On September 25, 2023, the Consumer Financial Protection Bureau (“CFPB”) began its most substantial Fair Credit Reporting Act (“FCRA”) rulemaking yet with an outline of proposed changes to Regulation V, which implements FCRA, ahead of the Bureau’s Small Business Advisory Review Panel.1 The proposals under consideration could have a substantial impact on the data brokerage industry, if implemented. In this Legal Update, we look at the key components of the CFPB’s initial proposals for revising Regulation V.
The CFPB has recently expressed a strong interest in addressing the risks and harms associated with artificial intelligence used to make predictions and decisions, as well as shedding light on the opaque status of the data brokerage industry. In August 2023, CFPB Director Rohit Chopra announced that part of the CFPB’s efforts would involve using FCRA to “develop rules to prevent misuse and abuse [of consumer sensitive data] by . . . data brokers.”2 In his remarks, Director Chopra brought up two proposals under consideration: (1) defining a data broker that sells certain types of consumer data, such as consumer’s payment history or income, as a consumer reporting agency (“CRA”); and (2) clarifying the extent to which “credit header data” (as described below) constitutes a consumer report. In conjunction with his remarks, the CFPB also issued an FAQ on the upcoming FCRA rulemaking.3
Under the Small Business Regulatory Enforcement Fairness Act (“SBREFA”), the CFPB must convene a Small Business Review Panel (“Panel”) in advance of it proposing any rule that will have a significant economic impact on a substantial number of small entities. During the Panel and through written comments, small businesses and other stakeholders have an opportunity to weigh in on the CFPB’s proposals. In September, the CFPB included Director Chopra’s data broker proposals, and the associated FAQ issued by the CFPB in its “Outline of Proposals and Alternatives Under Consideration” document (the “Outline”), which was published in advance of a Panel’s meeting related to the definitions of “consumer reporting agency” and “consumer report.” While the Outline is less detailed, it previews the broad strokes of the proposed rule expected in 2024.
A major topic covered in the Outline is the regulation of data brokers under FCRA. Data brokers collect, aggregate, sell, and/or analyze data, including consumer data. To the extent that consumer data meets the definition of a “consumer report” under FCRA, data brokers must comply with FCRA and Regulation V requirements for handling the data. Under current regulations, guidance, and interpretations of FCRA, certain types and/or uses of aggregated consumer data are not currently considered “consumer reports” under FCRA and accordingly, can be sold and used for reasons other than a “permissible purpose” under FCRA. As it stands now, data brokers dealing in data that does not meet the definition of a “consumer report” are not considered CRAs, and so are not required to comply with the laws and regulations governing the activities of CRAs. Data brokers are often able to avoid regulation as CRAs under FCRA by prohibiting the use of consumer data for purposes of determining eligibility for credit, insurance, employment or other purposes specified in FCRA.
The CFPB’s Proposals
The Outline indicates that the CFPB is seeking to alter the current landscape of data broker regulation under FCRA and Regulation V. The CFPB plans to use its authority to issue regulations implementing the FCRA and expand the regulation of data broker activities, including subjecting more data brokers to FCRA obligations (e.g., a consumer’s right to obtain data about themselves and dispute inaccuracies). The CFPB’s justification for the rulemaking is that engaging in data aggregation and sharing outside of FCRA’s scope threatens consumer privacy, and arguably evades FCRA’s purposes and objectives. While a few states regulate data brokers, there is no specific federal law regulating their general activities. The CFPB laid out several specific proposals to amend Regulation V to regulate data brokers.
Consumer Reports and CRAs
The CFPB “is considering several proposals related to the definitions of ‘consumer reporting agency’ and ‘consumer report.’”4 With respect to data brokers, these proposals provide that:
- consumer information provided to a user who uses it for a permissible purpose is a consumer report, regardless of whether the data broker knew—or should have known—that the user would use it for that purpose, or intended the user to use it for that purpose;
- data brokers who sell data typically used for credit and employment eligibility determinations will be deemed to be selling consumer reports;
- data brokers that collect consumer information for a permissible purpose will only be able to sell it to another user for a permissible purpose; and
- data brokers will only be able to obtain a consumer report from a CRA for a permissible purpose, and only sell it to another user if that user has a permissible purpose.
An example the CFPB provides is that the sale of data regarding payment history, income, and criminal records would be a consumer report regardless of the purpose for which the data was actually used or collected, or the expectations of the data broker, because that type of data is typically used for credit and employment determinations. In turn, a data broker “assembling and evaluating” and selling such data would be a CRA if the data broker meets the other elements of a CRA, as defined in FCRA.5
Assembling and Evaluating
The CFPB also seeks to issue regulations about activities that constitute “assembling and evaluating,” an element included in the definition of a CRA. The Outline states that data brokers that facilitate consumer-authorized data sharing by accessing consumer information held by data providers and communicating it to third party recipients are typically engaged in activities that constitute “assembling or evaluating” consumer information under existing precedent; and where they otherwise satisfy the definition of CRA, they are subject to FCRA. Per the CFPB, entities that facilitate electronic data access between parties may also engage in assembling or evaluating when they act as intermediaries or vendors, or otherwise transmit consumer data electronically between data sources and users. To help clarify whether activities are categorized as “assembling and evaluating,” the CFPB is considering adopting a bright line definition of those terms.6
Credit Header Data
Another topic the CFPB intends to address in a Regulation V rulemaking is the treatment of credit header data under FCRA. Credit header data typically includes names, addresses, Social Security numbers, and phone numbers of consumers. Currently, some data brokers sell credit header data for purposes other than permissible purposes under FCRA, including advertising, marketing, and fraud detection. The CFPB’s justification for addressing credit header data is that such data is being used more frequently for permissible purposes, such as eligibility determinations. A potential rulemaking may clarify the extent to which credit header data constitutes a consumer report, and may reduce a CRA’s ability to sell or otherwise disclose such data without a permissible purpose. The publication of a final rule regulating credit header data will likely adversely impact data brokers and CRAs currently selling or disclosing this type of information by bringing their activities within the scope of FCRA and subjecting this data to regulation as a consumer report.
Targeted Marketing and Aggregated Data
The Outline also directly addresses aggregated data and the use of data in targeted marketing campaigns. The CFPB is considering proposals to clarify when certain marketing activities constitute furnishing a consumer report and, accordingly, are not permitted under FCRA. Any such proposed rule would likely limit the circumstances under which a CRA can help third-party users market to consumers. The CFPB is specifically considering a rule providing that, if a CRA uses information from a consumer report in combination with information from a third party to engage in targeted advertising, the CRA will have furnished a consumer report to a user without a permissible purpose. In addition, the CFPB plans to clarify when and whether aggregated or anonymized consumer report information constitutes a consumer report.
The CFPB’s proposals also address permissible purposes for which consumer reports can be obtained under FCRA. Specifically, the CFPB is considering rules on steps companies must take to obtain a consumer’s written instructions, who can collect written instructions, limits on the scope of authorization, and methods for revoking ongoing authorization. This could have broad and far-reaching operational implications for many businesses using consumer reports, as it could limit the ability to obtain and rely upon the consumer’s written instructions as a permissible purpose under FCRA.
The CFPB is also considering a rule that clarifies that section 604(a)(3)(F)(i) of FCRA—which allows CRAs to furnish a report in connection with a business transaction initiated by the consumer—requires a consumer-purpose transaction and consumer reports are permitted only for use of determining consumer’s eligibility for a transaction.
Finally, the CFPB may clarify that section 604(a)(3)(F)(ii), which allows CRAs to furnish a report in connection with reviewing an account to determine if consumer continues to meet terms, requires an account review—for which the report is actually needed—to make a decision about whether the consumer continues to meet the terms. This purpose is routinely used by banks and other financial services companies to monitor open accounts.
With respect to consumer privacy and data protection, the CFPB indicated its intent to issue rules regarding a CRA’s obligation to protect consumer reports from a data breach or unauthorized access. The CFPB is considering issuing such rules based on either section 604 of FCRA, which provides that CRAs can only furnish reports under specific circumstances, or section 607(a), which states CRAs must use reasonable procedures to prevent furnishing reports without a permissible purpose.
These proposals, if implemented, would subject a broad range of entities to FCRA (and to CFPB jurisdiction). Data brokers holding consumer information for a wide variety of purposes would be required to consider whether they are CRAs and whether the data they purchase and/or share constitutes a consumer report. A sizable portion of the data brokerage industry would likely be required to implement FCRA’s operational requirements, including ensuring the accuracy of information and the permissible purpose of the user and handling consumer inquiries. Implementing existing FCRA requirements, as well as any new requirements the CFPB may promulgate in the future rulemaking, may prove to be a heavy lift for many companies (particularly small businesses), both financially and logistically. And while the CFPB states in the Outline that it intends to target data brokerage activities specifically, the proposals could include other entities that deal with consumer data depending upon how the proposals are implemented. This could result in a number of entities not otherwise considered to be data brokers finding their activities subject to FCRA.
The CFPB’s proposed rule, if implemented, could also substantially restrict the ability of data brokers to sell certain consumer information for advertising or marketing purposes. In addition, data brokers may be restricted from working with third parties to create advertising and marketing campaigns that utilize certain consumer data. The proposals would also introduce significant liability to data brokers. In particular, one proposal could hold a data broker liable if the broker knew—or should have known—that covered data the broker shared was not obtained by the user for a permissible purpose. At least one of the questions in the outline even suggests data brokers would need to monitor or control how their customers use purchased data.7
The proposals could also have the unintended consequence of restricting the ability of entities to use existing fraud detection methods. Data brokers often collect information not currently considered a “consumer report” under FCRA, such as credit header data, to generate reports and operate databases designed to detect fraud. If such data is considered a “consumer report,” data brokers will no longer be able to use it for fraud detection purposes, as such use would not be considered a permissible purpose under FCRA. Entities that rely on this data for fraud detection may be left scrambling for alternative methods if the CFPB’s proposal is adopted, potentially opening consumers up to additional fraud risk.
Although the Outline clearly states the CFPB’s regulatory goals, it is not always forthcoming on how the CFPB will accomplish those goals. For example, the CFPB intends to expand the scope of the data that is considered a consumer report, and the entities that are considered CRAs; however, those terms are statutorily defined in FCRA. The proposal that certain data typically used for eligibility purposes will be considered a consumer report, despite its actual or intended use, seems to disregard an element of the statutory definition of a “consumer report”—that the information “is used or expected to be used or collected” for determining eligibility for credit, insurance employment or other permissible purposes. Historically, this element of the definition has allowed companies to offer consumer information to third parties without being CRAs by prohibiting the recipients from using this information for the purpose of making eligibility determinations. The CFPB also seems to be taking a novel interpretation of FCRA in an effort to require CRAs to implement information security policies and procedures. The CFPB states it intends to rely on FCRA sections 604 and/or 607(a) for its authority to implement such regulations; however, the purpose of those sections appear limited to preventing illegal use of consumer reports, by requiring CRAs to only sell consumer reports to entities that certify they are using them for a permissible purpose.
This FCRA rulemaking is still in the early stages, with many steps to go before a final rule is implemented. The Panel will issue a report on the feedback received from participants within 60 days from the date the Panel was held for the CFPB’s consideration. From there, the CFPB will publish a proposed rule, subject to notice and comment, before finalizing any changes to Regulation V. For now, stakeholders, including but not limited to small businesses, can provide feedback on the Outline through October 30, 2023.
1 CFPB, Small Business Advisory Review Panel for Consumer Reporting Rulemaking, Outline of Proposals and Alternatives under Consideration (“SBREFA Outline”) (Sept. 15, 2023), available at: https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf.
2 CFPB, Remarks of CFPB Director Rohit Chopra at White House Roundtable on Protecting Americans from Harmful Data Broker Practices (Aug. 15, 2023), available at: https://www.consumerfinance.gov/about-us/newsroom/remarks-of-cfpb-director-rohit-chopra-at-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.
3 CFPB, Protecting the Public from Data Brokers in the Surveillance Industry (Aug. 15, 2023), https://s3.amazonaws.com/files.consumerfinance.gov/f/documents/cfpb-data-broker-rulemaking-faq_2023-08.pdf.
4 Outline at 7. Under FCRA, a “consumer report” is defined as “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other [permissible purpose].” 15 U.S.C. § 1681a(d). A “consumer reporting agency” is defined as any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” Id. § 1681a(f).
5 As noted above, the term “consumer reporting agency” means any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. 15 U.S.C. § 1681a(f).
6 FCRA does not currently define those terms, although there is guidance in Federal Trade Commission interpretive letters and some older case law.
7 See Question 9 on page 9 of the Outline.