Protecting Americans From Harmful Data Broker Practices (Regulation V)
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Consumer Financial Protection Bureau (CFPB) is issuing a proposed rule for public comment to amend Regulation V, which implements the Fair Credit Reporting Act (FCRA). The proposed rule would implement the FCRA's definitions of consumer report and consumer reporting agency as well as certain of the FCRA's provisions governing when consumer reporting agencies may furnish, and users may obtain, consumer reports. The proposed rule is designed to, among other things, ensure that the FCRA's protections are applied to sensitive consumer information that the statute was enacted to protect, including information sold by data brokers.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 240 (Friday, December 13, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 240 (Friday, December 13, 2024)]
[Proposed Rules]
[Pages 101402-101462]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-28690]
[[Page 101401]]
Vol. 89, No. 240
Friday, December 13, 2024
Part VII
Consumer Financial Protection Bureau
-----------------------------------------------------------------------
12 CFR Part 1022
Protecting Americans From Harmful Data Broker Practices (Regulation V);
Proposed Rule
[[Page 101402]]
-----------------------------------------------------------------------
CONSUMER FINANCIAL PROTECTION BUREAU
12 CFR Part 1022
[Docket No. CFPB-2024-0044]
RIN 3170-AB27
Protecting Americans From Harmful Data Broker Practices
(Regulation V)
AGENCY: Consumer Financial Protection Bureau.
ACTION: Proposed rule; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Consumer Financial Protection Bureau (CFPB) is issuing a
proposed rule for public comment to amend Regulation V, which
implements the Fair Credit Reporting Act (FCRA). The proposed rule
would implement the FCRA's definitions of consumer report and consumer
reporting agency as well as certain of the FCRA's provisions governing
when consumer reporting agencies may furnish, and users may obtain,
consumer reports. The proposed rule is designed to, among other things,
ensure that the FCRA's protections are applied to sensitive consumer
information that the statute was enacted to protect, including
information sold by data brokers.
DATES: Comments must be received on or before March 3, 2025.
ADDRESSES: You may submit comments, identified by Docket No.
CFPB-2024-0044 or RIN 3170-AB27, by any of the following methods:
* Federal eRulemaking Portal: <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
Follow the instructions for submitting comments. A brief summary of
this document will be available at <a href="https://www.regulations.gov/docket/CFPB-2024-0044">https://www.regulations.gov/docket/CFPB-2024-0044</a>.
* Email: <a href="mailto:2024-NPRM-CONSUMER-REPORTING@cfpb.gov">2024-NPRM-CONSUMER-REPORTING@cfpb.gov</a>. Include
Docket No. CFPB-2024-0044 or RIN 3170-AB27 in the subject line of the
message.
* Mail/Hand Delivery/Courier: Comment Intake--Protecting
Americans from Harmful Data Broker Practices (Regulation V), c/o Legal
Division Docket Manager, Consumer Financial Protection Bureau, 1700 G
Street NW, Washington, DC 20552.
Instructions: The CFPB encourages the early submission of comments.
All submissions should include the agency name and docket number or
Regulatory Information Number (RIN) for this rulemaking. Because paper
mail is subject to delay, commenters are encouraged to submit comments
electronically. In general, all comments received will be posted
without change to <a href="https://www.regulations.gov">https://www.regulations.gov</a>.
All submissions, including attachments and other supporting
materials, will become part of the public record and subject to public
disclosure. Proprietary information or sensitive personal information,
such as account numbers or Social Security numbers, or names of other
individuals, should not be included. Submissions will not be edited to
remove any identifying or contact information.
FOR FURTHER INFORMATION CONTACT: George Karithanom, Regulatory
Implementation and Guidance Program Analyst, Office of Regulations, at
202-435-7700 or <a href="https://reginquiries.consumerfinance.gov/">https://reginquiries.consumerfinance.gov/</a>. If you
require this document in an alternative electronic format, please
contact <a href="mailto:CFPB_Accessibility@cfpb.gov">CFPB_Accessibility@cfpb.gov</a>.
SUPPLEMENTARY INFORMATION: Data brokers, including consumer reporting
agencies, collect information about, among other things, the credit,
criminal, employment, and rental histories of hundreds of millions of
Americans. They analyze and package this information into reports used
by creditors, insurers, landlords, employers, and others to make
decisions about consumers. This collection, assembly, evaluation,
dissemination, and use of vast quantities of often highly sensitive
personal and financial data about consumers poses a significant threat
to consumer privacy. It can also threaten national security and
facilitate numerous tangible consumer harms, such as financial scams
and the identification of victims for stalking and harassment.
Congress enacted the Fair Credit Reporting Act (FCRA) \1\ in part
to protect consumer privacy by regulating the communication of consumer
information by consumer reporting agencies. The statute subjects such
communications, which are referred to as consumer reports, to certain
requirements and limitations, and it affords certain protections to
consumers. For example, the FCRA imposes clear bright-line rules
permitting people to obtain consumer reports from consumer reporting
agencies only for certain specified purposes, known as permissible
purposes, and forbidding consumer reporting agencies from furnishing
consumer reports to users who lack a permissible purpose. In addition,
consumers have various rights under the FCRA, such as the right to
dispute the accuracy of information in their file and to be notified
when, for example, a creditor, landlord, or employer relies on consumer
report information to make a negative decision about the consumer's
application for credit, housing, or employment.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 1681 et seq.
---------------------------------------------------------------------------
In recent years, the consumer reporting marketplace has evolved in
ways that imperil Americans' privacy. There is an emerging consensus
that intrusive surveillance and aggregation of sensitive data about
consumers can create conditions for harming national security by
exposing information that could be exploited by countries of
concern.\2\ Stalkers and domestic abusers can also obtain sensitive
contact information from data brokers to contact or locate people who
do not wish to be contacted or located, such as domestic violence
survivors. In addition, vast troves of sensitive data, including, for
example, individualized data about a consumer's finances, are bought
and sold, without consumers' knowledge or consent, by data brokers who
believe that the FCRA does not apply to them or to some of their
activities. This data can be leveraged to scam or defraud people. Data
brokers evading coverage under the FCRA include traditional consumer
reporting agencies and recent market entrants using new business models
and technologies to collect and analyze consumer information on an
unprecedented scale. The CFPB is proposing this rule to address when a
data broker is covered by the FCRA, and to protect Americans from the
harms and invasions of privacy created by certain data broker
activities that violate the FCRA.
---------------------------------------------------------------------------
\2\ See, e.g., E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024);
Justin Sherman et al., Data Brokers and the Sale of Data on U.S.
Military Personnel: Risks to Privacy, Safety, and National Security
(Nov. 2023) (hereinafter Duke Report on Data Brokers and Military
Personnel Data), <a href="https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf">https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf</a>.
---------------------------------------------------------------------------
I. Summary of the Proposed Rule
The CFPB proposes to implement the FCRA's definitions of consumer
report and consumer reporting agency in several respects to ensure that
the FCRA's protections apply to all data brokers that transmit the
types of consumer information that Congress designed the statute to
protect, and to the types of activities that Congress designed the
statute to regulate. For example, the proposed rule:
* Provides that data brokers that sell information about a
consumer's credit history, credit score, debt payments (including on
non-credit obligations), or income or financial tier generally are
consumer reporting agencies selling consumer reports, regardless of the
[[Page 101403]]
purpose for which any specific communication of such information is
used or expected to be used;
* Provides that a communication by a consumer reporting
agency of a portion of the consumer report that consists of personal
identifiers such as the consumer's name, address, or age, is a consumer
report if the information was collected for the purpose of preparing a
consumer report about the consumer;
* Includes provisions intended to prevent privacy harms
associated with the re-identification of de-identified consumer report
information;
* Provides that a communication by a consumer reporting
agency of information about a consumer is a consumer report if the
information is used for an FCRA-covered purpose, regardless of whether
there is evidence that the consumer reporting agency knew or expected
that the information would be used for such a purpose;
* Provides that an entity that otherwise meets the
definition of consumer reporting agency is a consumer reporting agency
if it assembles or evaluates information about consumers, including by
collecting, gathering, or retaining; assessing, verifying, or
validating; or contributing to or altering the content of such
information.
The CFPB also proposes to address certain aspects of FCRA section
604(a) regarding permissible purposes to furnish and obtain consumer
reports. These proposals are designed to ensure that consumer reports
are furnished for permissible purposes under the FCRA, and for no other
reasons. For example, the proposed rule:
* Provides that a consumer reporting agency furnishes a
consumer report to a person when the consumer reporting agency
facilitates the person's use of the consumer report for the person's
financial gain, even if the consumer reporting agency does not
technically transfer the consumer report to the person;
* Provides that the FCRA provision that authorizes a
consumer reporting agency to furnish a consumer report in accordance
with the written instructions of the consumer can be used to obtain a
consumer report for any reason specified by a consumer, but only if the
consumer signs a separate authorization that is not hidden in fine
print and that discloses certain information to the consumer, including
the reason for obtaining the report; and
* Provides that the FCRA's permissible purpose relating to
legitimate business needs for consumer reports does not authorize
furnishing of consumer reports for marketing.
The proposal would not interfere with consumer reporting agencies'
ability to furnish consumer reports to either prevent fraud or verify
the identity of a consumer when done in connection with a permissible
purpose, like credit applications, government benefits, bank account
opening, and rental applications, and in compliance with the FCRA's
other requirements.
II. Background
A. History and Purposes of the FCRA
Congress enacted the FCRA, one of the first data privacy laws in
the world, in 1970. The FCRA's enactment was the culmination of
multiple Congressional investigations into the growing data
surveillance industry.\3\ By the late 1960s, the industry was already
of ``vast size and scope.'' \4\ It involved: (1) the collection by
private entities, known as consumer reporting agencies, of information
about tens of millions of American consumers, including information
about ``their employment, income, billpaying record, marital status,
habits, character and morals''; \5\ (2) the assembly and evaluation of
this information by consumer reporting agencies in order to create
elaborate dossiers about individual consumers; and (3) the sale of
those dossiers to a range of entities, including to potential creditors
and employers, who used them to make eligibility determinations about
consumers.\6\
---------------------------------------------------------------------------
\3\ See generally Robert M. McNamara Jr., The Fair Credit
Reporting Act: A Legislative Overview, 22 J. Public Law 67, 77-88
(1973) (hereinafter Fair Credit Reporting Act: A Legislative
Overview).
\4\ 115 Cong. Rec. S2410 (daily ed. Jan. 31, 1969) (statement of
Sen. William Proxmire) (``For example, the Associated Credit Bureaus
of America have over 2,200 members serving 400,000 creditors in
36,000 communities. These credit bureaus maintain credit files on
more than 110 million individuals and in 1967 they issued over 97
million credit reports.'').
\5\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement of
Sen. William Proxmire).
\6\ See generally 115 Cong. Rec. S2410-11 (daily ed. Jan. 31,
1969) (statement of Sen. William Proxmire).
---------------------------------------------------------------------------
Before the FCRA's passage, the consumer reporting industry was
subject to ``an almost complete lack of regulation,'' \7\ leaving
consumers largely powerless to protect themselves from a wide range of
serious harms.\8\ Congressional hearings revealed an industry shrouded
in secrecy. Many consumer reporting agencies prohibited consumer report
users from disclosing to consumers that information in a consumer
report was the reason for an adverse decision, such as the denial of
credit, or the name of the consumer reporting agency that prepared the
report on which the user relied.\9\ According to one contemporary
commentator, ``[w]hether the consumer ever discovered the cause of his
being rejected was largely a matter of an educated guess or
clairvoyance bordering on blind luck.'' \10\ But even if a consumer
knew the reason for an adverse decision and the name of the consumer
reporting agency, this often was not enough: consumers were not always
permitted to access their files or dispute inaccurate information.\11\
And even if a consumer overcame these obstacles and managed to file a
dispute, the investigations conducted by consumer reporting agencies
were often standardless and shoddy, in part because many consumer
reporting agencies deemed investigations too costly to conduct.\12\
---------------------------------------------------------------------------
\7\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969).
\8\ See generally Fair Credit Reporting Act: A Legislative
Overview, supra note 3, at 77-88; S. Rep. No. 517, 91st Cong., 1st
Sess. 3-4 (1969); 115 Cong. Rec. S2410-14 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
\9\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong.
Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\10\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 79.
\11\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong.
Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\12\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 81-82; S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969);
115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen.
William Proxmire).
---------------------------------------------------------------------------
Congressional hearings further revealed that many consumer
reporting agencies at that time exhibited only a marginal commitment to
accuracy. Consumer reports sometimes included information that was
false or incomplete or that pertained to the wrong consumer
altogether.\13\ Indeed, consumer reporting agencies often disclaimed
the accuracy of their reports, portraying themselves as mere
transmitters of information without responsibility for ensuring that
the information was correct.\14\ Because consumers generally were
unable to see the information for themselves and have it corrected, the
harms that flowed from the communication of inaccurate, incomplete,
irrelevant, and outdated information could be intractable.
---------------------------------------------------------------------------
\13\ 115 Cong. Rec. S2411-12 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
\14\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 80.
---------------------------------------------------------------------------
Congressional hearings also revealed that the consumer reporting
industry posed significant privacy risks to consumers, and the
legislative history suggests that Congress was concerned about the
invasion of consumer privacy generally, as well as the specific harms
[[Page 101404]]
that flow from such invasions.\15\ Consumer reporting agencies
possessed huge quantities of sensitive information about tens of
millions of Americans, but there were no ``public standards to [e]nsure
that the information [was] kept confidential and used only for its
intended purpose''--a fact that the primary sponsor of the FCRA,
Senator William Proxmire, described as ``disturbing.'' \16\ As a
result, it was relatively easy for one person to obtain confidential
information about another person. In one example, a reporter was able
to obtain 10 out of 20 reports requested at random from 20 consumer
reporting agencies by using the name of a fictitious company under the
guise of offering credit.\17\ As Senator Proxmire noted in introducing
the bill that would become the FCRA, these threats to consumer privacy
were only likely to increase with ``[t]he growing accessibility of this
information through computer- and data-transmission techniques.'' \18\
---------------------------------------------------------------------------
\15\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement
of Sen. William Proxmire).
\16\ Id.
\17\ S. Rep. No. 517, 91st Cong., 1st Sess. 4 (1969); 115 Cong.
Rec. S2413 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\18\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement
of Sen. William Proxmire).
---------------------------------------------------------------------------
Congress sought to address these and other consumer harms in the
FCRA. In enacting the statute, it found that consumer reporting
agencies played a ``vital role'' in assembling and evaluating consumer
information to meet the needs of commerce, but that rules were
necessary to ensure that consumer reporting agencies conduct their
activities in a manner that is ``fair and equitable to the consumer,
with regard to the confidentiality, accuracy, relevancy, and proper
utilization'' of that information.\19\ Accordingly, the FCRA
established a framework with four principal pillars: (1) a bright-line
prohibition on using or disseminating consumer reports unless for one
of the limited permissible purposes identified by Congress; (2) a
requirement that consumer reporting agencies follow reasonable
procedures to assure the maximum possible accuracy of consumer reports;
(3) a consumer right to dispute inaccurate or incomplete information
and have it corrected; and (4) a consumer right to see the information
that a consumer reporting agency possesses about the consumer. In the
years since its passage in 1970, the FCRA has been amended many times,
including to expand the statute's reach so that it now imposes
obligations not just on consumer reporting agencies and consumer report
users, but also on the entities that furnish information to consumer
reporting agencies.\20\
---------------------------------------------------------------------------
\19\ FCRA section 602, 15 U.S.C. 1681 (Congressional findings
and statement of purpose).
\20\ See, e.g., Fair & Accurate Credit Transactions Act of 2003,
Public Law 108-159 (2003); Consumer Credit Reporting Reform Act of
1996, Public Law 104-208 (1996).
---------------------------------------------------------------------------
The CFPB's Regulation V, 12 CFR part 1022, generally implements the
FCRA. In 2003, Congress granted the Federal Trade Commission (FTC) and
several other Federal agencies rulemaking authority for certain FCRA
provisions.\21\ For some provisions the authority was joint; for others
it was exclusive to a particular agency. Over the next several years,
the FTC and those agencies issued multiple rules implementing various
provisions of the statute.\22\ With the passage of the Consumer
Financial Protection Act of 2010 (CFPA), Congress transferred
rulemaking authority for most provisions of the FCRA to the CFPB.\23\
---------------------------------------------------------------------------
\21\ See Fed. Trade Comm'n, 40 Years of Experience with the Fair
Credit Reporting Act: An FTC Staff Report with Summary of
Interpretations, at 5-6 (July 2011) (hereinafter FTC 40 Years Staff
Report), <a href="https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf">https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf</a>.
\22\ See, e.g., 74 FR 31484 (July 1, 2009); 69 FR 63922 (Nov. 3,
2004); 69 FR 35467 (June 24, 2004).
\23\ See Dodd-Frank Wall Street Reform and Consumer Protection
Act (Dodd-Frank Act), Public Law 111-203, section 1088, 124 Stat.
1376, 2086 (2010); see also Dodd-Frank Act sections 1024, 1025, and
1061, 124 Stat. 1987 (codified at 12 U.S.C. 5514, 5515, and 5581).
Authority over FCRA sections 615(e) and 628, 15 U.S.C. 1681m(e) and
1681w, is limited to the Federal banking agencies and the National
Credit Union Administration, the FTC, the Commodity Futures Trading
Commission, and the U.S. Securities and Exchange Commission. In
addition, section 1029 of the Dodd-Frank Act generally excludes from
the transfer of authority to the CFPB rulemaking authority over a
motor vehicle dealer that is predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of motor
vehicles, or both. 12 U.S.C. 5519(a) and (c).
---------------------------------------------------------------------------
B. Goals of the Rulemaking
Protecting Consumer Information in the Data Broker Market
Today, Americans regularly engage in activities that reveal
personal information about themselves, often without realizing it. They
may, for example, visit a website, download an app, charge an item to a
credit card, use a loyalty card at a grocery store or pharmacy, order
goods online, subscribe to a newspaper or magazine, or make a donation.
In each instance, the entity with whom the consumer interacts might
collect information about the consumer. These entities might sell the
consumer's information to other entities with whom the consumer does
not have a relationship, or they might keep or reuse the information
for themselves. Entities that collect, aggregate, sell, resell,
license, enable the use of, or otherwise share consumer information
with other parties are commonly known as data brokers.\24\
---------------------------------------------------------------------------
\24\ See 88 FR 16951, 16952-53 (Mar. 21, 2023).
---------------------------------------------------------------------------
Different data brokers compile and sell different types of consumer
information.\25\ Much of the information is private and highly
sensitive, such as information about a consumer's finances, income,
physical and mental health, sexual orientation, religious affiliation,
and political preferences, as well as information about the websites
and apps the consumer visits or uses, the stores the consumer
frequents, the products the consumer buys, and the consumer's location
throughout the day.\26\ Data brokers obtain this information from a
variety of sources, including retailers, websites and apps, newspaper
and magazine publishers, and financial service providers, as well as
cookies and similar technologies that gather information about
consumers' online activities.\27\ Other information is publicly
available, such as criminal and civil record information maintained by
Federal, State, and local courts and governments, and information
available on the internet, including information posted by consumers on
social media.\28\ The volume of data collected, bought,
[[Page 101405]]
and sold by data brokers is enormous. Some of the nation's largest data
brokers boast that they possess information about hundreds of millions
of American consumers consisting of billions of data points, with some
data updated instantaneously.\29\
---------------------------------------------------------------------------
\25\ See generally Urbano Reviglio, The Untamed and Discreet
Role of Data Brokers in Surveillance Capitalism: A Transnational and
Interdisciplinary Overview, 11 Internet Policy Review 3 (Aug. 4,
2022), <a href="https://policyreview.info/articles/analysis/untamed-and-discreet-role-data-brokers-surveillance-capitalism-transnational-and">https://policyreview.info/articles/analysis/untamed-and-discreet-role-data-brokers-surveillance-capitalism-transnational-and</a>; Fed. Trade Comm'n, Data Brokers: A Call for Transparency and
Accountability, at 11-18, 24, B3-B6 (May 2014) (hereinafter FTC Data
Broker Report), <a href="https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf">https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf</a>.
\26\ See Am. Compl. For Permanent Inj. and Other Relief ¶¶ 72-76,
97-106, FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW (D. Idaho
June 5, 2023), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf</a>; Joanne Kim, Duke Sanford Cyber
Policy Program, Data Brokers & the Sale of Americans' Mental Health
Data (Feb. 2023) (hereinafter Duke Report on Data Brokers and Mental
Health Data), <a href="https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/02/Kim-2023-Data-Brokers-and-the-Sale-of-Americans-Mental-Health-Data.pdf">https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/02/Kim-2023-Data-Brokers-and-the-Sale-of-Americans-Mental-Health-Data.pdf</a>; FTC Data Broker Report, supra note
25; Staff of S. Comm. on Com., Sci., & Transp., A Review of the Data
Broker Industry: Collection, Use, and Sale of Consumer Data for
Marketing Purposes, at ii, 13-21 (Dec. 18, 2013), <a href="https://www.commerce.senate.gov/services/files/0D2B3642-6221-4888-A631-08F2F255B577">https://www.commerce.senate.gov/services/files/0D2B3642-6221-4888-A631-08F2F255B577</a>.
\27\ See, e.g., Alfred Ng & Jon Keegan, Who is Policing the
Location Data Industry?, The Markup (Feb. 24, 2022), <a href="https://themarkup.org/the-breakdown/2022/02/24/who-is-policing-the-location-data-industry">https://themarkup.org/the-breakdown/2022/02/24/who-is-policing-the-location-data-industry</a>; FTC Data Broker Report, supra note 25, at 11-14.
\28\ See FTC Data Broker Report, supra note 25, at 11-13.
\29\ Justin Sherman, Duke Sanford Cyber Policy Program, Data
Brokers and Sensitive Data on U.S. Individuals: Threats to American
Civil Rights, National Security, and Democracy, at 4-8 (2021)
(hereinafter Duke Report on Data Brokers and Sensitive Data),
<a href="https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf">https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf</a>.
---------------------------------------------------------------------------
Certain data brokers compile the information they collect into
reports about individual consumers, which they sell to third parties
for use in assessing a consumer's eligibility for credit, employment,
or insurance. Data brokers may also use the information, or the
inferences they have drawn from that information, to create elaborate
dossiers about consumers for targeted marketing purposes. For example,
a data broker may use information about a consumer's income, location,
purchases, or health condition to classify the consumer--including, for
instance, as ``Financially Challenged,'' ``Modest Wages,'' ``Working-
class Mom,'' ``Senior Products Buyer,'' or ``Consumer[ ] with Clinical
Depression''--and then sell lists of such consumers to advertisers.\30\
In addition, data brokers may use the information they collect to
develop and maintain their own products, such as ``people search''
engines and other online lookup tools, to build proprietary algorithms,
to test and run advertising campaigns, and to train machine learning
systems.\31\ Some data brokers simply sell the consumer information
they collect to individual purchasers, including to other data brokers
and members of the general public.
---------------------------------------------------------------------------
\30\ See Duke Report on Data Brokers and Mental Health Data,
supra note 26, at 14; FTC Data Broker Report, supra note 25, at 20-
21.
\31\ See, e.g., Will Knight, Generative AI Is Making Companies
Even More Thirsty for Your Data, Wired (Aug. 10, 2023), <a href="https://www.wired.com/story/fast-forward-generative-ai-companies-thirsty-for-your-data/">https://www.wired.com/story/fast-forward-generative-ai-companies-thirsty-for-your-data/</a>.
---------------------------------------------------------------------------
Government agencies, technology and privacy experts, consumer
advocates, and others have identified a range of consumer harms posed
by data brokers that treat consumer information as though it is not
subject to the FCRA.\32\ As discussed further in part IV, the data
broker industry can threaten national security. For example, countries
of concern can obtain from data brokers the financial information of
active military members, such as income and level of indebtedness, to
compromise or blackmail them in an effort to obtain sensitive national
security information. The data broker industry also is used to
facilitate a range of financial scams. For example, fraudsters can
obtain from data brokers lists of people with income below a certain
threshold, which can be used to pitch predatory and unlawful products
to families in financial distress. The highly sensitive information
collected and sold by data brokers also is an attractive target for
other bad actors. For example, thieves can obtain information from data
brokers that enables them to steal people's identities and open new
accounts or drain existing ones. And stalkers, harassers, and other
criminals can use sensitive information obtained from data brokers to
contact people who do not wish to be contacted, such as domestic
violence survivors.
---------------------------------------------------------------------------
\32\ See, e.g., Elec. Privacy Info. Ctr., Disrupting Data Abuse:
Protecting Consumers from Commercial Surveillance in the Online
Ecosystem (Nov. 2022), <a href="https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf">https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf</a>; Duke
Report on Data Brokers and Sensitive Data, supra note 29; FTC Data
Broker Report, supra note 25.
---------------------------------------------------------------------------
To date, however, many data brokers have attempted to avoid
liability under the FCRA by arguing that they are not consumer
reporting agencies selling consumer reports, as those terms are defined
in the statute. Many data brokers have made these arguments even though
they collect, assemble, evaluate, or sell the same information as other
consumer reporting agencies--and even though their activities pose the
same risks to consumers that motivated the FCRA's passage. As explained
further below, the proposed rule provides that the FCRA's definitions
of consumer reporting agency and consumer report cover a wide range of
data brokers and data broker activities under the FCRA. If the proposed
rule is finalized, one practical effect would be that additional data
brokers would be prohibited from selling information for non-FCRA
purposes, thus limiting the transmission of information that is used to
market products to consumers--and to scam, defraud, stalk, or harass
them.
Protecting Consumer Information From Unauthorized Disclosure by
Consumer Reporting Agencies
The CFPB also has observed that consumer reporting agencies
continue to engage in practices that may be harmful to consumers. The
consumer credit reporting industry has consistently been a major source
of consumer complaints to the CFPB. Complaints about credit or consumer
reporting represented roughly 80 percent of consumer complaints
submitted to the CFPB during 2023, far more than any other category of
consumer product or service.\33\ Indeed, credit or consumer reporting
has been the most-complained-about category of consumer financial
product or service to the CFPB every year since 2017.\34\ One ongoing
area of concern for the CFPB is consumer reporting agencies engaging in
practices that may threaten consumer privacy.
---------------------------------------------------------------------------
\33\ Consumer Fin. Prot. Bureau, Consumer Response Annual
Report, at 11 (Mar. 2024), <a href="https://files.consumerfinance.gov/f/documents/cfpb_cr-annual-report_2023-03.pdf">https://files.consumerfinance.gov/f/documents/cfpb_cr-annual-report_2023-03.pdf</a> (noting that the CFPB
received approximately 1.3 million credit or consumer reporting
complaints in 2023, a 34 percent increase compared to 2022).
\34\ Consumer Fin. Prot. Bureau, Consumer Response Annual
Report, at 11 (Mar. 2023), <a href="https://files.consumerfinance.gov/f/documents/cfpb_2022-consumer-response-annual-report_2023-03.pdf">https://files.consumerfinance.gov/f/documents/cfpb_2022-consumer-response-annual-report_2023-03.pdf</a>;
Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 3
(Mar. 2022), <a href="https://files.consumerfinance.gov/f/documents/cfpb_2021-consumer-response-annual-report_2022-03.pdf">https://files.consumerfinance.gov/f/documents/cfpb_2021-consumer-response-annual-report_2022-03.pdf</a>; Consumer Fin.
Prot. Bureau, Consumer Response Annual Report, at 9 (Mar. 2021),
<a href="https://files.consumerfinance.gov/f/documents/cfpb_2020-consumer-response-annual-report_03-2021.pdf">https://files.consumerfinance.gov/f/documents/cfpb_2020-consumer-response-annual-report_03-2021.pdf</a>; Consumer Fin. Prot. Bureau,
Consumer Response Annual Report, at 9 (Mar. 2020), <a href="https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2019.pdf">https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2019.pdf</a>; Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 9 (Mar. 2019), <a href="https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2018.pdf">https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2018.pdf</a>; Consumer
Fin. Prot. Bureau, Consumer Response Annual Report, at 9 (Mar.
2018), <a href="https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2017.pdf">https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2017.pdf</a>.
---------------------------------------------------------------------------
As discussed above, privacy was a key motivating factor for passage
of the FCRA, and the FCRA protects consumer privacy in multiple ways,
including by strictly limiting the circumstances under which consumer
reporting agencies may disclose consumer information. For example, FCRA
section 604, entitled ``Permissible purposes of consumer reports,''
identifies an exclusive list of permissible purposes for which consumer
reporting agencies may furnish consumer reports, including in
accordance with the written instructions of the consumer to whom the
report relates and for purposes relating to credit, employment, and
insurance.\35\ The FCRA's
[[Page 101406]]
permissible purpose provisions are central to the statute's protection
of consumer privacy. The CFPB is concerned that sensitive consumer
information that the statute was designed to protect is being furnished
by consumer reporting agencies to users that do not have a permissible
purpose under the FCRA to obtain the information, thereby threatening
consumers' privacy, and causing reputational, emotional, economic, and
physical harm to consumers. These threats have grown more acute as
advances in technology have facilitated the easy sharing of such
consumer information online.
---------------------------------------------------------------------------
\35\ 15 U.S.C. 1681b(a). Other sections of the FCRA identify
additional limited circumstances under which consumer reporting
agencies are permitted or required to disclose certain information
to government agencies. See FCRA sections 608, 626, and 627, 15
U.S.C. 1681f, 1681u, 1681v; see also, e.g., FTC v. Manager, Retail
Credit Co., Miami Beach Branch Off., 515 F.2d 988, 994-95 (D.C. Cir.
1975) (holding that 15 U.S.C. 1681s(a) authorizes the FTC to obtain
consumer reports in FCRA enforcement investigations). Further, the
Debt Collection Improvement Act of 1996, Public Law 104-134, 110
Stat. 1321, section 31001(m)(1), allows the head of an executive,
judicial, or legislative agency to obtain a consumer report under
certain circumstances relating to debt collection. See 31 U.S.C.
3711(h). The proposed rule is not intended to alter the additional
circumstances in which government agencies may obtain consumer
report information.
---------------------------------------------------------------------------
For example, consumer reporting agencies sell personal identifiers
collected for the purpose of preparing consumer reports--often known as
``credit header'' information--to third parties who may not have an
FCRA-permissible purpose to obtain the information. The sale by
consumer reporting agencies of personal identifiers, which may include
sensitive information such as a consumer's Social Security number,
contributes to the availability of such information for purchase
online, potentially by fraudsters and other persons seeking to dox and
expose consumers' personal information or otherwise exploit or harm
consumers. The proposed rule would take steps to address this problem
by providing that the term ``consumer report'' includes communications
by a consumer reporting agency of personal identifiers that were
collected for the purpose of preparing consumer reports and that such
information therefore can be sold by consumer reporting agencies only
to users who have a permissible purpose to obtain it.
The CFPB is also aware that consumer reporting agencies offer and
sell to users who do not have an FCRA permissible purpose a variety of
products that include information that has been drawn from consumer
reporting databases and that has been aggregated or otherwise
purportedly de-identified to try to mask the identities of the
individual consumers to whom the information relates. This information
may be sold or made available, for example, for use in marketing
campaigns, even though advertising and marketing generally are not
permissible purposes under the FCRA.\36\ As with the sale of personal
identifiers, the sale of purportedly de-identified information about
consumers to users who do not have an FCRA permissible purpose to
obtain it contributes to the proliferation of sensitive consumer
information available for purchase online. The CFPB is concerned that
advances in technology have made, and will continue to make, it easier
for users to combine data and identify consumers within purportedly de-
identified data sets, and that the sale of such information by consumer
reporting agencies thus threatens the privacy of consumer information
in the very ways Congress designed the FCRA to prevent. The CFPB
proposes three possible alternatives to address this problem and
clarify when a communication by a consumer reporting agency of
information about a consumer is a consumer report.
---------------------------------------------------------------------------
\36\ An exception exists for the purpose of making firm offers
of credit or insurance. FCRA section 604(c)(1)(B), 15 U.S.C.
1681b(c)(1)(B). In addition, a consumer reporting agency may provide
a consumer report to a user ``in accordance with the written
instructions of the consumer'' to whom the report relates. FCRA
section 604(a)(2), 15 U.S.C. 1681b(a)(2).
---------------------------------------------------------------------------
In addition to general concerns regarding the privacy of consumers'
sensitive information, the CFPB is concerned that consumer reporting
agencies are monetizing consumer report information for use in
marketing in ways that the FCRA prohibits. As noted, marketing and
advertising generally are not permissible purposes for furnishing or
obtaining consumer reports. Nevertheless, as technology has advanced,
consumer reporting agencies have begun to employ techniques and
business models designed to evade this restriction. The proposed rule
would address these developments and would emphasize that the FCRA's
legitimate business need permissible purpose does not authorize
consumer reporting agencies to furnish consumer reports to users for
solicitation or marketing purposes.
The CFPB additionally proposes to specify what is needed to
establish a permissible purpose based on the written instructions of a
consumer. This proposed provision is intended to ensure that consumer
reporting agencies and consumer report users do not abuse the written
instructions permissible purpose by purportedly obtaining consumer
consent to furnish or obtain a consumer report pursuant to disclosures
buried within lengthy terms and conditions or otherwise presented to
the consumer in a manner that interferes with the consumer's ability to
make informed decisions.
C. Outreach and Engagement
Request for Information
On March 15, 2023, the CFPB issued a Request for Information (RFI)
regarding the data broker industry and business practices involving the
collection and sale of consumer information.\37\ The RFI sought
information about new business models that sell consumer data and about
consumer harm that could result from such business models. The CFPB
received over 7,000 comments in response to the RFI. The comments
helped to inform the CFPB's approach to the proposed rule.
---------------------------------------------------------------------------
\37\ 88 FR 16951 (Mar. 21, 2023) (hereinafter CFPB Data Broker
RFI).
---------------------------------------------------------------------------
Small Business Review Panel
Pursuant to the Small Business Regulatory Enforcement Fairness Act
of 1996 (SBREFA),\38\ the CFPB issued an Outline of Proposals and
Alternatives under Consideration in connection with this proposal in
September 2023.\39\ The CFPB convened a Small Business Review Panel
(Panel) on October 16, 2023, and held Panel meetings on October 18 and
19, 2023. Representatives from 16 small businesses were selected as
small entity representatives for the SBREFA process. These entities
represented small businesses that the CFPB determined would likely be
directly affected by one or more of the proposals under consideration.
On December 15, 2023, the Panel completed the Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Consumer Reporting Rulemaking.\40\ The CFPB also
invited and received feedback on the proposals under consideration from
others, including stakeholders other than small entity representatives,
although this feedback was not included in the Small Business Review
Panel Report.\41\ The CFPB has considered the
[[Page 101407]]
feedback from small entity representatives and other stakeholders, as
well as the findings and recommendations of the Small Business Review
Panel, in preparing this proposed rule. Panel recommendations regarding
specific proposals under consideration are addressed in part IV.
---------------------------------------------------------------------------
\38\ Public Law 104-121, 110 Stat. 857 (1996).
\39\ Consumer Fin. Prot. Bureau, Small Business Advisory Review
Panel For Consumer Reporting Rulemaking--Outline of Proposals and
Alternatives Under Consideration (Sept. 15, 2023) (hereinafter Small
Business Review Panel Outline or Outline), <a href="https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf">https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf</a>.
\40\ Consumer Fin. Prot. Bureau, Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Consumer Reporting Rulemaking (Dec. 15, 2023)
(hereinafter Small Business Review Panel Report or Panel Report),
<a href="https://files.consumerfinance.gov/f/documents/cfpb_sbrefa-final-report_consumer-reporting-rulemaking_2024-01.pdf">https://files.consumerfinance.gov/f/documents/cfpb_sbrefa-final-report_consumer-reporting-rulemaking_2024-01.pdf</a>.
\41\ Feedback received on the Small Business Review Panel
Outline will be placed on the public docket for this rulemaking.
---------------------------------------------------------------------------
This proposed rule does not address feedback received as part of
the SBREFA process about proposals that were under consideration
regarding medical debt collection information. Those proposals under
consideration were addressed in the CFPB's proposed rule regarding
consumer reporting of medical information.\42\ This proposed rule also
does not address feedback received as part of the SBREFA process about
proposals that were under consideration regarding data security and
data breaches, disputes involving legal matters, and disputes involving
systemic issues. Those topics are not included in this proposed rule.
---------------------------------------------------------------------------
\42\ 89 FR 51692 (June 18, 2024) (hereinafter CFPB Medical Debt
Proposed Rule).
---------------------------------------------------------------------------
Interagency and Stakeholder Consultations
Consistent with section 1022(b)(2)(B) of the CFPA, the CFPB has
consulted with the appropriate prudential regulators and other Federal
agencies, including regarding consistency with any prudential, market,
or systemic objectives administered by these agencies. The CFPB has
also consulted with officials from certain State agencies. In addition,
the CFPB has discussed the proposed rule with, and considered written
feedback submitted by, a range of interested stakeholders. The CFPB
discusses throughout this document feedback received through these
various channels that is relevant to the proposed rule.
III. Legal Authority
The CFPB is proposing to amend Regulation V pursuant to its
authority under the FCRA and the CFPA. Section 1022(b)(1) of the CFPA
authorizes the CFPB to prescribe rules ``as may be necessary or
appropriate to enable the [CFPB] to administer and carry out the
purposes and objectives of the Federal consumer financial laws, and to
prevent evasions thereof.'' \43\ The FCRA is a Federal consumer
financial law, except with respect to sections 615(e) and 628.\44\
Accordingly, the CFPB has authority under CFPA section 1022(b)(1) to
issue regulations to administer and carry out the purposes and
objectives of the FCRA and to prevent evasion thereof, except with
respect to sections 615(e) and 628.
---------------------------------------------------------------------------
\43\ 12 U.S.C. 5512(b)(1).
\44\ CFPA section 1002(14), 12 U.S.C. 5481(14) (defining
``Federal consumer financial law'' to include the ``enumerated
consumer laws'' and the provisions of the CFPA); CFPA section
1002(12), 12 U.S.C. 5481(12) (defining ``enumerated consumer laws''
to include the FCRA, except with respect to sections 615(e) and
628).
---------------------------------------------------------------------------
FCRA section 621(e) provides that, except with respect to sections
615(e) and 628, the CFPB ``shall prescribe such regulations as are
necessary to carry out the purposes of [the FCRA].'' \45\ Specifically,
FCRA section 621(e) provides that the CFPB ``may prescribe regulations
as may be necessary or appropriate to administer and carry out the
purposes and objectives'' of the FCRA.\46\ The stated purpose of the
FCRA is to ensure that ``consumer reporting agencies adopt reasonable
procedures for meeting the needs of commerce for consumer credit,
personnel, insurance, and other information in a manner which is fair
and equitable to the consumer, with regard to the confidentiality,
accuracy, relevancy, and proper utilization of such information.'' \47\
Except with respect to sections 615(e) and 628, the CFPB accordingly
has authority to issue regulations ``necessary or appropriate to
administer and carry out'' the provisions of the FCRA consistent with
this purpose.\48\ FCRA section 621(e) further provides that the CFPB
may prescribe regulations as may be necessary and appropriate to
prevent evasions of the FCRA or to facilitate compliance therewith.\49\
---------------------------------------------------------------------------
\45\ 15 U.S.C. 1681s(e).
\46\ Id.
\47\ FCRA section 602(b), 15 U.S.C. 1681(b).
\48\ See Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244, 2263
(2024) (explaining that Congress's use of the term ``appropriate''
``leaves agencies with flexibility'' in regulating (citation
omitted)).
\49\ Cf. Consumer Fin. Prot. Bureau v. Townstone Fin., Inc., 107
F.4th 768, 776 (7th Cir. 2024) (``In endowing the Board with
authority to prevent `circumvention or evasion,' Congress indicated
that the [Equal Credit Opportunity Act] must be construed broadly to
effectuate its purpose of ending discrimination in credit
applications.'').
---------------------------------------------------------------------------
The CFPB has considered this proposed rule in the context of its
legal authority under the FCRA and the CFPA and has developed the
proposed provisions by relying on its expertise in understanding and
developing policy regarding the consumer reporting market. The CFPB has
preliminarily determined that each of the proposed provisions is
consistent with the purpose of the FCRA and is authorized under FCRA
section 621(e) and CFPA section 1022(b)(1). Pursuant to FCRA section
621(e), any final rule prescribed by the CFPB would apply to all
persons subject to the FCRA, except as described in section 1029(a) of
the CFPA.\50\
---------------------------------------------------------------------------
\50\ The CFPB also notes that, subject to certain exceptions,
the FCRA states that it ``does not annul, alter, affect, or exempt
any person subject to [the FCRA] from complying with the laws of any
State with respect to the collection, distribution, or use of any
information on consumers, or for the prevention or mitigation of
identity theft, except to the extent that those laws are
inconsistent with any provision of this subchapter, and then only to
the extent of the inconsistency.'' 15 U.S.C. 1681t(a); see also
Davenport v. Farmers Ins. Grp., 378 F.3d 839, 842 (8th Cir. 2004)
(``The FCRA makes clear that it is not intended to occupy the entire
regulatory field with regard to consumer reports''). Therefore,
State laws that are not inconsistent with the FCRA--including State
laws that are more protective of consumers than the FCRA--are
generally not preempted. See 87 FR 41042 (July 11, 2022).
---------------------------------------------------------------------------
As noted in proposed Sec. 1022.1(b)(1) regarding the scope of
Regulation V, the regulation implements only certain provisions of the
FCRA. In this rulemaking, the CFPB proposes to implement for the first
time in Regulation V the definitions of consumer report and consumer
reporting agency in FCRA section 603(d) and (f) and the permissible
purposes of consumer reports as set forth in FCRA section 604(a).\51\
Unless specifically noted otherwise, the CFPB's mere restatement of
statutory language is not intended to affect the status quo regarding
case law or judicial or other interpretations that exist with respect to
such restated language. Explaining the scope of Regulation V in
proposed Sec. 1022.1(b)(1) and restating certain statutory text should
facilitate compliance with the statute, but the CFPB requests comment
on the proposed approach.
---------------------------------------------------------------------------
\51\ The proposed rule does not restate all of FCRA sections 603
and 604. Among other provisions in those sections, the proposed rule
does not restate FCRA section 604(c) regarding credit or insurance
transactions that are not initiated by the consumer.
---------------------------------------------------------------------------
IV. Discussion of the Proposed Rule
Subpart A--General Provisions
Section 1022.4 Definition; Consumer Report
In general, a consumer report under the FCRA is a written, oral, or
other communication by a consumer reporting agency of any information
that: (1) bears on at least one of seven specified factors relating to
a consumer; and (2) is used or expected to be used or collected in
whole or in part for the purpose of serving as a factor in establishing
the consumer's eligibility for credit or insurance, for employment
purposes, or for any other purpose authorized under FCRA section 604
(i.e., the section that establishes permissible purposes of consumer
reports). The seven factors relating to a consumer specified in the
definition of consumer report are a
[[Page 101408]]
consumer's creditworthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of
living.\52\ The CFPB proposes Sec. 1022.4 to implement and interpret
the FCRA definition of consumer report.
---------------------------------------------------------------------------
\52\ FCRA section 603(d), 15 U.S.C. 1681a(d).
---------------------------------------------------------------------------
Proposed Sec. 1022.4(a), (f), and (g) restate the FCRA definition
with minor wording and organizational changes for clarity.\53\ Proposed
Sec. 1022.4(a)(1) restates the ``bears on'' prong of the definition,
proposed Sec. 1022.4(a)(2) restates the purposes listed in the
definition, and proposed Sec. 1022.4(f) and (g) restate provisions
addressing exclusions from the definition. The CFPB proposes Sec.
1022.4(b) through (e) to address whether and when the communication of
certain consumer information constitutes a consumer report, with the
goal of ensuring the FCRA's protections are applied to such
information. The CFPB also proposes to revise several provisions in
existing Regulation V that cross-reference the definition of consumer
report in FCRA section 603(d) to instead cross-reference the definition
in proposed Sec. 1022.4.\54\
---------------------------------------------------------------------------
\53\ In restating FCRA section 603(d)(2)(D), proposed Sec.
1022.4(f) cross-references FCRA section 603(y) rather than FCRA
section 603(x) because the CFPA re-designated FCRA section 603(x) as
FCRA section 603(y). See 15 U.S.C. 1681a, n.1; Fed. Trade Comm'n,
Fair Credit Reporting Act, 15 U.S.C. 1681, at 2 n.1 (Sept. 2018),
<a href="https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf">https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf</a> (noting that
``(o) or (x)'' in FCRA section 603(d)(2)(D) ``[s]hould be read as
`(o) or (y)' '').
\54\ These provisions are Sec. Sec. 1022.20(b)(3), 1022.32(b),
1022.71(f), 1022.130(c), and 1022.142(b)(2). If this proposal and
the CFPB's Medical Debt Proposed Rule, supra note 42, are both
finalized, the CFPB intends to revise in the same way cross-
references to the terms ``consumer report'' and ``consumer reporting
agency'' in Sec. 1022.38, as proposed to be added to Regulation V
by the Medical Debt Proposed Rule.
---------------------------------------------------------------------------
Is Used or Expected To Be Used
Proposed Sec. 1022.4(b) and (c) address the phrase ``is used or
expected to be used'' and surrounding elements of the statutory
definition of consumer report. The proposed provisions address whether
and when the applicable information is used (proposed Sec. 1022.4(b))
or is expected to be used (proposed Sec. 1022.4(c)) for one of the
purposes specified in the definition--that is, for the purpose of
serving as a factor in establishing a consumer's eligibility for
consumer credit or insurance, for employment purposes, or for any other
purpose authorized under FCRA section 604. The CFPB proposes these
provisions to ensure that the FCRA's protections apply to certain
communications of consumer information, including by incentivizing
entities that sell consumer information to monitor the uses to which
such information is put and by ensuring that certain types of consumer
information are within the scope of the FCRA regardless of how any
particular communication of that information is used.
As explained further below, the FCRA's definition of the term
``consumer report'' presents several interpretive questions relevant to
this proposed rule. First, what is the item that might be ``used or
expected to be used'' for the relevant purpose--the specific
``communication'' (i.e., the actual transmittal of data) or the
``information'' contained within that communication (i.e., the facts
that the communication describes)? Courts have tended to focus their
analysis on the specific communication, although it is unclear how many
courts have been presented with the alternative.\55\ Second, given that
the phrase is in the passive voice, by whom might a communication or
information be ``used or expected to be used'' to qualify as a consumer
report--the specific recipient of the communication or a broader
population of parties? Again, courts have tended to consider the
activities of the specific user in the case at issue, but it is unclear
whether courts have been presented with the alternative.\56\ Third,
whose expectations are relevant in determining whether a communication
of information is ``expected to be used'' for a particular purpose--the
person making the communication or someone else? And fourth, are that
person's subjective expectations all that matter, or, as courts have
held, does the analysis also consider what the person objectively
should expect?
---------------------------------------------------------------------------
\55\ See, e.g., Comeaux v. Brown & Williamson Tobacco Co., 915
F.2d 1264, 1273-74 (9th Cir. 1990) (``The plain language of section
1681a(d) reveals that a credit report will be construed as a
`consumer report' under the FCRA if the credit bureau providing the
information expects the user to use the report for a purpose
permissible under the FCRA . . . .'' (second emphasis added)); cf.
Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d 988, 994 (D.
Nev. 2021) (applying the series-qualifier and nearest-reasonable-
referent canons to conclude that, under the definition of consumer
report, ``it is the information in the communication, not the
communication itself, that must be of the kind that is used or
expected to be used or collected in whole or in part for the
purposes of serving as a favor [sic] in credit, employment, or
insurance decisions or other reasons allowed under the FCRA'').
\56\ See, e.g., Comeaux, 915 F.2d at 1273-74.
---------------------------------------------------------------------------
With these interpretive questions in mind, the CFPB is proposing
provisions to administer and carry out the statutory scheme, prevent
evasion of the FCRA's requirements, and ensure that the statute's
protections apply to communications of consumer information that raise
concerns the FCRA was designed to address. In doing so, the CFPB is
also proposing particular approaches to resolving the interpretive
questions set forth above. First, the CFPB proposes to treat ``used or
expected to be used'' as modifying ``information'' rather than
``communication.'' Grammatically, the term to which ``used or expected
to be used'' refers should also be the term to which ``collected''
refers, and a consumer reporting agency does not ``collect''
communications. Second, the CFPB proposes to interpret ``used'' to
include use by persons other than the direct recipient of a
communication. If ``used or expected to be used'' referred only to how
the direct recipient used or was expected to use the information in a
communication, then the recipient's use or expected use for a non-
permissible purpose would not violate the statute because, by virtue of
that use or expected use, the communication would not be a consumer
report.\57\ Moreover, if the analysis focused only on the initial
recipient, the statute would be easy to evade by passing information
through intermediaries before it reached the ultimate user. Third, the
CFPB proposes to interpret ``expected to be used'' to refer to the
expectations of the person communicating the information, which is
consistent with longstanding case law and is a natural reading of the
statutory language. Fourth, the CFPB proposes to interpret ``expected
to be used'' to consider both what that person subjectively expected
and what that person objectively should have expected about the use of
the transmitted information. This interpretation is consistent with
past agency and judicial interpretations and would emphasize that
persons cannot sell consumer information and attempt to avoid coverage
by willfully ignoring the purposes for which the information will be
used.
---------------------------------------------------------------------------
\57\ The communication of the information could still be a
consumer report if the information was collected for a purpose
described in FCRA section 603(d)(1), in which case it could be
furnished only to a recipient with a permissible purpose.
---------------------------------------------------------------------------
Since the FCRA's enactment in 1970, applications of the law have
often undermined one of the statute's core commitments: protecting
consumer privacy. The CFPB proposes to implement the statute in a
manner that respects Congress's concern with limiting the purchase and
sale of sensitive consumer information and restores the full meaning of
the statute's permissible purpose provisions.
[[Page 101409]]
The CFPB uses these threshold principles, described in more detail
below, to guide the following proposals.
4(b) Is Used
Proposed Sec. 1022.4(b) interprets the phrase ``is used'' in the
definition of consumer report. It provides that information in a
communication is used for a purpose described in proposed Sec.
1022.4(a)(2) if a recipient of the information uses the information for
such purpose. The proposal would clarify that the purpose for which
information in a communication is used can cause the communication to
be a consumer report, regardless of whether the person communicating
the information collected it or expected it to be used for that
purpose.
This interpretation derives from a straightforward reading of the
statute. As summarized above, section 603(d)(1) of the FCRA defines a
consumer report as a communication of information by a consumer
reporting agency bearing on any of seven, specified consumer factors
that is ``[1] used or [2] expected to be used or [3] collected'' in
whole or in part for a purpose described in proposed Sec.
1022.4(a)(2). The principle that a statute must be construed to ``give
effect, if possible, to every clause and word'' \58\ requires that the
phrase ``is used'' be given a meaning independent of ``expected to be
used'' and ``collected.'' \59\ The CFPB's proposed interpretation does
so.
---------------------------------------------------------------------------
\58\ Williams v. Taylor, 529 U.S. 362, 404 (2000) (quoting
United States v. Menasche, 348 U.S. 528, 538-39 (1955)); see also
Duncan v. Walker, 533 U.S. 167, 174 (2001) (discussing rule against
surplusage).
\59\ Similarly, the series-qualifier canon requires reading the
phrase ``in whole or in part'' as modifying each word or phrase in
the series (i.e., ``is used,'' ``expected to be used,'' and
``collected'') rather than just the final one (i.e., ``collected'').
See Facebook, Inc. v. Duguid, 592 U.S. 395, 402 (2021) (describing
the series-qualifier canon); United States v. <a href="http://MyLife.com">MyLife.com</a>, Inc., 499
F. Supp. 3d 757, 764 (C.D. Cal. 2020) (finding that the complaint
adequately pled that the defendant's reports ``were used or expected
to be used in whole or in part for a FCRA purpose'').
---------------------------------------------------------------------------
The proposed interpretation is consistent with guidance previously
issued by FTC staff explaining that a report that is not otherwise a
consumer report may become a consumer report if it is subsequently used
by the recipient for an FCRA-covered purpose.\60\ That guidance also
suggests that a communication of consumer information that is actually
used for an FCRA-covered purpose might not be a consumer report if the
person making the communication could not have reasonably expected the
information to be used in such a way.\61\ Under the CFPB's proposed
interpretation, however, a report including information that ``is
used'' for a purpose described in proposed Sec. 1022.4(a)(2) (and that
satisfies the other elements of the definition of consumer report) is a
consumer report, irrespective of whether the person furnishing the
report could have reasonably expected that use or took steps to prevent
it.
---------------------------------------------------------------------------
\60\ FTC 40 Years Staff Report, supra note 21, at 22.
\61\ See id. (``If the entity supplying the report has taken
reasonable steps to [e]nsure that the report is not used for such a
purpose, and if it neither knows of, nor can reasonably anticipate
such use, the report should not be deemed a consumer report by
virtue of uses beyond the entity's control.'').
---------------------------------------------------------------------------
Proposed Sec. 1022.4(b) also would clarify another aspect of the
phrase ``is used'' in the FCRA's definition of consumer report. In the
definition, the phrase ``for the purpose of serving as a factor in
establishing the consumer's eligibility,'' which follows the phrase
``is used,'' lacks a subject, making it unclear whose use of the
information matters in determining whether information is used for a
purpose described in proposed Sec. 1022.4(a)(2). Proposed Sec.
1022.4(b) would clarify that information is used for a purpose
described in proposed Sec. 1022.4(a)(2) if anyone, not merely the
direct recipient of the communication, uses the information for such a
purpose.
Interpreting the phrase ``is used'' to encompass not just the
immediate recipient of the information but also downstream users is
necessary to carry out the purposes of the statute and prevent evasion.
If all that mattered was what the immediate recipient would do with the
information, a person could potentially avoid FCRA coverage even if the
person had actual knowledge that the entity to which it communicated
the information was selling the information to a downstream recipient
who planned to use it for a purpose described in proposed Sec.
1022.4(a)(2). Indeed, under such an interpretation, a person could
potentially use intermediaries to ensure that they never sold
information directly to a recipient who would use it for such a
purpose, even if the person knew that was how the information would
eventually be used. The CFPB's proposed interpretation is consistent
with case law holding that the ``is used'' element of the definition of
consumer report is satisfied if anyone--not just the initial recipient
of the communication--uses the information for a purpose described in
proposed Sec. 1022.4(a)(2).\62\
---------------------------------------------------------------------------
\62\ Ernst v. Dish Network, LLC, 49 F. Supp. 3d 377, 383
(S.D.N.Y. 2014) (``This means that if anyone uses, expects to use or
collects the information for [a permissible purpose], the statutory
definition of `consumer report' is satisfied.'') (emphasis added);
see also Henderson v. Corelogic Nat'l Background Data, LLC, 161 F.
Supp. 3d 389, 397-98 (E.D. Va. 2016).
---------------------------------------------------------------------------
As a practical matter, this would mean that a person that sells
information that is used for a purpose described in proposed Sec.
1022.4(a)(2) would become a consumer reporting agency, regardless of
whether the person knows or believes that the communication of that
information is legally considered a consumer report, assuming the other
elements of the definition of consumer reporting agency are satisfied.
In other words, so long as a person acts for the purpose of furnishing
a report that is or becomes a consumer report as that term is defined
in proposed Sec. 1022.4, that person is a consumer reporting agency; a
person need not know or believe it is furnishing a consumer report as
that term is defined under the FCRA. For example, consider an entity
that collects information about individual consumers' travel
preferences for use in marketing and sells that information to a third
party for marketing purposes with the belief that the communication of
that information is not a consumer report. If the third party actually
uses the information to establish a consumer's eligibility for credit,
the report would be a consumer report (assuming the other elements of
that definition were satisfied). The entity that sold the information
would then be a consumer reporting agency (assuming the other elements
of that definition were satisfied) because it intended to communicate
to the third party the information that was in fact used for an FCRA-
covered purpose, even if it did not believe that it was furnishing
consumer reports. The CFPB proposes that this conclusion flows from the
definition of consumer reporting agency in FCRA section 603(f).
In addition to being consistent with the regulatory text, this
reading of the statute better prevents entities from evading FCRA
coverage by disclaiming intent to furnish consumer reports. A
requirement that a person selling consumer information is a consumer
reporting agency only if it believes that its communications meet the
FCRA's definition of consumer report would incentivize willful
ignorance and undermine the purpose of the statute. The CFPB's
interpretation, by contrast, provides a clear, bright-line rule that
should be more difficult for entities, particularly data brokers, to
evade. For that reason, it is more consistent with
[[Page 101410]]
the broad remedial purpose of the FCRA.\63\
---------------------------------------------------------------------------
\63\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
---------------------------------------------------------------------------
The CFPB proposes Sec. 1022.4(b) as an interpretation of the
phrase ``is used.'' The CFPB also preliminarily concludes that proposed
Sec. 1022.4(b) is necessary to prevent evasion of the FCRA by entities
that sell consumer information and ignore the uses to which that
information is put by initial and downstream recipients.\64\ The CFPB
requests comment on whether the proposed interpretation is likely to
incentivize entities to monitor more carefully how a communication of
consumer information ultimately is used, any potential alternatives to
prevent entities from evading coverage under the FCRA, and any
compliance challenges associated with the proposed interpretation.
---------------------------------------------------------------------------
\64\ See supra part II.B, Goals of the Rulemaking, Protecting
Consumer Information in the Data Broker Market.
---------------------------------------------------------------------------
4(c) Is Expected To Be Used
Proposed Sec. 1022.4(c) would establish two tests for determining
whether information is expected to be used for a purpose described in
proposed Sec. 1022.4(a)(2). Under these tests, information in a
communication is expected to be used for such a purpose if: (1) the
person making the communication expects or should expect that a
recipient of the information will use it for such a purpose; or (2) it
is information about a consumer's credit history, credit score, debt
payments, or income or financial tier. Information would need to
satisfy only one of the tests for the ``expected to be used'' element
of the definition of consumer report to be met. If either test were
satisfied, the communication of the information would be a consumer
report and the person communicating the information would be a consumer
reporting agency, assuming the other elements of those definitions were
met. As a result, the person's sale of the information would be subject
to the FCRA.
4(c)(1)
Under the first test, described in proposed Sec. 1022.4(c)(1),
information in a communication is expected to be used for a purpose
described in proposed Sec. 1022.4(a)(2) if the person making the
communication expects or should expect that a recipient of the
information in the communication will use the information for such a
purpose.\65\ Proposed Sec. 1022.4(c)(1) would clarify four aspects of
the meaning of the phrase ``expected to be used.''
---------------------------------------------------------------------------
\65\ Regulation V, 12 CFR 1022.3(l) defines person to mean ``any
individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or
other entity.''
---------------------------------------------------------------------------
Information Is Expected To Be Used
The ``expected to be used'' element of the definition of consumer
report does not identify what item must be ``expected to be used'' for
a purpose described in proposed Sec. 1022.4(a)(2). A consumer report
is a ``communication'' of certain ``information'' about a consumer, so
the phrase could reasonably refer to the communication itself (i.e.,
the actual transmittal of data), or the information contained within
the communication (i.e., the facts that the communication describes).
Proposed Sec. 1022.4(c) clarifies that, under the first test, the
relevant inquiry is whether the information in a communication is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2). This proposed interpretation follows directly from the
statutory language. As relevant here, the FCRA defines a consumer
report as a communication of information by a consumer reporting agency
``which is used or expected to be used or collected in whole or in
part'' for a purpose described in proposed Sec. 1022.4(a)(2).
Grammatically, the term to which ``expected to be used'' refers should
also be the term to which ``collected in whole or in part'' refers.
Consumer reporting agencies collect information, not communications.
Accordingly, under the CFPB's proposed interpretation, the term
``expected to be used'' refers to information.\66\
---------------------------------------------------------------------------
\66\ See Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d
988, 994 (D. Nev. 2021) (applying the series-qualifier and nearest-
reasonable-referent canons to conclude that, under the definition
of consumer report, ``it is the information in the communication,
not the communication itself, that must be of the kind that is used
or expected to be used or collected in whole or in part for the
purposes of serving as a favor [sic] in credit, employment, or
insurance decisions or other reasons allowed under the FCRA'').
---------------------------------------------------------------------------
Person Communicating the Information
The ``expected to be used'' element of the FCRA's definition of
consumer report is phrased in the passive voice; it does not identify
the subject whose expectations are relevant in determining whether a
communication of information is a consumer report. Proposed Sec.
1022.4(c)(1) rephrases this element of the definition in the active
voice to clarify that, under the first test, the expectations of the
person communicating the information determine whether the information
is expected to be used for a particular purpose. In other words, the
proposal clarifies that a communication of information is a consumer
report if the person communicating the information expects the
information to be used for a purpose described in proposed Sec.
1022.4(a)(2) and the other elements of that definition are met. This
proposed interpretation, which is consistent with longstanding case
law, is a natural reading of the statutory language and makes sense in
the context of the statute.\67\ It is also necessary to prevent evasion
by entities, such as data brokers, that have sufficient information to
know that the consumer data they sell is likely being used for
eligibility determinations.
---------------------------------------------------------------------------
\67\ See, e.g., Fralish v. Transunion, LLC, No. 3:20-CV-969 JD,
2021 WL 4990003, at *3 (N.D. Ind. Oct. 26, 2021) (``Information
constitutes a `consumer report' if the consumer reporting agency
which prepares and sends the report `expects' the report to be used
for one of the `consumer purposes' set forth by the FCRA.'');
Ippolito v. WNS, Inc., 864 F.2d 440, 449 (7th Cir. 1988) (``[A]
consumer may establish that a particular credit report is a
`consumer report' falling within the coverage of the FCRA if . . .
the consumer reporting agency which prepares the report `expects'
the report to be used for one of the `consumer purposes' set forth
in the FCRA.''); Heath v. Credit Bureau of Sheridan, Inc., 618 F.2d
693, 696 (10th Cir. 1980) (explaining that `` `expected to be used'
would seem to refer to what the reporting agency believed'').
---------------------------------------------------------------------------
Knowledge Standard
The FCRA does not define the term ``expected.'' Proposed Sec.
1022.4(c)(1) would clarify that, under the first test, information is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2) if the person communicating the information subjectively
expects that it will be used for such a purpose, or if the person
objectively should expect that it will be used for such a purpose.
Interpreting the phrase ``expected to be used'' to encompass a
person's subjective and objective expectations is consistent with FTC
staff's longstanding view that the definition of consumer report covers
uses of information that the person can reasonably anticipate.\68\ And
it is consistent with case law holding that a person's reasonable
expectations about how information
[[Page 101411]]
will be used can establish whether the person is providing consumer
reports.\69\
---------------------------------------------------------------------------
\68\ FTC 40 Years Staff Report, supra note 21, at 22 (``If the
entity supplying the report has taken reasonable steps to [e]nsure
that the report is not used for such a purpose, and if it neither
knows of, nor can reasonably anticipate such use, the report should
not be deemed a consumer report . . . .'' (emphasis added)).
\69\ See, e.g., Harrington v. ChoicePoint Inc., No. CV 05-1294
MRP JWJX, 2005 WL 7979032, at *5 (C.D. Cal. Sept. 15, 2005) (holding
that consumer reporting agency ``should have expected the
information it disclosed would be used for FCRA purposes'' despite
the entity's contractual language with users barring such uses);
Mem. & Order at *6, Roybal v. Equifax, No. 2:05-CV-01207-MCE-KJM,
2008 WL 4532447 (E.D. Cal. Oct. 9, 2008) (allowing an FCRA claim
based on inaccuracies in the reporting of a joint account because
that information ``could reasonably have been expected to be used''
in establishing consumer's eligibility for credit); cf. Intel Corp.
Inv. Pol'y Comm. v. Sulyma, 589 U.S. 178 (2020) (``[T]he law will
sometimes impute knowledge--often called `constructive' knowledge--
to a person who fails to learn something that a reasonably diligent
person would have learned.'').
---------------------------------------------------------------------------
Interpreting ``expected to be used'' in this way also is necessary
to carry out the purposes of the FCRA and prevent evasion. If all that
mattered was how a person subjectively expected the information to be
used, the statute would reward willful ignorance: a person could
potentially avoid FCRA coverage by, for example, choosing not to ask or
deciding not to monitor how recipients of the information intended to
use it. The proposed interpretation is therefore consistent with the
statute's purpose.\70\
---------------------------------------------------------------------------
\70\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
---------------------------------------------------------------------------
The proposed interpretation also makes sense in the context of the
statute as a whole. Elsewhere in the FCRA, Congress imposed
requirements that refer only to a person's actual knowledge. For
example, FCRA section 605 requires the exclusion of certain information
from a consumer report if, among other things, the consumer reporting
agency ``has actual knowledge that the information is related to a
veteran's medical debt.'' \71\ If Congress had intended the meaning of
``expected to be used'' to turn only on the person's actual, subjective
expectations in the same way, it would have said so.\72\
---------------------------------------------------------------------------
\71\ 15 U.S.C. 1681c(a)(7), (8) (emphasis added).
\72\ See DHS v. MacLean, 574 U.S. 383, 392 (2015) (``Congress
generally acts intentionally when it uses particular language in one
section of a statute but omits it in another.'').
---------------------------------------------------------------------------
In enforcement actions and guidance documents, other regulators
have identified a non-exhaustive list of factors that may be relevant
to determining whether a person should expect that information will be
used for an FCRA-covered purpose. These factors include, for example,
whether the person screens potential users before allowing them to
access information, whether the person advertises its information for
non-FCRA-covered uses only, and whether the person maintains procedures
to monitor and audit how its information is used.\73\ The CFPB requests
comment on whether it would be helpful to identify in Regulation V
factors that are or may be relevant to determining whether a person
should expect that information will be used for an FCRA-covered
purpose, and, if so, what those factors might be. The CFPB also
requests comment on whether it would be helpful to identify the steps a
person must or should take to ensure that the consumer information it
sells is not used for an FCRA-covered purpose, absent which the person
would be deemed to expect that the consumer information will be used
for such a purpose.
---------------------------------------------------------------------------
\73\ See, e.g., Compl. ¶ 9, United States v. Instant Checkmate,
Inc., No. 3:14-CV-00675-H-JMA (S.D. Cal. Mar. 24, 2014), <a href="https://www.ftc.gov/system/files/documents/cases/140409instantcheckmatecmpt.pdf">https://www.ftc.gov/system/files/documents/cases/140409instantcheckmatecmpt.pdf</a> (alleging that Instant Checkmate, in
its marketing and advertising, including through its Google Ad Words
campaign, ``promoted the use of its reports as a factor in
establishing a person's eligibility for employment or housing'');
Compl. for Civil Penalties, Permanent Inj. & Other Equitable Relief
¶ 13, United States v. ChoicePoint (N.D. Ga. Jan. 30, 2006), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069complaint.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069complaint.pdf</a> (alleging that ChoicePoint failed to adequately
verify or authenticate the identities and qualifications of
prospective users of its database).
---------------------------------------------------------------------------
Downstream Recipients
The phrase ``for the purpose of serving as a factor in establishing
the consumer's eligibility,'' which follows the phrase ``expected to be
used'' in the definition, lacks a subject, making it unclear whose use
of the information matters in determining whether information is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2). For the same reasons described in the discussion of
proposed Sec. 1022.4(b), proposed Sec. 1022.4(c)(1) would clarify
that, under the first test, information is expected to be used for a
purpose described in proposed Sec. 1022.4(a)(2) if the person
communicating the information expects or should expect that any
recipient of the information will use it for such a purpose.
As discussed above, the CFPB proposes Sec. 1022.4(c)(1) as an
interpretation of the phrase ``expected to be used.'' The CFPB also
proposes Sec. 1022.4(c)(1) pursuant to its authority to prevent
evasions of the FCRA. The CFPB preliminarily concludes that proposed
Sec. 1022.4(c)(1) is necessary to prevent evasion of the FCRA by
entities that sell consumer information and ignore the uses to which
that information is put by initial and downstream recipients.\74\
---------------------------------------------------------------------------
\74\ See supra part II.B, Goals of the Rulemaking, Protecting
Consumer Information in the Data Broker Market.
---------------------------------------------------------------------------
4(c)(2)
Under the second test, described in proposed Sec. 1022.4(c)(2),
the CFPB preliminarily concludes that entities that sell consumer
information generally expect certain types of that information to be
used in the market at large for a purpose described in proposed Sec.
1022.4(a)(2), because those types of information are typically used for
such a purpose. Specifically, under proposed Sec. 1022.4(c)(2), a
person selling any of four types of information about a consumer--
credit history, credit score, debt payments, and income or financial
tier--for any purpose generally would qualify as a consumer reporting
agency selling consumer reports because those information types are
typically used to underwrite loans. Accordingly, the person's conduct
would be governed by the FCRA's restrictions and requirements,
including provisions that protect the privacy and promote the accuracy
of consumer data.
As discussed in part II, the data broker industry poses a range of
significant harms to consumers and the nation. These include national
security harms.\75\ As the U.S. Department of Justice (DOJ) has
observed, countries of concern can use Americans' sensitive personal
data ``to engage in malicious cyber-enabled activities and malign
foreign influence, and to track and build profiles on U.S. individuals,
including members of the military and Federal employees and
contractors, for illicit purposes such as blackmail and espionage.''
\76\ They can also use that data ``to collect information on activists,
academics, journalists, dissidents, political figures, or members of
non-governmental organizations or marginalized communities in order to
intimidate such persons; curb political opposition; limit freedoms of
expression, peaceful assembly, or association; or enable other forms of
suppression of civil liberties.'' \77\
---------------------------------------------------------------------------
\75\ See, e.g., The White House, Fact Sheet: President Biden
Issues Executive Order to Protect Americans' Sensitive Personal Data
(Feb. 28, 2024), <a href="https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/">https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/</a>.
\76\ 89 FR 15780, 15781 (Mar. 5, 2024) (U.S. Dep't of Just.
Advance Notice of Proposed Rulemaking seeking comment on topics
related to the implementation of E.O. 14117).
\77\ Id.
---------------------------------------------------------------------------
[[Page 101412]]
Recent research funded by the U.S. Military Academy at West Point
has highlighted the gravity of the threat posed by data brokers who
sell information about the activities and private lives of United
States military personnel, veterans, government employees, and their
families.\78\ With virtually no vetting, researchers were able to
purchase individually identified information about active-duty military
members' income, net worth, and credit rating--information that could
be used by foreign adversaries to identify individuals for purposes of
coercion, blackmail, or espionage.\79\ Data brokers also facilitate the
targeting of military members and government employees by allowing
buyers to purchase lists that match multiple categories, such as lists
that include individuals who fall into the ``Intelligence and
Counterterrorism'' category and the ``Behind on Bills'' category.\80\
As President Biden noted in a February 2024 executive order addressing
foreign access to Americans' data, ``[t]he continuing effort of certain
countries of concern to access Americans' sensitive personal data and
United States Government-related data constitutes an unusual and
extraordinary threat . . . to the national security and foreign policy
of the United States.'' \81\
---------------------------------------------------------------------------
\78\ See Duke Report on Data Brokers and Military Personnel
Data, supra note 2.
\79\ Id. at 5.
\80\ Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB
Director Rohit Chopra at the White House on Data Protection and
National Security (Apr. 2, 2024), <a href="https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/">https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/</a>.
\81\ E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024).
---------------------------------------------------------------------------
The data broker industry also poses unique harms to individuals in
financially precarious situations. Fraudsters can use information from
data brokers to target individuals likely to purchase predatory
financial products. For example, some data brokers sell consumer lists
with titles such as ``Rural and Barely Making It,'' ``Retiring on
Empty: Single,'' and ``Credit Crunched: City Families.'' \82\ As the
Senate Committee on Commerce, Science, and Transportation observed over
a decade ago, these lists ``appeal to companies that sell high-cost
loans and other financially risky products to populations more likely
to need quick cash.'' \83\ The purchase and sale of consumers'
financial information can also be used to perpetrate outright scams
against low-income individuals and individuals in financially
precarious situations. In 2015, for example, the FTC brought suit
against a data broker operation that sold payday loan applicants'
financial information to phony internet merchants and fraudsters who
used the information to debit consumers' bank accounts for financial
products that the consumers never actually purchased.\84\
---------------------------------------------------------------------------
\82\ S. Comm. on Com., Sci., & Transp., Off. of Oversight &
Investigations Majority Staff, A Review of the Data Broker Industry:
Collection, Use, and Sale of Consumer Data for Marketing Purposes,
at 5 (Dec. 18, 2013), https://www.commerce.senate.gov/services/files/0d2b3642-6221-4888-a631-08f2f255b577.
\83\ Id.
\84\ Compl. for Permanent Inj. and Other Equitable Relief, Fed.
Trade Comm'n v. Sequoia One, LLC, No. 2:15-cv-01512-JCM-CWH (D. Nev.
Aug. 7, 2015), <a href="https://www.ftc.gov/system/files/documents/cases/150812sequoiaonecmpt.pdf">https://www.ftc.gov/system/files/documents/cases/150812sequoiaonecmpt.pdf</a>; Fed. Trade Comm'n, FTC Charges Data
Brokers with Helping Scammer Take More Than $7 Million from
Consumers' Accounts (Aug. 12, 2015), <a href="https://www.ftc.gov/news-events/news/press-releases/2015/08/ftc-charges-data-brokers-helping-scammer-take-more-7-million-consumers-accounts">https://www.ftc.gov/news-events/news/press-releases/2015/08/ftc-charges-data-brokers-helping-scammer-take-more-7-million-consumers-accounts</a>.
---------------------------------------------------------------------------
The data broker industry also poses data security risks. The highly
sensitive consumer information collected and sold by data brokers is an
attractive target for hackers and identity thieves. In recent years,
cyber criminals have stolen from data brokers information about
hundreds of millions of Americans,\85\ some of which has been made
available for sale.\86\ Purchasers can use this information to open new
financial accounts in consumers' names, drain existing accounts, obtain
loans, seek employment, apply for government benefits, and send
``phishing'' communications to family and friends. According to the
DOJ, in 2021 nearly 24 million U.S. residents over 16 had experienced
identity theft in the past 12 months, with financial losses of over $16
billion.\87\
---------------------------------------------------------------------------
\85\ See, e.g., Brian Krebs, <a href="http://NationalPublicData.com">NationalPublicData.com</a> Hack Exposes
a Nation's Data, Krebs on Security (Aug. 15, 2024), <a href="https://krebsonsecurity.com/2024/08/nationalpublicdata-com-hack-exposes-a-nations-data/">https://krebsonsecurity.com/2024/08/nationalpublicdata-com-hack-exposes-a-nations-data/</a>; Justin Sherman, Duke Sanford School of Public Policy,
Data Brokers and Data Breaches (Sept. 27, 2022), <a href="https://techpolicy.sanford.duke.edu/blogroll/data-brokers-and-data-breaches">https://techpolicy.sanford.duke.edu/blogroll/data-brokers-and-data-breaches</a>;
Brian Krebs, Hacked Data Broker Accounts Fueled Phony COVID Loans,
Unemployment Claims, Krebs on Security (Aug. 6, 2020), <a href="https://krebsonsecurity.com/2020/08/hacked-data-broker-accounts-fueled-phony-covid-loans-unemployment-claims/">https://krebsonsecurity.com/2020/08/hacked-data-broker-accounts-fueled-phony-covid-loans-unemployment-claims/</a>; Lily Hay Newman, 1.2 Billion
Records Found Exposed Online in a Single Server, Wired (Nov. 22,
2019), <a href="https://www.wired.com/story/billion-records-exposed-online">https://www.wired.com/story/billion-records-exposed-online</a>;
Stacy Cowley, Equifax to Pay at Least $650 Million in Largest-Ever
Data Breach Settlement, N.Y. Times (July 22, 2019), <a href="https://www.nytimes.com/2019/07/22/business/equifax-settlement.html">https://www.nytimes.com/2019/07/22/business/equifax-settlement.html</a>.
\86\ See, e.g., Brian Krebs, National Public Data Published Its
Own Passwords, Krebs on Security (Aug. 19, 2024), <a href="https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/">https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/</a>; Brian Krebs, Data Broker Giants Hacked by ID Theft
Service, Krebs on Security (Sept. 25, 2013), <a href="https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/">https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/</a>.
\87\ Erika Harrell & Alexandra Thompson, Bureau of Just. Stat.,
U.S. Dep't of Just., NCJ 306474, Victims of Identity Theft, 2021, at
1 (Oct. 2023), <a href="https://bjs.ojp.gov/document/vit21.pdf">https://bjs.ojp.gov/document/vit21.pdf</a>.
---------------------------------------------------------------------------
In addition, the data broker industry poses risks to the personal
safety of American consumers. For example, domestic abusers and others
can use data from data brokers to stalk, harass, and commit
violence.\88\ Other bad actors can use data broker information to dox
consumers, expose their personal information, and subject them to
distress, embarrassment, shame, and stigma.\89\ Moreover, the data
broker industry threatens consumers' right to privacy--the right to be
left alone, free from wrongful intrusions into private activities.\90\
Surveys suggest that many consumers would be concerned to know that
information about their personal lives was being bought and sold
without their consent and outside their control by entities with whom
they have no
[[Page 101413]]
relationship and whose actions they cannot trace.\91\ And the data
broker industry raises questions of fundamental fairness to consumers.
The consumer profiles that data brokers compile and sell can determine
what offers, benefits, and opportunities consumers receive.\92\ Yet
those profiles, often based on data of dubious veracity and sometimes
merely on inferences drawn from that data, are typically constructed
without consumers' knowledge, input, or permission, creating a
significant risk that they contain inaccurate, incomplete, or outdated
information that consumers are often powerless to correct.
---------------------------------------------------------------------------
\88\ See, e.g., Letter from Amy Klobuchar & Lisa Murkowski,
Sens., U.S. Senate, to Hon. Rebecca K. Slaughter, Acting Chair, Fed.
Trade Comm'n (Mar. 4, 2021), https://www.klobuchar.senate.gov/public/_cache/files/5/e/5e1e58a4-4b38-49e8-9a8b-37ea1604d9b9/A6F005737B2A977445475E4E0C2E3685.ftc-privacy-and-domestic-violence-letter-final_-signed.pdf
(expressing ``serious concerns regarding
recent reports that data brokers are publicizing the location and
contact information of victims of domestic violence, sexual
violence, and stalking''); Esther Salas, My Son Was Killed Because
I'm a Federal Judge, N.Y. Times (Dec. 8, 2020), <a href="https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html">https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html</a> (recounting instance in which aggrieved litigant
obtained Federal judge's address from data broker); Mara
Hvistendahl, I Tried to Get My Name Off People-Search Sites. It Was
Nearly Impossible., Consumer Reports (Aug. 20, 2020), <a href="https://www.consumerreports.org/personal-information/i-tried-to-get-my-name-off-peoplesearch-sites-it-was-nearly--a0741114794/">https://www.consumerreports.org/personal-information/i-tried-to-get-my-name-off-peoplesearch-sites-it-was-nearly--a0741114794/</a> (recounting
domestic abuse victim's effort to delete her information from data
broker databases so that her abuser could not obtain it); Remsburg
v. Docusearch, Inc., No. Civ. 00-211-B, 2002 WL 844403, at *2-3
(D.N.H. Apr. 25, 2002) (describing stalker's use of data broker
information to locate victim).
\89\ See, e.g., Joseph Cox & Emanuel Maiberg, Fiverr Freelancers
Offer to Dox Anyone With Powerful U.S. Data Tool, 404 Media (July 2,
2024), <a href="https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/">https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/</a>; Joseph Cox, The Secret
Weapon Hackers Can Use to Dox Nearly Anyone in America for $15, 404
Media (Aug. 22, 2023), <a href="https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF">https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF</a>.
\90\ Cf. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d
589, 603-04 (9th Cir. 2020) (observing that ``[t]echnological
advances . . . provide access to a category of information otherwise
unknowable and implicate privacy concerns in a manner different from
traditional intrusions as a ride on horseback is different from a
flight to the moon'' (internal quotation marks and citations
omitted)); FTC v. Kochava, Inc., 715 F. Supp. 3d 1319, 1324 (D.
Idaho 2024) (noting that the Supreme Court has recognized ``the
unique threat that modern technology can pose to privacy rights''
(citing Carpenter v. United States, 585 U.S. 296 (2018))).
\91\ See, e.g., Brooke Auxier et al., Americans and Privacy:
Concerned, Confused and Feeling Lack of Control Over Their Personal
Information, Pew Rsch. Ctr. (Nov. 15, 2019), <a href="https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/">https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/</a>; cf. Tiffany Johnson et al., It's All Personal: A Study
on Consumer Attitudes Towards Data Collection & Usage, PCH Consumer
Insights, at 3 (Nov. 15, 2023), <a href="https://insights.pch.com/img/data-ethics-design.pdf">https://insights.pch.com/img/data-ethics-design.pdf</a> (identifying data types that consumers regard as
``personal'').
\92\ See FTC Data Broker Report, supra note 25, at 31 (noting
that score produced by data brokers ``could be used to determine the
types of offers consumers may receive, the number of offers, or even
the level of customer service provided to specific individuals'').
---------------------------------------------------------------------------
Notwithstanding these harms, for years many data brokers have
attempted to avoid liability under the FCRA by arguing that the
``expected to be used'' portion of the statute's definition of consumer
report is satisfied only if the person selling the communication
expects that the buyer will use the communication for a purpose
described in FCRA section 603(d)(1), such as to assess the consumer's
eligibility for credit. According to this argument, if the seller
expects that the buyer will use the communication for another purpose,
such as to market products, the ``expected to be used'' portion of the
definition is not satisfied. And as long as the communication was not
actually used, and the information in the communication was not
collected, for a purpose described in FCRA section 603(d)(1), this
argument provides that there is no consumer report and the FCRA does
not apply. Where courts have been presented with certain fact patterns,
such as where the data broker took steps to monitor and prohibit the
sale of data for FCRA uses, this has sometimes served as an adequate
defense. However, it is unclear whether courts have been squarely
presented with an alternative approach to the issue.\93\
---------------------------------------------------------------------------
\93\ See, e.g., Ippolito v. WNS, Inc., 864 F.2d 440, 450-51 (7th
Cir. 1988) (focusing on the purchaser's conduct in determining
whether the entity that sold a report expected that it would be used
for an FCRA-covered purpose).
---------------------------------------------------------------------------
Construing the phrase ``expected to be used'' in this way leads to
a result contrary to the FCRA's stated objective in section 602(a)(4)
of ``respect[ing] . . . the consumer's right to privacy.'' Section
604's prohibition on furnishing consumer reports for non-permissible
purposes, such as marketing outside of the prescreening context, is
evaded by the very acts that section 604 purportedly prohibits. This is
because, as the FCRA defines the term ``consumer report'' in section
603(d)(1)(C), a communication of information is not a consumer report
unless it is used or expected to be used for a permissible purpose in
the first place--i.e., for a purpose ``authorized under section
[604].'' This reading of ``expected to be used'' would render section
604's prohibitions a nullity with respect to the furnishing of consumer
reports for non-permissible purposes, except for the fact that a
communication of information could still be a consumer report if the
information was ``collected in whole or in part'' for a permissible
purpose. Under this reading, if an entity collects information for a
permissible purpose, it cannot provide that same information for an
impermissible purpose.
But it would shortchange the FCRA's privacy-protecting objectives
to conclude that consumer information collected by a consumer reporting
agency for a purpose authorized under section 604 is subject to all of
the FCRA's restrictions, including prohibitions on uses outside of what
section 604 authorizes, while identical consumer information collected
by a data broker solely for a purpose not authorized under section 604
is subject to none of the FCRA's restrictions. Under such an
interpretation, for example, Congress would have prohibited a consumer
reporting agency that collects consumers' income information for use by
banks in making credit eligibility decisions from selling that
information for marketing purposes (or any other non-permissible
purpose), but it would have permitted a data broker that collects the
exact same income information solely for purposes Congress did not
authorize in the FCRA to sell the information for those purposes. This
has led to the unregulated proliferation of the very types of consumer
information that the FCRA's framers intended to protect.\94\
---------------------------------------------------------------------------
\94\ See 115 Cong. Rec. S2413 (Jan. 31, 1969) (statement of
FCRA's primary sponsor expressing concern about companies that
maintain ``files on millions of Americans, including their
employment, income, billpaying record, marital status, habits,
character and morals'' without adequate regulations restricting the
files' use).
---------------------------------------------------------------------------
Proposed Sec. 1022.4(c)(2) would avoid this result and conform
with Congress's intent to protect consumers' right to privacy by
providing that certain types of information about consumers--namely,
credit history, credit score, debt payments, and income or financial
tier--are expected to be used for a purpose described in proposed Sec.
1022.4(a)(2) even if the specific communication in which the
information is conveyed is not itself used or expected to be used for
such a purpose.
The CFPB proposes that the text of FCRA section 603(d)(1) alone may
support proposed Sec. 1022.4(c)(2). In contrast to prior case law that
did not consider this approach, the CFPB preliminarily determines that
the part of the definition of consumer report referring to what the
sender ``expects'' could be construed as referring not to how the
sender expects the ``communication'' or report will be used, but rather
to how the sender expects the ``information'' within the report will be
used.\95\ ``Information'' is defined as ``knowledge obtained from
investigation, study, or instruction; intelligence, news; facts,
data.'' \96\ Accordingly, whether information ``is expected to be
used'' for a particular purpose may depend, in part, on how the facts
in a communication might be used in the future, even if they are
provided by other entities in different ``communications'' or reports.
---------------------------------------------------------------------------
\95\ Cf. Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d
988, 994 (D. Nev. 2021).
\96\ See Information, <a href="http://Merriam-Webster.com">Merriam-Webster.com</a> Dictionary, <a href="https://www.merriam-webster.com/dictionary/information">https://www.merriam-webster.com/dictionary/information</a> (last visited Oct.
15, 2024).
---------------------------------------------------------------------------
The CFPB preliminarily concludes that a data broker selling
information about a consumer's credit history, credit score, debt
payments (including on non-credit obligations), or income or financial
tier should know that such information is typically used in determining
a consumer's eligibility for credit, and therefore should expect that
such information will be used for an FCRA purpose. According to FICO,
for example, its credit scores are used in 90 percent of all lending
decisions.\97\ Moreover, in assessing a consumer's eligibility for a
mortgage loan, the nation's largest lenders consider, among other
things, a prospective borrower's income (often by reviewing a
consumer's W-2 statements, tax returns, and pay stubs), as well as the
borrower's credit history and level of indebtedness
[[Page 101414]]
(often by reviewing multiple or merged consumer reports).\98\ Indeed,
the government-sponsored entities that purchase a substantial portion
of residential mortgage loans \99\ require lenders to obtain a
consumer's credit report and score, and consider a consumer's income
and recurring debt payments, before making a loan.\100\ And the CFPB's
ability-to-repay rules require lenders to consider similar
information.\101\
---------------------------------------------------------------------------
\97\ Basic Facts About FICO Scores, FICO, <a href="https://www.fico.com/en/latest-thinking/fact-sheet/basic-facts-about-fico-scores">https://www.fico.com/en/latest-thinking/fact-sheet/basic-facts-about-fico-scores</a> (last
visited Oct. 30, 2024).
\98\ See, e.g., What Documents Are Needed to Apply for a
Mortgage?, Chase, <a href="https://www.chase.com/personal/mortgage/education/financing-a-home/mortgage-application">https://www.chase.com/personal/mortgage/education/financing-a-home/mortgage-application</a> (last visited Oct. 30, 2024);
How to Apply for a Mortgage, Bank of America, <a href="https://www.bankofamerica.com/mortgage/learn/how-to-apply-for-a-mortgage/">https://www.bankofamerica.com/mortgage/learn/how-to-apply-for-a-mortgage/</a>
(last visited Oct. 30, 2024); Home-Buying & Mortgage Process, US
Bank, <a href="https://www.usbank.com/home-loans/mortgage/first-time-home-buyers/mortgage-process.html">https://www.usbank.com/home-loans/mortgage/first-time-home-buyers/mortgage-process.html</a> (last visited Oct. 30, 2024);
Importance of Credit, Debt, and Savings When Buying a House, Wells
Fargo, <a href="https://www.wellsfargo.com/mortgage/learning/getting-started/importance-of-credit-debt-savings-in-homebuying/">https://www.wellsfargo.com/mortgage/learning/getting-started/importance-of-credit-debt-savings-in-homebuying/</a> (last visited Oct.
15, 2024); Hanna Kielar, Qualifying For A Mortgage: The Basics,
Rocket Mortgage (Apr. 10, 2024), <a href="https://www.rocketmortgage.com/learn/mortgage-qualification">https://www.rocketmortgage.com/learn/mortgage-qualification</a>.
\99\ See Fed. Hous. Fin. Agency, FHFA Statistics, What Types of
Mortgages Do Fannie Mae and Freddie Mac Acquire? (Apr. 14, 2021),
<a href="https://www.fhfa.gov/blog/statistics/what-types-of-mortgages-do-fannie-mae-and-freddie-mac-acquire">https://www.fhfa.gov/blog/statistics/what-types-of-mortgages-do-fannie-mae-and-freddie-mac-acquire</a> (listing enterprise share of
mortgage originations by year).
\100\ See, e.g., Fannie Mae, Selling Guide: Fannie Mae Single
Family, at B3 (June 5, 2024), <a href="https://singlefamily.fanniemae.com/media/39241/display">https://singlefamily.fanniemae.com/media/39241/display</a>; Freddie Mac, Seller/Servicer Guide, at Series
5000, <a href="https://guide.freddiemac.com/app/guide/series/5000">https://guide.freddiemac.com/app/guide/series/5000</a> (last
visited Oct. 30, 2024).
\101\ Regulation Z, 12 CFR 1026.43(c).
---------------------------------------------------------------------------
As a practical matter, if proposed Sec. 1022.4(c)(2) were
finalized, then, under FCRA section 604, data brokers and similar
entities that otherwise met the definition of a consumer reporting
agency could not sell reports containing a consumer's credit history,
credit score, debt payments, or income or financial tier to anyone who
lacked a permissible purpose to obtain them, such as a company that
intended to use the reports for marketing purposes outside of the
statute's pre-screening provisions.\102\ Such entities also would need
to comply with the FCRA's other prohibitions and requirements for
consumer reporting agencies, such as the requirement in FCRA section
607 to follow reasonable procedures to assure maximum possible accuracy
of the information in their reports, and the requirements in FCRA
sections 609 and 611 to disclose certain information to consumers and
to investigate consumers' disputes.\103\
---------------------------------------------------------------------------
\102\ 15 U.S.C. 1681b.
\103\ 15 U.S.C. 1681e, 1681g, 1681i.
---------------------------------------------------------------------------
If proposed Sec. 1022.4(c)(2) is finalized, a substantial number
of additional data brokers operating today likely will qualify as
consumer reporting agencies selling consumer reports under the FCRA,
resulting in improved consumer protections and a substantial reduction
in the volume of consumer information being bought and sold for non-
permissible purposes, such as marketing. In addition, proposed Sec.
1022.4(c)(2), if finalized, should make it more difficult for bad
actors to purchase consumer information from data brokers and threaten
national security or facilitate financial scams and fraud. In these
ways, proposed Sec. 1022.4(c)(2) would further the FCRA's broad
remedial purpose \104\ and Congress's intent to protect consumers'
right to privacy and to provide greater protections for particularly
sensitive consumer information.\105\
---------------------------------------------------------------------------
\104\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
\105\ See 15 U.S.C. 1681(a).
---------------------------------------------------------------------------
In the Small Business Review Panel Outline, the CFPB described a
proposal under consideration that would have provided that information
in a communication is expected to be used for an FCRA purpose if the
information is the type of information typically used for such a
purpose. The Small Business Review Panel recommended that the CFPB
consider how best to provide guidance on the types of information about
consumers that are typically used for an FCRA purpose. Proposed Sec.
1022.4(c)(2) is limited to the four types of information listed in that
section: a consumer's credit history, credit score, debt payments, and
income or financial tier. This limitation creates a bright-line rule
that is responsive to the Small Business Review Panel's feedback, and
that should simplify compliance and enforcement and reduce market
uncertainty. The CFPB requests comment on whether it would be helpful
to provide further guidance defining the four types of information
listed in proposed Sec. 1022.4(c)(2).
The CFPB notes that proposed Sec. 1022.4(c)(2) would cover, for
example, a list of people with income or credit scores above or below a
certain number or within a certain range, even if a consumer's precise
income or credit score is not specified. If all other elements of the
definitions of consumer report and consumer reporting agency were
satisfied, the list would be a series of consumer reports and the
entity communicating the list would be a consumer reporting agency. In
addition, the CFPB reiterates that information would need to satisfy
only one of the tests in proposed Sec. 1022.4(c) for the ``expected to
be used'' element of the definition of consumer report to be met. In
other words, the communication of information that is not specifically
listed in proposed Sec. 1022.4(c)(2)--including, for example, criminal
records, employment information, eviction history, and alternative data
\106\--could still be a consumer report if the person communicating the
information expects or should expect that a recipient of the
information in the communication will use the information for an FCRA
purpose.
---------------------------------------------------------------------------
\106\ See generally 82 FR 11183 (Feb. 21, 2017) (request for
information about the use or potential use of alternative data in
the credit process).
---------------------------------------------------------------------------
The CFPB proposes Sec. 1022.4(c)(2) as an administrable, bright-
line rule for certain categories of information to implement the phrase
``expected to be used'' in the FCRA's definition of consumer report.
The CFPB also proposes Sec. 1022.4(c)(2) pursuant to its authority to
prescribe regulations necessary to carry out the purposes of the FCRA
and prevent evasion. It is likely that a substantial number of data
brokers sell the types of information listed in proposed Sec.
1022.4(c)(2), and that a substantial number of the entities that buy
such information from data brokers in fact use it for FCRA purposes--
including to make credit eligibility determinations. Nevertheless, many
data brokers attempt to avoid the legal obligations of the FCRA by
remaining ignorant of how their data ultimately is used, in some
instances by selling data without inquiring into the buyer's identity
or intended use of the data, in other instances by ignoring certain
uses or disclaiming liability for them, and in other instances by
selling data to intermediary entities that sell it further
downstream.\107\ These practices--data brokers' sale of information
that is typically used for credit eligibility determinations and data
brokers' minimal oversight of the uses to which that information is
[[Page 101415]]
put \108\--have created a unique likelihood that the information sold
by data brokers will be used by downstream buyers to evaluate a
consumer's eligibility for credit.\109\ Data brokers collect, buy, and
sell the same types of data that consumer reporting agencies assemble
and disseminate, and the data broker industry poses many of the same
risks that the FCRA was designed to address.\110\ Yet many data brokers
have attempted to evade coverage under the statute. One purpose of
proposed Sec. 1022.4(c)(2) is to prevent further evasion.
---------------------------------------------------------------------------
\107\ See, e.g., Duke Report on Data Brokers and Military
Personnel Data, supra note 2, at 25-29; Compl. For Permanent Inj.,
Monetary Relief, Other Equitable Relief, and Civil Penalties, FTC v.
Instant Checkmate, LLC, No. 3:23-cv-01674 TWR (MSB) (S.D. Cal. Sept.
11, 2023), <a href="https://www.ftc.gov/system/files/ftc_gov/pdf/truthfinder_complaint.pdf">https://www.ftc.gov/system/files/ftc_gov/pdf/truthfinder_complaint.pdf</a>; Press Release, Fed. Trade Comm'n, FTC
Warns Data Broker Operations of Possible Privacy Violations (May 7,
2013), <a href="https://www.ftc.gov/news-events/news/press-releases/2013/05/ftc-warns-data-broker-operations-possible-privacy-violations">https://www.ftc.gov/news-events/news/press-releases/2013/05/ftc-warns-data-broker-operations-possible-privacy-violations</a>.
\108\ See, e.g., Duke Report on Data Brokers and Sensitive Data,
supra note 29, at 4-8; FTC Data Broker Report, supra note 25, at B1-
B5.
\109\ See 15 U.S.C. 1681a(d)(1)(A) through (C) and 1681b(a)(3).
\110\ See 115 Cong. Rec. S2413 (Jan. 31, 1969).
---------------------------------------------------------------------------
The CFPB requests comment on proposed Sec. 1022.4(c)(2) and other
possible approaches to implementing the definition of consumer report,
as well as on the potential impacts of each approach, including on
whether they would advance the privacy interests of consumers and
protect consumers from data misuses and abuses. In addition, the CFPB
requests comment on the possible effects, if proposed Sec.
1022.4(c)(2) is finalized, on entities that furnish data to, purchase
data from, or rely on the services of entities that would qualify as
consumer reporting agencies selling consumer reports.
4(d) Personal Identifiers for a Consumer
Proposed Sec. 1022.4(d) relates to certain personal identifiers
for a consumer that are often referred to as ``credit header''
information. Personal identifiers typically appear at the top of
consumer reports and include, for example, names, date of birth,
addresses, Social Security number (SSN), and telephone number. In Sec.
1022.4(d)(1), the CFPB proposes to provide that the term ``consumer
report'' includes a communication by a consumer reporting agency of a
personal identifier for a consumer that was collected by the consumer
reporting agency in whole or in part for the purpose of preparing a
consumer report about the consumer. This would mean that a consumer
reporting agency could only make such a communication if the user had a
permissible purpose under the FCRA to obtain it. Proposed Sec.
1022.4(d)(2) sets forth an enumerated list of information that would
constitute personal identifiers for a consumer. The CFPB proposes Sec.
1022.4(d) to prevent the misuse of personal identifiers collected by
consumer reporting agencies to prepare consumer reports and to prevent
evasions of the FCRA.
How Personal Identifiers Are Treated Today
The FTC has addressed personal identifiers collected by consumer
reporting agencies in various contexts over the last few decades and
has generally taken a fact-specific approach in determining whether
communications of identifying information by consumer reporting
agencies are consumer reports. For example, in 2000, the FTC determined
in an administrative opinion that age was consumer report information
when communicated by a consumer reporting agency,\111\ but that various
other types of personal identifiers were not, based on evidence in a
proceeding regarding whether the different types of information bore on
the seven factors specified in the definition of consumer report and
how they were used or expected to be used.\112\ In its 2011 staff
report, the FTC indicated that demographic and identifying information
about consumers such as name and address generally is not considered
consumer report information under the FCRA, unless it is used for
eligibility determinations.\113\ The FTC stated that a report limited
to identifying information does not constitute a consumer report if it
does not bear on any of the seven factors specified in the definition
and is not used to determine eligibility.\114\
---------------------------------------------------------------------------
\111\ In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb.
10, 2000), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf</a> (``[T]he record shows
that an individual's age does bear on their credit capacity and is
used in credit granting decisions. . . . The record . . .
demonstrates that lenders use age information as a factor in credit
granting decisions. Further, age clearly bears on credit capacity
where state laws restrict contracting with minors. Therefore, age
information falls within the definition of a consumer report and its
disclosure by a CRA to target marketers violates the FCRA.'')
(citations omitted); see also 65 FR 33645, 33668 n.35 (May 24, 2000)
(noting that age is consumer report information).
\112\ In re Trans Union Corp., FTC Docket No. 9255, at 30-31
(Feb. 10, 2000), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf</a> (concluding that
(1) name, mother's maiden name, generational designator, telephone
number, and SSN were not consumer report information because the
evidence presented in the proceeding did not show that they bore on
any of the seven factors specified in the definition of consumer
report, and (2) address was not consumer report information because,
while it might bear on creditworthiness, the evidence presented in
the proceeding did not show that address was used or expected to be
used as a credit eligibility factor in scoring or as a credit
criterion in prescreening).
\113\ FTC 40 Years Staff Report, supra note 21, at 1 n.4.
\114\ Id. at 21. The 2011 staff report indicated, for example,
that ``[t]elephone and other directories that only provide names,
addresses, and phone numbers, are not `consumer reports,' because
the information is not collected to be used or expected to be used
in evaluating consumers for credit, insurance, employment, or other
purposes.'' The FTC recognized, however, that a list of consumers'
names and addresses is a series of consumer reports if the list is
assembled or defined by reference to characteristics or other
information that is also used (even in part) in eligibility
decisions. For example, the FTC noted that ``a list comprised solely
of consumer names and addresses, but compiled based on the criterion
that every name on the list has at least one active trade line,
updated within six months, is a series of consumer reports.'' Id.
---------------------------------------------------------------------------
In finalizing its initial privacy regulation under the Gramm-Leach-
Bliley Act (GLBA), the FTC explained that, to the extent that a
consumer reporting agency's communication of ``credit header''
information is not a consumer report, GLBA and its implementing
regulation limit consumer reporting agencies' redisclosure of
information furnished by financial institutions pursuant to the GLBA's
consumer reporting exception, which allows financial institutions to
share nonpublic personal information with a consumer reporting agency
in accordance with the FCRA without providing consumers notice and an
opportunity to opt out of such sharing.\115\ Specifically, the FTC
explained that GLBA and its implementing regulation do not allow a
consumer reporting agency that receives information pursuant to this
exception to redisclose the information to ``individual reference
services, direct marketers, or any other party that does not have a
permissible purpose to obtain that information as part of a consumer
report.'' \116\ The FTC noted, however, that consumer reporting
agencies may be able to sell consumer identifying information if they
receive the information from financial institutions outside of a GLBA
exception.\117\
---------------------------------------------------------------------------
\115\ 65 FR 33646, 33668 (May 24, 2000) (citing 15 CFR
313.15(a)(5), which the CFPB later restated in Regulation P as 12
CFR 1016.15(a)(5)).
\116\ 65 FR 33646, 33668 (May 24, 2000) (declining requests that
the FTC create a new exception to the reuse and redisclosure
limitations that would allow consumer reporting agencies to sell
``credit header'' information); see also Trans Union LLC v. FTC, 295
F.3d 42 (D.C. Cir. 2002) (rejecting challenges to FTC privacy rule,
including to its handling of header information).
\117\ 65 FR 33646, 33668-69 (May 24, 2000).
---------------------------------------------------------------------------
Courts considering communications of personal identifiers by
consumer reporting agencies have generally concluded that such
communications are not consumer reports, largely on the ground that the
information does not bear on the factors specified in the
definition.\118\ However, similar to the
[[Page 101416]]
FTC's guidance, some decisions have recognized that communications of
identifying information may meet the FCRA definition of consumer report
in specific circumstances.\119\
---------------------------------------------------------------------------
\118\ See, e.g., Gray v. Experian Info. Sols. Inc., No. 8:23-CV-
981-WFJ-AEP, 2023 WL 6895993, at *3-4 (M.D. Fla. Oct. 19, 2023);
Bickley v. Dish Network, LLC, 751 F.3d 724, 729 (6th Cir. 2014); Ali
v. Vikar Mgmt. Ltd., 994 F. Supp. 492, 497, 499 (S.D.N.Y. 1998);
Dotzler v. Perot, 914 F. Supp. 328, 330-31 (E.D. Mo. 1996), aff'd,
124 F.3d 207 (8th Cir. 1997).
\119\ Steinmetz v. LexisNexis, No. 2:19-CV-00070-RFB-DJA, 2020
WL 2198974, at *3 (D. Nev. May 5, 2020) (noting that ``it is not
inconceivable that information like one's birthdate could be
relevant for determining eligibility for certain consumer credit
products'').
---------------------------------------------------------------------------
Consumer reporting agencies and other industry stakeholders have
generally taken the position that personal identifiers are not subject
to the FCRA at all.\120\ Consumer reporting agencies thus currently
sell ``credit header'' information for purposes that are not
permissible purposes under the FCRA.\121\ For example, such information
appears to be offered for sale for purposes not authorized under
section 604, such as marketing \122\ that is not done in accordance
with the statute's prescreening or written instructions
provisions.\123\
---------------------------------------------------------------------------
\120\ See, e.g., Comment from stakeholder Equifax, Re: CFPB's
Small Business Advisory Review Panel for Consumer Reporting
Rulemaking--Outline of Proposals and Alternatives Under
Consideration, at 2 (Nov. 6, 2023) (``Credit header information,
such as name, current and former addresses, Social Security number,
date of birth, and phone number, does not meet the current,
definitional standard for a consumer report.''). Indeed, an industry
trade association has erroneously suggested that the FTC has
categorically excluded identifying information from the definition
of consumer report. Comment from stakeholder CDIA, Re: CFPB's Small
Business Advisory Review Panel for Consumer Reporting Rulemaking--
Outline of Proposals and Alternatives Under Consideration, at 13
(Nov. 6, 2023) (``The FTC's long-standing and unambiguous
interpretation of the FCRA is that identifying information (i.e.,
credit header information) does not constitute a consumer
report.'').
\121\ See, e.g., What Is Credit Header?, Tracers (Oct. 22,
2020), <a href="https://www.tracers.com/blog/what-is-credit-header/">https://www.tracers.com/blog/what-is-credit-header/</a> (``You
can see how beneficial all of this information can be if you're a
business trying to reach out to brand new or existing customers.
This type of data isn't regulated under the Fair Credit Reporting
Act because it's not part of a customer's credit history, which
means you can use it in a variety of ways for your business's
benefit.'').
\122\ See, e.g., Introducing Acxiom Auto 360: Data Solution for
OEMs and Car Dealerships, Acxiom, <a href="https://www.acxiom.com/auto-360/">https://www.acxiom.com/auto-360/</a>
(last visited Oct. 30, 2024) (``What if you needed only one,
incredibly powerful data-marketing tool? One solution using best-in-
industry capabilities combining household data sets with credit
header data and adding insights to influence a customer's next
buying decision.'').
\123\ FCRA section 604(c)(1)(B) permits consumer reporting
agencies to furnish consumer reports in connection with credit or
insurance transactions not initiated by the consumer under certain
conditions, including that the consumer reporting agency must allow
consumers to opt out of the prescreening process, the user must
provide a firm offer of credit or insurance to consumers whose
information they receive, and both the consumer reporting agency and
the user must comply with notice requirements. FCRA section
604(a)(2) permits consumer reporting agencies to furnish a consumer
report in accordance ``with the written instructions of the consumer
to whom it relates.''
---------------------------------------------------------------------------
Implementing the FCRA's Definition of the Term ``Consumer Report''
The CFPB proposes Sec. 1022.4(d) pursuant to its authority under
FCRA section 621(e)(1) to ``prescribe regulations as may be necessary
or appropriate to administer and carry out the purposes and
objectives'' of the FCRA, including the definition of consumer report
in FCRA section 603(d). As noted above, a consumer report under the
FCRA is, in general, a communication by a consumer reporting agency of
any information that: (1) bears on at least one of seven specified
factors; and (2) is used or expected to be used or collected in whole
or in part for the purpose of serving as a factor in establishing a
consumer's eligibility for credit, insurance, or employment purposes or
for any other purpose authorized under FCRA section 604. The CFPB
preliminarily concludes that a consumer reporting agency's
communication of a personal identifier for a consumer that the consumer
reporting agency collected for the purpose of preparing a consumer
report about the consumer meets both prongs of the definition and,
therefore, that a communication of such information by a consumer
reporting agency is a consumer report.
The CFPB preliminarily concludes that personal identifiers for a
consumer bear on one or more of the seven factors specified in the
definition of consumer report. Those factors are a consumer's
creditworthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living.
Webster's dictionary defines ``characteristic'' as ``a
distinguishing trait, quality, or property.'' \124\ A consumer's names
(including aliases), age or date of birth, addresses, telephone
numbers, email addresses, and SSN or Individual Taxpayer Identification
Number (ITIN) are all themselves personal characteristics of the
consumer because they are personal traits, qualities, or properties
that serve to distinguish the consumer.\125\
---------------------------------------------------------------------------
\124\ See Characteristic, <a href="http://Merriam-Webster.com">Merriam-Webster.com</a> Dictionary,
<a href="https://www.merriam-webster.com/dictionary/characteristic">https://www.merriam-webster.com/dictionary/characteristic</a> (last
visited Oct. 30, 2024).
\125\ See, e.g., Moreland v. CoreLogic SafeRent LLC, No. SACV
13-470 AG ANX, 2013 WL 5811357, at *4 (C.D. Cal. Oct. 25, 2013)
(``Where a person lives is a fundamental `personal characteristic [
].' '').
---------------------------------------------------------------------------
Personal identifiers for a consumer also can bear on the specified
factors in other ways. For example, a consumer's current and former
names and aliases may bear on the consumer's mode of living by
revealing family associations, marital history, and the names the
consumer has chosen to use. Similarly, email addresses that the
consumer uses or has used may, for example, provide information about
the consumer's educational or employment associations. Addresses and
telephone numbers provide information about where a consumer has lived,
how often they have moved, and whether they receive mail at a post
office box, which are part of the consumer's mode of living. The fact
that no SSN is provided for a consumer or that another identification
number (such as an ITIN or a matricula consular number) is provided can
reveal information about the consumer's immigration status, which is a
personal characteristic and bears on the consumer's mode of living.
Additionally, the mere fact that a particular consumer reporting
agency or type of consumer reporting agency has personal identifiers
for a consumer can itself bear on one or more of the factors specified
in the definition of consumer report. For example, the fact that a
nationwide consumer reporting agency has personal identifiers for a
consumer suggests that it has credit records about the consumer and the
consumer is not ``credit invisible,'' which goes to the consumer's
credit capacity or credit standing. Similarly, the fact that a
particular type of specialty consumer reporting agency has personal
identifiers for a consumer might suggest that the consumer rents rather
than owns their home; has applied for individually underwritten life or
health insurance; has had claims filed against their homeowner's or
automobile insurance policies; or has a telecommunication, pay TV, or
utility account.\126\
---------------------------------------------------------------------------
\126\ See, e.g., Consumer Fin. Prot. Bureau, List of Consumer
Reporting Companies (2024), <a href="https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/companies-list/">https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/companies-list/</a> (last visited Oct. 15, 2024) (``Most
tenant screening companies won't have information on you unless you
apply for rental housing or otherwise authorize a landlord or
property manager to obtain a report from them.''); Request Your MIB
Underwriting Services Consumer File, MIB Group, <a href="https://www.mib.com/request_your_record.html">https://www.mib.com/request_your_record.html</a> (last visited Oct. 15, 2024) (``You will
not have an MIB Underwriting Services Consumer File unless you have
applied for individually underwritten life or health insurance in
the last seven years.''); Natalie Todoroff & Jessa Claeys, What are
CLUE reports in insurance? Bankrate (Sept. 3, 2024), <a href="https://www.bankrate.com/insurance/homeowners-insurance/clue-report/">https://www.bankrate.com/insurance/homeowners-insurance/clue-report/</a>
(describing information included in CLUE reports); NCTUE empowers
you to take control of your credit, NCTUE Consumers, <a href="https://nctue.com/consumers/">https://nctue.com/consumers/</a> (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
The CFPB also preliminarily determines that personal identifiers
collected by consumer reporting agencies to prepare consumer reports
meet the second prong of the definition
[[Page 101417]]
of consumer report because they are used or expected to be used or
collected in whole or in part for the purpose of serving as a factor in
establishing the consumer's eligibility for consumer credit or
insurance, employment purposes, or other purposes authorized under FCRA
section 604. The personal identifiers at issue in this proposal are
only information that comes from entities that are already consumer
reporting agencies that furnish consumer reports, and the question is
whether such entities can take the sensitive contact information that
they collect to prepare consumer reports and sell it for purposes not
authorized under the FCRA. In that fact pattern, the CFPB preliminarily
determines that the sensitive contact information was ``collected in
whole or in part'' to populate consumer reports to furnish to clients
that use it for a permissible purpose. Proposed Sec. 1022.4(d) does
not address data brokers that sell contact information that was not
collected for the purpose of preparing consumer reports.
Moreover, every time any information from a consumer report, such
as income or employment history, is used as a factor in determining
eligibility for an FCRA purpose, a personal identifier for the consumer
must also be used. Otherwise, it would be impossible for users to be
sure that the information used from the consumer report relates to the
correct consumer.
Indeed, personal identifiers provided by consumer reporting
agencies can be critical in assessing whether applicable requirements
are met. For example, employers may be required for certain positions
to ensure that prospective employees do not appear on a sex offender
registry and may use names and other personal identifiers from consumer
reporting agencies to do so. Similarly, financial institutions and
others may use names and other personal identifiers in determining
whether an applicant for credit or other products or services is on the
list of Specially Designated Nationals maintained by the Office of
Foreign Assets Control (OFAC) or one of OFAC's other sanctions lists,
to ensure that OFAC's regulations do not prohibit them from approving
the transaction.\127\
---------------------------------------------------------------------------
\127\ See generally Off. of Foreign Assets Control, U.S. Dep't
of Treas., FFIEC, BSA/AML Manual: Office of Foreign Assets Control--
Overview, <a href="https://bsaaml.ffiec.gov/manual/OfficeOfForeignAssetsControl/01">https://bsaaml.ffiec.gov/manual/OfficeOfForeignAssetsControl/01</a> (last visited Oct. 15, 2024); Cortez
v. Trans Union, LLC, 617 F.3d 688, 707-08 (3rd Cir. 2010) (``Trans
Union invites us to conclude that information that goes to the very
legality of a credit transaction is somehow not `a factor in
establishing the consumer's eligibility . . . for credit.'. . . . It
is difficult to imagine an inquiry more central to a consumer's
`eligibility' for credit than whether federal law prohibits
extending credit to that consumer in the first instance. The
applicability of the FCRA is not negated merely because the
creditor/dealership could have used the OFAC Screen to comply with
the USA PATRIOT Act, as well as deciding whether it was legal to
extend credit to the consumer.''); Off. of Foreign Assets Control,
U.S. Dep't of Treas., Frequently Asked Question #46 (Sept. 10,
2002), <a href="https://ofac.treasury.gov/faqs/46">https://ofac.treasury.gov/faqs/46</a> (last visited Oct. 15,
2024) (discussing what to provide as a denial reason on an adverse
action notice if a loan meets an institution's underwriting
standards but is a true ``hit'' on the Specially Designated
Nationals list).
---------------------------------------------------------------------------
Personal identifiers provided by consumer reporting agencies can
also serve as a factor in eligibility determinations in other ways. For
example, age may be specifically considered in determining whether a
consumer meets requirements for credit and insurance products and
services. Minors, for example, may be ineligible to even enter into
contracts under State law, and some products such as reverse mortgages
are only offered to seniors.\128\ Age also can determine whether an
applicant is eligible for a particular employment position or for
benefits such as Social Security retirement benefits and Supplemental
Security Income.\129\ Similarly, whether a consumer has an SSN can
affect eligibility for employment, Social Security benefits, and
certain other government benefits.\130\
---------------------------------------------------------------------------
\128\ Fed. Trade Comm'n, Reverse Mortgages (Aug. 2022), <a href="https://consumer.ftc.gov/articles/reverse-mortgages">https://consumer.ftc.gov/articles/reverse-mortgages</a> (noting that you cannot
legally commit to a regular mortgage until you are 18, unless you
have a co-signer, and that you must be 62 or older to get a reverse
mortgage); cf. In re Trans Union Corp., FTC Docket No. 9255, at 31
(Feb. 10, 2000), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf</a> (explaining
various ways in which age had been used in credit granting
decisions).
\129\ See, e.g., Soc. Sec. Admin., Retirement Benefits, at 2-4
(2024), <a href="https://www.ssa.gov/pubs/EN-05-10035.pdf">https://www.ssa.gov/pubs/EN-05-10035.pdf</a> (explaining age
restrictions for Social Security retirement benefits); Soc. Sec.
Admin., Supplemental Security Income (SSI) Eligibility Requirements
(2024), Understanding SSI--SSI Eligibility (<a href="http://ssa.gov">ssa.gov</a>).
\130\ Soc. Sec. Admin., Social Security Numbers for Noncitizens
(Apr. 2023), <a href="https://www.ssa.gov/pubs/EN-05-10096.pdf">https://www.ssa.gov/pubs/EN-05-10096.pdf</a> (``You need an
SSN to work, collect Social Security benefits, and receive other
government services.'').
---------------------------------------------------------------------------
Address information provided by consumer reporting agencies can
also play a role in eligibility determinations. For example, many
financial service providers and insurance companies are only licensed
to operate in particular States and therefore can only offer their
products or services to consumers residing in those jurisdictions.
Federally regulated lenders are also prohibited from making a mortgage
loan to a consumer if a property is not covered by flood insurance and
is located in a Special Flood Hazard area where flood insurance is
available.\131\ Employment positions may be limited to residents of
certain localities.
---------------------------------------------------------------------------
\131\ 42 U.S.C. 4012a(b).
---------------------------------------------------------------------------
In light of all of these considerations, the CFPB preliminarily
concludes that communications by consumer reporting agencies of
personal identifiers for a consumer that are collected by a consumer
reporting agency for the purpose of preparing consumer reports about
the consumer are consumer reports. FCRA section 608 further supports
this interpretation by specifically permitting consumer reporting
agencies to share ``identifying information respecting any consumer,
limited to his name, address, former addresses, places of employment,
or former places of employment'' with a governmental agency
notwithstanding the permissible purpose requirements for consumer
reports.\132\ If identifying information were entirely excluded from
the definition of consumer report as industry has suggested, there
would have been no need for Congress to craft FCRA section 608 to
expressly allow sharing of certain identifying information with
government agencies.
---------------------------------------------------------------------------
\132\ 15 U.S.C. 1681f.
---------------------------------------------------------------------------
Proposed Sec. 1022.4(d) Would Promote the FCRA's Goals and Prevent
Misuse of Personal Identifiers
Proposed Sec. 1022.4(d) would promote the FCRA's goals of ensuring
accuracy and fairness in consumer reporting by ensuring that personal
identifiers collected by consumer reporting agencies for the purpose of
preparing consumer reports are subject to all of the FCRA's protections
that apply to consumer reports. A primary purpose of the FCRA is ``to
protect consumers from the transmission of inaccurate information about
them, and to establish credit reporting practices that utilize
accurate, relevant, and current information in a confidential and
responsible manner.'' \133\ The CFPB has long recognized how important
personal identifiers are in ensuring the accuracy of consumer
reports.\134\ Specifying that such information is a consumer report
when it is communicated on its own by a consumer reporting agency would
ensure that consumers receive notice when adverse actions are taken
based on the information, thereby alerting
[[Page 101418]]
consumers to inaccuracies in their personal identifiers as well as
increasing visibility for consumers into users' decision-making. It
would also help confirm that consumers have a right to dispute
incorrect personal identifiers maintained by consumer reporting
agencies and have their information corrected.\135\ For example, there
may be consumers who are being denied credit, insurance, employment, or
benefits due to an address or SSN discrepancy resulting from erroneous
information and who would benefit from an adverse action notice so they
can identify and clear up the error.
---------------------------------------------------------------------------
\133\ Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329,
1333 (9th Cir. 1995) (citations omitted).
\134\ For example, the CFPB highlighted in an advisory opinion
regarding name-only matching the importance of consumer reporting
agencies' matching procedures in ensuring accuracy. 86 FR 62468
(Nov. 10, 2021). However, even the best matching procedures cannot
prevent mistakes if the identifying information maintained by
consumer reporting agencies is itself wrong.
\135\ In the absence of a bright-line rule regarding personal
identifiers, at least one consumer reporting agency has taken the
position that consumer reporting agencies have no obligation to
investigate consumer disputes about inaccurate identifying
information that they use in generating consumer reports,
notwithstanding the fact that the FCRA clearly requires them to do
so. See Brief of Amici Curiae, Consumer Fin. Prot. Bureau and Fed.
Trade Comm'n in Supp. of Plaintiff-Appellant, Nelson v. Experian
Info. Sols., Inc., No. 4:21-cv-00894-CLM (11th Cir. filed Mar. 29,
2024), <a href="https://files.consumerfinance.gov/f/documents/cfpb_amicus-brief-nelson-v-experian_2024-03.pdf">https://files.consumerfinance.gov/f/documents/cfpb_amicus-brief-nelson-v-experian_2024-03.pdf</a>.
---------------------------------------------------------------------------
Providing that the term ``consumer report'' includes personal
identifiers collected by consumer reporting agencies to prepare
consumer reports would also protect consumers' privacy by limiting
access to such information to entities that have one of the purposes
recognized by Congress in the FCRA. As discussed elsewhere in this
document, recent studies by Duke University have found that data
brokers are openly and explicitly advertising for sale sensitive
demographic and other information about U.S. individuals, including
active-duty members of the military, their families, and veterans,
which can be used to identify and compromise or blackmail them in order
to obtain sensitive military information, threatening national
security.\136\ Personal identifiers may include sensitive information,
including SSNs and driver's license numbers, as well as addresses and
telephone numbers for people who do not wish to be located, such as
domestic violence survivors seeking to stay safe from their abusers.
Consumer groups have noted that, because consumer reporting agencies
sell ``credit header'' information, this information has become readily
available for purchase online. They have expressed concern that this
online marketplace for ``credit header'' information is used for
doxing, identity theft, harassment, and physical violence.\137\
Investigative reporting by 404 Media indicates that criminals have
obtained access to ``credit header'' information and are selling
unfettered access to such data to other criminals.\138\
---------------------------------------------------------------------------
\136\ Duke Report on Data Brokers and Military Personnel Data,
supra note 2; Duke Report on Data Brokers and Sensitive Data, supra
note 29.
\137\ See, e.g., Comment from stakeholders Just Futures Law,
Consumer Action, and six other nonprofits, Re: CFPB's Small Business
Advisory Review Panel for Consumer Reporting Rulemaking--Outline of
Proposals and Alternatives Under Consideration, at 2 (Nov. 6, 2023).
\138\ Joseph Cox, The Secret Weapon Hackers Can Use to Dox
Nearly Anyone in America for $15, 404 Media (Aug. 22, 2023), <a href="https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF">https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF</a> (``This is the result of a secret weapon
criminals are selling access to online that appears to tap into an
especially powerful set of data: the target's credit header. . . .
Through a complex web of agreements and purchases, that data
trickles down from the credit bureaus to other companies who offer
it to debt collectors, insurance companies, and law enforcement. A
404 Media investigation has found that criminals have managed to tap
into that data supply chain, in some cases by stealing former law
enforcement officer's identities, and are selling unfettered access
to their criminal cohorts online.''); see also Joseph Cox & Emanuel
Maiberg, Fiverr Freelancers Offer to Dox Anyone With Powerful U.S.
Data Tool, 404 Media (July 2, 2024), <a href="https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/">https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/</a>
(``Dozens of sellers on the freelancing platforming Fiverr claim to
have access to a powerful data tool used by private investigators,
law enforcement, and insurance firms which contains personal data on
much of the U.S. population. The sellers are then advertising the
ability to dig through that data for prospective buyers, including
uncovering peoples' Social Security numbers for as little as $30,
according to listings viewed by 404 Media. . . . The advertised tool
is TLOxp, maintained by the credit bureau TransUnion, and can also
provide a target's unlisted phone numbers, utilities, physical
addresses, and more.'').
---------------------------------------------------------------------------
Except for certain information that may be released to government
agencies under specific FCRA provisions, the proposal would curtail
consumer reporting agencies' ability to furnish without a permissible
purpose personal identifiers that had been collected for the purpose of
preparing consumer reports. The proposal would thus reduce the ability
of consumer reporting agencies to disclose sensitive contact
information that ultimately could be accessed and used by stalkers,
doxxers, domestic abusers, and other lawbreakers, as discussed above.
While the storage of Americans' sensitive data may be necessary to
facilitate lending, employment background checks, and other beneficial
uses prescribed under the FCRA, it cannot be used to facilitate crimes.
Impacts on Other Current Uses of Personal Identifiers
The Small Business Review Panel recommended that the CFPB consider
the impacts on current uses of ``credit header'' information
(including, e.g., for identity verification, fraud prevention and
detection, employment background checks, other investigations, and
digital advertising) and ways to mitigate any negative effects if
communications of ``credit header'' information are consumer
reports.\139\ Small entity representatives and others have noted that
``credit header'' information has numerous beneficial uses. For
example, it is often used currently to comply with legal obligations
related to identity verification. These obligations include customer
identification programs and anti-money laundering compliance
obligations pursuant to the USA PATRIOT Act and the Bank Secrecy Act,
which are designed to prevent and detect money laundering and the
financing of terrorism.\140\ According to industry trade associations,
``credit header'' information is also used for other purposes, such as
identifying and locating people in a range of contexts, including
missing children, victims of natural disasters, and responsible parties
and witnesses in insurance claims investigations and civil and criminal
matters.\141\ Other uses cited include investigating human trafficking,
ensuring that packages are sent to the correct address, preventing
online purchase fraud, and ensuring age-restricted content and
merchandise is not available to minors.
---------------------------------------------------------------------------
\139\ Small Business Review Panel Report, supra note 40, at 47-
48 & section 9.3.3.
\140\ For example, section 326 of the USA PATRIOT Act requires
the U.S. Department of Treasury's Financial Crimes Enforcement
Network (FinCEN) to prescribe regulations that require financial
institutions to establish programs for account opening that include:
(1) verifying the identity of any person seeking to open an account,
to the extent reasonable and practicable; (2) maintaining records of
the information used to verify the person's identity, including
name, address, and other identifying information; and (3)
determining whether the person appears on any lists of known or
suspected terrorists or terrorist organizations provided to the
financial institution by any government agency. 31 U.S.C. 5318(l).
\141\ Other examples cited include identifying and locating
owners of lost or stolen property, heirs, pension beneficiaries,
organ and tissue donors, suspects, terrorists, fugitives, tax
evaders, and parents and ex-spouses with delinquent child or spousal
support obligations.
---------------------------------------------------------------------------
Industry stakeholders have expressed concern that treating ``credit
header'' information as consumer report information may increase costs,
result in delays where time is of the essence, and cause consumer
frustration, while undermining efforts to combat money laundering,
terrorism, and other crimes. However, it appears that many of these
predictions overstate the consequences of reading the FCRA's definition
of consumer report to include communications of personal identifiers
collected by consumer reporting
[[Page 101419]]
agencies to prepare consumer reports. If the proposal is finalized,
identifying information would still be available in various ways. Many
current uses of such information, such as confirming an applicant meets
the minimum age requirement for a job or a loan, fall within specific
permissible purposes. If an entity has a permissible purpose under FCRA
section 604(a)(3) to obtain a consumer report, the entity can also use
the consumer report for identity verification and fraud prevention
activities conducted in connection with that permissible purpose. For
example, a creditor has a permissible purpose to use consumer report
information for identity verification and fraud prevention if such
activities are conducted in connection with a credit transaction that
involves an extension of credit to the consumer or review or collection
of a credit account of the consumer.\142\ A court order or a subpoena
can also provide an FCRA permissible purpose.\143\ Additionally, a
consumer's written instructions can provide a permissible purpose, such
as for any identity verification or fraud prevention activities that
are not conducted in connection with another permissible purpose.\144\
---------------------------------------------------------------------------
\142\ FCRA section 604(a)(3)(A), 15 U.S.C. 1681b(a)(3)(A).
\143\ FCRA section 604(a)(1), 15 U.S.C. 1681b(a)(1).
\144\ See infra discussion of proposed Sec. 1022.11.
---------------------------------------------------------------------------
Furthermore, proposed Sec. 1022.4(d) would not affect access to
identifying information from any sources that are not subject to the
FCRA. Proposed Sec. 1022.4(d) would not, for example, affect the
status or availability of an ordinary telephone directory or of any
other repository of identifying information that is not collected for
the purpose of preparing consumer reports. Other data sources could
include, for example, public records directly from a government entity,
such as property records, voter registrations, and professional license
filings.\145\
---------------------------------------------------------------------------
\145\ See discussion of government-run databases in the
discussion of proposed Sec. 1022.5 below.
---------------------------------------------------------------------------
Proposed Sec. 1022.4(d) also would not affect the status or
availability of identifying information obtained from financial
institutions for purposes other than to prepare consumer reports.\146\
The GLBA and Regulation P generally require financial institutions to
provide consumers with notice and a right to opt out of the sharing of
their nonpublic personal information with non-affiliated third parties,
but an exception to these requirements provides that financial
institutions can share such information ``to protect against or prevent
actual or potential fraud, unauthorized transactions, claims, or other
liability.'' \147\
---------------------------------------------------------------------------
\146\ To the extent any repository included identifying
information obtained from financial institutions, it would need to
comply with the restrictions and requirements of the GLBA and its
implementing regulations, including the limitations on reuse and
redisclosure. See, e.g., 15 U.S.C. 6802(c); 12 CFR 1016.11.
\147\ 15 U.S.C. 6802(e)(3)(B); 12 CFR 1016.15(a)(2)(ii). A
financial institution may provide identifying information to a non-
affiliated third party for purposes of identity verification and
fraud prevention pursuant to this exception, and Regulation P's
reuse and redisclosure provisions would allow the recipient of such
information to redisclose the information to other non-affiliated
third parties for the same purposes. 15 U.S.C. 6802(c); 12 CFR
1016.11(a)(1)(iii), (c)(3) (providing that information received
pursuant to an exception, such as the fraud exception, may generally
only be used or disclosed in the ordinary course of business to
carry out the activity covered by the exception under which the
recipient received the information). As long as the information was
not received under Regulation P's exception to the notice and opt
out requirements to allow disclosure of nonpublic personal
information for consumer reporting purposes (see 12 CFR
1016.15(a)(5)(i), allowing financial institutions to provide
consumers' nonpublic information to consumer reporting agencies in
accordance with the FCRA), or otherwise collected, expected to be
used, or used for the purpose of serving as a factor in establishing
the consumer's eligibility for an FCRA permissible purpose, the
communication of such data would not be a consumer report under
proposed Sec. 1022.4(d).
---------------------------------------------------------------------------
Some stakeholders have raised questions about the impact that this
proposed intervention might have on government agencies' access to
identifying information originating from consumer reporting agencies
for law enforcement and other purposes. Government agencies, including
local, Tribal, State, and Federal law enforcement, access personal
identifiers for numerous beneficial uses. These include
facilitating access to and administering government benefits,
identifying and ruling out suspects for criminal investigations,
identifying witnesses, and other uses that may serve the public
interest.
Law enforcement and other government agencies currently obtain data
from a broad range of sources and proposed Sec. 1022.4(d) would not
affect many of these sources, such as government-run databases
addressed below in the discussion of proposed Sec. 1022.5. To the
extent that government agencies currently use information that would be
affected by proposed Sec. 1022.4(d), they would continue to be able to
access such information in a variety of ways if the proposed rule were
finalized. For example, FCRA section 608 provides that a consumer
reporting agency may furnish to a governmental agency the name,
address, former addresses, places of employment, or former places of
employment of any consumer even if no permissible purpose exists. FCRA
sections 626 and 627 also provide that, under specified circumstances,
consumer reporting agencies must provide certain consumer reporting
information to the FBI and a consumer report and all other information
in a consumer's file to certain government agencies for
counterintelligence or counterterrorism purposes.\148\ If government
agencies required additional information beyond what is available
pursuant to FCRA sections 608, 626, and 627, access could be obtained
through a court order, a subpoena, a consumer's written instructions,
or any other permissible purpose.
---------------------------------------------------------------------------
\148\ 15 U.S.C. 1681u, 1681v.
---------------------------------------------------------------------------
While personal identifiers would remain available to law
enforcement and other government agencies through these various
channels, the CFPB recognizes the value of government agencies' access
to personal identifiers in efficient, consolidated, and timely ways.
The CFPB therefore requests comment on proposed Sec. 1022.4(d) and how
best to maintain government agencies' access to personal identifiers in
order to ensure that the beneficial uses described above can continue
as usual. In particular, the CFPB requests comment on a potential
exemption from Sec. 1022.4(d) for communications consisting
exclusively of personal identifiers that are solely furnished to, or
solely used to furnish to, local, Tribal, State, and Federal
governments.
The CFPB is also continuing to consider the potential impacts of
proposed Sec. 1022.4(d) on the other areas identified by the Small
Business Review Panel. The CFPB requests comment on those impacts and
on ways to mitigate any potentially negative impacts.
Preventing Evasions of the FCRA
In addition to proposing Sec. 1022.4(d) pursuant to the CFPB's
authority to ``prescribe regulations as may be necessary or appropriate
to administer and carry out the purposes and objectives'' of the FCRA,
the CFPB also proposes Sec. 1022.4(d) pursuant to its rulemaking
authority under FCRA section 621(e) to prevent evasions of, and to
facilitate compliance with, the FCRA. Proposed Sec. 1022.4(d) would
facilitate compliance with the FCRA by establishing a clear, bright-
line rule on how the FCRA applies to personal identifiers. It also
would help to prevent evasions of the FCRA where consumer reporting
agencies willfully or otherwise ignore how the personal identifiers
they sell are used or expected to be used or
[[Page 101420]]
wrongly assume such information cannot bear on the specified factors.
The absence of a bright-line rule regarding personal identifiers
could raise more compliance concerns and make the rule more susceptible
to evasions than proposed Sec. 1022.4(d)'s categorical approach. As
noted above, the FTC's staff guidance in the 40 Years Staff Report
indicated that identifying information can be consumer report
information if it bears on any of the seven factors identified in the
FCRA and is used to determine eligibility.\149\ Rather than engaging in
the communication-by-communication analysis required under the FTC's
approach, many consumer reporting agencies and trade associations have
instead taken the position that communication of personal identifiers
is never a consumer report. Indeed, although the FTC recognized decades
ago that communications of age information drawn from consumer
reporting databases fall within the definition of a consumer
report,\150\ consumer reporting agencies have continued to include age
information, such as full or partial dates of birth, in the ``credit
header'' information they sell to entities that have no permissible
purpose under the FCRA, incorrectly claiming that such information is
not covered by the FCRA.\151\ As technology advances, uses of
identifying information in eligibility determinations are likely to
expand and develop in ways that may not be visible to regulators and
consumers, amplifying the concern that consumer reporting agencies may
violate the FCRA in the absence of a bright-line rule regarding
personal identifiers. The CFPB preliminarily determines that proposed
Sec. 1022.4(d)'s categorical approach with respect to personal
identifiers is necessary to facilitate compliance with the FCRA and to
prevent evasion of the FCRA by consumer reporting agencies that sell
personal identifiers without adequately considering whether the
information they are selling constitutes a consumer report.
---------------------------------------------------------------------------
\149\ FTC 40 Years Staff Report, supra note 21, at 21.
\150\ In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb.
10, 2000), <a href="https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf">https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf</a> (concluding based on
the evidence presented that ``age information falls within the
definition of a consumer report''); see also 65 FR 33645, 33668 n.35
(May 24, 2000) (noting that the FTC's 2000 decision determined that
age is consumer report information).
\151\ See, e.g., Matt Wiley, What Is Header Data?, Equifax (Feb.
22, 2021), <a href="https://www.equifax.com/business/blog/-/insight/article/what-is-header-data/">https://www.equifax.com/business/blog/-/insight/article/what-is-header-data/</a>; CLEAR Enhancements Overview, Thomson Reuters,
<a href="https://legal.thomsonreuters.com/content/dam/ewp-m/documents/legal/en/pdf/fact-sheets/clear-enhancements-2021.pdf">https://legal.thomsonreuters.com/content/dam/ewp-m/documents/legal/en/pdf/fact-sheets/clear-enhancements-2021.pdf</a> (announcing inclusion
of full Equifax ``credit header'' information regarding date of
birth in CLEAR database) (last visited Oct. 15, 2024); Letter from
Ron Wyden, Sen., U.S. Senate, to Rohit Chopra, Director, CFPB (Dec.
8, 2021), <a href="https://www.wyden.senate.gov/imo/media/doc/CFPB%20Letter%20120821.pdf">https://www.wyden.senate.gov/imo/media/doc/CFPB%20Letter%20120821.pdf</a> (describing sale of ``credit header''
information from the National Consumer Telecom and Utilities
Exchange including date of birth).
---------------------------------------------------------------------------
The CFPB requests comment on whether, in lieu of adopting the
approach of proposed Sec. 1022.4(d), a final rule should provide that
a communication by a consumer reporting agency of personal identifiers
can be a consumer report if the information meets the two-prong test in
proposed Sec. 1022.4(a)'s definition of consumer report. If the CFPB
adopted this alternative approach in a final rule, the final rule could
provide illustrative examples of communications by consumer reporting
agencies of personal identifiers that are consumer reports, such as
communications of age or address information. The CFPB requests comment
on examples that might be helpful to include if it were to adopt this
alternative approach in a final rule.
4(e) De-Identification of Information
Proposed Sec. 1022.4(e) addresses when a consumer reporting
agency's communication of de-identified information should be
considered a consumer report. Industry participants often assume that
information drawn from a consumer reporting database is not a consumer
report if the information has been aggregated or otherwise stripped of
identifying information. However, information that has been aggregated
or otherwise purportedly de-identified can often be used to re-identify
individuals and to target individuals to receive or not receive
marketing or used in other ways that may violate consumer privacy. The
CFPB is considering a range of options to address the risk of re-
identification of consumer report information that has been de-
identified.\152\ The CFPB therefore proposes three alternative versions
of Sec. 1022.4(e). The proposed alternatives are all designed to
further the FCRA's goal of ensuring the privacy of consumer
information, including by preventing targeted marketing using
purportedly de-identified consumer reporting information that could be
re-identified. Each alternative would have varying effects on the use
of de-identified information as discussed below.
---------------------------------------------------------------------------
\152\ In the Small Business Review Panel Outline, the CFPB
indicated that it was considering proposals to clarify whether and
when ``aggregated or anonymized'' consumer report information
constitutes or does not constitute a consumer report. Small Business
Review Panel Outline, supra note 39, at 11. The CFPB is using the
terms ``de-identified information'' and ``de-identification'' in
this proposal because it believes these terms capture information
that has been stripped of identifiers, through aggregation or other
means, and therefore can encompass information that has been
aggregated or anonymized or both. The term ``de-identified'' is
similar to the term ``anonymized'' that was used in the Outline but
more aptly conveys that there is a possibility that data may be re-
identified.
---------------------------------------------------------------------------
FCRA section 603(d)(1) defines consumer report, in part, as a
``communication of . . . information by a consumer reporting agency
bearing on a consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or
mode of living.'' \153\ FCRA section 603(c) defines a consumer as ``an
individual.'' \154\ Interpreting these terms, the FTC 40 Years Staff
Report states that ``information may constitute a consumer report even
if it does not identify the consumer by name if it could `otherwise
reasonably be linked to the consumer.' '' \155\ Extrapolating from that
statement, many stakeholders today believe that a communication of
information by a consumer reporting agency is not a consumer report if
the information is not linked or reasonably linkable to a specific
individual. Many stakeholders also often seem to assume that
information is not reasonably linkable when in fact it is.
---------------------------------------------------------------------------
\153\ 15 U.S.C. 1681a(d)(1).
\154\ 15 U.S.C. 1681a(c).
\155\ FTC 40 Years Staff Report, supra note 21, at 21.
---------------------------------------------------------------------------
In light of advances in technology and current industry practices,
the CFPB is concerned that the reasonably linkable standard articulated
in the FTC 40 Years Staff Report alone may not be sufficiently
protective of consumer reporting information that, while nominally de-
identified, may in fact be re-identifiable. The CFPB is aware that, in
many cases, consumers may be re-identified with relative ease from
purportedly de-identified datasets.\156\ Indeed, there have been
numerous reports over the years of supposedly de-identified data being
re-identified and revealing potentially sensitive personal information
such as web browsing
[[Page 101421]]
activity,\157\ medical information,\158\ and sexual orientation.\159\
For example, in one well-publicized case, researchers were able to
identify individuals from anonymized Netflix data with the help of
publicly available information.\160\ More recently, scientists reported
developing an algorithm capable of identifying ``99.98 percent of
Americans from almost any available data set with as few as 15
attributes, such as gender, ZIP code or marital status.'' \161\
Presumably, the potential to re-identify data that has been de-
identified will only increase as artificial intelligence and data
analytics technologies continue to improve.\162\ In the FCRA context,
concerns about potential re-identification of data that have been de-
identified are particularly pronounced due to the sensitivity of
consumer report information and the privacy goals that prompted
Congress to enact the statute.
---------------------------------------------------------------------------
\156\ See Kristen Cohen, Fed. Trade Comm'n, Location, Health,
and Other Sensitive Information: FTC Committed to Fully Enforcing
the Law Against Illegal Use and Sharing of Highly Sensitive Data
(July 11, 2022), <a href="https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal">https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal</a>; The White House, Exec. Off. of the
President, Big Data: Seizing Opportunities, Preserving Values, at 8
(May 2014), <a href="https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf">https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf</a>; Fed. Trade
Comm'n, Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers, at iv, 18-22 (Mar.
2012) (hereinafter 2012 FTC Privacy Report), <a href="https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers">https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers</a>; see also Fed. Trade Comm'n,
FTC Staff Report: Self-Regulatory Principles for Online Behavioral
Advertising: Tracking, Targeting, and Technology, at 20-21 (Feb.
2009), <a href="https://www.ftc.gov/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising">https://www.ftc.gov/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising</a>.
\157\ See Press Release, Fed. Trade Comm'n, FTC Order Will Ban
Avast from Selling Browsing Data for Advertising Purposes, Require
It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data
After Claiming Its Products Would Block Online Tracking (Feb. 22,
2024), <a href="https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over">https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over</a> (browsing history combined with
persistent identifiers could be re-identified and connected to
individual consumers).
\158\ Chris Culnane et al., Health Data in an Open World: A
Report on Re-Identifying Patients in the MBS/PBS Dataset and the
Implications for Future Releases of Australian Government Data (Dec.
18, 2017), <a href="https://arxiv.org/pdf/1712.05627">https://arxiv.org/pdf/1712.05627</a>.
\159\ Marisa Iati & Michelle Boorstein, Case of High-Ranking
Cleric Allegedly Tracked on Grindr App Poses Rorschach Test for
Catholics, Wash. Post (July 21, 2021), <a href="https://www.washingtonpost.com/religion/2021/07/21/catholic-official-grindr-reaction/">https://www.washingtonpost.com/religion/2021/07/21/catholic-official-grindr-reaction/</a>.
\160\ Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy
& Identity Prot., Fed. Trade Comm'n, to Reed Freeman, Counsel for
Netflix, Morrison & Foerster LLP, at 2 (Mar. 12, 2010), <a href="https://www.ftc.gov/legal-library/browse/cases-proceedings/closing-letters/netflix-inc">https://www.ftc.gov/legal-library/browse/cases-proceedings/closing-letters/netflix-inc</a>.
\161\ Gina Kolata, Your Data Were `Anonymized'? These Scientists
Can Still Identify You, N.Y. Times (July 23, 2019), <a href="https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html">https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html</a>; see
generally Paige Collings, Debunking the Myth of `Anonymous' Data,
Elec. Frontier Found. (Nov. 10, 2023), <a href="https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymous-data">https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymous-data</a>.
\162\ See 2012 FTC Privacy Report, supra note 156, at 20.
---------------------------------------------------------------------------
The CFPB is aware that consumer reporting agencies offer and sell a
variety of products that include information that has been drawn from
consumer reporting databases and that has been aggregated or otherwise
purportedly de-identified.\163\ Some of these products include
information that has been aggregated at a household or neighborhood
level (e.g., a ZIP Code or ZIP-plus-four Code segmentation); others may
include information aggregated according to specific behavioral
characteristics (e.g., consumers who shop at high-end retailers). Given
the potential ease with which household and other data can be re-
identified, the sale of these types of data raises concerns that
sensitive consumer reporting information may be disclosed in
circumstances where no FCRA permissible purpose exists, such as for
marketing. In light of these concerns, the CFPB is proposing three
alternative versions of Sec. 1022.4(e) and, as noted below, requests
comment on how each alternative, or combinations thereof, would affect
current uses of de-identified information drawn from consumer reporting
databases.
---------------------------------------------------------------------------
\163\ See, e.g., Robinson + Yu, Knowing the Score: New Data,
Underwriting, and Marketing in the Consumer Credit Marketplace, A
Guide for Financial Inclusion Stakeholders, at 2, 17-19 & tbl. 10
(Oct. 2014), <a href="https://www.upturn.org/static/files/Knowing_the_Score_Oct_2014_v1_1.pdf">https://www.upturn.org/static/files/Knowing_the_Score_Oct_2014_v1_1.pdf</a> (providing examples of
aggregated marketing scores and noting that such scores ``have
become a primary way for credit bureaus to sell, and for creditors
and other actors to use, consumers' credit histories to market to
them with greater precision''); FTC Data Broker Report, supra note
25, at 19-21 (describing the creation of lists of consumers who
share similar characteristics, including lists that segment
consumers based on their financial status, e.g., underbanked, credit
worthiness, and upscale retail card holder); In re Trans Union, 129
FTC 417, 493-94 (2000), <a href="https://www.ftc.gov/system/files/documents/commission_decision_volumes/volume-129/vol129complete_0.pdf">https://www.ftc.gov/system/files/documents/commission_decision_volumes/volume-129/vol129complete_0.pdf</a>
(discussing a ZIP-plus-four aggregation, i.e., an average of the
credit data of a geographical area covering 5 to 15 households
divided by the number of people in the area who have credit
reports).
---------------------------------------------------------------------------
Proposed Alternative One
The first proposed version of Sec. 1022.4(e) is a bright-line
approach under which de-identification of information would not be
relevant to a determination of whether the definition of consumer
report is met. Under this alternative, a consumer reporting agency's
communication of de-identified information that would constitute a
consumer report if the information were not de-identified would be a
consumer report, regardless of the measures taken to de-identify the
information. While different methods of de-identification, including
different methods of aggregation, may present varying levels of re-
identification risk, this alternative would set a bright-line rule that
de-identification of information in a communication does not affect
whether the communication is a consumer report. Of the three proposed
alternatives, this would be the most protective of consumer privacy and
would place the greatest restriction on information sharing. This
alternative could address concerns about consumer reporting information
being used for differentiated marketing and pricing, such as sending or
not sending advertisements to certain consumers based on aggregated
indicators of the financial well-being of their neighborhood. This
approach would also provide a bright line for supervisory and
enforcement purposes that would make it easier to identify and prove
violations. However, it would also constrict or eliminate the
availability of de-identified information from consumer reporting
databases for policy analysis and development, research, advocacy work,
model and risk score development, and market monitoring. For example,
the National Mortgage Database (NMDB), which the CFPB and the Federal
Housing Finance Agency (FHFA) jointly established, uses de-identified
information from a nationwide consumer reporting agency to facilitate
Federal agencies' monitoring of the U.S. mortgage markets. Such
information would no longer be available to assist with such monitoring
if the first alternative version of proposed Sec. 1022.4(e) were
finalized. Under this alternative, a consumer reporting agency could
generally only disclose information drawn from a consumer reporting
database for a purpose that is permissible under the FCRA, regardless
of the extent to which the information is de-identified.
Proposed Alternative Two
The second proposed version of Sec. 1022.4(e) would provide that
de-identification of information is not relevant to a determination of
whether the definition of consumer report in Sec. 1022.4(a) is met if
the information is still linked or linkable to a consumer. Under this
alternative, a consumer reporting agency's communication of de-
identified information that would constitute a consumer report if the
information were not de-identified is a consumer report if the
information is still linked or linkable to a consumer. The Office of
Management and Budget (OMB), the National Institute of Standards and
Technology, and various other Federal agencies have used similar
``linked or linkable'' standards in defining ``personally identifiable
[[Page 101422]]
information.'' \164\ For example, the U.S. Securities and Exchange
Commission's crowdfunding regulation defines ``personally identifiable
information'' as ``information that can be used to distinguish or trace
an individual's identity, either alone or when combined with other
personal or identifying information that is linked or linkable to a
specific individual.'' \165\ The ``linked or linkable'' test in the
second proposed version of Sec. 1022.4(e) would be similar to the
``linked or reasonably linkable'' standard in the third proposed
version of Sec. 1022.4(e) (discussed below) but omits the word
``reasonably'' and therefore would be more protective of consumer
privacy and more restrictive of information flows.
---------------------------------------------------------------------------
\164\ E.g., 6 CFR 37.3 (defining personally identifiable
information in Department of Homeland Security's regulation on Real
ID Driver's Licenses and Identification Cards); 45 CFR 75.2
(defining personally identifiable information for purposes of
uniform administrative requirements, cost principles, and audit
requirements for Department of Health and Human Services awards); M-
17-12, Memorandum for Heads of Exec. Dep'ts & Agencies from Shaun
Donovan, Off. of Mgmt. & Budget, at 8 (Jan. 3, 2017), <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf">https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf</a> (defining personally identifiable
information for purposes of Federal agency data breaches); U.S. Gen.
Servs. Admin., Order CIO 2180.2, GSA Rules of Behavior for Handling
Personally Identifiable Information (PII) (Oct. 8, 2019), <a href="https://www.gsa.gov/directives-library/gsa-rules-of-behavior-for-handling-personally-identifiable-information-pii-2">https://www.gsa.gov/directives-library/gsa-rules-of-behavior-for-handling-personally-identifiable-information-pii-2</a>; Erika McCallister et al.,
Nat'l Inst. of Standards and Tech., U.S. Dep't of Com., Special
Publ'n 800-122, Guide to Protecting the Confidentiality of
Personally Identifiable Information (PII) at ES-1 (Apr. 2010),
<a href="https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=904990">https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=904990</a>; U.S.
Dep't of Def., DoD 5400.11-R, Dep't of Def. Privacy Program, at 9
(May 14, 2007), <a href="https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/540011r.pdf">https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/540011r.pdf</a>.
\165\ 17 CFR 227.305.
---------------------------------------------------------------------------
Proposed Alternative Three
The third proposed version of Sec. 1022.4(e) would provide that
de-identification of information is not relevant to a determination of
whether the definition of consumer report is met if at least one of the
conditions set forth in proposed Sec. 1022.4(e)(1)(i) through (iii) is
met. The CFPB designed this proposed alternative to allow uses of de-
identified data that present less risk for consumers, such as research
conducted by academic institutions and government agencies, to
continue, while nonetheless ensuring the FCRA's protections apply where
appropriate (for example, to sales of de-identified consumer report
information when such information is re-identified). Under this
alternative, a consumer reporting agency's communication of de-
identified information that would constitute a consumer report if the
information were not de-identified is a consumer report if at least one
of the conditions set forth in proposed Sec. 1022.4(e)(1)(i) through
(iii) is met. The CFPB could finalize any of the conditions alone or in
combination. The conditions in a final rule thus could include one or
more of the following: (i) the information is still linked or
reasonably linkable to a consumer; (ii) the information is used to
inform a business decision about a particular consumer, such as a
decision whether to target marketing to that consumer; or (iii) a
person that directly or indirectly receives the communication, or any
information from the communication, identifies the consumer to whom
information from the communication pertains.
Using the ``linked or reasonably linkable'' standard set forth in
proposed Sec. 1022.4(e)(1)(i) as a condition in the third proposed
version would be the most consistent with how the FTC has approached
the issue of de-identified information under the FCRA.\166\ A
reasonableness test also is embedded in various other Federal
provisions that address personally identifiable information or other
types of information in identifiable form, such as the Family
Educational Rights and Privacy Act (FERPA) and the Health Insurance
Portability and Accountability Act (HIPAA).\167\ Additionally, the
comprehensive privacy laws that various States have enacted incorporate
a ``linked or reasonably linkable'' approach in defining ``personal
data'' or similar concepts.\168\ While almost any piece of data
theoretically could be linked to a consumer, a reasonableness standard
would consider whether such a link is practical or likely in light of
current technology and context, and could evolve over time as
technology advances. Including ``reasonably'' in the condition might
help to ensure that the rule does not unnecessarily limit the use of
data that does not pose a meaningful risk to consumers, such as
research conducted by government and academic institutions. On the
other hand, it might make Sec. 1022.4(e) more difficult to enforce
than the first and second proposed alternatives, particularly if the
examples and other conditions in the third proposed alternative are not
finalized.
---------------------------------------------------------------------------
\166\ FTC 40 Years Staff Report, supra note 21, at 21.
\167\ See 34 CFR 99.3 (defining personally identifiable
information for purposes of FERPA to include ``information that,
alone or in combination, is linked or linkable to a specific student
that would allow a reasonable person in the school community, who
does not have personal knowledge of the relevant circumstances, to
identify the student with reasonable certainty''); 45 CFR 160.103
(defining individually identifiable health information for purposes
of HIPAA as ``information that is a subset of health
information, including demographic information collected from an
individual . . . [t]hat identifies the individual; or [w]ith respect
to which there is a reasonable basis to believe the information can
be used to identify the individual'').
\168\ See, e.g., Cal. Civ. Code section 1798.140(v)(1) (defining
personal information as ``information that identifies, relates to,
describes, is reasonably capable of being associated with, or could
reasonably be linked, directly or indirectly, with a particular
consumer or household''); Colo. Rev. Stat. section 6-1-1303(17)
(defining personal data as ``information that is linked or
reasonably linkable to an identified or identifiable individual''
and providing that the term ``[d]oes not include de-identified data
or publicly available information''); Va. Code section 59.1-575
(similar).
---------------------------------------------------------------------------
The third proposed version includes in Sec. 1022.4(e)(2) three
examples of information that would be considered linked or reasonably
linkable to a consumer. The three examples are intended to clarify the
``linked or reasonably linkable'' condition in proposed Sec.
1022.4(e)(1)(i) and to ensure the condition is read in a way that is
protective of consumer privacy. The examples could help to clarify when
information that has nominally been aggregated or otherwise stripped of
identifiers is reasonably linkable to a consumer. The first two
examples, in proposed Sec. 1022.4(e)(2)(i) and (ii), are information
that identifies a specific household or that identifies a specific
ZIP+4 Code in which a consumer resides. The risk of re-identification
of information is extremely high when data is provided at the household
level, as households may contain a small number of occupants, and
household data may be merged with other available sources of
information to tease out information about specific occupants.
Similarly, the ZIP+4 Code denotes a highly specific delivery segment
for U.S. mail and can identify a small population, such as the people
who live on one side of a block or in a specific building or house or
who use a specific Post Office box.\169\ Data provided about consumers
in a specif
[…truncated; see source link]