On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking (NPR) – Protecting Americans from Harmful Data Broker Practices. The CFPB’s proposal would amend Regulation V, which implements portions of the Fair Credit Reporting Act (FCRA), in ways that would materially expand the FCRA’s reach and, in certain circumstances, serve as a reversal of long-standing legal interpretations.
Comments on the proposed rules are due to the CFPB by March 3, 2025. Importantly, by March 2025, there will be a new administration in office and likely new leadership heading the CFPB. That leadership may have different priorities and, thus, be less inclined to push forward novel statutory interpretations such as those reflected in the NPR.
Even if the rules were pushed forward and finalized by the CFPB, the next Republican-controlled Congress would have the opportunity – and may be inclined – to block them from going into effect, pursuant to its authority under the Congressional Review Act (CRA).
Overview of the proposed rules
As described in more detail below, the proposed rules seek, in several ways, to limit the use of consumers’ personal and financial information, and also ensure that entities that frequently engage with this type of information, such as data brokers, are regulated.
1. Data brokers as consumer reporting agencies
The CFPB has been vocal about using the FCRA to better protect against potential misuses of consumers’ financial data, particularly by data brokers. The proposed rules seek to achieve this through a broad interpretation of the “expected to be used” element of the FCRA’s definition of a “consumer report.”
Under the FCRA, a “consumer report” means any:
- Communication of information by a CRA
- Bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living
- Which is used or expected to be used or collected in whole or in part for the purpose of
- Serving as a factor in establishing the consumer’s eligibility for credit, insurance, employment purposes or any other purpose authorized in section 1681b of the FCRA
The proposed rules would provide that the “expected to be used” component of the definition is met if the person making the communication either expects or should expect that the person receiving the information will use it for a FCRA-defined purpose or communicates information about a “consumer’s credit history, credit score, debt payments, or income or financial tier” –given that, according to the CFPB, these are data points that are typically used for FCRA purposes, namely credit underwriting.
The immediate implication of this interpretation is that data brokers who sell, and thus communicate, consumer credit history, credit scores, debt payments or income information would be considered CRAs and prohibited from selling reports containing this information, except where a permissible purpose under the FCRA exists.
2. Communication of ‘credit header’ information would be considered a consumer report”
The proposed rules memorialize a controversial position socialized by the CFPB in its September 2023 FCRA rulemaking outline – specifically, that a communication by a CRA of a “personal identifier” (i.e., a consumer’s name, age, date of birth, address, telephone number, email address, or social security number or individual taxpayer identification number) that was collected in whole or in part for the purpose of preparing a consumer report would by itself constitute a consumer report.
If this aspect of the proposed rules is finalized, a consumer’s “personal identifiers” – otherwise known as “credit header” data – could only be obtained from a CRA by persons with a permissible purpose, as defined by the FCRA. This would likely preclude many actions by entities that frequently rely on credit header data for legitimate purposes, such as identity theft and fraud prevention.
3. Broad interpretation of ‘assembling’ or ‘evaluating’ consumer information for purposes of the definition of CRA
The proposed rules include an interpretation of the terms “assembling” or “evaluating,” which are components of the FCRA’s definition of a CRA, as encompassing collecting, bringing together, gathering, appraising, assessing, and making a judgment or determination as to the value of a consumer report.
The proposed rules include examples of activity the CFPB believes would constitute “assembling” or “evaluating,” which reveal that an entity could be viewed as engaging in those actions if it simply “modifies the year date fields [of consumer information it collects and communicates to a third party] to all reflect four, rather than two, digits to ensure consistency” or “retains information about consumers.” If this portion of the rules were finalized, entities that provide innocuous formatting services, as well as those that merely retain consumer data files, could risk being viewed as a CRA if they otherwise satisfy the FCRA’s CRA definition.
4. Communications of de-identified data as consumer reports
Rather than take a firm position on the treatment of de-identified data within the proposed rules, the CFPB presents three options for its treatment under the FCRA. The first option – which reflects that de-identification would not have bearing on whether a communication was a “consumer report” – would dramatically expand the scope of the FCRA.
The other options, while still representing change, more closely align with state privacy laws’ treatment of personally identifiable information as information that is linked or can reasonably be linked to a consumer. Specifically, the CFPB proposes, as other options, that a communication that is “still linked or linkable to a consumer,” or alternatively, “reasonably linkable to the consumer” be considered a consumer report.
5. Strict requirements for and limitations on ‘written instruction’ permissible purpose
Under the FCRA, a CRA may furnish a consumer report to a third party based on the “written instruction” of the consumer. The FCRA, however, lacks explanation regarding what constitutes sufficient “written instruction.” With the proposed rules, the CFPB seeks to fill this gap.
To that end, the proposed rules would require that a CRA or user of a consumer report, seeking to rely on the consumer’s written instruction:
- Obtain the consumer’s express, informed consent, via a disclosure segregated from other material, that includes certain detailed information (e.g., the name of the person who the consumer authorizes to obtain their report and the name of the CRA that will furnish the report).
- Obtain the consumer’s written or electronic signature for the furnishing of their consumer report.
The consumer also must not have revoked their consent.
While there is no specific duration under the FCRA for which a consumer’s “written instruction” remains valid, the proposed rules would limit the time frame to one year.
The proposed rules also would require that where a consumer report is obtained based on the consumer’s written instruction, the recipient of the report may obtain, use and retain the consumer report “only as reasonably necessary to provide the product or service the consumer has requested,” or for the specific use the consumer identifies in the written instruction.
Practically, this means a consumer report obtained via a consumer’s written instruction could only be used for “a single product or service per instruction,” and consumers could be required to provide multiple, separate written instructions, even when interacting with one provider of services. For example, the CFPB says that a consumer would be required to “provide multiple, separate written instructions if the user seeks to obtain a consumer report from more than one consumer reporting agency.”
6. Clarification of the ‘legitimate business need’ permissible purpose
The proposed rules would clarify that one of the permissible purposes provided for in the FCRA – the “legitimate business need” permissible purpose – only applies if a CRA has reason to believe that the consumer has, in fact, initiated a business transaction (as distinguished from merely asking about the availability or pricing of products or services), and does not provide a basis to obtain or use consumer report information for a transaction that the consumer does not initiate. The proposed rules reflect the CFPB’s position that targeted advertising and marketing are not legitimate business needs.
Impact of the proposed rule
The proposed rules are broad in their potential application, and if finalized in their current state, they would necessarily impact entities – beyond just data brokers – that would newly be required to comply with the FCRA’s requirements. For example, if “credit header” data and/or de-identified data is deemed a consumer report, not only would this have implications for CRAs, as the providers of such information, but also, it would have implications for entities procuring such information, as the FCRA imposes requirements on the users of consumer reports, including requirements to provide notice when adverse action is taken based on information in a consumer report. However, whether the proposed FCRA rules will actually be implemented – in the proposed or any other form – remains unclear given, as noted above, the impending changes in the administration, the CFPB and Congress.
To that end, the proposed rules are part of a broader effort by the current administration to ensure that consumers’ financial data is protected. They come on the heels of the CFPB’s issuance of the final version of its Section 1033 rule, which is intended to give consumers greater access to and control over their financial data. They also coincide with the CFPB’s call to the states, via a report published in November 2024, to reconsider exemptions to their privacy laws for data and/or entities covered by the FCRA or the federal Gramm-Leach-Bliley Act, which the CFPB asserts leaves swarths of consumer data insufficiently protected.
