CFPB advisory stresses “permissible purpose” of consumer reports
On July 7, the CFPB issued an advisory opinion to state its interpretation that under certain FCRA-permissible purpose provisions, a consumer reporting agency may not provide a consumer report to a user unless it has reason to believe that all of the information it includes pertains to the consumer who is the subject of the user’s request. The Bureau explained that “credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy,” and reminded covered entities that “FCRA section 604(f) strictly prohibits a person who uses or obtains a consumer report from doing so without a permissible purpose.”
Among other things, the FCRA is designed to ensure fair and accurate reporting and requires users who buy these consumer credit reports to have a legally permissible purpose. Specifically, the advisory opinion clarifies that (i) insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, thus violating a consumer’s privacy rights (the Bureau explained that if a credit reporting company uses name-only matching procedures, items appearing on a credit report may not all correspond to a single individual); (ii) it is unlawful to provide credit reports of multiple people as “possible matches” (credit reporting companies are obligated to implement adequate procedures to find the correct individual); (iii) disclaimers about insufficient matching procedures will not cure a failure to take reasonable measures to ensure the information provided in a credit report is only about the individual for whom the user has a permissible purpose; and (iv) credit report users must ensure that they are not violating an individual’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.
The Bureau also outlined certain criminal liability provisions in the FCRA. According to the advisory opinion, covered entities may face criminal liability under Section 619 for obtaining information on an individual under false pretenses, while Section 620 “imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person.” Violators can face criminal penalties and imprisonment, the Bureau said in its announcement.
As previously covered by InfoBytes, the Bureau finalized its Advisory Opinions Policy in 2020. Under the policy, entities seeking to comply with existing regulatory requirements are permitted to request an advisory opinion in the form of an interpretive rule from the Bureau (published in the Federal Register for increased transparency) to address areas of uncertainty.