CFPB Fair Credit Reporting Act Rulemaking

In 2023, the Consumer Financial Protection Bureau (CFPB) announced that it was kicking off a rulemaking under the Fair Credit Reporting Act (FCRA) to more tightly regulate data brokers and the use of personal information in consumer reporting. The FCRA is a federal law that promotes accuracy, fairness, and the privacy of personal information collected and held by consumer reporting agencies (CRAs).

The FCRA establishes firm limits on the purposes for which a CRA can collect, sell, or disclose certain personal data, and it requires each CRA to maintain the accuracy of the personal data it holds and to comply with a consumer’s request to access or correct their own information. But in the half century since the FCRA was enacted, the business of collecting and selling personal information has radically changed in scale, complexity, and the threats it poses to privacy.

In response to these changes, the CFPB is poised to update and upgrade existing consumer reporting regulations through its FCRA rulemaking authority. The CFPB released an outline of proposals and alternatives under consideration in September 2023, and the Bureau is expected to soon release a notice of proposed rulemaking.

The CFPB’s Potential Updates to FCRA Rules

Acknowledging the rapid growth and evolution of the consumer reporting market since the FCRA was enacted in 1970, the CFPB is considering a variety of proposals to update the FCRA. These include:

  • Clarifying the FCRA’s applicability to data brokers: The FCRA applies to “consumer reporting agencies” that furnish “consumer reports.” These terms are defined broadly in the FCRA and include many of the activities data brokers regularly engage in. The CFPB is considering proposals to clarify the applicability of the FCRA to data brokers.
    • First, the CFPB may clarify that the definition of “consumer reports” includes all consumer information provided to a third party for a “permissible purpose,” as defined in the statute, even if the data broker providing the information to the third party did not know that the information was intended to be used for that purpose.
    • Second, the CFPB may clarify that data brokers that sell certain types of consumer data, including data typically used to make credit and employment eligibility determinations, are CRAs subject to the FCRA.
    • Third, data brokers that collect consumer information for permissible purposes, which are set forth by the FCRA, may be subject to obligations under the FCRA, including not to sell that consumer information for non-permissible purposes and not to obtain consumer report information from a consumer reporting agency without a permissible purpose.
  • Defining Assembling or Evaluating Consumer Information: The CFPB may clarify that data brokers which facilitate data sharing by accessing consumer information and transmitting the data to third party recipients with the consent of consumers are engaged in “assembling or evaluating” consumer information under the FCRA, as long as the data broker also satisfies the definition of a CRA.
    • The CFPB is considering providing a more bright-line definition to clarify when other third-party entities who also facilitate electronic data access between parties engage in “assembling or evaluating” consumer information.
  • Credit Header Data: Credit header data includes identifying information like an individual’s name, address, Social Security number, and phone numbers. Some CRAs sell credit header data for marketing or law enforcement purposes, which are not authorized purposes under the FCRA.
    • The CFPB is considering a proposal to clarify the extent to which credit header data constitutes a consumer report, which would likely reduce a CRA’s ability to sell or disclose credit header data without a permissible purpose.
  • Targeted Marketing and Aggregated Data: The FCRA generally prohibits CRAs from furnishing consumer reports to third parties except for specific permissible purposes. Marketing and advertising are not permissible purposes under the FCRA.
    • In some instances, CRAs combine consumer reports with third party data and then deliver marketing materials on behalf of the third party. The CFPB is considering a proposal to clarify that even though a CRA in this situation has not shared information with the third party, the CRA has still furnished a consumer report to a user without a permissible purpose.
    • The CFPB is also considering proposals to clarify whether and when aggregated or anonymized consumer report information constitutes a consumer report.
  • Permissible Purposes: The CFPB is considering proposals to clarify and interpret the scope of the “written instructions of the consumer” and “legitimate business need” permissible purposes.
  • Data Security and Data Breaches: The CFPB is considering a proposal addressing CRAs’ obligations to protect consumer reports from data breaches or unauthorized access under the FCRA.
  • Disputes: The FCRA empowers consumers to dispute the completeness and accuracy of the data in their consumer reports.
    • The CFPB is considering proposals related to how CRAs and furnishers must respond to and investigate certain types of consumer disputes, including when the dispute involves a systemic issue, meaning an issue affecting a large number of consumers, such as outdated software or deficiencies in a furnisher’s procedures.
  • Medical Debt Collection Information: The CFPB is considering proposals that would prohibit creditors from using or obtaining medical debt collection information to make credit eligibility determinations and prohibit CRAs from including medical debt collection tradelines on consumer reports.

How the CFPB’s FCRA Rule Updates Would Protect Consumers

Under the rules the CFPB is considering, consumers would be better protected from the harmful practices of the data broker industry. Data brokers use the millions of data points they collect about individuals to predict and influence consumer behavior, combining the personal data they collect with other datasets, mining that data for insights (often using AI tools), and selling personal data to third parties. Because of the types and volume of personal information they collect, data brokers exercise a deep and invasive reach into the lives of consumers.

In addition to the privacy harms caused by industry practices, data brokers also inflict economic and broader social harms. For example, consumers may suffer economic and reputational harms, as well as severe anxiety, when their data collected by a broker is subject to a security breach. Considering certain kinds of personal data when making determinations related to a person’s eligibility for credit, employment, or housing can exacerbate existing inequalities and perpetuate racial bias. Data brokers also pose a significant threat to national security, putting active duty servicemembers and veterans at risk and exposing sensitive information to potential disclosure through blackmail and phishing.

Even as data brokers profit off the intimate details of our lives, we have little transparency into how our personal data is collected, used, and shared, let alone the ability to stop these practices. The data broker industry has exploded as technology has advanced, and the CFPB’s FCRA rulemaking process would help to ensure that the FCRA works to protect consumers in the modern technological landscape. The CFPB’s regulations would clarify that a wide range of data brokers are within the FCRA’s scope. As a result, covered data brokers would only be able to collect consumer information for permissible purposes set forth under the FCRA, and they would only be able to share data they collect with third parties when there is a permissible purpose to do so. Reducing the amount of personal data available for purchase would limit the information that could be subject to a data breach or misused to harm or discriminate against consumers.

Timeline of CFPB Progress Toward an Updated FCRA Rule

  • February 2023: EPIC and a coalition of civil society organizations call on the CFPB to clarify that so-called “credit header data” (which includes names, addresses, and Social Security Numbers) is not exempt from the FCRA. The same groups also call on the CFPB to step up FCRA enforcement and update its FCRA regulations.
  • March 2023: The CFPB launches an inquiry into the business practices of data brokers. The Bureau issues a Request for Information (RFI) seeking public feedback on how data brokers’ business practices impact consumers and details about the types of information data brokers collect and sell.
  • July 2023: EPIC submits extensive comments in response to the CFPB’s RFI. The CFPB also holds a public hearing focusing on coercive credit reporting and medical billing practices.
  • August 2023: CFPB Director Rohit Chopra announces that the CFPB would be developing rules under the FCRA to “prevent misuse and abuse” by data brokers.
  • September 2023: The CFPB announces that the FCRA rulemaking process would include rules to remove medical bills from Americans’ credit reports. The CFPB also releases an outline of proposals and alternatives under consideration. Following the announcement, the CFPB will convene a Small Business Review Panel to seek feedback from representatives of small businesses likely to be affected by the proposed rules. The panel is tasked with preparing written feedback in response to the proposals and questions in the outline provided by the CFPB. The Panel Report will be published in the public rulemaking record once a proposed rule is published.
  • October 2023: EPIC submits further comments commending the CFPB’s rulemaking and suggesting further improvements to the proposals under consideration.
  • December 2023: The CFPB releases the Final Report of the Small Business Review Panel on the CFPB’s Proposals and Alternatives Under Consideration for the Consumer Reporting Rulemaking, which reflects feedback on the proposals from small entity representatives to the panel.
  • June 2024: The CFPB issues a Notice of Proposed Rulemaking to remove medical bills from most credit reports. This proposal was included in the CFPB’s September 2023 outline of proposals and alternatives under consideration and is moving forward separately from the anticipated FCRA rule changes focused on data brokers. 
  • In the Future: After collecting feedback from small business representatives and other stakeholders, the CFPB will issue a proposed rule, or Notice of Proposed Rulemaking (NPRM), in the Federal Register. At that time, members of the public will have an opportunity to submit comments, and the CFPB will consider the comments it receives while formulating the final rule.

Primers on Key Issues at Play in the FCRA Rulemaking

The following is an evolving collection of primers on some of the key issues at play in the CFPB’s FCRA rulemaking:

EPIC’s Work