On September 15, 2023, the Consumer Financial Protection Bureau (CFPB) published an outline of expansive rulemaking proposals to modernize the coverage of the Fair Credit Reporting Act (FCRA) to include data brokers, data aggregators and alternative data sources (FCRA Proposal).1
In its FCRA Proposal, the CFPB focuses on two broad objectives:
- Data broker regulation: The FCRA Proposal aims to modernize the reach of the FCRA by prohibiting data brokers from selling covered data for purposes not authorized under the FCRA (which would include marketing and training of artificial intelligence (AI)). It would also require companies that are data brokers or otherwise engage in surveillance – potentially even including online digital marketers and lead generators – to be characterized as “consumer reporting agencies” and the data they collect, process and sell to be characterized as “consumer reports.” This would mean that the FCRA’s controls would apply to their activities and, among other things, prohibit them from disclosing or sharing that consumer data without an FCRA “permissible purpose.”
- Removal of medical debt from consumer reports: The FCRA Proposal would prohibit consumer reporting agencies from including medical debt in consumer reports with the goal of preventing creditors from considering medical debt in credit underwriting.
The CFPB plans to achieve these objectives primarily by broadening its interpretation of two interconnected definitions that determine coverage under the FCRA and thus shape the legal landscape of digital marketing, data brokering and aggregation: “consumer reports” and “consumer reporting agencies”.2
The CFPB’s FCRA Proposal is a required step in the formal rulemaking process under the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), by which the CFPB must solicit feedback from representatives of small entities that would be subject to the new rule. The CFPB is accepting public comments through the end of October and it is expected that the CFPB will subsequently formally issue proposed rules for public comment.
This FCRA Proposal builds on a request for information on data aggregation and data brokers issued earlier this year.3 The proposals under consideration would dramatically expand the application of the FCRA to data brokers and other business models and practices not contemplated when the statute was adopted in 1970, including the increasing use of consumer data for purposes of marketing and training AI. Relatedly, the proposal targets the use of medical debt in credit underwriting, the effects of which the CFPB has studied since its inception in 200.
This FCRA Proposal should not be confused with companion rulemaking the CFPB is undertaking under Section 1033 of the Dodd-Frank Act that will give consumers greater control over their personal data (Section 1033 Proposed Rules). Section 1033 mandates that consumers be able to access any personal information about them that is held by their financial services providers, giving them more control over the use and disclosure of their information. The CFPB has already issued a SBREFA outline in that area,4 conducted its SBREFA hearing, and issued its final report.5 The CFPB is expected to release its Section 1033 Proposed Rules next month around the October 22, 2022 anniversary of its commencement of this rulemaking.
Institutions of all sorts should closely monitor the CFPB’s rulemaking under both the FCRA and Section 1033. These rules will impact insurance companies, employers, banks, and others who receive and rely upon data related to consumers’ online preferences, work history, past and current addresses and other demographics, financial performance on loans and other extensions of credit, and litigation history, including sensitive personal information.
As discussed below, the CFPB is proposing to expand the scope of what information may be considered a ‘consumer report’ and what entities may be viewed as ‘consumer reporting agencies’ and thus subject to all the features and controls in the FCRA. Should regulations be finalized consistent with the FCRA Proposal, businesses that directly or indirectly obtain and evaluate consumers’ information will need to assure they have a permissible purpose for doing so and determine whether their own and their service providers’ sourcing and handling of consumer data constitutes compiling “consumer reports,”6 thus subjecting them to onerous FCRA regulation as “consumer reporting agencies”.7
- Data Brokers
- Bringing Data Brokers under the FCRA umbrella
The CFPB is considering specifying by rule that consumer information provided to a user who actually uses the consumer information for a FCRA purpose (i.e., determining eligibility for employment, credit, or insurance) is a “consumer report” regardless of whether the data broker knew or should have known that the data would be used for a FCRA purpose or intended the FCRA use. In other words, the data broker’s knowledge and intent regarding the eventual use of the information are irrelevant; the sale of information that is eventually used for a FCRA purpose constitutes the sale of a “consumer report”. This has enormous compliance-related consequences for data brokers.
If a data broker is selling consumer reports, it may be deemed to be a “consumer reporting agency” subject to FCRA provisions requiring accuracy of consumer reports, prohibiting the furnishing of consumer reports for non-FCRA purposes, and imposing obligations regarding investigation of consumer disputes and consumers’ access to their credit files. Perhaps most significantly, if information that a data broker sells is a “consumer report,” it cannot be obtained from a consumer reporting agency, or sold by the data broker, for use in marketing (outside of narrow exceptions), to train AI, or for any other use outside the permissible purposes of the FCRA, unless the consumer gives his or her written informed consent.
- Broadening the scope of activities included in “assembling” and “evaluating”
The FCRA does not classify an entity as a consumer reporting agency unless it “assembles” or “evaluates” information on consumers. Although these terms have been the subject of scattered regulatory and judicial interpretation, there is significant uncertainty in the industry as to when a company’s handling of consumer data rises to the level of assembling or evaluating as opposed to acting as a mere conduit. The CFPB is proposing to eliminate that distinction in favor of treating any entity that acts as an intermediary in the transmission of consumer data from sources to users as engaged in “assembling” and “evaluating” within the meaning of the FCRA. This proposal will also have enormous implications for the digital advertising ecosystem.
- Classifying credit header data as consumer reports
The CFPB is considering expressly classifying reports consisting of credit header data, which typically consists of the consumer’s current and former names, current and former addresses, social security number and phone number, as “consumer reports”. This would not only prevent consumer reporting agencies from selling header information in the absence of consumer permission or a FCRA “permissible purpose,” but as is noted below, could also potentially subject consumer reporting agencies to claims of having caused a data security breach for improperly disclosing consumers’ information to a third party.
What is curious about this potential reclassification of an individual’s basic demographics as “consumer reports” is that it appears to be inconsistent with the Gramm Leach Bliley Act’s classification of these same data elements as not being protected if they are already in the public domain (because they are not “non-public personal information”).
- Clarifying that consumer reporting agencies violate the FCRA when they use consumer information for a non-FCRA purpose on behalf of third parties
The CFPB is considering prohibiting consumer reporting agencies from using consumer data to target consumers for advertising on behalf of third parties. Currently, this activity is not clearly prohibited by the FCRA because established consumer reporting agencies (such as Equifax, TransUnion, Experian and Innovis) do not furnish traditional consumer reports without either a consumer’s permission or meeting the FCRA’s permissible purpose standard. By expanding the scope of who may be a consumer reporting agency and what constitutes a consumer report, regulations in this area would bring a wide range of technology, insurance, lead generation, and other activities within the FCRA’s scope.
Many such companies do not currently view themselves as consumer reporting agencies. Importantly, however, to the extent that they host online resources and apps into which consumers log their information and use analytics, cookies, algorithms or artificial intelligence to customize information presented to consumers to meet their preferences, those companies could now fall into the CFPB’s expanded FCRA coverage. There are dozens of companies advertising on the internet that they offer software as a service to some of the largest global companies (who they list on their websites) for purposes of helping those companies either locate and capitalize on leads or track the behavior of former customers.
- Drawing a bright line on when aggregated or anonymized consumer data is a “consumer report”
The FCRA classifies information as a “consumer report” if it bears on “a consumer’s” characteristics relevant to his or her eligibility for insurance, credit, or employment. Thus, it is currently unclear to what extent aggregated or anonymized data qualifies as a “consumer report,” and the CFPB has indicated that it is studying this issue. As noted above, whether consumer data is classified as a consumer report under the FCRA determines whether any entity that buys, sells, or uses such information is subject to the requirements of the FCRA.
- Specifying what constitutes “written instructions” of the consumer sufficient to allow furnishing of a consumer report outside of FCRA purposes
The FCRA provides an exception to the requirement that consumer reports be furnished only for permissible purposes under the FCRA when the consumer gives “written instructions” for the information to be provided to a third party. The regulatory guidance currently provides that such an instruction must be something more than a passive acknowledgement that information will be shared, but there are no bright lines on how detailed or directed those instructions must be. The CFPB is proposing to specify how broad a consent may be. More specifically, the CFPB is proposing to establish guardrails around who can collect written instructions, how broad the permitted uses and disclosures may be (including the number of purposes or entities that may be covered), who would be scoped to receive a consumer’s information, and how consumers can revoke their permission. This data governance approach could be difficult if not impossible to administer for organizations that routinely accumulate information on consumers from more than one source, potentially integrating it with information they already have in their systems from prior dealings with those same consumers.
- Reining in the “legitimate business need” exemption
The FCRA currently provides that a consumer reporting agency may furnish a consumer report to a person that it has reason to believe “otherwise has a legitimate business need” for the information in connection with a transaction initiated by the consumer or to review an account to determine the consumer’s continued eligibility. The CFPB is proposing to limit the exemption to situations in which (1) the information is actually used to determine the consumer’s eligibility for the requested transaction or (2) the information is actually needed for an account review.
It is not clear how a regulator would decide whether a consumer reporting agency’s oversight of downstream recipients was sufficient. For example, it would be difficult for a regulator to evaluate whether a consumer reporting agency gave the appropriate amount of deference to a financial institution, employer, insurance company or other entity that has been authorized by a consumer to receive a credit report – or whether the recipient actually had a “legitimate business need” or the scope of that need.
- Making data brokers and data aggregators accountable for data loss
Currently, in the absence of a consumer’s permission, consumer reporting agencies are restricted under the FCRA from disclosing consumer reports to third parties. Consistent with some recent Federal Trade Commission (FTC) enforcement actions, the CFPB is proposing to clarify that a consumer reporting agency that makes disclosures of consumer reports for any reason other than those authorized by consumers or aligned with a permissible purpose may be found to have caused a data security breach. Among the proposals the CFPB is considering is an interpretation of FCRA Sections 604 or 607(a)8 so that a consumer reporting agency has a duty to protect against the unauthorized use of consumer reports by third parties and, by extension, is responsible for data security breaches when it does not live up to this duty. Importantly, this analysis is consistent with the FTC’s analysis in its recent GoodRx9 and 1Health.io/Vitagene10 enforcement actions.
- Making the dispute process easier to navigate for consumers
The CFPB is proposing to require consumer reporting agencies to investigate and respond to consumer disputes regarding “legal” in addition to “factual” issues. The CFPB notably has written amicus briefs in recent litigation involving traditional consumer reporting agencies consistent with this position. If adopted, the proposal would require consumer reporting agencies to investigate and respond to consumer disputes regarding, for example, whether a reported debt was owed or collectible. Additionally, the CFPB is considering implementing a dispute process specifically designed for systemic issues with the consumer reporting agency’s processes for ensuring accuracy of information it reports.
- Medical Debt Reporting
Since the CFPB’s first director, Richard Cordray, released a study in 2014 regarding how collections of medical debts affect consumers’ credit scores,11 the agency has focused on the burdens of medical debt and how those burdens are exacerbated when past due medical debts are reported on consumers’ credit files. In Regulation F issued by the CFPB and effective on November 21, 2021, debt collectors were prohibited from reporting medical debts on consumers’ credit files unless and until they had first communicated with consumers about those debts and provided consumers with an opportunity to dispute or otherwise challenge the accuracy of the information.
The CFPB under Director Chopra has continued to focus on medical debt and medical debt collections, bringing an enforcement action earlier this year against a medical data furnisher for allegedly failing to report accurate information on consumers’ credit files and for allegedly failing to investigate consumers’ disputes.12 Based on research conducted by the CFPB that concludes medical debt is not a reliable predictor of whether or not consumers will repay their debts, the CFPB is proposing to prohibit creditors from using or relying upon medical debts on consumers’ credit files. Moreover, the CFPB has proposed to eliminate medical bills from inclusion in consumers’ credit reports. It is notable that in the past year the consumer reporting agencies have voluntarily stopped reporting small balance medical bills on consumers’ credit reports (https://www.consumerfinance.gov/about-us/blog/medical-debt-anything-already-paid-or-under-500-should-no-longer-be-on-your-credit-report/). Additionally, a number of states have proposed legislation to prohibit medical credit reporting, and in August the state of Colorado became the first state to enact a law prohibiting medical credit reporting. With the exception of this medical data furnishing proposal, little in this outline of proposed FCRA rules would change the current obligations of data furnishers.
Entities that rely upon data sourced by alternative data resources such as data brokers, data aggregators, lead generators, and online resources to help them capture information about visitors to their apps and websites, and for online advertising, should take a close look at the modernized interpretations of “consumer report” and “consumer reporting agency” that the CFPB is proposing. This long-awaited FCRA Proposal, together with the CFPB’s consumer financial data rulemaking under Section 1033, would expand entities’ responsibilities for assuring they obtain consumer permission to collect, use and disclose consumers’ information, especially when sharing, analyzing or aggregating that information using artificial intelligence. Moreover, entities that would ultimately meet the expanded view of “consumer reporting agencies” would need to be accountable for rigorously complying with the FCRA’s “permissible purpose” requirements before disseminating consumers’ FCRA-protected information.
6 15 U.S.C. § 1681a(d). The FCRA defines a “consumer report” as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used for personal, family, or household purposes; (B) employment purposes; or (C) any other permissible purpose authorized under [the FCRA].”
7 15 U.S.C. § 1681a(f). The FCRA defines a “consumer reporting agency” as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties . . .”
8 15 U.S.C. §§ 1681b, 1681e(a)