comment on the potential benefit to consumers due to
reduced fraud as a result of the proposed rule.
---------------------------------------------------------------------------
\257\ CFPB Data Broker RFI, Comments of U.S. Public Interest
Research Group (PIRG) and Center for Digital Democracy (CDD), at 8,
Docket No. CFPB-2023-0020, Comment ID 2023-0020-3412 (July 2023),
https://www.regulations.gov/comment/CFPB-2023-0020-3412.
\258\ Id. at 9.
\259\ Press Release, Off. of Pub. Affs., U.S. Dep't of Just.,
List Brokerage Firm Pleads Guilty To Facilitating Elder Fraud
Schemes (Sept. 28, 2020), https://www.justice.gov/opa/pr/list-brokerage-firm-pleads-guilty-facilitating-elder-fraud-schemes.
\260\ Id.
---------------------------------------------------------------------------
In addition to these privacy gains, the CFPB expects consumers
would benefit through their ability, under the FCRA, to receive adverse
action notices and address inaccuracies in consumer reports sold by
entities that do not currently operate as consumer reporting agencies.
As a result of their ability to address and correct inaccuracies,
consumers may also benefit through improved outcomes in the decisions
that are made based on this more-accurate information. For example,
many risk mitigation services that are used to detect fraudulent
applications or suspicious activities at financial institutions will be
subject to the provisions in the FCRA designed to promote accuracy. To
the extent these services rely on information in the baseline from data
brokers that do not currently comply with the FCRA's accuracy
requirements, the improved accuracy of information subject to the FCRA
could increase the accuracy of such services. In turn, this could
reduce the number of consumers who are denied accounts or other access
to financial services as a result of decisions based on inaccurate
information used for risk mitigation.
Potential Benefits to Covered Persons of Provisions That Could Affect
Consumer Reporting Agency Coverage
Covered persons would benefit from provisions of the proposed rule
that could affect consumer reporting agency coverage through an
anticipated reduction in fraud and identity theft. For example, by
requiring many companies, such as data brokers, that currently sell one
of the four data types to comply with the FCRA, the CFPB expects the
risk of data being obtained by unauthorized parties and used to commit
fraud and identity theft to decrease. Therefore, covered persons,
[[Page 101438]]
such as banks, would benefit, as they typically face costs associated
with fraud and identity theft.
Potential Costs to Consumers of Provisions That Could Affect Consumer
Reporting Agency Coverage
Proposed Sec. 1022.4(c) would restrict the use of the four data
types to permissible purposes. The CFPB is not aware of consumer
products and services facilitated by the four data types for non-
permissible purposes or the extent that consumers may experience
increased costs and/or reductions in service. Similarly, proposed Sec.
1022.5(b) may increase costs for certain data aggregators, online
databases, and other entities that would satisfy the proposed consumer
reporting agency definition but do not currently comply with the FCRA.
Depending on other market factors, companies might pass-through the
increase in input costs partially or in full to the price of consumer
products or services. It is also possible that consumers would incur
costs due to changes or reductions in services and products made
available by users of the current data. The CFPB requests comment on
the types of products and services, if any, that would be impacted and
on the expected impact to consumers.
Potential Costs to Covered Persons of Provisions That Could Affect
Consumer Reporting Agency Coverage
This proposed rule would have significant impacts on the business
models of firms that currently use the four data types for activities
not permitted under the FCRA. For instance, with certain exceptions,
entities that sell consumers' income data generally would be consumer
reporting agencies under the proposal, and thus generally would no
longer be permitted to sell such income information for use in
marketing. These users of the four data types would face costs
associated with finding alternative data to substitute into their
business models. To the extent that these alternatives are not as
effective as the four data types, these firms would potentially
experience decreased revenues. Alternatively, if users of the four data
types opt to try to continue using the four data types for non-
permissible purposes, they generally would need to rely upon the
written instructions provision in order to have a permissible purpose.
Thus, they would incur technological and legal costs to create systems
and procedures to obtain consumers' written instructions, as well as
ongoing costs associated with proving that they have obtained
consumers' written instructions in compliance with the proposed rule.
To the extent that consumers would be unwilling to provide their
written instructions to allow use of their consumer report data, these
firms would potentially experience decreased revenues.
One industry that would be particularly impacted by this proposal
is the digital advertising ecosystem. When consumers browse online,
they interface with programmatic advertisements that are bought and
sold individually via an automated, instantaneous auction process that
leverages data from a range of sources, including cookies, device IDs,
browsing history, demographics, and other personal data. There are a
variety of business types that help facilitate this digital ecosystem.
To the extent that any of these entities rely on the four data types,
they would generally qualify as consumer reporting agencies selling
consumer reports. Thus, these entities would generally be unable to
sell services that use this data for non-permissible purposes like
advertising. Given this, these entities could face impacts to their
businesses, such as costs associated with adjustments to targeting
algorithms to avoid using the four data types. To the extent that ad
algorithms not relying on the four data types are less effective at
targeting ads, entities may also experience a loss in revenues. In
particular, firms generally would no longer be able to provide the
service of specifically targeting ads to people based on their income
or financial tier.
Proposed Sec. 1022.5(b) addressing the phrase ``assembling or
evaluating'' could also impact data aggregators that provide
information or products, for non-permissible purposes, that involve
assembling or evaluating consumer information. To the extent data
aggregators engage in these activities, they may face costs associated
with adjusting their business practices to comply with the FCRA. The
CFPB does not have data on the extent to which data aggregators engage
in these practices, and requests comment on this issue.
In addition, entities that the proposed rule would clarify are
consumer reporting agencies under the proposed rule but that do not
currently comply with the FCRA would incur both one-time costs to
develop FCRA-compliant systems, processes, policies, and procedures, as
well as ongoing costs to maintain them. For example, such entities
would be required to comply with the FCRA's dispute resolution and
accuracy requirements. During the SBREFA process, small entity
representatives argued that investigating disputes, if and when they
were to arise, would be very costly due to increased staffing,
technical, and legal costs.\261\ Some data broker small entity
representatives asserted that they would face compliance costs so high
that they might cease operation.\262\ The CFPB does not have data
allowing it to quantify these one-time and ongoing costs and requests
comment on this issue.
---------------------------------------------------------------------------
\261\ Small Business Review Panel Report, supra note 40, at 17.
\262\ Id. at 19.
---------------------------------------------------------------------------
The FCRA includes a private right of action, so entities newly
considered to be consumer reporting agencies could incur costs related
to FCRA litigation. These entities would also face ongoing compliance
costs, for example those associated with ensuring that they are only
furnishing consumer reports for FCRA section 604 permissible purposes.
These entities would also likely need to retain personnel with
professional skills related to software development, general and
operational management, legal expertise, and customer support. The CFPB
does not have data indicating the magnitude of these costs and requests
comment on this issue.
Entities newly considered to be consumer reporting agencies would
face costs associated with credentialing and monitoring recipients'
actual use of the consumer reports that they furnish. The CFPB does not
have data indicating the magnitude of these costs and requests comment
on this issue.
Under the proposed rule, entities that provide data to other
entities that would newly be considered consumer reporting agencies
could, depending on the facts and circumstances, qualify as furnishers
subject to the FCRA. Furnishers would incur one-time costs to develop
FCRA-compliant systems, processes, policies, and procedures, as well as
ongoing costs to maintain them. Entities newly considered to be
furnishers could also experience increased legal expenses, to the
extent that they face litigation associated with disputes. Indeed,
furnishers would likely need to retain personnel with skills related to
software development, general and operational management, legal
expertise, and customer support. If the ongoing cost of furnishing in
compliance with the FCRA exceeds the benefits companies currently
receive from furnishing, those entities may cease furnishing
information to consumer reporting agencies.
[[Page 101439]]
Provisions Addressing What Constitutes a Consumer Report
The proposed rule would address when communications by consumer
reporting agencies constitute consumer reports. Proposed Sec.
1022.4(d) would provide that any communication by a consumer reporting
agency of a personal identifier for a consumer that was collected in
whole or in part by a consumer reporting agency for the purpose of
preparing a consumer report about the consumer (also known as ``credit
header'' information) is a consumer report, therefore limiting the sale
of this information to FCRA permissible purposes.
The three alternative versions of proposed Sec. 1022.4(e)
regarding de-identified information would effectively limit the sale of
aggregated or otherwise de-identified data derived from a consumer
reporting database by specifying when this information constitutes a
consumer report, and thus may only be sold for FCRA permissible
purposes.
Proposed Alternative One would provide that de-
identification of information is not relevant to a determination of
whether the definition of consumer report is met. This alternative
would mean that a consumer reporting agency's communication of consumer
report information would still constitute a consumer report even if the
consumer report information was de-identified.
Proposed Alternative Two would instead provide that de-
identification of information is not relevant to a determination of
whether the definition of consumer report is met if the data is
``linked or linkable'' to an individual consumer.
Proposed Alternative Three would provide that de-
identification of information is not relevant to a determination of
whether the definition of consumer report is met if at least one of the
specific conditions listed is met, including that the information is
``still linked or reasonably linkable'' to a consumer, is ``used to
inform a business decision about a particular consumer,'' or ultimately
is used to identify the consumer in practice. This proposed alternative
was designed to permit research using de-identified data so long as it
is not re-identified. The CFPB is requesting comment as to which
condition or combinations of conditions should be included in a final
rule consistent with that goal and whether any additional conditions
should be added if the third alternative approach is finalized.
Although Proposed Alternative One would technically be a more
stringent restriction on the use of de-identified consumer report
information than Proposed Alternative Two, because almost any data from
a consumer report could theoretically be linked to a consumer, the
ultimate impacts appear to be similar. Thus, Proposed Alternatives One
and Two would have qualitatively similar benefits and costs for
consumers and covered persons by eliminating a broad range of current
uses of de-identified consumer report information. For example,
Proposed Alternative One would prohibit researchers from government and
other reputable entities from obtaining de-identified consumer report
data for research on topics including the state of consumer finances,
as research is not an FCRA permissible purpose, and Proposed
Alternative Two would likely have a similar effect. In contrast,
Proposed Alternative Three generally would not prohibit researchers
from obtaining de-identified consumer report data for use in research,
and the CFPB requests comment on which conditions under this
alternative would allow for research to continue.
Potential Benefits to Consumers of Provisions Addressing What
Constitutes a Consumer Report
A consequence of the proposed definition of consumer report is that
additional information would be treated as having FCRA protections and
limitations on sharing as compared to the baseline. This would confer
privacy benefits to consumers similar to those discussed above
regarding clarifying which entities are consumer reporting agencies.
Defining personal identifiers obtained from a consumer reporting agency
as consumer report information, for example, would reduce the ability
of entities to share and sell that information and would likely have
the net effect of reducing the total amount of consumers' private
information available in the marketplace.
Reduction of this sensitive information in the marketplace, such as
contact information, including phone numbers, could have benefits for
consumers by decreasing the risk of these data being obtained by
unauthorized parties for uses that can harm consumers, such as for
fraudulent purposes. Though the CFPB does not have information to
quantify this reduction in risk, the FTC reported that consumers lost
$10 billion to fraud and scams in 2023, and that the second most
commonly reported contact method by scammers was contacting people by
phone, leading to the highest per person reported median loss of
$1,480.\263\ Certain consumer populations may experience distinct
impact from scammers. For example, elder fraud is a significant
subcategory of fraud that can be facilitated by the unauthorized use of
contact information. The FBI's Internet Crime Complaint Center (IC3)
reported that call center schemes overwhelmingly target older adults
and consumers over the age of 60 lost more to these scams than any
other age group.\264\ In 2023, ``total losses reported to the IC3 by
those over the age of 60 topped $3.4 billion, an almost 11% increase in
reported losses from 2022.'' \265\ To the extent that financial fraud
and identity theft is facilitated by such sensitive consumer
information from consumer reporting agencies, the CFPB expects that
limiting transmission of this information to permissible purposes would
reduce unauthorized access by fraudsters, which could reduce incidences
of fraud and the associated losses to consumers. The CFPB requests
information that can be used to quantify the expected changes in fraud
or identity theft related to this information.
---------------------------------------------------------------------------
\263\ See Press Release, Fed. Trade Comm'n, As Nationwide Fraud
Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the
Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
\264\ See Press Release, Fed. Bureau of Investigation Los
Angeles, U.S. Dep't of Just., FBI Releases 2023 Elder Fraud Report
with Tech Support Scams Generating the Most Complaints and
Investment Scams Proving the Costliest (May 2, 2024), https://www.fbi.gov/contact-us/field-offices/losangeles/news/fbi-releases-2023-elder-fraud-report-with-tech-support-scams-generating-the-most-complaints-and-investment-scams-proving-the-costliest.
\265\ See Fed. Bureau of Investigation, U.S. Dep't of Just.,
2023 Elder Fraud Report (Dec. 12, 2023), https://www.ic3.gov/AnnualReport/Reports/2023_IC3ElderFraudReport.pdf.
---------------------------------------------------------------------------
Reducing the flow of personal identifiers that are available for
purchase may also benefit consumers who may become targets for doxing,
stalking, harassment, or violence as a result of their contact
information being made available by data brokers. These include
consumers who are targeted for their profession, such as abortion care
providers, military service members, judges, prosecutors, police
officers, and other members of law enforcement.\266\
[[Page 101440]]
Additionally, a DOJ report found that about 3.4 million people aged 16
or older were victims of stalking in 2019,\267\ and a study by the
National Network to End Domestic Violence found that over half of
victim service agencies surveyed reported that they work with victims
whose stalker used public information gathered online to stalk
them.\268\ The survey did not specify if the information was obtained
through data brokers but previous court cases have documented how a
stalker can use data broker services to locate and harm their
victims.\269\ While it is difficult to quantify the costs to consumers
who experience these harms, stalking can cause victims to experience
``higher rates of depression, anxiety, insomnia and social dysfunction
than people in the general population.'' \270\ Given that, at baseline,
consumers' personal information is widely proliferated and sold online,
sometimes for as little as $0.95 per record,\271\ the CFPB expects the
use of this data for stalking, harassment, and doxing would be reduced
under the proposed rule to the extent that sensitive personal
identifiers from consumer reports are being used to facilitate these
activities in the baseline. The CFPB requests information that can be
used to quantify the benefits to consumers as it relates to these data
and any reduction in these harms.
---------------------------------------------------------------------------
\266\ See CFPB Data Broker RFI, Comment from Digital Defense
Fund, The National Network of Abortion Funds, and Apiary for
Practical Support (July 17, 2023), CFPB Data Broker RFI, Comment ID
2023-0020-3946, https://www.regulations.gov/comment/CFPB-2023-0020-3946; Herbert B. Dixon & James L. Anderson, The Evolving Nature of
Security Threats to Judges, Am. Bar Ass'n (Aug. 4, 2023), https://www.americanbar.org/groups/judicial/publications/judges_journal/2023/summer/evolving-nature-security-threats-to-judges/; Esther
Salas, My Son Was Killed Because I'm a Federal Judge, N.Y. Times
(Dec. 8, 2020), https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html.
\267\ Rachel E. Morgan & Jennifer L. Truman, Bureau of Just.
Stat., U.S. Dep't of Just., Stalking Victimization, 2019 (Feb.
2022), https://www.justice.gov/d9/2023-06/2022%20Report%20to%20Congress%20on%20Stalking.pdf.
\268\ See Safety Net Project, New Survey: Technology Abuse &
Experiences of Survivors and Victim Service Agencies, Nat'l Network
to End Domestic Violence (Apr. 29, 2014), https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
\269\ See, e.g., Remsburg v. Docusearch, Inc., No. Civ. 00-211-
B, 2002 WL 844403, at *2-3 (D.N.H. Apr. 25, 2002).
\270\ Stalking Prevention, Awareness, and Resource Center,
Stalking Fact Sheet (Jan. 2019), https://www.stalkingawareness.org/wp-content/uploads/2019/01/SPARC_StalkngFactSheet_2018_FINAL.pdf.
\271\ See, e.g., Justin Sherman, People Search Data Brokers,
Stalking, and `Publicly Available Information' Carve-Outs, The
Lawfare Inst. (Oct. 30, 2023), https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
---------------------------------------------------------------------------
Likewise, clarifying that consumer information that has been de-
identified, whether through aggregation or other means, may constitute
a consumer report additionally could limit the sharing and sale of
consumers' data relative to baseline. Aggregation and other methods
have been longstanding approaches to preventing the disclosure of
information linked to a specific individual that can be used to
identify a consumer, even among government agencies.\272\ However,
recent research has illuminated how even carefully aggregated data may
still present a risk of being identified, depending on the context. For
example, research from the U.S. Census Bureau has shown how information
linked to specific individuals can at times be obtained from publicly
available aggregate-level information.\273\ In many other examples,
researchers have been able to re-identify individuals from seemingly
de-identified data.\274\ To the extent that consumers can be re-
identified from the aggregated or otherwise de-identified data
currently derived from consumer reporting databases at baseline, the
proposed rule may benefit consumers by reducing the amount of personal
information obtained about them. The benefits would be similar to those
discussed above related to the overall reduction in the supply of
consumer information. The CFPB does not have data to quantify these
benefits to consumers and requests information and comment on these
issues.
---------------------------------------------------------------------------
\272\ Report on Statistical Disclosure Limitation Methodology,
Fed. Comm. on Stat. Methodology (Exec. Off. of the President of
U.S., OMB, Working Paper No. 22, Dec. 2005), https://nces.ed.gov/FCSM/pdf/SPWP22_rev.pdf.
\273\ John M. Abowd & Michael B. Hawes, 21st Century Statistical
Disclosure Limitation: Motivations and Challenges, at 8 (U.S. Census
Bureau, Working Paper No. ced-wp-2023-002, Mar. 03, 2023), https://www.census.gov/library/working-papers/2023/adrm/ced-wp-2023-002.html.
\274\ See, e.g., Jane Henriksen-Bulmer & Sheridan Jeary, Re-
identification attacks--A systemic literature review, 36(6)(B) Int'l
J. of Info. Mgmt. (Dec. 2016), https://www.sciencedirect.com/science/article/abs/pii/S0268401215301262.
---------------------------------------------------------------------------
Providing that communications of personal identifiers by consumer
reporting agencies are consumer reports would also benefit consumers by
confirming they have protection under the FCRA when personal
identifiers are used to make certain decisions that bear on them. For
example, personal identifiers are purchased from consumer reporting
agencies by data brokers in order to provide end users with identity
verification services designed to prevent financial fraud. When these
entities rely on outdated personal identifiers or otherwise introduce
inaccuracies into these data, it could result in false positives that
can impact a consumer's access to financial products and services. In
recent years, reports of financial fraud have increased along with
reports of increased account closures (``debanking'') and denial of
services to consumers.\275\ Additionally, consumers who are denied
financial services may turn to other more costly financial
alternatives, such as check cashing, or miss out on the benefits of
building credit. \276\ By providing that communications of personal
identifiers on their own by consumer reporting agencies are consumer
reports, the proposed rule would apply the FCRA's accuracy provisions
to data brokers who receive personal identifiers from consumer
reporting agencies to provide risk mitigation services. While the CFPB
does not have data to quantify the impact that inaccurate information
plays in the decisions resulting from risk mitigation services provided
by such data brokers, the CFPB expects that by improving the accuracy
of such information, the proposed rule could mitigate the associated
harms of such decisions based on inaccurate information. The CFPB
requests comment on the role personal identifiers play in risk
mitigation services and the associated impacts for consumers.
---------------------------------------------------------------------------
\275\ See, e.g., Press Release, Fed. Trade Comm'n, As Nationwide
Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to
Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public; Tara Siegel Bernard & Ron
Lieber, Banks Are Closing Customer Accounts, With Little
Explanation, N.Y. Times (Apr. 8, 2023), https://www.nytimes.com/2023/04/08/your-money/bank-account-suspicious-activity.html;
Kristine Lazar, On Your Side: Bank customers report unexpected
account closures, CBS News (July 17, 2023) https://www.cbsnews.com/losangeles/news/on-your-side-bank-customers-report-unexpected-account-closures/.
\276\ Tyler Desmond & Charles Sprenger, Estimating the Cost of
Being Unbanked, Fed. Rsrv. Bank of Boston (Spring 2007), https://www.bostonfed.org/-/media/Documents/cb/PDF/article9.pdf.
---------------------------------------------------------------------------
In addition, users of reports consisting solely of personal
identifiers purchased from consumer reporting agencies would be
required to send adverse action notices to consumers in situations
where an adverse action is taken against a consumer based on the
information. Consumers would benefit from receiving such adverse action
notices to the extent that it alerts them to potentially incorrect
information and their right to dispute such information, and prompts
them to address adverse actions that may have resulted, such as denial
of government benefits or bank accounts due to an inability to verify
the identity of the consumer. The CFPB does not have data to quantify
how often users of personal identifiers provide adverse action notices
based on this information at baseline and requests comment on these
issues.
[[Page 101441]]
Potential Benefits to Covered Persons of Provisions Addressing What
Constitutes a Consumer Report
Many financial institutions use risk mitigation services provided
by data brokers to detect fraudulent applicants and suspicious activity
to reduce the cost of fraud against the financial institution, or fraud
against consumers that the financial institution must cover pursuant to
the Electronic Fund Transfer Act or payment network rules. The proposed
rule would ensure the FCRA's protections apply to these risk mitigation
services if the data broker purchased personal identifiers from the
consumer reporting agencies. These data brokers would be required to
comply with FCRA provisions applicable to consumer reporting agencies,
including the legal requirement to maintain policies and procedures to
assure maximum possible accuracy.\277\ In addition, consumers would
receive greater notice and ability to dispute inaccurate personal
identifiers used for risk mitigation purposes if proposed Sec.
1022.4(d) is finalized. To the extent that correction of inaccurate
reports increases as a result of the proposed rule, covered persons
that rely on these services would benefit from the improved accuracy of
risk mitigation. For example, financial institutions that use data
brokers that purchase personal identifiers from consumer reporting
agencies for identity verification services would have better
information to detect fraudulent applications. By improving the
accuracy of information used for risk mitigation, the CFPB also expects
the proposed rule to reduce costs to financial institutions, which
currently expend resources, incur fraud losses, or may lose business
due to decisions resulting from inaccurate data used in risk mitigation
in the baseline.\278\ The CFPB does not have data to quantify these
benefits and requests information and comment on these issues.
---------------------------------------------------------------------------
\277\ 15 U.S.C. 1681e.
\278\ David Vergara, The banking industry's multi-billion dollar
fraud problem and how to solve it, Bank Admin. Inst. (Jan. 16,
2019), https://www.bai.org/banking-strategies/the-banking-industrys-multi-billion-dollar-problem/.
---------------------------------------------------------------------------
The CFPB does not anticipate that any covered persons would benefit
from any of the three alternative versions of proposed Sec. 1022.4(e).
Potential Costs to Consumers of Provisions Addressing What Constitutes
a Consumer Report
Regarding proposed Sec. 1022.4(d), at baseline, personal
identifiers from consumer reporting agencies are used in a variety of
activities, some of which involve FCRA permissible purposes and some of
which do not. Personal identifiers from consumer reporting agencies are
used for risk mitigation activities, such as identity verification and
fraud prevention, which overlap but can be distinct from each other.
Generally, entities will have a permissible purpose to purchase
personal identifiers from consumer reporting agencies for risk
mitigation services on current or prospective customers, either because
there is an applicable permissible purpose or the user is able to
obtain the consumer's written instruction. The CFPB requests comment on
the extent to which risk mitigation strategies and services that use
personal identifiers from consumer reporting agencies could be impacted
under the proposal and subsequent impacts on consumers.
In some instances, law enforcement agencies purchase personal
identifiers from consumer reporting agencies via data brokers. However,
law enforcement currently obtains personal identifiers from a broad
range of other sources, and proposed Sec. 1022.4(d) would not affect
many of these sources.\279\ If law enforcement is able to obtain
necessary information pursuant to these other sources, or through other
sources that are not subject to the FCRA, the CFPB expects the impacts
of the proposed rule to law enforcement would be small and seeks
comment on whether there would be any subsequent impacts to consumers.
Furthermore, as noted above, the CFPB is requesting comment on a
potential exemption from proposed Sec. 1022.4(d) for communications
consisting exclusively of personal identifiers that are solely
furnished to, or solely used to furnish to, local, Tribal, State, or
Federal governments, which would likely ameliorate this impact.
---------------------------------------------------------------------------
\279\ See supra pp. 4-6, Part I: Summary of the Proposed Rule.
---------------------------------------------------------------------------
Consumers could also face impacts related to use of de-identified
data by entities that develop and test financial models if the first or
second alternative version of proposed Sec. 1022.4(e) is finalized.
For example, financial institutions and other entities use de-
identified consumer reporting agency data to develop, test, and
validate credit, fraud, and similar risk-management models (such as
VantageScore and FICO scores), develop and test products, manage credit
portfolios, and for other purposes. While existing risk-management
scores that have already been developed could still be used if the
proposed rule were finalized, without access to de-identified consumer
report data, entities would be unable to test and improve such scores
as they currently do. Similarly, entities attempting to develop new
models would not be able to do so using de-identified consumer report
data. To the extent that risk-management scores created without access
to de-identified consumer report data are less accurate in predicting
consumers' ability to repay than existing scores, there could be
downstream effects on processes and products that rely upon such
metrics. While financial institutions would be able to rely on consumer
reporting agencies, particularly nationwide consumer reporting
agencies, to develop risk-management scores, reduced competition in
developing risk-management scores could impose costs on consumers in
the form of higher prices and less accurate scores. Small entity
representatives noted during the Small Business Review Panel that, if
creditors could not use de-identified data for their own models, they
would need to tighten their credit policies or increase pricing, both
of which would harm consumers, particularly those who do not have
access to traditional financial products and services.\280\ The CFPB
requests information on the potential impacts to risk-management models
and the subsequent impacts to consumers.
---------------------------------------------------------------------------
\280\ Small Business Review Panel Report, supra note 40, at 25.
---------------------------------------------------------------------------
Consumers may also lose benefits from research, policymaking, or
market monitoring activities that rely on de-identified information.
Currently, consumer reporting agencies regularly sell de-identified
information from their consumer reporting databases to government
agencies, nonprofits, and academic institutions to facilitate research.
Research using de-identified consumer report information has become
increasingly common, as it allows policymakers to identify current
trends in consumer welfare and identify emerging financial risks to
consumers. For example, the CFPB uses its Consumer Credit Information
Panel (CCIP), a comprehensive, national 1-in-50 longitudinal sample of
de-identified credit records, sourced from one of the three nationwide
consumer reporting agencies, to conduct economic research, monitor
financial markets, and inform rulemakings that support consumers in the
financial marketplace. Similarly, the CFPB and FHFA jointly fund and
manage the National Mortgage Database (NMDB), a de-identified
nationally representative five percent sample of closed-end first-lien
residential
[[Page 101442]]
mortgages in the United States.\281\ The FHFA not only relies on the
NMDB to fulfill its mandate to conduct a monthly mortgage market survey
but also uses the database to benefit consumers through activities such
as evaluating impacts of borrower counseling and loan modification
programs.\282\ Many nonprofits (e.g., Eviction Lab, Urban Institute,
FinRegLab) and academic institutions (e.g., University of California,
Indiana University) use similar de-identified data from the nationwide
consumer reporting agencies to conduct research on a wide array of
topics, such as the effect of government policies on consumer access to
credit.\283\
---------------------------------------------------------------------------
\281\ Fed. Hous. Fin. Agency, National Mortgage Database
Program, https://www.fhfa.gov/programs/national-mortgage-database-program (last visited Oct. 15, 2024). The core data in NMDB is de-
identified data drawn from the files of Experian, one of the three
national credit bureaus. Fed. Hous. Fin. Agency, Technical Report 1:
National Mortgage Database Technical Documentation, at 1-2 (Dec. 28,
2022), https://www.fhfa.gov/sites/default/files/documents/NMDB-Technical-Documentation-20221228.pdf.
\282\ 12 U.S.C. 4544(c)(1); see also Fed. Hous. Fin. Agency,
National Mortgage Database Program, https://www.fhfa.gov/programs/national-mortgage-database-program (last visited Oct. 15, 2024).
\283\ Univ. of Cal. Consumer Credit Panel (UC-CCP), California
Policy Lab, https://www.capolicylab.org/data-resources/university-of-california-consumer-credit-panel/, (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
Under the first alternative version of proposed Sec. 1022.4(e),
government agencies, nonprofits, and academic institutions would
generally no longer be able to obtain de-identified data from consumer
reporting databases and numerous other sources, as they do not
generally have an FCRA permissible purpose to do so; the second
alternative would have similar effects where the de-identified data is
linkable back to individual consumers. To the extent that consumers
currently benefit from such research, consumers would face costs
associated with its prohibition under the first and second proposed
alternatives.
Depending on which conditions are finalized and how they are
implemented, the third alternative could also impact government
agencies' and other researchers' ability to engage in research
practices that use de-identified data from consumer reporting agencies
going forward. To the extent that consumers and covered persons receive
value from these research activities that use de-identified information
from consumer reporting databases, a version of the de-identified data
provision that would prohibit these practices would impose costs on
consumers by eliminating the benefits of that research. The CFPB
requests information on the potential impacts to research activities
and the subsequent impacts to consumers.
Potential Costs to Covered Persons of Provisions Addressing What
Constitutes a Consumer Report
The provisions relating to personal identifiers and de-identified
data purchased from consumer reporting agencies could reduce the
ability of consumer reporting agencies to sell current products or
services, potentially reducing their revenues. For example, consumer
reporting agencies sell de-identified consumer report data to
government agencies, nonprofits, and academic institutions for use in
research and policy work, as well as to financial institutions and
other entities for a variety of finance-related modeling purposes.
Revenues from such sales could be reduced or eliminated, depending on
the version of the de-identified data provision that is finalized. The
CFPB is aware that some nationwide consumer reporting agencies sell
personal identifiers and de-identified consumer report information but
does not have information to determine the extent to which other
entities that meet the definition of consumer reporting agency engage
in similar practices.
Additionally, entities that currently use de-identified consumer
report data for credit and other financial models could face impacts
and costs associated with the loss of or change to this data access,
such as those noted in the above discussion on costs to consumers.
Examples of costs include, but are not limited to, operational costs to
adjust their processes and models, costs associated with finding
alternative data, and potential business and revenue impacts to the
extent these changes are not as effective as the current models that
use de-identified consumer report data. The CFPB requests information
from entities on the use cases of de-identified data for these purposes
and the potential impacts on entities of the alternatives under
consideration.
Some data brokers that purchase personal identifiers from consumer
reporting agencies for resale would themselves be considered consumer
reporting agencies. Those firms would have similar additional costs as
described above in the section pertaining to costs to covered persons
of provisions that could affect consumer reporting agency coverage. For
example, these firms would be subject to FCRA compliance requirements
for how consumer report information can be used and distributed. The
CFPB requests information and comment that can be used to quantify
potential revenue losses and compliance costs to these entities.
Some consumer reporting agencies sell personal identifiers to
financial institutions for their in-house risk mitigation activities,
including identity verification or fraud detection, or to users who
provide risk mitigation services to financial institutions. For
example, financial institutions use credit header data for identity
verification when a consumer applies for a loan, opens a checking
account, or applies for a credit limit increase.\284\ Users of personal
identifiers for identity verification services could continue to obtain
identifying information drawn from a consumer reporting database if
they have an FCRA permissible purpose. For example, if an entity has a
permissible purpose under FCRA section 604(a)(3) to obtain a consumer
report, a consumer reporting agency could provide that entity with a
consumer report for identity verification conducted in connection with
that permissible purpose (such as a creditor seeking to confirm the
identity of an applicant in connection with a loan application). In
other cases, users could obtain a consumer's written instructions.
However, the CFPB received feedback from the Small Business Review
Panel that obtaining written instructions might lead to increased
operational costs, slow down consumer-initiated transactions, or cause
confusion among customers.\285\ The CFPB does not have information to
quantify these potential costs but preliminarily determines that some
of the cost to entities that would rely on the written instructions
permissible purpose could be minimized by obtaining a consumer's
written instructions electronically. The CFPB requests comment on this
issue.
---------------------------------------------------------------------------
\284\ Small Business Review Panel Report, supra note 40, at 22.
\285\ Id. at 23.
---------------------------------------------------------------------------
If the proposal is finalized, consumer reporting agencies would
generally not be able to provide personal identifiers that they collect
for the purpose of preparing consumer reports to entities that want to
use the information for identity verification in connection with a
transaction that is not a permissible purpose, absent written
instructions from the consumer. Given that identity verification is
primarily conducted by entities on their customers or prospective
customers who submit an application to the entity, the CFPB expects
that many users of personal identifiers from consumer reports will be
able to obtain written instructions in
[[Page 101443]]
the absence of other permissible purposes, thus mitigating impacts on
their use. However, in cases where an entity that would otherwise use
personal identifiers from consumer reporting agencies for risk
mitigation services does not have a permissible purpose and does not
obtain a consumer's written instructions, the user could face costs
such as identifying and integrating alternative sources of personal
identifiers for identity verification if the proposed rule is
finalized. If these users fail to identify suitable alternative data
sources, impacted entities might instead require consumers to take
additional validation steps before they approve an action. These
additional validation steps may impose costs on impacted entities, such
as operational costs to conduct additional checks, the cost of
acquiring additional verification tools, and potential loss of consumer
transactions or relationships related to the increased friction imposed
on a consumer. The CFPB is requesting comment on whether there are
entities that conduct identity verification without a permissible
purpose or the ability to obtain written instructions (such as data
brokers that use personal identifiers purchased from consumer reporting
agencies to perform risk mitigation services on behalf of companies
regarding consumers who are not the companies' customers) and if so,
what impact this rule would have on those services and what obstacles
or costs may be associated with obtaining suitable alternatives from
other sources (such as directly from financial institutions).
Debt collectors may also use data brokers that purchase personal
identifiers from consumer reporting agencies to locate consumers to
collect unpaid debts on credit accounts at baseline. If the personal
identifier proposal is finalized, debt collectors collecting on such
credit accounts could continue to use personal identifiers purchased
from consumer reporting agencies in compliance with the FCRA under FCRA
section 604(a)(3)(A). The CFPB received feedback from the Small
Business Review Panel that some debt collectors would increase reliance
on litigation as a collection tool.\286\ Since collecting on a credit
account is a permissible purpose under the FCRA, the CFPB does not have
information on the likelihood of debt collectors changing collection
approaches or other costs related to the rule and requests comment.
---------------------------------------------------------------------------
\286\ Small Business Review Panel Report, supra note 40, at 24.
---------------------------------------------------------------------------
Provisions To Reduce the Use of Consumer Report Information for
Marketing and Advertising
The proposed rule includes provisions intended to further the
FCRA's general prohibition on the use of consumer report information
for marketing and advertising without a permissible purpose, i.e.,
without compliance with the FCRA's prescreening provisions set out in
FCRA section 604(c) or the consumer's written instructions under FCRA
section 604(a)(2). Under proposed Sec. 1022.10(b)(2), if a consumer
reporting agency facilitates a third party's use of consumer report
information for that person's financial gain, regardless of whether
such information is transmitted to the third party, the consumer
reporting agency has furnished the consumer report to a third party for
purposes of FCRA section 604 and proposed Sec. 1022.10(a). In
addition, proposed Sec. 1022.12(b)(3) would highlight that the
legitimate business need permissible purpose in FCRA section
604(a)(3)(F) does not authorize use of consumer report information for
marketing. Given that proposed Sec. 1022.12(b)(3) does not change the
baseline, the CFPB does not anticipate any significant impacts of this
provision. Additionally, while not the focus of this analysis, proposed
Sec. 1022.4(e) regarding when de-identified consumer information
constitutes a consumer report, discussed above, may also deter the use
of consumer report information for marketing and advertising without a
permissible purpose.
Potential Benefits to Consumers of Provisions To Reduce the Use of
Consumer Report Information for Marketing and Advertising
To the extent that entities rely on consumer reporting agencies to
facilitate their use of consumer report information to target marketing
to consumers without receiving such information and without a
permissible purpose, the proposed rule would prevent such marketing.
Specifically, the proposals would cause consumer reporting agencies to
cease facilitating advertisers' ability to target ads based on consumer
report information, except in limited circumstances (i.e., with
consumer authorization or under the limited circumstances permitted by
the FCRA for firm offers of credit or insurance). While companies may
instead use alternative data that could proxy for consumer report
information so as to avoid FCRA restrictions, alternative data may be
prohibitively expensive or of lower quality.\287\ To the extent that
companies fail to identify suitable proxies for consumer report
information, the proposed rule could reduce the amount of targeted
marketing presented to consumers.
---------------------------------------------------------------------------
\287\ See, e.g., Eric Farkas, How accurate third-party data
leads the way for advertisers, Experian (Jan. 5, 2024), https://www.experian.com/blogs/marketing-forward/how-accurate-third-party-data-leads-the-way-for-advertisers/.
---------------------------------------------------------------------------
Reductions in targeted marketing and advertising based on consumer
report information could result in benefits to consumer privacy. Some
existing research suggests that consumers can find targeted advertising
intrusive and may even respond negatively if the targeting is made more
salient.\288\ Researchers have also found evidence that consumers value
the European Union's General Data Protection Regulation's right to
object to profiling provision, which provides consumers a limited
ability to object to companies using their personal data for marketing
purposes.\289\ To the extent consumers find targeted advertising based
on consumer report information intrusive, then consumers may benefit
from any reduction in this type of targeted marketing stemming from the
proposed rule.
---------------------------------------------------------------------------
\288\ Avi Goldfarb & Catherine Tucker, Online Display
Advertising: Targeting and Obtrusiveness, 30(3) Mktg. Sci. (Feb. 9,
2011), https://pubsonline.informs.org/doi/10.1287/mksc.1100.0583.
\289\ Maciej Sobolewski & Michal Palinski (2017), How much to
consumers value on-line privacy? Welfare assessment of new data
protection regulation (GDPR) (Univ. of Warsaw, Faculty of Econ.
Sci., Working Papers No. 17/2017 (246) 2017), https://www.wne.uw.edu.pl/files/7915/1505/9038/WNE_WP246.pdf.
---------------------------------------------------------------------------
It is also possible for marketing based on consumer report
information to negatively impact consumers. For example, targeted
marketing based on financial characteristics, such as income, credit
score, or payment of debts, might enable the targeting of consumers in
financial distress with advertisements for predatory products and
services, which may result in financial or other harms to consumers.
Firms could also use consumer report information, for example, to
target only expected higher-income consumers and prevent lower-income
consumers from seeing advertisements for products that may benefit
them. To the extent the proposed provisions affect targeted advertising
based on these types of characteristics, the proposed rule may benefit
consumers. Consistent with the discussion above about price
discrimination, advertising based on income or financial tier can lead
to consumers being offered products at prices closer to the consumer's
willingness to pay, resulting in higher
[[Page 101444]]
revenue for companies but lower consumer surplus. The CFPB requests
information that can be used to quantify these potential benefits to
consumers of reductions in marketing and advertising based on consumer
report information, as well as information that can be used to quantify
the amount of marketing or advertising presented to consumers that
depends on consumer reporting agencies facilitating use of consumer
report information.
Potential Benefits to Covered Persons of Provisions To Reduce the Use
of Consumer Report Information for Marketing and Advertising
The CFPB does not anticipate that any covered persons would benefit
from the provisions in the proposed rule intended to reduce the use of
consumer report information for marketing and advertising.
Potential Costs to Consumers of Provisions To Reduce the Use of
Consumer Report Information for Marketing and Advertising
To the extent that the proposed provisions impact targeted
advertising or marketing by reducing companies' ability to rely on
consumer report information, such as income and financial tier, for
targeted marketing, they may impose some costs on consumers. For
consumers, advertising can serve an informative purpose.\290\ In
targeting consumers based on personalized information (including
consumer report information such as income or financial tier) for
profit-maximizing purposes, companies may be informing certain
consumers of products or discounts that they would be interested in,
and potentially would not have known about otherwise. While the
proposed rule would not prohibit companies from using targeting
algorithms, the reduced ability to rely on consumer report information
for targeted marketing could reduce the amount and usefulness of the
marketing consumers receive. However, these potential costs to
consumers would be small if targeted marketing based on consumer report
information currently has limited value for consumers. The CFPB is not
aware of research that examines whether using consumer report
information specifically in targeting algorithms affects the amount and
degree to which ads meet consumer preferences. Existing empirical
research concerning the value of targeted marketing, in general, to
consumers is mixed.\291\ The CFPB does not have information to quantify
the value to consumers of targeted advertising that uses consumer
report information, or the change in value that could result if this
use were to cease under the proposed rule, and requests information on
the potential impact to consumers.
---------------------------------------------------------------------------
\290\ See, e.g., Yehuda Kotowitz & Frank Mathewson, Informative
Advertising and Welfare, 69(3), The American Econ. Review 284 (June
1979), https://www.jstor.org/stable/1807364.
\291\ See, e.g., Erik Brynjolfsson et al., The Consumer Welfare
Effects of Online Ads: Evidence from a 9-year Experiment (NBER
Working Paper No. 32846, Aug. 2024), https://www.nber.org/papers/w32846; Eduardo Schnadower Mustri et al., Behavioral Advertising and
Consumer Welfare, Soc. Sci. Rsch. Network (Mar. 23, 2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4398428; Navdeep S.
Sahni & Charles Zhang, Are Consumers Averse to Sponsored Messages?
The Role of Search Advertising in Information Discovery, Stanford
Univ. Graduate Sch. of Bus. Rsch. Paper No. 3441786 (Mar. 27, 2022),
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3441786.
---------------------------------------------------------------------------
By providing that the FCRA prohibits consumer reporting agencies
from facilitating a third party's use of consumer report information
for financial gain without a permissible purpose, the proposed rule
would also impact some surveys. Since academics, nonprofit
organizations, and government agencies do not conduct or sponsor
surveys for financial gain, their use of consumer reporting agencies to
facilitate surveys would not be prohibited, and consumers would
continue to benefit from research that relies upon these types of
surveys. However, to the extent that consumers benefit from surveys
that rely on or elicit consumer report information and are conducted
for financial gain, consumers would face reduced benefits associated
with their prohibition. While it is likely that entities would simply
cease relying on consumer reporting agencies to facilitate surveys
rather than abandon the surveys entirely, this could reduce the
efficacy of such surveys, and in turn, reduce their value to consumers.
The CFPB requests comment on the extent to which consumers benefit from
surveys facilitated by consumer reporting agencies for a person's
financial gain.
The CFPB requests information that can be used to quantify these
costs to consumers, as well as comment on whether there are additional
use cases outside of targeted marketing and research that one would
expect to be impacted by the proposed rule.
Potential Costs to Covered Persons of Provisions To Reduce the Use of
Consumer Report Information for Marketing and Advertising
There are several ways in which consumer reporting agencies would
lose revenues under the provisions of the proposed rule related to
marketing. If the provision clarifying that furnishing includes
facilitating a person's use of a consumer report for financial gain is
finalized, consumer reporting agencies would forgo revenues that they
previously could have generated from certain activities, such as
facilitating marketing or conducting surveys that rely upon consumer
report information on behalf of other entities for those entities'
financial gain. In addition to lost revenue, consumer reporting
agencies could incur costs of compliance associated with changing
processes, policies, and procedures related to these activities if the
provision is finalized. The proposed provisions are expected to have
fewer impacts on consumer reporting agencies that do not at baseline
engage in these activities. The CFPB requests comment on these issues,
especially data that can be used to quantify these potential losses in
revenue, such as data on the sales of consumer report information that
would be affected by the proposed provisions.
Companies may also incur costs due to the proposed provisions
pertaining to marketing and advertising. Companies target ads for a
variety of purposes, including to build an applicant pool or customer
base meeting certain criteria, or to increase the percentage of ads
that lead to customer acquisition or purchases. Companies generally use
a variety of advertising methods to increase customer volume at the
lowest customer acquisition cost possible. In the modern economy,
targeted digital ads using consumer data is one method for doing so,
along with contextual digital ads, behavioral digital ads, physical
mailings, email, texts, telemarketing, television, billboards, radio,
podcasts, and other ad types. This proposed rule could impact the
efficacy of digital advertising by preventing consumer reporting
agencies from facilitating companies' use of consumer report
information, such as that pertaining to income or financial tier, in
the design and development of targeting algorithms, which is not a
permissible purpose. The CFPB is not aware of research demonstrating
whether, and the degree to which, the inclusion of consumer report data
like income or financial tier in targeting algorithms increases
customer acquisition efficiency. But in theory, the proposed rule may
result in a higher customer acquisition cost for firms with a heavier
reliance on digital advertising (in particular targeted marketing based
on surveillance data, as opposed to contextual or behavioral ads) and
with
[[Page 101445]]
a target audience in specific subgroups defined by certain consumer
report information. Having said that, as noted above, targeted
advertising based on consumer data would remain viable with the many
other variables available to advertisers, so the impact on customer
acquisition cost for even those firms would likely be limited.
In recent years, large firms such as Google and Apple,\292\ and
some States (e.g., California, Colorado, Connecticut, Virginia, and
Utah) have considered or have implemented changes to strategies and
policies related to consumer privacy. While the proposed provisions
would specifically affect targeted advertising based on consumer report
information, companies' prior adjustments to industry and State-level
changes could potentially mitigate the additional costs that they may
incur if this proposed rule is finalized. Some companies may choose to
instead rely on written instructions as a means of obtaining consumer
reports for marketing or advertising purposes, which could increase
paperwork and processes associated with requesting consumer
information, or to comply with the FCRA's prescreening provisions. The
CFPB requests data and information that can be used to estimate the
potential revenue losses or additional costs that may be incurred by
companies that would be affected by the proposals.
---------------------------------------------------------------------------
\292\ Tim Bajarin, Apple's Do Not Track Me Rules Are Having
Significant Impact On Digital Advertising, Forbes (July 26, 2022),
https://www.forbes.com/sites/timbajarin/2022/07/26/apples-do-not-track-me-rules-are-having-significant-impact-on-digital-advertising/.
---------------------------------------------------------------------------
Provisions Clarifying the Responsibilities of Consumer Reporting
Agencies
The proposed rule would clarify certain responsibilities of
consumer reporting agencies. Proposed Sec. 1022.11 would clarify the
conditions that must be met for a consumer reporting agency to furnish
or a person to obtain a consumer report in accordance with the written
instructions of the consumer, including consumer disclosure and consent
requirements, and limitations on procurement, use, and retention of
consumer reports, including that such activities must be reasonably
necessary to provide the product or service the consumer requested or
the specific use identified by the consumer. Proposed Sec. 1022.11
would also provide that a consumer reporting agency furnishes a
consumer report in accordance with the written instructions of the
consumer if the report is furnished to a person that is an authorized
third party under subpart D of the PFDR Rule.
Proposed Sec. 1022.12(b)(2) would provide examples of the types of
transactions that would and would not establish a consumer-initiated
transaction for purposes of the legitimate business need permissible
purpose in FCRA section 604(a)(3)(F). For instance, the proposal
clarifies that a consumer does not initiate a business transaction for
purposes of the legitimate business need permissible purpose by
inquiring about the availability or pricing of products or services.
Potential Benefits to Consumers of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
Proposed Sec. Sec. 1022.11 and 1022.12(b) would enhance consumer
protections by limiting the risk of unauthorized use and sharing of
consumer report information. The written instructions permissible
purpose in proposed Sec. 1022.11 provides this benefit in several
ways. First, by limiting the permissible purpose to users who will
obtain, use, and retain a consumer report only as reasonably necessary
to provide a product or service or use requested by a consumer,
consumers are protected from unknowingly agreeing to uses of their
consumer report that they do not want. Indeed, by providing that users
may only share a consumer report as reasonably necessary for these
purposes, the proposal would decrease the chance that the information
would be obtained by unauthorized or unanticipated users, including
through data leaks.\293\ Next, by requiring consumer reporting agencies
or consumer report users to disclose key information to consumers
concerning the requested written instructions, the proposal would
enable consumers to make informed decisions as to how their consumer
report information is used. In addition, by limiting the duration for
which a consumer's written instructions provide a permissible purpose
to up to one year, the proposed rule would allow consumers to provide
standing instructions to furnish consumer reports where required to
provide the requested product or service but would provide a check
against consumer reports being furnished for longer periods of time
than the consumer needs or wants. The CFPB does not have data that
would allow it to quantify how much consumers would benefit from these
additional protections.
---------------------------------------------------------------------------
\293\ See supra note 85.
---------------------------------------------------------------------------
Similarly, proposed Sec. 1022.12(b)(2), which clarifies the
legitimate business need permissible purpose, could benefit consumers
by minimizing the risk of unauthorized information sharing and reducing
market-based harms to consumers. The CFPB is concerned that some
companies could impermissibly obtain consumer reports before a consumer
initiates a business transaction, which could lead to the consumer
report being used to make decisions about the consumer in ways not
authorized by the FCRA. For example, in theory, companies might use
consumer report information to assess consumers and then discriminate
against certain consumers in terms of attention paid and differential
pricing. These situations could lead to higher prices for some
consumers. The proposed rule could further deter such conduct by
clarifying that users do not have a legitimate business need
permissible purpose for this information before the consumer has
initiated a transaction. To quantify the impact, the CFPB would need to
know how often and to what extent consumer report information is
currently used in this manner or in other ways that might harm certain
consumers.
Taken together, proposed Sec. Sec. 1022.11 and 1022.12(b)(2) would
minimize the unauthorized flow of consumer report information and
provide consumers with other privacy-related benefits. The CFPB invites
comments and feedback on the privacy implications of these proposals
for consumers.
Potential Benefits to Covered Persons of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
The examples provided in proposed Sec. 1022.12(b)(2), regarding
the legitimate business need permissible purpose, could benefit
consumer reporting agencies by providing clarity and thus reduce legal
uncertainty that the consumer reporting agency impermissibly furnishes
consumer report information, enabling them to make more efficient
business decisions. The CFPB does not anticipate that any covered
persons would benefit from the written instructions provisions in
proposed Sec. 1022.11. The CFPB requests comment on benefits to
covered persons of these proposed provisions.
Potential Costs to Consumers of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
Consumers would face additional burdens and frictions associated
with proposed Sec. 1022.11. Regarding proposed
[[Page 101446]]
Sec. 1022.11, at baseline, consumer written instructions to furnish
consumer reports often are included as part of larger terms and
conditions language provided to the consumer. Under the proposed rule,
the consumer's written instructions would need to be segregated from
other material. Similarly, since users of consumer report information
would only be allowed to use a consumer report obtained pursuant to the
written instructions permissible purpose for a single product or
service per instruction, consumers may be required to provide multiple,
separate written instructions in some circumstances. In addition,
consumers would be required to provide multiple, separate written
instructions if the user seeks to obtain a consumer report from more
than one consumer reporting agency. Thus, the proposed rule could
result in consumers reviewing multiple, separate disclosures. These
changes generally would increase the amount of time consumers spend to
provide written instructions for a user to obtain their consumer report
when signing up for a product or service for which this permissible
purpose is necessary.
Under proposed Sec. 1022.11, consumers may also face frictions
associated with the proposal to limit consumer instructions to a
duration that is reasonably necessary to provide the product or service
or use but no longer than one year. For example, if a consumer is
signed up for a credit monitoring service, consumers may be required to
reauthorize the entity to access their consumer reports on at least an
annual basis.
The cost of certain products and services that rely on consumer
report information may increase for consumers if proposed Sec. 1022.11
were adopted. For example, today users may obtain a consumers' written
instructions to obtain their consumer report without specifying the
consumer reporting agency from which the user will obtain it, and
afterwards change which consumer reporting agency they want to use to
acquire the report. Under the proposed rule, however, entities would no
longer be able to do this (or would need to obtain a new written
instruction), as they would be required to include in the disclosure
the name of the consumer reporting agency from which they intend to
obtain the consumer report. Therefore, the proposed rule may
disincentivize users from changing which consumer reporting agency they
use, even if a different consumer reporting agency offers less
expensive reports. To the extent that users pass through the increased
costs of consumer reports, as well as other costs associated with
complying with the proposed rule, consumers would face increased costs.
The CFPB does not have data to quantify these costs to consumers and
requests information and comment on these issues.
Potential Costs to Covered Persons of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
Covered persons, including consumer reporting agencies and users of
consumer report information, would face costs associated with complying
with proposed Sec. 1022.11 regarding the written instructions
permissible purpose. Specifically, these covered persons that rely upon
the written instructions permissible purpose to furnish or obtain
consumer report information would experience legal and technological
costs associated with updating their processes and procedures to comply
with this proposed rule. All covered persons' systems would need to be
updated to present consumers with a segregated consumer authorization
disclosure. Covered persons' systems would also need to identify the
consumer reporting agency from which the user intends to pull the
consumers' report information, the name of the person for whom the
consumer is providing consent to obtain their consumer report, and
other information that would be required to be included in the
disclosure. Moreover, since consumer authorizations would only be valid
for as long as is reasonably necessary to provide the requested product
or service or identified use, up to one year, entities' systems would
need to be updated to reobtain consumers' written instructions after
the initial instructions lapse, should continued authorization be
needed. In addition, these systems would need to be updated to allow
for consumers to revoke their written instructions. Beyond the
technical and legal costs, these added frictions may also result in
decreased revenues for users.
Consumer reporting agencies would face frictions associated with
ensuring that consumers' written instructions comply with the proposed
rule. Likewise, users would face costs associated with proving to
consumer reporting agencies they have obtained consumers' written
instructions in a manner that comports with the proposed rule.
Today, consumers may not realize that they are providing written
instructions authorizing access to their consumer reports, such as when
such authorizations are buried in terms and conditions. Under this
proposed rule, entities would instead be required to provide consumers
with a ``clear and conspicuous'' disclosure. Therefore, in light of
this proposed rule, consumers may be more likely to decline authorizing
such access when a user or consumer reporting agency seeks written
instructions as required under the proposal. To the extent that this
occurs, the user requesting written permission, as well as the consumer
reporting agency that would have provided the consumer report, could
have decreased revenue due to the proposed rule. The CFPB requests
comment on this issue, particularly information on the extent to which
users and consumer reporting agencies would experience decreased
revenue.
Regarding proposed Sec. 1022.12(b)(2), consumer reporting agencies
that, in compliance with existing law, are already operating within the
scope of the legitimate business need permissible purpose as clarified
in the proposed rule are expected to face relatively few costs
associated with this proposal. However, consumer reporting agencies
that are currently selling consumer report information to users for
purposes outside of this scope and realize that they need to change
their practices due to the clarifications in the proposed rule would
lose revenue from the resulting decreased sale of consumer reports. The
CFPB does not have data available to quantify this revenue loss. The
CFPB requests comment on this issue, particularly information on the
extent to which the sale of consumer report information would cease
under the proposal.\294\
---------------------------------------------------------------------------
\294\ Small Business Review Panel Report, supra note 40, at 29.
---------------------------------------------------------------------------
F. Potential Reduction of Access by Consumers to Consumer Financial
Products or Services
The provisions addressing the definitions of consumer report and
consumer reporting agency that could affect which entities are consumer
reporting agencies may impose significant compliance costs on data
brokers and other entities that would become consumer reporting
agencies under the proposed rule. To the extent this occurs, data
brokers may, depending on market factors, pass through some or all of
those costs to creditors and depository institutions that use their
services. Creditors and depository institutions could then pass through
some or all of that increase to consumers in the form of higher prices.
This price impact may be mitigated to the extent that creditors and
depository
[[Page 101447]]
institutions choose to absorb part of the compliance costs borne by
data brokers. The CFPB does not have information to quantify these
potential impacts and requests comment on financial access issues that
may arise from the proposed rule if finalized.
G. Potential Impacts on Depository Institutions and Credit Unions With
$10 Billion or Less in Total Assets, as Described in Section 1026
The CFPB has preliminarily concluded that, relative to larger
depository institutions and credit unions, the proposed rule would not
have significantly different impacts on depository institutions and
credit unions with $10 billion or less in total assets. The CFPB
requests comment on its analysis of the potential impacts on these
smaller financial institutions.
H. Potential Impacts on Consumers in Rural Areas
The potential impacts of the proposed rule on consumers in rural
areas would likely be the same, on average, as those impacts on
consumers who do not reside in rural areas. For example, data brokers
that would become consumer reporting agencies if the proposed rule was
finalized likely operate similarly for rural and non-rural consumers.
Likewise, the CFPB is not aware of reasons why, at baseline, marketing
based on consumer report information currently impacts consumers
differently depending on whether they live in rural areas or not. The
CFPB requests comment on its analysis of potential impacts on consumers
in rural areas.
VII. Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act (RFA) requires the CFPB to conduct
an initial regulatory flexibility analysis (IRFA) and convene a panel
to consult with small entity representatives before proposing a rule
subject to notice-and-comment requirements,\295\ unless it certifies
that the rule will not have a significant economic impact on a
substantial number of small entities.\296\ The CFPB has not certified
that the proposed rule would not have a significant economic impact on
a substantial number of small entities within the meaning of the RFA.
Accordingly, the CFPB convened a Small Business Review Panel under the
Small Business Regulatory Enforcement Fairness Act (SBREFA) on October
16, 2023, and held two Panel meetings on October 18 and 19, 2023, to
consider the impacts on small entities that would be subject to the
proposals under consideration and to obtain feedback from
representatives of such small entities. The Small Business Review Panel
for this proposed rule is discussed in part VII.A. The CFPB is also
publishing an IRFA. Among other things, the IRFA contains estimates of
the number of small entities that may be subject to the proposed rule
and describes the impact on those entities. The IRFA for this proposed
rule is set forth in part VII.B.
---------------------------------------------------------------------------
\295\ 5 U.S.C. 603, 609(b), (d)(2).
\296\ 5 U.S.C. 605(b).
---------------------------------------------------------------------------
A. Small Business Review Panel
Under section 609(b) of the RFA, as amended by SBREFA and the CFPA,
in certain circumstances, the CFPB must seek, prior to conducting the
IRFA, information from representatives of small entities that may
potentially be affected by a proposed rule to assess the potential
impacts of that rule on such small entities. The CFPB complied with
this requirement. Details on the Small Business Review Panel and Panel
Report for this proposed rule are described in part II.C.
B. Initial Regulatory Flexibility Analysis
1. Description of the Reasons Why Agency Action Is Being Considered
Developments in the consumer reporting marketplace have resulted in
vast amounts of sensitive consumer information being bought and sold,
often without the knowledge or consent of consumers, involving entities
(commonly known as data brokers) some of whom do not believe that the
FCRA applies to them or their activities. Data brokers use consumer
information to engage in or facilitate a variety of activities,
including targeting consumers for marketing. The CFPB is also aware
that data brokers that are consumer reporting agencies engage in
activities that may threaten consumer privacy and potentially disclose
consumer information to third parties who do not have a permissible
purpose to obtain the information. The proliferation of consumer
information in the market potentially leads to national security,
consumer privacy, consumer fraud, and data security risks that data
brokers, including consumer reporting agencies, might not be fully
accounting for. In addition, technological advancements have made it
increasingly feasible to identify or re-identify consumers from
aggregated or otherwise de-identified data using fewer data fields or
variables than before.\297\
---------------------------------------------------------------------------
\297\ Gina Kolata, Your Data Were `Anonymized'? These Scientists
Can Still Identify You, N.Y. Times (July 23, 2019), https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html.
---------------------------------------------------------------------------
The activities of data brokers, including consumer reporting
agencies, pose a range of potential harms to consumers. For example,
lists of individuals with income information could potentially be used
to facilitate predatory marketing or financial scams. Personal
identifying information about consumers could potentially be used to
stalk or harass consumers who do not wish to be contacted. Consumers
might not be able to monitor or dispute the accuracy of information
that is bought and sold by data brokers when they do so outside of the
FCRA. The CFPB has preliminarily determined that clarifying that
certain activities and entities are covered by the FCRA would mitigate
these harms, as well as improve consumer privacy. Further details are
discussed in part II.B.
2. Succinct Statement of the Objectives of, and Legal Basis for, the
Proposed Rule
The objective of the proposed rule is to ensure that the FCRA's
protections are applied to sensitive consumer information that Congress
designed the statute to protect, including information sold by data
brokers, and to the types of activities Congress designed the statute
to regulate. Specifically, the proposed rule aims to clarify when
entities such as data brokers are consumer reporting agencies and to
ensure that consumer reports are furnished for permissible purposes
under the FCRA, and for no other reasons. The CFPB expects that the
proposed rule, if finalized, would protect Americans from the harms and
invasions of privacy created by certain activities that violate the
FCRA. These objectives are described in more detail in part II.B.
The CFPB proposes this rule pursuant to its authority under the
FCRA and the CFPA. Section 1022(b)(1) of the CFPA authorizes the CFPB
to prescribe rules ``as may be necessary or appropriate to enable the
[CFPB] to administer and carry out the purposes and objectives of the
Federal consumer financial laws, and to prevent evasions thereof.''
Under section 621(e) of the FCRA, the CFPB ``may prescribe regulations
as may be necessary or appropriate to administer and carry out the
purposes and objectives'' of the FCRA. FCRA section 621(e) further
provides that the CFPB may prescribe regulations as may be necessary
and appropriate to prevent evasions of the FCRA or to facilitate
compliance therewith. Part III contains a more detailed discussion of
the legal authority for the proposed rule.
[[Page 101448]]
3. Description and, Where Feasible, Provision of an Estimate of the
Number of Small Entities To Which the Proposed Rule Will Apply
The proposed rule would primarily affect three types of small
entities: (1) entities, including data brokers, that meet or would meet
(if the proposals were finalized) the definition of consumer reporting
agency in FCRA section 603(f), (2) entities that furnish information to
entities that would meet (if the proposals were finalized) the
definition of consumer reporting agency in FCRA section 603(f), and (3)
entities that use consumer reports from consumer reporting agencies or
consumer information from entities that would meet the definition of
consumer reporting agency if the proposed rule were finalized.
Collectively, these entities would include data aggregators and data
brokers, including consumer reporting agencies, as well as furnishers
and financial institutions or other users.
For purposes of assessing the impacts of the proposed rule on small
entities, ``small entities'' are defined in the RFA to include small
businesses, small nonprofit organizations, and small government
jurisdictions. Small businesses are those that meet standards set by
the Small Business Administration (SBA) Office of Size Standards for
all industries in the North American Industry Classification System
(NAICS).\298\
---------------------------------------------------------------------------
\298\ See U.S. Small Bus. Admin., Table of Small Business Size
Standards (effective Mar. 17, 2023) https://www.sba.gov/document/support-table-size-standards (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
The first type of small entity that may be subject to the proposed
rule are entities that meet or would meet (if the proposed rule is
finalized) the definition of consumer reporting agency in FCRA section
603(f). The provisions addressing the definitions of consumer report
and consumer reporting agency that could affect which entities are
consumer reporting agencies would, if adopted, broaden or clarify the
type of entities subject to the FCRA as consumer reporting agencies,
including some small entities. The small entities that would
potentially be most affected by these provisions include certain small
data brokers and data aggregators. The provisions would also affect
small consumer reporting agencies that specialize in providing consumer
reports for purposes such as employment screening, tenant screening,
checking account screening, and insurance, sometimes using consumer
information purchased from the nationwide consumer reporting
agencies.\299\ Entities that meet the definition of consumer reporting
agency in FCRA section 603(f) would be subject to several proposed
provisions, such as those intended to prevent targeted marketing using
consumer report information.
---------------------------------------------------------------------------
\299\ An overview of many of the types of consumer reporting
agencies is accessible at Consumer Fin. Prot. Bureau, List of
consumer reporting companies, https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/ (last visited Oct. 15, 2024). This list is not intended
to be all-inclusive and does not cover every company in the
industry.
---------------------------------------------------------------------------
Furthermore, the provisions that could affect which entities are
consumer reporting agencies would affect entities that furnish consumer
information to entities, including data brokers, that would meet the
definition of consumer reporting agency in the proposed rule if
finalized. Such entities would acquire new or additional FCRA
obligations if they provide consumer information to such consumer
reporting agencies.
Finally, the proposed rule would affect users of consumer
information. Entities that currently obtain the four data types from
data brokers who currently do not consider themselves consumer
reporting agencies would generally only be able to access such
information for a permissible purpose under the FCRA going forward if
the proposed rule is finalized. These users might look to obtain
consumers' written instructions or rely upon a ``legitimate business
need'' in order to establish a permissible purpose to access consumer
reports. Proposals related to these permissible purposes would clarify
the responsibilities of consumer reporting agencies and may lead to
changes in the ways that users obtain consumer reports when relying
upon either the ``written instructions'' or ``legitimate business
need'' permissible purposes.
The SBA size standards are based on assets held, annual revenues,
or number of employees. For example, consumer reporting agencies, which
are primarily contained in NAICS category ``Credit Bureaus'' (561450),
are considered small if they receive less than $41 million in annual
revenues, ``Credit Unions'' (522130) are considered small if they have
less than $850M in assets and ``Directory and Mailing List Publishers''
(511140) are considered small if they have fewer than 1,000
employees.\300\
---------------------------------------------------------------------------
\300\ Thee NAICS descriptions and codes used in the 2017
Economic Census are used throughout this part, rather than the NAICS
descriptions and codes used in the Table of Small Business Size
Standards.
---------------------------------------------------------------------------
Table 1 shows the estimated number of small data brokers, including
consumer reporting agencies, within NAICS categories that may be
subject to the proposed rule if finalized. Table 2 shows the estimated
number of small current furnishers. To estimate the number of small
entities in Tables 1 and 2, the CFPB used data from the December 2023
NCUA and FFIEC Call Report data, the 2017 Economic Census data from the
U.S. Census Bureau, the California and Vermont data broker registries,
and the CFPB's list of consumer reporting agencies.\301\ The CFPB also
used the North American Product Classification System (NAPCS) codes in
the 2017 Economic Census to estimate the fraction of small entities
within each NAICS category that sell products that are likely to be
subject to the proposed rule.
---------------------------------------------------------------------------
\301\ Because size standards are adjusted each year in part for
inflation, the entity counts based on reported revenues in the 2017
Economic Census represent a potential overestimate of the number and
fraction of small entities. Calculations for NAICS 522110, 522130,
and 522180 are based on credit union and Call Report data from
December 2023 using current SBA size standards. See Table of Small
Business Size Standards, supra note 298. Calculations for all other
NAICS codes are based on revenue or employee size from the latest
2017 Economic Census data by the U.S. Census Bureau. See U.S. Census
Bureau, The Number of Firms and Establishments, Employment, Annual
Payroll, and Receipts by Industry and Enterprise Receipts Size: 2017
(May 28, 2021), https://www2.census.gov/programs-surveys/susb/tables/2017/us_6digitnaics_rcptsize_2017.xlsx; U.S. Census Bureau,
The Number of Firms and Establishments, Employment, Annual Payroll,
and Receipts by State, Industry, and Enterprise Employment Size:
2017 (May 28, 2021), https://www2.census.gov/programs-surveys/susb/tables/2017/us_state_naics_detailedsizes_2017.xlsx. Calculations
based on NAPCS codes are based on U.S. Census Bureau, 2017: ECN Core
Statistics Economic Census, https://data.census.gov/table/ECNNAPCSPRD2017.EC1700NAPCSPRDIND.
---------------------------------------------------------------------------
Entities that currently consider themselves as meeting the
definition of consumer reporting agency in FCRA section 603(f) are
mostly contained in the NAICS category ``Credit Bureaus'' (561450),
while a very small number may also be contained in the NAICS category
``Investigation Services'' (561611). The proposed rule would also
clarify that some other entities meet the definition of consumer
reporting agency in FCRA section 603(f). These entities may be
contained in a range of additional NAICS categories, depending on what
they view their primary activities to be.
The types of entities listed in Table 1 include entities that meet
or would meet the definition of consumer reporting agency in FCRA
section 603(f) under the proposed rule. While a particular entity can
only be of one type (i.e., a particular entity can be either an
existing consumer reporting agency or new consumer reporting agency) an
industry NAICS code may contain both new and existing consumer
reporting agencies.
[[Page 101449]]
On the other hand, while entities that furnish to or use consumer
information from entities that are or would be consumer reporting
agencies under the proposed rule if finalized could be affected by the
proposed rule, these entities are not easily delineated by NAICS codes
and are therefore not listed in Table 1. Instead, entities that may
furnish consumer information to consumer reporting agencies (whether at
baseline or as new furnishers after the proposed rule is finalized) are
listed in Table 2. Similarly, because any entity that has a permissible
purpose to access consumer reports is potentially a new or current user
under the FCRA, users may be found in a broad array of industries.
Generally, entities listed in Table 2, and entities that provide
consumer information to the entities listed in Table 1 or procure
information from the entities listed in Table 1, could be affected by
the proposed rule.
Not all entities within each NAICS category would be affected by
the proposed rule. It is possible that some small entities in these
NAICS categories are already in compliance, in whole or in part, with
the proposed rule at baseline. Alternatively, some small entities may
not engage in activities that would be subject to the proposed rule if
finalized.
To provide an estimate of the number of small entities that would
likely be affected by the proposed rule, the CFPB identified an initial
list of NAICS categories that may contain affected entities. The CFPB
also compiled a list of data brokers and other potentially covered
entities from three sources: the California Data Broker Registry
(including ``incomplete registrations''), the Vermont Data Broker
Registry, and the CFPB's list of consumer reporting agencies.\302\ The
CFPB purchased from the NAICS Association a list of NAICS codes that
likely apply to the firms in the compiled data broker list. To account
for the possibility that not every firm in each NAICS category would be
affected by the proposed rule, the CFPB used NAPCS codes to estimate
the fraction of small establishments within each NAICS category that
sell products that may be subject to the proposed rule if finalized,
whether as small data brokers, or small entities that furnish or
otherwise provide consumer information to data brokers.
---------------------------------------------------------------------------
\302\ See supra note 238.
---------------------------------------------------------------------------
NAPCS are codes used by establishments to report what products they
sell. Because it is possible for an entity (referred to as a ``firm''
in the data) to have multiple establishments, the CFPB only uses this
approach to calculate a fraction of likely affected establishments and
assumes that this fraction would be comparable to the fraction of
likely affected entities or firms. Moreover, for estimating the number
of furnishers or data providers, this approach also assumes that there
is no correlation between firm size and the likelihood that consumer
information is actually provided at baseline to data brokers, including
consumer reporting agencies. Because companies with a larger number of
consumer accounts likely have greater incentives to sell or furnish
consumer information, the CFPB expects that this assumption would cause
the number of furnishers or data providers to be overestimated.
To account for potential double-counting of establishments that
report multiple product codes, for each NAICS code the CFPB takes the
sum of the number of establishments that report selling a product
(identified by the NAPCS code) that are likely to be subject to the
proposed rule. The sum is then divided by the total number of
establishments that report NAPCS codes within that NAICS category. The
resulting fraction is then multiplied by the total number of small
entities in a NAICS category to obtain an estimate of the number of
small entities likely subject to the proposed rule if finalized. For
some NAICS categories, the CFPB adapted the estimation approach to data
availability. For NAICS categories ``Commercial Banking'' (522110) and
``Saving Institutions and Other Depository Credit Intermediation''
(522180), the estimate of the number of small entities likely affected
is assumed to be the estimated number of small entities from the
previous column because data on NAPCS codes was not available.\303\ For
NAICS categories ``Lessors of Residential Buildings and Dwellings''
(531110), ``Offices of Real Estate Agents and Brokers'' (531210) and
``Residential Property Managers'' (531311), the CFPB relied on industry
findings and data from the 2021 Rental Housing Finance Survey of the
U.S. Census Bureau to estimate the number of current small furnishers
or data providers.\304\ Finally, as discussed above, while a particular
entity can only be of one type, an industry may contain multiple types
of entities, making it possible for the same NAICS code to appear in
both Tables 1 and 2.
---------------------------------------------------------------------------
\303\ These NAICS codes are highlighted with an asterisk in
Table 2.
\304\ The CFPB assumed that property managers of single-unit
dwellings do not report rental payment information and referred to
the TransUnion survey of property managers for an estimate of the
fraction of multi-unit property managers that report rental payment
information. These NAICS codes are also highlighted with a ``+'' in
Table 2. See TransUnion, More Property Managers Embrace Rent Payment
Reporting: Here's Why, https://www.transunion.com/content/dam/transunion/us/business/collateral/sheet/rent_payment_reporting_insight_guide.pdf (last visited Oct. 15,
2024); U.S. Census Bureau, Rental Housing Finance Survey (RHFS),
https://www.census.gov/programs-surveys/rhfs.html (last visited Oct.
15, 2024).
---------------------------------------------------------------------------
Using this approach, the CFPB estimates that 80,130 small entities,
including small data brokers and other small consumer reporting
agencies, would be subject to the proposed rule if finalized, as
summarized in Table 1. Because the CFPB does not have the information
to assess with certainty which covered entity types are contained
within each NAICS code, the CFPB is not able to provide a breakdown of
the estimated number of affected small entities by covered entity type.
As summarized in Table 2, the CFPB estimates that there are potentially
34,448 small furnishers to consumer reporting agencies. Because the
CFPB cannot verify whether these small entities furnish pursuant to the
FCRA at baseline, the CFPB is unable to provide a more precise estimate
of the number of small furnishers that would be affected by the
proposed rule or delineate which NAICS codes may contain current FCRA
furnishers or data providers that may acquire new obligations as FCRA
furnishers.
While the CFPB lacks the data to more precisely quantify the number
of small entities that would be affected by the proposed rule if
finalized, comments received during the SBREFA process indicate that
small entity representatives expect many small entities to be impacted
by at least one of the proposed provisions. The CFPB requests
information on small entities that may be affected by the proposed rule
if finalized and information that can be used to quantify potential
impacts.
BILLING CODE 4810-AM-P
[[Page 101450]]
[GRAPHIC] [TIFF OMITTED] TP13DE24.080
[[Page 101451]]
[GRAPHIC] [TIFF OMITTED] TP13DE24.081
[[Page 101452]]
[GRAPHIC] [TIFF OMITTED] TP13DE24.082
[[Page 101453]]
[GRAPHIC] [TIFF OMITTED] TP13DE24.083
[[Page 101454]]
[GRAPHIC] [TIFF OMITTED] TP13DE24.084
BILLING CODE 4810-AM-C
4. Projected Reporting, Recordkeeping, and Other Compliance
Requirements of the Proposed Rule, Including an Estimate of the Classes
of Small Entities Which Will Be Subject to the Requirement and the Type
of Professional Skills Necessary for the Preparation of the Report
---------------------------------------------------------------------------
\305\ These NAICS codes correspond to the codes used in the 2017
Economic Census.
\306\ Table of Small Business Size Standards, supra note 298.
\307\ While under the proposed rule, newspaper entities would
not be considered consumer reporting agencies based on activities
that constitute publishing news concerning local, national, or
international events or other matters of public interest, some
establishments under the NAICS category ``Newspaper Publishers''
report the NAPCS code for internet advertising.
\308\ These NAICS codes correspond to the codes used in the 2017
Economic Class.
\309\ Table of Small Business Size Standards, supra note 298.
---------------------------------------------------------------------------
The proposed rule may impose reporting, recordkeeping, and other
compliance requirements on small entities subject to the proposal.
These requirements generally differ for small entities in the following
three classes: (1) entities that meet or would meet (if the proposals
were finalized) the definition of consumer reporting agency in FCRA
section 603(f), (2) entities that furnish information to entities that
would meet (if the proposals were finalized) the definition of consumer
reporting agency in FCRA section 603(f), and (3) entities that use
consumer reports from entities that meet or would meet (if the
proposals were finalized) the definition of consumer reporting agency
in FCRA section 603(f). Based on Table 1, these requirements would be
imposed on an estimated 80,130 small entities that are or would be
consumer reporting agencies under the proposed rule if finalized, an
unknown number of users, and an unknown number of new furnishers. Based
on Table 2, there are an estimated 34,448 small entities that
potentially furnish consumer information to consumer reporting agencies
at baseline or after the proposed rule is finalized. The CFPB requests
information that can be used to estimate the number of small entities
that could become new FCRA furnishers that are in NAICS categories not
listed in Table 2. For the reasons discussed above, the CFPB views the
estimates presented in Tables 1 and 2 as potential overestimates, as
some small entities within each NAICS category might not be subject to
the proposed rule. Moreover, the costs associated with the reporting,
recordkeeping, and other compliance requirements would depend on
whether affected entities currently comply with the FCRA. The CFPB
requests information that can be used to more precisely quantify the
number of small entities that would be affected by the proposed rule.
Requirements for Consumer Reporting Agencies
The CFPB expects that entities that already consider themselves to
meet the definition of consumer reporting agency in FCRA section 603(f)
at baseline already have FCRA-compliant systems, processes, and
policies and procedures. Compliance with the proposed rule would likely
require some or all of these systems, processes, and policies and
procedures to be updated, imposing a
[[Page 101455]]
one-time cost on small consumer reporting agencies. For example,
proposed Sec. 1022.4(d) regarding personal identifiers would classify
communications by a consumer reporting agency of personal identifiers
that were collected for the purpose of preparing consumer reports as
consumer reports. Compliance could require updates to consumer
reporting agencies' systems. Further discussion of these and other
impacts to consumer reporting agencies may be found in part VI.E
Provisions addressing what constitutes a consumer report, Provisions to
reduce the use of consumer report information for marketing and
advertising, and Provisions clarifying the responsibilities of consumer
reporting agencies. Compliance for affected small consumer reporting
agencies would generally require professional skills related to
software development, legal expertise, compliance, and customer
support. The CFPB does not have the data to estimate the one-time and
ongoing costs of reporting, recordkeeping, dispute resolution, and
other compliance requirements for small consumer reporting agencies,
and requests information to quantify these costs.
The proposed rule, if finalized, would cause some small entities,
such as certain data brokers, to be considered consumer reporting
agencies subject to the FCRA and may clarify the application of the
statute to some data aggregators and other entities. The CFPB expects
that many of these small entities may not currently have FCRA-compliant
systems, processes, and policies and procedures at baseline, and would
need to incur one-time costs to develop them, as well as ongoing
operational costs to maintain them. Because such small entities
currently do not operate as though they are subject to liability under
the FCRA, they would also incur increased ongoing or operational costs
to manage dispute resolution and other requirements of the FCRA. One
small entity representative stated that they have already invested in
FCRA-compliant infrastructure, which would mitigate the additional
costs that they would incur if the proposed rule was finalized.\310\
Compliance for small entities that would be considered consumer
reporting agencies under the proposed rule if finalized would generally
require professional skills related to software development, legal
expertise, compliance, and customer support. Small entities might need
to work with third parties for assistance with building FCRA-compliant
systems or updating existing systems. The CFPB requests information
that can be used to quantify impacts to small entities that would be
considered consumer reporting agencies if the proposed rule is
finalized.
---------------------------------------------------------------------------
\310\ Small Business Review Panel Report, supra note 40, at 42.
---------------------------------------------------------------------------
Requirements for Furnishers
Some small entities may acquire new FCRA obligations as furnishers
if the entities they currently furnish consumer information to are
entities that would become consumer reporting agencies under the
proposed rule if finalized. Under sections 611 and 623 of the FCRA,
consumers have a right to dispute incomplete or inaccurate information
on their consumer reports.\311\ While consumers typically initiate
disputes with the relevant consumer reporting agencies, the consumer
reporting agencies (and, if the proposed rule is finalized, the
entities that would be considered consumer reporting agencies) must
forward disputes to furnishers, who would then have the obligation to
investigate the dispute and report the results of their investigation
back to the consumer reporting agencies.\312\ Furnishers generally must
also investigate disputes that consumers directly submit to them.\313\
If, upon investigating, furnishers determine that the disputed consumer
information was inaccurate, furnishers are subject to obligations to
relay the corrected information to consumer reporting agencies that
received the inaccurate information.\314\ Dispute resolution required
by the FCRA may therefore impose costs on furnishers.
---------------------------------------------------------------------------
\311\ 15 U.S.C. 1681i(a)(1)(A), 1681s-2.
\312\ 15 U.S.C. 1681s-2(b).
\313\ See 15 U.S.C. 1681s-2(a)(8); 12 CFR 1022.43.
\314\ 15 U.S.C. 1681s-2(b)(1)(D); 12 CFR 1022.43(e)(4).
---------------------------------------------------------------------------
In addition, furnishers could incur potentially significant costs
associated with accuracy obligations under FCRA section 623(a) and
Regulation V.\315\ To comply with FCRA section 623(a) and Regulation V,
furnishers are required to implement accuracy policies and procedures
and are not permitted to furnish information to consumer reporting
agencies that do not satisfy accuracy requirements. Further discussion
of these and other impacts on new furnishers due to the provisions
clarifying which entities are consumer reporting agencies may be found
in part VI.E, Provisions that could affect consumer reporting agency
coverage.
---------------------------------------------------------------------------
\315\ See 15 U.S.C. 1681s-2(a); 12 CFR 1022.42.
---------------------------------------------------------------------------
Compliance for affected small furnishers would generally require
professional skills related to software development and compliance. For
example, a small entity that furnishes consumer information to an
entity that would be considered a consumer reporting agency under the
CFPB's proposal to interpret ``expected to be used'' (proposed Sec.
1022.4(c)) would then acquire new FCRA obligations as a furnisher, if
the proposed rule is finalized. The furnisher would likely need to
possess detailed and organized records in their databases in order to
conduct a reasonable investigation of consumer disputes. Modifying
their systems and databases to meet these requirements would require
professional skills related to software development and compliance.
Many small entities might need to hire more staff to assist with
dispute resolution and work with third parties for assistance with
systems updates. The CFPB does not have the data to estimate the one-
time and ongoing costs of reporting, recordkeeping, and other
compliance requirements for small furnishers, and requests information
to quantify these costs.
Requirements for Users
Small entity users of consumer reports from consumer reporting
agencies may need to update their processes and procedures in order to
comply with the proposed rule. For example, small entities that rely
upon the ``written instructions'' permissible purpose to obtain
consumer report information would need to ensure that consumers are
presented with a segregated consumer authorization disclosure, which
may be provided by either the consumer reporting agency or the user.
The disclosure would also need to identify the consumer reporting
agency from which the user intends to pull the consumer's consumer
report information and include the name of the person for whom the
consumer is providing consent to obtain their consumer report, as well
as other information that would be required to be in the disclosure.
Small entity users' systems would also need to be updated to ensure
consumers' written instructions are reobtained after the initial
instructions lapse should continued authorization be needed, and to
allow for consumers to revoke their written instructions.
Some small users may be affected by proposed provisions that would
increase the number of data brokers and other entities that meet the
definition of consumer reporting agency under the FCRA. Specifically,
small entities that currently obtain the four data types from data
brokers that would be considered
[[Page 101456]]
consumer reporting agencies under the FCRA if the proposed rule is
finalized would no longer be able to obtain that information without a
permissible purpose. Affected small entities that plan to continue
accessing consumer information under the ``written instructions''
permissible purpose would need to develop the procedures and processes
detailed above. Compliance for affected small users would generally
require professional skills related to customer support, software
development, and compliance. The CFPB does not have the data to
estimate the one-time and ongoing costs of reporting, recordkeeping,
and other compliance requirements for small users, and requests
information to quantify these costs.
5. Identification, to the Extent Practicable, of All Relevant Federal
Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule
The CFPB has identified the following Federal statutes and
regulations that address consumer credit eligibility and privacy issues
as having provisions that may duplicate, overlap, or conflict with
certain aspects of the proposed rule.
The GLBA and the CFPB's implementing regulation, Regulation P, 12
CFR part 1016, require financial institutions subject to the CFPB's
jurisdiction to provide their customers with notices concerning their
privacy policies and practices, among other things. They also place
certain limitations on the disclosure of nonpublic personal information
to nonaffiliated third parties, and on the redisclosure and reuse of
such information. Other parts of the GLBA, as implemented by
regulations and guidelines of certain other Federal agencies (e.g., the
FTC's Safeguards Rule and the prudential regulators' Safeguards
Guidelines), set forth standards for administrative, technical, and
physical safeguards with respect to financial institutions' customer
information.
During the SBREFA process, some small entity representatives also
stated that the CFPB should consider the potential implications of the
proposals under consideration for entities' compliance with the Bank
Secrecy Act and the USA PATRIOT Act. A few small entity representatives
noted that the CFPB should consider the intersection between the
proposals under consideration and the CFPB's PFDR rulemaking.
The CFPB requests comment on whether there are other Federal
statutes or regulations that may duplicate, overlap, or conflict with
the proposed rule and on methods to minimize such conflicts to the
extent they might exist.
6. Description of Any Significant Alternatives to the Proposed Rule
Which Accomplish the Stated Objectives of Applicable Statutes and
Minimize Any Significant Economic Impact of the Proposed Rule on Small
Entities
The CFPB is considering alternatives to the proposed rule that
would possibly result in lower costs for small entities. These include:
(1) different compliance timetables, and (2) clarifying compliance
requirements for small entities. The CFPB has not identified any legal
or policy basis to exempt certain or all small entities from coverage
of the rule, in whole or in part, based on their small-entity status.
As discussed in part V, the CFPB is considering alternative
compliance dates for the proposed rule, which may mitigate the burden
on all entities, including small entities. For example, the CFPB is
considering whether a final rule should take effect six months or one
year after publication in the Federal Register. The CFPB requests
comment on whether this compliance timetable would provide sufficient
time for entities, including small entities, to comply with the
provisions of the proposed rule, as well as ways the CFPB could
facilitate implementation for small entities, such as by providing for
a longer implementation period for small entities and what that period
should be.
The CFPB is also considering clarifying compliance requirements for
all entities, including small entities. In part IX, the CFPB requests
comment on whether the provisions of the proposed rule are sufficiently
clear and whether clarifying revisions or additional examples are
needed.
7. Discussion of Impact on Cost of Credit for Small Entities
The CFPB expects that the proposal may have a limited impact on the
cost of credit for small entities. One small entity representative
stated during the SBREFA process that the proposed rule may affect the
cost and ease of accessing credit for small entities. In particular,
the written instructions provision may slow down the application
process for small business loans because creditors lending to small
businesses check the personal credit of the small business owner and
may need to rely on the small business owner's written authorization to
do so.\316\ In theory, the proposed rule could increase the cost of
credit for small businesses if the compliance costs discussed above are
passed on to small businesses in the form of higher prices on loans
from lenders. Small entity representatives did not provide further
comments on potential impacts on cost of credit for small entities. The
CFPB requests comment on this topic, and requests data or evidence that
can be used to quantify the potential impact of the proposed rule on
the cost of credit to small entities.
---------------------------------------------------------------------------
\316\ Small Business Review Panel Report, supra note 40, at 43.
---------------------------------------------------------------------------
VIII. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA),\317\ Federal
agencies are required to seek approval from OMB for data collection,
disclosure, and recordkeeping requirements (collectively, information
collection requirements) prior to implementation. Under the PRA, the
CFPB may not conduct or sponsor, and, notwithstanding any other
provision of law, a person is not required to respond to, an
information collection unless the information collection displays a
valid control number assigned by OMB. As part of its continuing effort
to reduce paperwork and respondent burden, the CFPB conducts a
preclearance consultation program to provide the general public and
Federal agencies with an opportunity to comment on the information
collection requirements in accordance with the PRA. This helps ensure
that the public understands the CFPB's requirements or instructions,
respondents can provide the requested data in the desired format,
reporting burden (time and financial resources) is minimized,
information collection instruments are clearly understood, and the CFPB
can properly assess the impact of information collection requirements
on respondents.
---------------------------------------------------------------------------
\317\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------
This proposed rule would amend 12 CFR part 1022 (Regulation V). The
CFPB's OMB control number for Regulation V is 3170-0002, which
currently expires on October 31, 2025. As described below, the proposed
rule would revise existing information collections and create the
following new information collection requirements in Regulation V.
The proposed rule would provide that entities that sell information
about a consumer's credit history, credit score, debt payments, and
income or financial tier generally are consumer reporting agencies
selling consumer reports, regardless of whether any specific
communication of such information is used or expected to be used for
FCRA
[[Page 101457]]
purposes. If these provisions were finalized, certain entities that
today are not consumer reporting agencies would become consumer
reporting agencies and would need to comply with FCRA requirements
applicable to consumer reporting agencies. Existing information
collection requirements would be expanded to these newly covered
entities to the extent required to comply with the FCRA.
The proposed rule also would specify the conditions that would need
to be satisfied for an entity to establish a ``written instructions''
permissible purpose to furnish or obtain a consumer report, thereby
creating several new information collection requirements.
First, entities would be required to provide consumers a disclosure
specifying:
The name of the person to whom the consumer is providing
consent to obtain the consumer report;
The name of the consumer reporting agency that will
furnish the consumer report;
A brief description of the product or service that the
consumer is requesting, or, when no product or service is requested,
the specific use the consumer identified;
Statements notifying the consumer about limitations on the
procurement, use, and retention of their consumer report; and
A description of an easy to access and operate method by
which a consumer may revoke their consent and that the consumer will
not incur any costs or penalties to revoke their consent.
The disclosure would need to be clear, conspicuous, and segregated
from other material. After providing the disclosure, entities would be
required to obtain the consumer's express, informed consent for their
consumer report to be furnished, and the consumer's signature, either
in writing or electronically, authorizing the consumer reporting agency
to furnish the report. Currently, entities often obtain consumers'
written instructions as part of larger terms and conditions language,
and Regulation V does not currently require entities to provide
consumers with specific disclosures or specify how entities must obtain
consumers' consent.
Second, a written instructions permissible purpose could be
established only with respect to one consumer reporting agency per
disclosure, and only as reasonably necessary to provide the product or
service the consumer has requested, or for the use the consumer has
specified. Currently, consumer reporting agencies and users often
obtain consent to furnish consumer reports to multiple users or from
multiple consumer reporting agencies, respectively, in a single
authorization. Therefore, if the proposal were finalized, the number of
disclosures that consumer reporting agencies and consumer report users
would need to provide would increase.
Third, users would only be allowed to continue accessing a consumer
report for up to one year after the date on which the particular
consumer consents for the report to be furnished. After one year, users
would be required to reobtain the consumer's written consent if they
wished to continue obtaining the consumer report. Currently, there is
no explicit duration limitation in Regulation V governing consumers'
written instructions.
Fourth, consumers must be provided a method by which to revoke
consent for their consumer report to be furnished that is as easy to
access and operate as the method by which the consumer provided consent
to the furnishing of their consumer report, and consumers could not be
charged any costs or penalties to revoke their consent. Currently,
there are no explicit requirements or prohibitions in Regulation V
related to revocation of consumers' consent.
There are estimated to be 81,922 additional respondents to the
information collections contained in Regulation V (FCRA) as a result of
the new requirements that would be imposed if this proposal were
finalized. There are estimated to be 37,296 existing respondents
(furnishers and consumer reporting agencies currently subject to
Regulation V) who would have new obligations if this proposal were
finalized. The CFPB estimates that there would be 7.1 million
additional annual burden hours stemming from new information
collections if the proposal were finalized. The collections of
information contained in this proposed rule, and identified as such,
have been submitted to OMB for review under section 3507(d) of the PRA.
A complete description of the information collection requirements
(including the burden estimate methods) is provided in the supporting
statement accompanying the information collection request (ICR) that
the CFPB has submitted to OMB under the requirements of the PRA. Please
send your comments to the Office of Information and Regulatory Affairs,
OMB, Attention: Desk Officer for the Bureau of Consumer Financial
Protection. Send these comments by email to [email protected]
or by fax to 202-395-6974. If you wish to share your comments with the
CFPB, please send a copy of these comments as described in the
ADDRESSES section above. The ICR submitted to OMB requesting approval
under the PRA for the information collection requirements contained
herein is available at www.regulations.gov as well as on OMB's public-
facing docket at www.reginfo.gov.
Title of Collection: Protecting Americans from Harmful Data Broker
Practices (Regulation V).
OMB Control Number: 3170-0002.
Type of Review: Revision of a currently approved collection.
Affected Public: Private sector.
Estimated Number of Respondents: 81,922.
Estimated Total Annual Burden Hours: 7,127,600.
Comments are invited on:
1. Whether the collection of information is necessary for the
proper performance of the functions of the CFPB, including on whether
the information will have practical utility;
2. The accuracy of the CFPB's estimate of the burden of the
collection of information, including the validity of the methods and
the assumptions used;
3. Ways to enhance the quality, utility, and clarity of the
information to be collected; and
4. Ways to minimize the burden of the collection of information on
respondents, including through the use of automated collection
techniques or other forms of information technology.
Comments submitted in response to this notification will be
included or summarized in the request for OMB approval. All comments
will become a matter of public record.
If applicable, the final rule will inform the public of OMB's
approval of the new information collection requirements proposed herein
and adopted in the final rule. If OMB has not approved the new
information collection requirements prior to publication of the final
rule in the Federal Register, the CFPB will publish a separate
notification in the Federal Register announcing OMB's approval prior to
the effective date of the final rule.
IX. Request for Comments
The CFPB requests comment on all aspects of this proposed rule. In
addition to the requests regarding specific topics in parts III through
VIII, the CFPB generally requests comment on:
1. Whether each proposed provision is sufficiently clear so that
entities that would be covered under a final rule could comply, or
whether clarifying revisions are needed and, if so, what they are;
[[Page 101458]]
2. Whether additional examples regarding any of the proposed
provisions would be helpful and, if so, what those examples should be;
3. Any anticipated drawbacks of any of the proposed provisions,
such as any unintended negative consequences for consumers or covered
entities or potential conflicts with other laws, and any alternatives
that would achieve the goals of the proposed rule while reducing or
avoiding such consequences or conflicts;
4. The anticipated benefits and costs of each proposed provision to
consumers and to entities that would be covered if the proposed rule
were adopted as proposed, and any alternatives that would reduce costs;
and
5. With respect to questions 1 through 4, any considerations
particular to small entities that the CFPB should consider.
X. Severability
The CFPB preliminarily intends that, if the proposed rule is
finalized, and if any provision of the final rule, or any application
of a provision, is stayed or determined to be invalid, the remaining
provisions or applications are severable and shall continue to be in
effect.
List of Subjects in 12 CFR Part 1022
Banks, Banking, Consumer protection, Credit unions, Holding
companies, National banks, Privacy, Reporting and recordkeeping
requirements, Savings associations.
Authority and Issuance
For the reasons set forth in the preamble, the CFPB proposes to
amend Regulation V, 12 CFR part 1022, as set forth below:
PART 1022--FAIR CREDIT REPORTING (REGULATION V)
0
1. The authority citation for part 1022 continues to read as follows:
Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 1681a, 1681b, 1681c,
1681c-1, 1681c-3, 1681e, 1681g, 1681i, 1681j, 1681m, 1681s, 1681s-2,
1681s-3, and 1681t; Sec. 214, Pub. L. 108-159, 117 Stat. 1952.
Subpart A--General Provisions
0
2. Section 1022.1 is amended by revising the section heading and adding
paragraph (b)(1) to read as follows:
Sec. 1022.1 Purpose, scope, model forms and disclosures, and
organization.
* * * * *
(b) * * *
(1) FCRA provisions implemented. This part implements only certain
provisions of the FCRA. Other Federal agencies' regulations also
implement only certain provisions of the FCRA. See 12 CFR part 41
(Office of the Comptroller of the Currency), 12 CFR part 222 (Board of
Governors of the Federal Reserve System), 12 CFR part 334 (Federal
Deposit Insurance Corporation), 12 CFR part 717 (National Credit Union
Administration), and subchapter F of chapter I of title 16 (Federal
Trade Commission). Statutory text contains additional requirements.
* * * * *
0
3. Section 1022.3 is amended by revising the section heading to read as
follows:
Sec. 1022.3 Definitions; in general.
* * * * *
0
4. Sections 1022.4 and 1022.5 are added to read as follows:
Sec. 1022.4 Definition; consumer report.
(a) In general. For purposes of this part, unless explicitly stated
otherwise, the term consumer report means any written, oral, or other
communication of any information by a consumer reporting agency that:
(1) Bears on a consumer's creditworthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or
mode of living; and
(2) Is used or expected to be used or collected in whole or in part
for the purpose of serving as a factor in establishing the consumer's
eligibility for:
(i) Credit or insurance to be used primarily for personal, family,
or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the FCRA,
15 U.S.C. 1681b.
(b) Is used. Information in a communication is used for a purpose
described in paragraph (a)(2) of this section if a recipient of the
information uses it for such purpose.
(c) Is expected to be used. Information in a communication is
expected to be used for a purpose described in paragraph (a)(2) of this
section if:
(1) The person making the communication expects or should expect
that a recipient of the information in the communication will use the
information for such a purpose; or
(2) The information is about a consumer's:
(i) Credit history;
(ii) Credit score;
(iii) Debt payments; or
(iv) Income or financial tier.
(d) Personal identifier for a consumer. (1) A communication by a
consumer reporting agency of a personal identifier for a consumer that
was collected by the consumer reporting agency in whole or in part for
the purpose of preparing a consumer report about the consumer is a
consumer report as defined in paragraph (a) of this section, regardless
of whether the communication contains any information other than the
personal identifier.
(2) For purposes of this paragraph (d), a personal identifier for a
consumer means:
(i) The consumer's:
(A) Current or former name or names, including any aliases;
(B) Age or date of birth;
(C) Current or former address or addresses;
(D) Current or former telephone number or numbers;
(E) Current or former email address or addresses; or
(F) Social Security number (SSN) or Individual Taxpayer
Identification Number (ITIN); or
(ii) Any other personal identifier for the consumer similar to
those listed in paragraph (d)(2)(i) of this section.
Alternative 1--Paragraph 4(e)
(e) De-identification of information. De-identification of
information is not relevant to a determination of whether the
definition of consumer report in paragraph (a) of this section is met.
Alternative 2--Paragraph 4(e)
(e) De-identification of information. De-identification of
information is not relevant to a determination of whether the
definition of consumer report in paragraph (a) of this section is met
if the information is still linked or linkable to a consumer.
Alternative 3--Paragraph 4(e)
(e) De-identification of information. (1) In general. De-
identification of information is not relevant to a determination of
whether the definition of consumer report in paragraph (a) of this
section is met if:
(i) The information is still linked or reasonably linkable to a
consumer;
(ii) The information is used to inform a business decision about a
particular consumer, such as a decision whether to target marketing to
that consumer; or
(iii) A person that directly or indirectly receives the
communication, or any information from the communication, identifies
the consumer to whom information from the communication pertains.
(2) Examples. The following are examples of information that is
linked or reasonably linkable to a consumer for purposes of paragraph
(e)(1)(i) of this section:
[[Page 101459]]
(i) Information that identifies a specific household;
(ii) Information that identifies a specific ZIP+4 Code in which a
consumer resides; or
(iii) Information that includes a persistent identifier (such as a
cookie identifier, an internet Protocol (IP) address, a processor or
device serial number, or a unique device identifier) that can be used
to recognize the consumer over time and across different websites or
online services.
(f) Exclusions. Except as provided in paragraph (g) of this
section, the term consumer report does not include:
(1) Subject to section 624 of the FCRA, 15 U.S.C. 1681s-3, any:
(i) Report containing information solely as to transactions or
experiences between the consumer and the person making the report;
(ii) Communication of information described in paragraph (f)(1)(i)
of this section among persons related by common ownership or affiliated
by corporate control; or
(iii) Communication of information other than information described
in paragraph (f)(1)(i) of this section among persons related by common
ownership or affiliated by corporate control, if:
(A) It is clearly and conspicuously disclosed to the consumer that
the information may be communicated among such persons; and
(B) The consumer is given the opportunity, before the information
is initially communicated, to direct that the information not be
communicated among such persons;
(2) Any authorization or approval of a specific extension of credit
directly or indirectly by the issuer of a credit card or similar
device;
(3) In circumstances in which a third party has requested that a
person make a specific extension of credit directly or indirectly to a
consumer, any report in which such person conveys his or her decision
with respect to such request, if:
(i) The third party advises the consumer of the name and address of
the person to whom the request was made; and
(ii) Such person makes the disclosures to the consumer required
under section 615 of the FCRA, 15 U.S.C. 1681m; or
(4) A communication described in section 603(o) or (y) of the FCRA,
15 U.S.C. 1681a(o) or (y).
(g) Restriction on sharing of medical information. Except for
information or any communication of information disclosed as provided
in section 604(g)(3) of the FCRA, 15 U.S.C. 1681b(g)(3), the exclusions
in paragraph (f) of this section do not apply with respect to
information disclosed to any person related by common ownership or
affiliated by corporate control, if the information is:
(1) Medical information, as that term is defined in Sec.
1022.3(k);
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
Sec. 1022.5 Definition; consumer reporting agency.
(a) In general. For purposes of this part, unless explicitly stated
otherwise, the term consumer reporting agency means any person that:
(1) For monetary fees, dues, or on a cooperative nonprofit basis,
regularly engages in whole or in part in the practice of assembling or
evaluating consumer credit information or other information about
consumers for the purpose of furnishing consumer reports to third
parties; and
(2) Uses any means or facility of interstate commerce for the
purpose of preparing or furnishing consumer reports.
(b) Assembling or evaluating. (1) In general. For purposes of
paragraph (a)(1) of this section, a person assembles or evaluates
consumer credit information or other information about consumers if the
person:
(i) Collects, brings together, gathers, or retains such
information;
(ii) Appraises, assesses, makes a judgment regarding, determines or
fixes the value of, verifies, or validates such information; or
(iii) Contributes to or alters the content of such information.
(2) Examples. A person assembles or evaluates consumer credit
information or other information about consumers for purposes of
paragraph (a)(1) of this section if, for example, the person:
(i) Collects such information from a consumer's bank account and
assesses it, such as by grouping or categorizing it based on
transaction type;
(ii) Alters the content of information the person has received
about a consumer, such as by modifying the year date fields to all
reflect four, rather than two, digits to ensure consistency;
(iii) Determines the value of such information, such as when a
company that hosts an online database regarding consumers' criminal
histories arranges or orders search results in order of perceived
relevance to users, or provides scores, color coding, or other indicia
of weight or import to users;
(iv) Retains information about consumers, such as by retaining data
files containing consumers' payment histories in a database or
electronic file system; or
(v) Verifies or validates information the person has received about
a consumer, such as by checking whether a consumer's date of birth
received from a third-party data provider matches the consumer's date
of birth as listed in an external database or is properly formatted
regardless of whether the person takes any action to correct any errors
found.
0
5. Subpart B is added to read as follows:
Subpart B--Permissible Purposes of Consumer Reports
Sec.
1022.10 Permissible purposes of consumer reports; in general.
1022.11 Permissible purpose based on a consumer's written
instructions.
1022.12 Permissible purposes based on a consumer reporting agency's
reasonable belief about a person's intended use.
1022.13 Permissible purposes based on certain agency or other
official requests.
Subpart B--Permissible Purposes of Consumer Reports
Sec. 1022.10 Permissible purposes of consumer reports; in general.
(a) In general. Subject to section 604(c) of the FCRA, 15 U.S.C.
1681b(c), any consumer reporting agency may furnish a consumer report
under the circumstances described in Sec. Sec. 1022.11 through 1022.13
and no other.
(b) Furnish a consumer report. For purposes of paragraph (a) of
this section, a consumer reporting agency furnishes a consumer report
if the consumer reporting agency:
(1) Provides the consumer report to a person; or
(2) Facilitates a person's use of the consumer report for that
person's financial gain.
Sec. 1022.11 Permissible purpose based on a consumer's written
instructions.
(a) In general. A consumer reporting agency may furnish a consumer
report in accordance with the written instructions of the consumer to
whom the report relates.
(b) Conditions for permissible purpose based on consumer's written
instructions. A consumer reporting agency furnishes a consumer report
in accordance with the written instructions of the consumer only if the
conditions in this paragraph (b) are satisfied.
(1) Consumer disclosure and consent. (i) The consumer reporting
agency or the person to whom the consumer reporting agency will furnish
the consumer report:
[[Page 101460]]
(A) Provides the consumer, either in writing or electronically, a
disclosure that satisfies the requirements of paragraph (c) of this
section;
(B) Obtains the consumer's express, informed consent to the
furnishing of a consumer report in accordance with the limitation
described in paragraph (b)(2) of this section; and
(C) Obtains the consumer's signature, either in writing or
electronically, authorizing the consumer reporting agency to furnish
the consumer report.
(ii) The consumer has not revoked consent to such furnishing.
(2) Limitation on furnishing. The consumer reporting agency
furnishes the consumer report to a person only in connection with the
person's provision to the consumer of a specific product or service the
consumer has requested, or, if the consumer has not requested a product
or service, in connection with a specific use the consumer has
identified.
(3) Procurement, use, and retention. The person to whom the
consumer reporting agency furnishes the consumer report:
(i) Procures, uses, or retains the consumer report, or provides the
report to a third party, only as reasonably necessary to provide the
product or service the consumer has requested or, if the consumer has
not requested a product or service, for the specific use the consumer
has identified;
(ii) Procures the consumer report no more than one year after the
date on which the consumer consents to the furnishing of the report as
described in paragraph (b)(1)(i)(B) of this section; and
(iii) Provides the consumer report to a third party only if the
third party agrees by contract to comply with the limitations described
in this paragraph (b)(3).
(4) Revocation of consent. (i) The consumer reporting agency or the
person to whom the consumer reporting agency will furnish the consumer
report provides the consumer a method by which to revoke consent for
their report to be furnished that is as easy to access and operate as
the method by which the consumer provided consent for their report to
be furnished.
(ii) No person charges the consumer any costs or penalties to
revoke their consent.
(c) Disclosure format and content. The disclosure required by
paragraph (b)(1) of this section must be clear, conspicuous, and
segregated from other material and must include:
(1) The name of the person for whom the consumer is providing
consent to obtain their consumer report, which name must be readily
understandable to the consumer;
(2) The name of the consumer reporting agency that will furnish the
consumer report to the person identified in paragraph (c)(1) of this
section, which name must be readily understandable to the consumer;
(3) A brief description of the specific product or service that the
consumer is requesting from the person identified in paragraph (c)(1)
of this section and in connection with which that person will use the
consumer report, or, if the consumer is not requesting a product or
service, the specific use for which the report will be furnished;
(4) Statements notifying the consumer of the procurement, use, and
retention limitations described in paragraph (b)(3) of this section,
and a statement that the person identified in paragraph (c)(1) of this
section, and any third party to whom the consumer report is provided,
will comply, or will be required to comply, with those limitations; and
(5) A description of the method by which the consumer may revoke
consent for their consumer report to be furnished that is as easy to
access and operate as the method by which the consumer provided consent
for their report to be furnished, and a statement that the consumer
will not incur any costs or penalties to revoke their consent.
(d) Reasonably necessary; examples. For purposes of paragraph
(b)(3)(i) of this section, examples of uses of consumer reports that
are not part of, or reasonably necessary to provide, any other product
or service include:
(1) Targeted advertising;
(2) Cross-selling of other products or services; and
(3) The sale of information in the consumer report.
Sec. 1022.12 Permissible purposes based on a consumer reporting
agency's reasonable belief about a person's intended use.
(a) In general. A consumer reporting agency may furnish a consumer
report to a person that the consumer reporting agency has reason to
believe intends to use the information as follows:
(1) Credit transaction involving a consumer. In connection with a
credit transaction involving the consumer on whom the information is to
be furnished and involving the extension of credit to, or review or
collection of an account of, that consumer.
(2) Employment purposes. For employment purposes.
(3) Insurance underwriting. In connection with the underwriting of
insurance involving the consumer.
(4) Eligibility for governmental license or other benefit. In
connection with a determination of the consumer's eligibility for a
license or other benefit granted by a governmental instrumentality
required by law to consider an applicant's financial responsibility or
status.
(5) Assessment of an existing credit obligation. As a potential
investor or servicer, or current insurer, in connection with a
valuation of, or an assessment of the credit or prepayment risks
associated with, an existing credit obligation.
(b) Legitimate business need. (1) In general. In addition to
furnishing a consumer report to a person for any purpose described in
paragraph (a) of this section, a consumer reporting agency may furnish
a consumer report to a person that the consumer reporting agency has
reason to believe otherwise has a legitimate business need for the
information:
(i) In connection with a business transaction that is initiated by
the consumer; or
(ii) To review an account to determine whether the consumer
continues to meet the terms of the account.
(2) Initiated by the consumer. (i) In general. Paragraph (b)(1)(i)
of this section authorizes a consumer reporting agency to furnish a
consumer report to a person only if the consumer reporting agency has
reason to believe that the consumer has initiated a business
transaction.
(ii) Examples. (A) Business transactions initiated by a consumer. A
consumer initiates a business transaction for purposes of paragraph
(b)(1)(i) of this section if, for example, the consumer:
(1) Applies to rent an apartment;
(2) Applies to open a brokerage account or checking account; or
(3) Offers to pay for merchandise by personal check.
(B) Interactions that are not business transactions initiated by a
consumer. A consumer does not initiate a business transaction for
purposes of paragraph (b)(1)(i) of this section by, for example, asking
about the availability or pricing of products or services.
(3) Solicitation or marketing. (i) In general. Paragraphs (b)(1)(i)
and (ii) of this section do not authorize a consumer reporting agency
to furnish a consumer report to a person if the consumer reporting
agency has reason to believe the person is seeking information from the
report to solicit the consumer for a transaction the consumer did not
initiate or to otherwise market products or services to the consumer.
For requirements related to furnishing consumer reports in connection
with prescreened offers for credit or
[[Page 101461]]
insurance transactions that are not initiated by a consumer, see
section 604(c) of the FCRA, 15 U.S.C. 1681b(c).
(ii) Example; account review. Assume a consumer has a checking
account with a bank. Paragraph (b)(1)(ii) of this section authorizes a
consumer reporting agency to furnish a consumer report to the bank if
the consumer reporting agency has reason to believe the bank needs the
report to determine, as part of an account review, whether to modify
the terms of the consumer's existing checking account based on whether
there are credible and meaningful indicia that the consumer used the
account to defraud others. However, paragraph (b)(1)(ii) of this
section does not authorize the consumer reporting agency to furnish a
consumer report to the bank if the consumer reporting agency has reason
to believe the bank is seeking the information from the report to
market other products or services to the consumer.
Sec. 1022.13 Permissible purposes based on certain agency or other
official requests.
(a) In general. A consumer reporting agency may furnish a consumer
report as follows:
(1) Court order or subpoena. In response to:
(i) The order of a court having jurisdiction to issue such an
order;
(ii) A subpoena issued in connection with proceedings before a
Federal grand jury; or
(iii) A subpoena issued in accordance with 31 U.S.C. 5318 or 18
U.S.C. 3486.
(2) Request by child support enforcement agency. In response to a
request by the head of a State or local child support enforcement
agency (or a State or local government official authorized by the head
of such an agency), if the person making the request certifies to the
consumer reporting agency that:
(i) The consumer report is needed for the purpose of establishing
an individual's capacity to make child support payments, determining
the appropriate level of such payments, or enforcing a child support
order, award, agreement, or judgment;
(ii) The parentage of the consumer for the child to which the
obligation relates has been established or acknowledged by the consumer
in accordance with State laws under which the obligation arises (if
required by those laws); and
(iii) The consumer report will be kept confidential, will be used
solely for a purpose described in paragraph (a)(2)(i) of this section,
and will not be used in connection with any other civil,
administrative, or criminal proceeding, or for any other purpose.
(3) Request related to State plans for child support. To an agency
administering a State plan under 42 U.S.C. 654 for use to set an
initial or modified child support award.
(4) Request related to insured depository institutions or insured
credit unions. To the Federal Deposit Insurance Corporation or the
National Credit Union Administration:
(i) As part of its preparation for its appointment as, or as part
of its exercise of powers as, conservator, receiver, or liquidating
agent for an insured depository institution or insured credit union
under the Federal Deposit Insurance Act, 12 U.S.C. 1811 et seq., the
Federal Credit Union Act, 12 U.S.C. 1751 et seq., or other applicable
Federal or State law; or
(ii) In connection with the resolution or liquidation of a failed
or failing insured depository institution or insured credit union, as
applicable.
(5) Request related to government-sponsored, individually billed
travel charge cards. To executive departments and agencies in
connection with the issuance of government-sponsored, individually
billed travel charge cards.
(b) [Reserved]
Subpart C--Affiliate Marketing
0
6. In Sec. 1022.20, introductory text of paragraph (b) is republished
and paragraph (b)(3) is revised to read as follows:
Sec. 1022.20 Coverage and definitions.
* * * * *
(b) Definitions. For purposes of this subpart:
* * * * *
(3) Eligibility information. The term ``eligibility information''
means any information the communication of which would be a consumer
report if the exclusions from the definition of consumer report in
Sec. 1022.4(f)(1) did not apply. Eligibility information does not
include aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
* * * * *
Subpart D--Medical Information
0
7. Section 1022.32 is amended by revising paragraphs (b) and (c) to
read as follows:
Sec. 1022.32 Sharing medical information with affiliates.
* * * * *
(b) In general. The exclusions from the term consumer report in
Sec. 1022.4(f) that allow the sharing of information with affiliates
do not apply to a person described in paragraph (a) of this section if
that person communicates to an affiliate:
(1) Medical information;
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
(c) Exceptions. A person described in paragraph (a) of this section
may rely on the exclusions from the term consumer report in Sec.
1022.4(f) to communicate the information in paragraph (b) of this
section to an affiliate:
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and Human Services
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
(5) In connection with a determination of the consumer's
eligibility, or continued eligibility, for credit consistent with Sec.
1022.30; or
(6) As otherwise permitted by order of the Bureau.
Subpart E--Duties of Furnishers of Information
0
8. In Sec. 1022.41, introductory text is republished and paragraph (c)
is revised to read as follows:
Sec. 1022.41 Definitions.
For purposes of this subpart and appendix E of this part, the
following definitions apply:
* * * * *
(c) Furnisher means an entity that furnishes information relating
to consumers to one or more consumer reporting agencies for inclusion
in a consumer report. An entity is not a furnisher when it:
(1) Provides information to a consumer reporting agency solely to
obtain a consumer report in accordance with Sec. Sec. 1022.10 through
1022.13 and section 604(f) of the FCRA;
(2) Is acting as a consumer reporting agency as defined in Sec.
1022.5;
(3) Is a consumer to whom the furnished information pertains; or
[[Page 101462]]
(4) Is a neighbor, friend, or associate of the consumer, or another
individual with whom the consumer is acquainted or who may have
knowledge about the consumer, and who provides information about the
consumer's character, general reputation, personal characteristics, or
mode of living in response to a specific request from a consumer
reporting agency.
* * * * *
Subpart H--Duties of Users Regarding Risk-Based Pricing
0
9. Section 1022.71 is amended by revising paragraphs (f) and (g) to
read as follows:
Sec. 1022.71 Definitions.
* * * * *
(f) Consumer report has the same meaning as in Sec. 1022.4.
(g) Consumer reporting agency has the same meaning as in Sec.
1022.5.
* * * * *
Subpart N--Duties of Consumer Reporting Agencies Regarding
Disclosures to Consumers
0
10. In Sec. 1022.130, introductory text is republished and paragraphs
(c) and (d) are revised to read as follows:
Sec. 1022.130 Definitions.
For purposes of this subpart, the following definitions apply:
* * * * *
(c) Consumer report has the meaning provided in Sec. 1022.4.
(d) Consumer reporting agency has the meaning provided in Sec.
1022.5.
* * * * *
Subpart O--Miscellaneous Duties of Consumer Reporting Agencies
0
11. Section 1022.142 is amended by revising paragraphs (a) and (b)(2)
and (3) to read as follows:
Sec. 1022.142 Prohibition on inclusion of adverse information in
consumer reporting in cases of human trafficking.
(a) Scope. This section applies to any consumer reporting agency as
defined in Sec. 1022.5.
(b) * * *
(2) Consumer report has the meaning provided in Sec. 1022.4.
(3) Consumer reporting agency has the meaning provided in Sec.
1022.5.
* * * * *
Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2024-28690 Filed 12-12-24; 8:45 am]
BILLING CODE 4810-AM-P