The Consumer Financial Protection Bureau (CFPB) issued a legal interpretation for companies that use and share credit reports and background reports.
The CFPB’s advisory says companies must have a permissible purpose under the Fair Credit Reporting Act to use and share credit reports. It also makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. Further, it reminds covered entities of potential criminal liability for certain misconduct.
“Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data,” CFPB Director Rohit Chopra said. “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”
The Fair Credit Reporting Act, enacted in 1970, regulates companies that assemble dossiers on individual consumers, including credit reporting companies, tenant screeners, and other data brokers. It ensures fair and accurate reporting and requires users who buy these dossiers to have a legally permissible purpose. That means companies cannot check an individual’s personal information, including their credit history, without a bona fide reason. Some common permissible purposes include using consumer reports for credit, insurance, housing, or employment decisions. For example, a bank may request a credit report to determine the terms on which it will offer someone a line of credit.
The CFPB makes that clear that credit reporting companies that provide reports to entities without a permissible purpose would violate consumers’ privacy rights. For example, when a credit reporting company uses name-only matching procedures, the items of information appearing on a credit report may not all correspond to a single individual. That means the user of a credit report could be provided a report about a person for whom the user does not have a permissible purpose.
Also, the advisory opinion outlines some of the criminal liability provisions in the Fair Credit Reporting Act. Covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or providing a background report to an unauthorized individual. For example, the Fair Credit Reporting Act imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly provides information concerning an individual from the agency’s files to an unauthorized person. Violators can face criminal penalties and imprisonment.