July 7, 2022

CFPB: Advisory Issued to Protect Privacy When Companies Compile Personal Data

Advisory affirms that “permissible purposes” are required to use and share credit reports and background reports

Today, the Consumer Financial Protection Bureau (CFPB) issued a legal interpretation to ensure that companies that use and share credit reports and background reports have a permissible purpose under the Fair Credit Reporting Act. The CFPB’s new advisory opinion makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct.

“Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data,” said CFPB Director Rohit Chopra. “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”

Over the last century, Congress enacted a number of sector-specific privacy laws to protect personal data, such as educational and health data. One law that includes privacy protections across multiple sectors is the Fair Credit Reporting Act. Congress enacted the Fair Credit Reporting Act in 1970 to ensure companies “exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.” The Fair Credit Reporting Act regulates companies that assemble dossiers on individual consumers, including credit reporting companies, tenant screeners, and other data brokers.

Permissible Purposes

Among other things, the Fair Credit Reporting Act ensures fair and accurate reporting, and it requires users who buy these dossiers to have a legally permissible purpose. This ensures that companies cannot check an individual’s personal information, including their credit history, without a bona fide reason. Some common permissible purposes include using consumer reports for credit, insurance, housing, or employment decisions. For example, a bank may request a credit report in order to determine the terms on which it will offer someone a line of credit.

Today’s advisory opinion will help to hold responsible any company, or user of credit reports, that violates the permissible purpose provisions of the Fair Credit Reporting Act. Specifically, the advisory opinion makes clear:

Criminal Liability for Violating the Fair Credit Reporting Act’s Privacy Protections

The advisory opinion outlines some of the criminal liability provisions in the Fair Credit Reporting Act. Covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual. For example, Section 620 of the Fair Credit Reporting Act imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person. Violators can face criminal penalties and imprisonment.

The CFPB will continue to take steps to ensure credit reporting companies and other relevant entities adhere to the Fair Credit Reporting Act and other consumer financial protection laws. In addition to some of the steps already mentioned, the CFPB has:

Read today’s advisory opinion, Fair Credit Reporting; Permissible Purposes for Furnishing, Using, and Obtaining Consumer Reports.

Consumers can submit credit reporting complaints, or complaints about other financial products or services, by visiting the CFPB’s website or by calling (855) 411-CFPB (2372).

This post was originally published here.