CFPB Proposed FCRA Rulemaking Could Significantly Expand FCRA Coverage and Restrict Access to Information

The Consumer Financial Protection Bureau (“CFPB”) has published a Notice of Proposed Rulemaking (“NPRM”) titled “Protecting Americans From Harmful Data Broker Practices,” 89 Fed. Reg. 101402 (Dec. 13, 2024). If adopted in its current form — and upheld against likely legal challenges — the NPRM would significantly expand the scope of the Fair Credit Reporting Act (“FCRA”), restrict access to information for purposes ranging from fraud prevention to marketing, add requirements governing the use of the FCRA’s written instructions permissible purpose for obtaining consumer reports, and restrict the use of the legitimate business need permissible purpose. The NPRM is open for public comment through March 3, 2025.

The NPRM would interpret two definitions that are central to the scope and interpretation of the FCRA, the definitions of “consumer report” and “consumer reporting agency,” in new ways. These two definitions are intertwined and shape the applicability of most FCRA provisions. The NPRM would make more information “consumer reports,” which are subject to FCRA requirements and access limitations. The NPRM also would classify more organizations as “consumer reporting agencies” subject to FCRA. Consumer reporting agencies have a host of obligations under FCRA (and similar state laws), including limits on when consumer reports can be furnished (only for certain permissible purposes, such as credit, insurance underwriting, and employment), limits on how long information can be included in consumer reports, accuracy obligations, and consumer disclosure and reinvestigation obligations, among others. End users of this information could see their access to this information eliminated or subject to FCRA end-user obligations, such as adverse action notices when applicable.

The NPRM Would Make More Information Subject to FCRA

  • Reports containing credit history, credit score, debt payment, income, or financial tier information. The NPRM would bring all information about a consumer’s credit history, credit score, debt payments, or income or financial tier within the definition of a consumer report, assuming that other elements of the relevant definitions are met. This would significantly expand the reach of the FCRA by applying it to these types of financial information, even if the information was not collected, used, or expected to be used by the parties for FCRA purposes. This change, if adopted, would significantly restrict the ability of third parties to sell or otherwise provide information of this type for due diligence, marketing, or other non-FCRA purposes without the written instructions (consent) of the consumer.
  • Identifying/Credit Header Information. The NPRM would reclassify identifiers about individuals (e.g., name, address, age or date of birth, telephone number, e-mail address, and Social Security Numbers) as being consumer report information subject to the FCRA if they are collected by a consumer reporting agency, in whole or in part, for preparing a consumer report about an individual. This would restrict disclosures of this information to users with FCRA permissible purposes even if no other information about the individual were to be disclosed. This type of information, often referred to as “credit header” data because it traditionally appears at the top (i.e., in the “header”) of a credit report, has for the most part customarily been considered to be non-FCRA-regulated information. If adopted, this change could significantly limit the availability of this information for a range of products and services where it is utilized today, including various identity verification and fraud prevention services.
  • De-identified/Aggregate Information. The NPRM also raises the prospect that de-identified and aggregate information derived from consumer report information will continue to be subject to FCRA requirements after it has been aggregated or de-identified. The NPRM identifies, for public comment, three potential options for when de-identified information would continue to be subject to FCRA. The most stringent option would provide that de-identification simply is not relevant to whether the definition of a consumer report is met, and FCRA would continue to apply to de-identified and aggregate data. The other options would provide that de-identification is not relevant if certain conditions are met, such as instances where the information is still linked, linkable, or reasonably linkable to the individual. If adopted, even the least rigorous of the three options would bring in scope for FCRA limitations and requirements household or neighborhood level data derived from consumer reporting databases, such as zip code or zip-plus-four data, as well as persistent identifiers, such as cookies, IP addresses, processor or device serial numbers, or other unique identifiers that can be used to identify consumers over time across different websites or online services.

The NPRM Would Expand the Number of Organizations That Are Consumer Reporting Agencies

Because of the interrelated nature of the FCRA definitions of “consumer report” and “consumer reporting agency,” the more information that is in scope, the more entities that are likely to be considered consumer reporting agencies. The CFPB also takes additional steps in the NPRM intended to expand the number of entities that would constitute consumer reporting agencies under the FCRA and, therefore, be subject to FCRA requirements.

The CFPB, for example, proposes in the NPRM to look to the ultimate user of information to determine whether upstream data sources are consumer reporting agencies. The change could bring various types of data aggregators in scope because their customers’ customers or others even further downstream ultimately use the information for credit, insurance underwriting, employment, or other FCRA permissible purposes.

The CFPB anticipates that its proposed changes could bring a variety of data aggregators and platforms in the financial services industry within the definition of a consumer reporting agency, noting that it sought to align the NPRM with the requirements of its recently released Personal Financial Data Rights (“PFDR”) final rule. 89 Fed. Reg. 90838 (Nov. 18, 2024). The CFPB notes in the NPRM, for example, that authorized third parties under the PFDR rule could also be users of consumer reports because they are using aggregators that are consumer reporting agencies in order to obtain consumer data from financial institutions.

New Requirements for Written Instructions

The FCRA permits consumer reporting agencies to furnish consumer reports based on the written instructions of the consumer but does not specify what constitutes valid written instructions (although there is some case law). The NPRM would impose new content requirements for written instructions and would require that the consumer have an express right to revoke their written instructions, one that is as easy to exercise as it is for the consumer to provide written instructions. The written instructions also must be clear, conspicuous, and segregated from other material. Written instructions could be valid for up to one year, after which time new written instructions would be required.

Significant Marketing Restrictions

The FCRA permits the use of consumer report information for limited marketing purposes involving firm offers of credit and insurance. Virtually every proposal in the NPRM has the potential to restrict marketing activities other than firm offers. The NPRM’s expansion of the definition of consumer report to include all information related to an individual’s credit history, credit score, debt history and income, and financial tier would restrict the use of such information for marketing purposes (absent written instructions of the consumer as discussed above), even where the data was collected and used solely for marketing purposes. Even the least restrictive of the NPRM proposals on de-identified and aggregate information would limit the use of this information for marketing purposes. The NPRM would clarify that the FCRA legitimate business need permissible purpose does not apply to any marketing uses, either in connection with transactions initiated by the consumer or in conjunction with account review. The NPRM’s restrictions on use of consumer report information for a third party’s gain also are intended to restrict marketing activities, such as the development of target audiences. The NPRM also would restrict the ability to use written instructions for marketing purposes in various respects, including by providing that targeted advertising, cross-selling of other products and services, and the sale of information in a consumer report are NOT part of, or reasonably necessary to provide, any other product or service.

Potential Action Items

If adopted as proposed, the NPRM would significantly expand the information subject to the FCRA and regulate many organizations that do not consider themselves to be consumer reporting agencies today. Potentially impacted organizations should consider whether and to what extent the NPRM would impact their businesses by making them consumer reporting agencies, imposing new obligations on the organization as a user of consumer reports, and/or restricting access to personal information used today without FCRA restrictions. The NPRM could also significantly restrict access to personal information currently used for a wide range of products and services, from fraud prevention and identity verification to marketing. Existing consumer reporting agencies should also consider how the NPRM might impact their information supply chains and their ability to rely on permissible purposes, such as the legitimate business need purpose and the written instructions purpose, to furnish consumer reports to their customers. Potentially impacted organizations also should consider whether to submit comments on the NPRM to the CFPB by the March 3, 2025, deadline.

For additional information, please contact AGG partner Kevin Coy or another AGG Background Screening industry team member.