On July 7, 2022, the Consumer Financial Protection Bureau (Bureau) issued an advisory opinion to outline certain obligations of consumer reporting agencies and consumer report users under section 604 of the Fair Credit Reporting Act (FCRA). This advisory opinion explains that the permissible purposes listed in FCRA section 604(a)(3) are consumer specific, and it affirms that a consumer reporting agency may not provide a consumer report to a user under FCRA section 604(a)(3) unless it has reason to believe that all of the consumer report information it includes pertains to the consumer who is the subject of the user’s request. The Bureau notes that disclaimers will not cure a failure to have a reason to believe that a user has a permissible purpose for a consumer report provided pursuant to FCRA section 604(a)(3). This advisory opinion also reminds consumer report users that FCRA section 604(f) strictly prohibis a person who uses or obtains a consumer report from doing so without a permissible purpose.
The CFPB’s new advisory opinion makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct.
The Fair Credit Reporting Act ensures fair and accurate reporting, and it requires users who buy these dossiers to have a legally permissible purpose. This ensures that companies cannot check an individual’s personal information, including their credit history, without a bona fide reason. Some common permissible purposes include using consumer reports for credit, insurance, housing, or employment decisions. For example, a bank may request a credit report in order to determine the terms on which it will offer someone a line of credit.
This advisory opinion will help to hold responsible any company, or user of credit reports, that violates the permissible purpose provisions of the Fair Credit Reporting Act. Specifically, the advisory opinion makes clear:
- Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights,
- It is unlawful to provide credit reports of multiple people as “possible matches”,
- Disclaimers about insufficient matching procedures do not cure permissible purpose violations,
- Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.
The advisory opinion outlines some of the criminal liability provisions in the Fair Credit Reporting Act. Covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual. For example, Section 620 of the Fair Credit Reporting Act imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person. Violators can face criminal penalties and imprisonment.
The CFPB will continue to take steps to ensure credit reporting companies and other relevant entities adhere to the Fair Credit Reporting Act and other consumer financial protection laws.