New Proposed CFPB Consumer Data Regulation Would Significantly Expand FCRA Obligations
Highlights
- The Consumer Financial Protection Bureau (CFPB) recently issued its long-awaited proposed rule to amend Regulation V, which implements the Fair Credit Reporting Act (FCRA).
- If enacted, the proposed rule would significantly expand the types of businesses, including data brokers, that utilize sensitive consumer information subject to the FCRA.
- This Holland & Knight alert examines various aspects of the proposed rule and the timing of its announcement given the impending change in presidential administrations.
The Consumer Financial Protection Bureau (CFPB) on Dec. 3, 2024, issued its long-awaited proposed rule to amend Regulation V (Proposed Rule), which implements the Fair Credit Reporting Act (FCRA). If enacted, the CFPB's Proposed Rule would significantly expand the types of businesses that utilize sensitive consumer information subject to the FCRA, including data brokers.1 However, the Proposed Rule's timing – approximately seven weeks before the onset of the Trump Administration – raises some questions about its long-term viability.
Overview of the Proposed Rule
The CFPB's new Proposed Rule clarifies and expands requirements for businesses by elucidating and reinterpreting various key definitions used in the FCRA to include new activities, including "consumer report" and "consumer reporting agency."
Consumer Report
Ambiguities associated with the term "consumer report" have long presented obstacles for businesses, as utilization of consumer information that qualifies as a "consumer report" triggers a litany of compliance obligations. The CFPB Proposed Rule is designed to implement and interpret the definition of "consumer report" in light of modern business practices and consumer data usage in order to ensure that all communications of sensitive consumer information meant to be regulated by the FCRA are deemed consumer reports.
"Is Used" or "Is Expected to Be Used." Two of the proposed provisions address when information "is used" or "is expected to be used" for a specified purpose under the FCRA. FCRA specified purposes include, for example, when consumer data is used to evaluate a consumer's eligibility for consumer credit or insurance or for employment purposes.
Under the "is used" provision, the proposed rule would state that "if a recipient of information in a communication uses [it] for one of [the] specified purposes, the communication … constitute[s] a consumer report … regardless of whether the person communicating [it] collected the information or expected [it] to be used for that purpose."2
The "is expected to be used" provision would establish two tests to determine whether information is expected to be used for one of the consumer report definition's statutorily specified purposes. First, that "the person making the communication expects or should expect that a recipient of information [direct or downstream] will use it for such a purpose" or second, if "[i]t is information about a consumer's credit history, credit score, debt payments, or income or financial tier."3 If either test is satisfied, the communication would be deemed a consumer report, and the communicator would be deemed a consumer reporting agency.
The new interpretations of "used or expected to be used" would modify the term "information" rather than "communication." This interpretation recognizes that consumer reporting agencies do not "collect" communications. The proposed interpretation of "used" would include use by persons other than the direct recipient of a communication. Moreover, the proposed interpretation of "expected to be used" would refer to the expectations of the person communicating the information and consider both what that person subjectively expected and what that person objectively should have expected about the use of the transmitted information.
Personal Identifiers for a Consumer Collected by a Consumer Reporting Agency. The CFPB notes that, currently, reports limited to identifying information that do not bear on any of the seven factors specified in the FCRA and are not used to determine eligibility are not considered "consumer reports" by courts or the FTC.4 The CFPB's Proposed Rule also acknowledges that consumer reporting agencies currently sell "credit header" information for marketing purposes, because personal identifier information is typically not treated by businesses as subject to the FCRA.5
The Proposed Rule would expand the definition of consumer report to include any communications by a consumer reporting agency of a consumer's personal identifiers – i.e., a consumers name(s), age, date of birth, address(es), telephone number(s), email address(es), Social Security number or Individual Taxpayer Identification Number ("credit header" information" – if "1) those personal identifiers were originally collected by a consumer reporting agency, and 2) if that collection was at least in part for the purpose of preparing a consumer report about the consumer."6 Generally, furnishing this type of information would be permitted only for the permissible purposes outlined in the FCRA.
Deidentification of Consumer Information. Currently, industry participants do not consider information obtained from consumer report databases to be a consumer report if the information has been aggregated or stripped of its identifying information.7 Many of these industry participants believe that such information obtained from a consumer reporting agency is not a consumer report if "the information is not linked or reasonably linkable to a specific individual."8 However, the CFPB is concerned that the purportedly deidentified information can be reidentified to target individuals in ways that may violate the consumer's privacy.9
The CFPB is considering at least three options for finding that "communications of de-identified consumer report data, such as aggregated data reports, are still consumer reports":
- Deidentified consumer report data is a consumer report.
- Deidentified consumer report data is a consumer report if the information is still linked or linkable to the consumer.
- Deidentified consumer report data is a consumer report if certain conditions are met [which may include] a combination of any or all of the following:
- The information is still linked or reasonably linkable to a consumer;
- The information is used to inform a business decision about a particular consumer … [;] or
- A person who directly or indirectly receives the communication … identifies the consumer to whom the information from the communication pertains. 10
Consumer Reporting Agency
The CFPB's Proposed Rule expands the definition of consumer reporting agency (by reinterpreting the term "assembling or evaluating." The Proposed Rule provides "that a person assembles or evaluates … consumer credit information or other information about consumers if the person:"
- Collects, brings together, gathers, or retains such information;
- Appraises, assesses, makes a judgment regarding, determines or fixes the value of, verifies, or validates such information; or
- Contributes to or alters the content of such information.11
The CFPB offers five nonexhaustive examples of when a person would assemble or evaluate consumer credit information or other information about consumers for purposes of the above proposed interpretation. The broad examples are designed to capture myriad business activities that previously may not have qualified a business as a consumer reporting agency. Two such examples are:
- Collecting information about a consumer from a consumer's bank account and assessing it, such as by grouping or categorizing it based on transaction type;
- Altering the content of information the person has received about a consumer, such as by modifying the year date fields to all reflect four, rather than two, digits to ensure consistency.12
Permissible Purposes of Consumer Reports
The Proposed Rule also clarifies under what circumstances a consumer report has been "furnished" and other key requirements related to the permissible purposes listed in the FCRA.
"Furnishing" a Consumer Report. The Proposed Rule states that a consumer reporting agency furnishes "a consumer report if it provided the consumer report to a person or if it facilitated a person's use of any information from the [] report for the person's financial gain."13 This updated description means that if a consumer reporting agency gives information from a consumer report to a third party and the third party uses the information in targeted advertising (for example), the consumer reporting agency will have "furnished" a consumer report to the third party because it facilitated that party's financial gain from the use of such information. The current definition and guidance available do not make clear that such communications have previously been considered "furnishing" a consumer report.
Required Disclosures. The Proposed Rule would require consumer reporting agencies and recipients of the consumer reports to provide consumers a disclosure and obtain their signature and express consent before furnishing a consumer report. The disclosure must describe the product, service or use for which the consumer is providing express consent. The Proposed Rule notes that specific formatting and content requirements would be adopted in a final rule.
Identification of Consumer Information. Importantly, the Proposed Rule would also limit what the recipient of the consumer report can do with it to:
- Only using the report, as reasonably necessary to provide the consumer-specified product, service, or use;
- Procure the consumer report no more than one year after the date of consumer consent; and
- Sharing the consumer report with a third party only if that party agrees by contract to comply with the above limitations.14
The Proposed Rule would also require that there be an easily accessible avenue (utilizing a method similar to the original grant of consent) for revocation of consent. It also includes prohibitions on costs or penalties for revoking consent.
Legitimate Business Need Permissible Purpose. The Proposed Rule also clarifies when a business has a "legitimate business need" for the protected information to two scenarios:
- Consumer-initiated transaction prong: In connection with a business transaction that is initiated by the consumer; or
- Account review prong: To review an account to determine whether the consumer continues to meet the terms of the account.15
For prong one, the CFPB provides examples such as "a consumer applying to rent an apartment, open a brokerage account or checking account, or offering to pay for merchandise by personal check."16 The CFPB also clarifies that consumer reporting agencies would not be authorized to furnish a consumer report if they have a reason to believe the person seeking the information intends to solicit the consumer as opposed to the consumer initiating a transaction.
Compliance with the Proposed Rule and Recently Issued Open Banking Final Rule
The CFPB's Proposed Rule was released against the backdrop of a busy rulemaking season that also included the CFPB's Personal Financial Data Rights (PFDR) rulemaking. The intersection of the PFDR Rule and the FCRA, including the extent of overlap, duplication, or conflict, has been a topic of much interest as of late. The CFPB acknowledges that certain entities that are subject to the PFDR Rule (and especially the authorized third-party provisions in that rulemaking) may also have obligations under the FCRA. For example, certain companies seeking to become authorized third parties under the PFDR Rule may also be subject to the FCRA as users of consumer reports from consumer reporting agencies because they are utilizing data aggregators that are consumer reporting agencies to obtain consumer-permissioned data. Accordingly, the CFPB proposes to "expressly provide that a consumer reporting agency furnishes a consumer report in accordance with the written instructions of the consumer for purposes of the FCRA and Regulation V if the person to whom the report is furnished is an authorized third party under subpart D of the PFDR Rule."17 The CFPB has previously determined that compliance with the PFDR Rule does not require a person to violate the FCRA or Regulation V. Therefore, a person that is subject to the PFDR Rule and the FCRA/Regulation V must comply with both.
Practical Impact
The CFPB emphasizes that one of the biggest practical effects of the Proposed Rule's finalization would be to limit the sale and transmission of consumer information between data brokers used to market products to consumers.18 Furthermore, the Proposed Rule would drastically expand the obligations of downstream companies that utilize information that may newly be considered a "consumer report."
Data Brokers and Sales Would Now Be Subject to FCRA
The Proposed Rule would cast a much wider net regarding persons who would be considered consumer reporting agencies. Essentially, any person who sells information "used for a purpose described in [the Proposed Rule] would become a consumer reporting agency, regardless of whether the person knows or believes that the communication of that information is legally considered a consumer report … ." The CFPB gives the following example:
An entity collects information about consumer travel preferences for marketing and sells the information to a third party with the belief that it will be used for marketing purposes and not as a consumer report. If, however, the third party actually uses the information to establish a consumer's eligibility for credit, the report would be a consumer report and the entity that sold it would be a consumer reporting agency – solely because it intended to communicate to the third party the underlying information.19
Furthermore, if the Proposed Rule is finalized, data brokers and similar entities would not be able to sell reports containing a "consumer's credit history credit score, debt payments," etc. to "anyone who lacked a [FCRA] permissible purpose to obtain them."20 These entities would also be required to comply with other FCRA standards. The CFPB states that if the Proposed Rule is finalized, "a substantial number of additional data brokers operating today likely will qualify as consumer reporting agencies selling consumer reports under the FCRA."21 Should the Proposed Rule be finalized, many additional data broker products will qualify as consumer reports. Because many additional data brokers would be subject to the FCRA, they and other consumer reporting agencies would need to modify their operations and activities to be in compliance with the FCRA.
Credit Header Information Would Now Be a Consumer Report
The Proposed Rule's treatment of credit header information will result in the regulation of additional businesses and businesses practices by the FCRA. The CFPB recognizes that there is industry concern that treating "credit header" information as consumer report information may increase costs and cause delays and consumer frustration. But the CFPB believes these fears are overblown and states that "identifying information would still be available in various ways."22 The CFPB notes that specific permissible purposes under FCRA Section 604(a)(3), such as confirming an applicant meets the minimum age requirement for a job or loan or using the report for identity verification and fraud prevention, would not be changed. The CFPB makes it clear that the Proposed Rule would not affect access to identifying information that is not subject to the FCRA (i.e., public records accessible directly from governmental entities). Nor would the Proposed Rule affect the availability of identifying information from financial institutions used for purposes other than the preparation of consumer reports.
Deidentified Consumer Data Could Be a Consumer Report
The Proposed Rule's treatment of information drawn from a consumer reporting database would mean that industry participants would no longer be able to automatically assume that certain consumer reporting information drawn from a consumer reporting database is not a consumer report if the information has been aggregated or otherwise stripped of identifying information. Given the potential ease with which certain consumer data can be reidentified, the proposed rule's changes would limit the sale of these types of data in circumstances where no FCRA permissible purpose exists, such as for targeted marketing. The Proposed Rule's changes may also cover some communications of deidentified consumer reporting information that never will be reidentified in practice since it is not possible to determine with certainty whether a particular item of deidentified information will be reidentified.
Expanded Scope of Consumer Reporting Agency
"Assembling or Evaluating." By utilizing standard dictionary definitions of the terms and synonyms of "assembling" and "evaluating," the CFPB would be broadening the scope of activities that make a person or entity a consumer reporting agency. The FCRA includes a private right of action, so entities newly considered to be consumer reporting agencies could incur risk and costs related to FCRA litigation.
The Nebulous Future of the Proposed Rule
Comments to the Proposed Rule must be received by the CFPB by March 3, 2025. The CFPB requests comment on all aspects of the Proposed Rule. However, the new CFPB leadership may extend this comment period or, ultimately, decide not to finalize this rulemaking. It is unclear whether there will be bipartisan support for the Proposed Rule or whether the incoming presidential administration will support, in whole or in part, the finalization of the Proposed Rule. Upon confirmation by the U.S. Senate, a CFPB director appointed by President Donald Trump is expected to withdraw or refuse to enforce proposed or new regulations deemed burdensome for business.
How to Anticipate and Prepare for the Proposed Changes
Any business that utilizes, furnishes or buys consumer data (or even utilizes or furnishes solely "credit header" information) has a vested interest in the outcome of this rulemaking. Businesses can prepare by gaining an in-depth understanding of how their current practices may need to change and what systems may need to be put in place to implement the changes sought by the CFPB. It is important to note that the change in the presidential administration may likely impact when and how this rule becomes finalized (or not).
The CFPB is not the only agency scrutinizing consumer data and data brokers in these final weeks of the Biden Administration. The FTC has recently taken enforcement action against the collection and selling of location data (i.e., sensitive location data – consumers' homes, visits to health clinics and places of worship, etc.) that tracked consumers to sensitive websites. (See Holland & Knight's previous alert, "FTC Cracks Down on Selling Sensitive Location Info, Restricts Use of Consumer Data for 1st Time," Dec. 6, 2024.)
How Holland & Knight Can Help
If your company utilizes, furnishes or buys consumer reports, Holland & Knight's Consumer Protection Defense and Compliance and Data Strategy, Security & Privacy teams can help you understand the potential impact of this Proposed Rule on your business and what changes you may need to make in order to come into compliance should it be finalized. Holland & Knight can also advise on the submission of comments to the CFPB or challenges to the CFPB's rulemaking authority.
Holland & Knight's Consumer Protection Defense and Compliance Team includes a robust CFPB practice, with experienced attorneys who are recognized thought leaders in consumer protection and data issues, including issues related to consumer reports and consumer reporting agencies.
Notes
1 Protecting Americans from Harmful Data Broker Practices (Regulation V), CFPB-2024-0044, issued Dec. 3, 2024, [hereinafter "Proposed Rule"].
2 Id. at 26.
3 Id. at 30.
4 See e.g., id. at 50.
5 See e.g., id. at 51.
6 Fast Facts: FCRA Data Broker Practices Proposed Rule, at 3 [Hereinafter "Fast Facts"].
7 Proposed Rule, at 66.
8 Id. at 67.
9 Id. at 66.
10 Id. at 82.
11 Fast Facts at 4.
12 Id. at 5.
13 Id. at 6.
14 Id. at 7-8.
15 Id. at 8-9.
16 Id. at 9.
17 Proposed Rule at 105.
18 Id. at 14.
19 Id. at 29.
20 Id. at 44.
21 Id. at 79-80.
22 Id. at 60-61.
Information contained in this alert is for the general education and knowledge of our readers. It is not designed to be, and should not be used as, the sole source of information when analyzing and resolving a legal problem, and it should not be substituted for legal advice, which relies on a specific factual analysis. Moreover, the laws of each jurisdiction are different and are constantly changing. This information is not intended to create, and receipt of it does not constitute, an attorney-client relationship. If you have specific questions regarding a particular fact situation, we urge you to consult the authors of this publication, your Holland & Knight representative or other competent legal counsel.