The Fair Credit Reporting Act (FCRA) and the Privacy of Your Credit Report
- EPIC Defends Privacy Laws in Supreme Court Brief: In an amicus brief for the Supreme Court EPIC defended Congress's authority to enact laws that safeguard the privacy of American consumers. EPIC explained that "Congress enacted laws that establish rights for individuals and imposed obligations on the companies that profit from the collection and use of this data." Spokeo v. Robins arises from a data broker's publication of inaccurate, personal information in violation of the Fair Credit Reporting Act. The data broker charged that, in addition to the violation of federal law, Mr. Robbins must also show that he was specifically harmed. Citing the current epidemic of privacy risks in the United States, including data breaches, identity theft, and financial fraud, EPIC wrote in the brief that this is "not the time for the Supreme Court to limit the ability of individuals to seek redress for violations of privacy rights set out by Congress." The EPIC amicus brief in Spokeo was endorsed by thirty-one technical experts and legal scholars, members of the EPIC Advisory Board. (Sep. 8, 2015)
- EPIC Files Comments on Financial Privacy: EPIC has filed extensive comments in response to a request from the Consumer Financial Protection Bureau. EPIC urged the Bureau to limit the information debt collectors gather on consumers. EPIC advised the Bureau to prohibit debt collectors from contacting employers and others about consumer debt. EPIC also advised the Bureau to require debt collectors to protect the information they acquire and to allow consumers to see the information about hem that js collected. EPIC routinely submits comments to federal agencies, urging them to uphold the Privacy Act and protect individuals from telephone and Internet misuse. In 2004, EPIC submitted comments regarding the "CAN-SPAM" Act and the proposed National "Do Not Email" Registry. In 2006, EPIC testified before Congress regarding the Truth in Caller ID Act of 2006. And in 2009, EPIC submitted comments on the Truth in Caller ID Act of 2009, recommending a prohibition against overriding calling parties' privacy choices. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act. (Sep. 29, 2014)
- EPIC, Coalition Call for Transparency in Public Consumer Database: In comments to the Consumer Financial Protection Bureau, EPIC and other public interest organizations urged the Bureau to publish consumer complaint narratives. The Bureau currently publishes limited complaint information on financial products and services, including debt collection and credit reports. The Bureau is now considering a plan to provide consumer perspectives on experiences with the financial industry. The consumer groups support this effort and also recommend obtaining consumer consent and removing personally identifiable information before posting the complaints. Last year, EPIC uncovered documents revealing that many student debt collection companies fail to meet legal privacy obligations. For more information, see EPIC: Comments on the Fair Debt Collection Practices Act, and EPIC: The Fair Credit Reporting Act. (Sep. 22, 2014)
- Supreme Court Limits Remedies for Credit Card Privacy Violations: In U.S. v. Bormes, the U.S. Supreme Court held that the government could not be sued for violating the Fair Credit Reporting Act under an 1887 law that waived governmental immunity for certain claims "premised on other sources of law." The case arose after an attorney paid a federal-court filing fee with his credit card and noticed that the receipt included personal information in violation of the Fair Credit Reporting Act. He then sued the government under the Little Tucker Act, which waives sovereign immunity "for claims premised on other sources of law." Justice Scalia, writing for a unanimous Court, held that the attorney could not sue the government under the Little Tucker Act because the Fair Credit Reporting Act has its own detailed damages provision, and "[w]here . . . a statute contains its own self-executing remedial scheme, we look only to that statute to determine whether Congress intended to subject the United States to dam¬ages liability." The Court sent the case back to the Seventh Circuit Court of Appeals to determine whether the government may be sued under the Fair Credit Reporting Act itself. For more information, see EPIC: Fair Credit Reporting Act. (Nov. 13, 2012)
- Companies Unblock Links to Free Credit Report Site. The major credit reporting agencies have unblocked links to the free credit report site, annualcreditreport.com. In December 2004, EPIC and other groups urged the Federal Trade Commission to order that the links be unblocked. Congressman Barney Frank (D-MA) wrote (pdf) to the credit industry trade group to summarize changes made at the site to make it more consumer friendly. The World Privacy Forum recommends in a report that individuals call to get their free credit report instead of using the web site to avoid privacy-invasive practices of the credit reporting agencies. For more information, see the EPIC Fair Credit Reporting Act Page. (Mar. 21)
- Coalition Urges FTC to Unblock Links to Free Credit Site. EPIC and five privacy and consumer groups have called upon the FTC to order credit reporting agencies to stop blocking web hyperlinks to a site that provides free credit reports. The letter argues that blocking links violates federal regulations, and that, "Whether intentional or not, every subtle and not so subtle web design tactic has been employed to make www.annualcreditreport.com difficult to find and use." EPIC has posted a webpage that circumvents the blocking. (Dec. 7, 2004)
- Free Credit Report Site Blocks Web Links. Nationwide credit reporting agencies are required under federal law to provide a free credit report to residents of western states online starting December 1, 2004. However, the credit reporting agencies have blocked links to the free site, citing bogus security concerns. By blocking outside links, the companies create a greater risk of phishing because consumers have to type in the URL, and the companies can steer consumers to their expensive, unnecessary credit monitoring services, avoiding their duty to provide free reports. To get your free report, paste the following URL into your browser: http://www.annualcreditreport.com. (Dec. 4, 2004)
The Fair Credit Reporting Act (FCRA), Public Law No. 91-508, was enacted in 1970 to promote accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies (CRAs).
CRAs assemble reports on individuals for businesses, including credit card companies, banks, employers, landlords, and others. The FCRA provides important protections for credit reports, consumer investigatory reports, and employment background checks. The FCRA is a complex statute that has been significantly altered since 1970 by Congress and the courts. The Act's primary protection requires that CRAs follow "reasonable procedures" to protect the confidentiality, accuracy, and relevance of credit information. To do so, the FCRA establishes a framework of Fair Information Practices for personal information that include rights of data quality (right to access and correct), data security, use limitations, requirements for data destruction, notice, user participation (consent), and accountability.
The Federal Trade Commission (FTC) issues commentaries on the statute, but does not engage in rulemaking for the FCRA.
CRAs may also be referred to as "credit bureaus" or "consumer reporting agencies."
- Text of the Fair Credit Reporting Act of 1970, 15 U.S.C. §§ 1681-1681u.
- FTC Commentary on the FCRA, 16 C.F.R. Part 600.
- FTC Staff Opinion Letters on the FCRA.
The FCRA was passed to address a growing credit reporting industry in the United States that compiled "consumer credit reports" and "investigative consumer reports" on individuals. The FCRA was the first federal law to regulate the use of personal information by private businesses.
The first major credit reporting agency, Retail Credit Co, was started in 1899. Over the years, Retail Credit purchased smaller CRAs and expanded its business into selling reports to insurers and employers. By the 1960s, significant controversy surrounded the CRAs because their reports were sometimes used to deny services and opportunities, and individuals had no right to see what was in their file.
By the late 1960s, there was abuse in the industry, including requirements that investigators fill quotas of negative information on data subjects. To do this, some investigators fabricated negative information, others included incomplete information. Additionally, the investigators were collecting "lifestyle" information on data subjects, including their sexual orientation, marital status, drinking habits, and cleanliness. The CRAs were maintaining outdated information, and in some cases, providing the file to law enforcement and to unauthorized persons. Public exposure of the industry resulted in Congressional inquiry and federal regulation of CRAs.
Years of legislative leadership by Representative Leonor Sullivan and Senator William Proxmire resulted in the passage of the FCRA in 1970. After its passage, Senator Proxmire attempted to broaden the FCRA's protections over the next ten years. Shortly the FCRA took effect on April 25, 1971, CRAs were pursued for violations of numerous provisions of the Act. Most recently, in January 2000, the three CRAs paid $2.5 million in a case settlement brought by the FTC.
Comprehensive amendments to the FCRA were made in the Consumer Credit Reporting Reform Act of 1996 (P.L. 104-208). The Amendments contained a number of improvements to the FCRA, but it also included provisions that allow affiliate sharing of credit reports, "prescreening" of credit reports (unsolicited offers of credit made to certain consumers), and limited preemption of stronger state laws on credit.
The FCRA was re-visited by the 108th Congress in 2003, when the body enacted the "Fair and Accurate Credit Transactions Act of 2003" (FACTA). The Act preempts some state privacy protections, but includes a number of improvements to credit reporting law, including free credit reports annually.
- Robert Ellis Smith, Ben Franklin's Web Site, Privacy and Curiosity from Plymouth Rock to the Internet (Privacy Journal, 2000).
- Alan F. Westin, Privacy and Freedom (Athenum 1967). "...the largest American private investigative agency, the Retail Credit Company, which rates persons for a wide variety of purposes including industrial security, has 7,000 investigators, maintains dossiers on forty-two million people, and grosses more than $100 million annually from its activities."
- Vance Packard, The Naked Society (McKay 1964).
- Fair Credit Reporting Act, National Consumer Law Center.
- Be careful with your personally-identifying information, and in particular, do not reveal your Social Security Number, date of birth, or mother's maiden name to others, except when necessary.
- Request your credit report to inspect it for errors, to determine whether accounts have been opened without your knowledge or consent, and to see what entities are requesting your credit history. The CRA may charge you for access to your report. Currently, the charge as set by federal law is $9. The 2003 FACTA amendments
Opt-out of "prescreening." Prescreening is the practice of selling lists of customers based on information in the credit file. This is done in order to send unsolicited offers of credit to individuals. In some cases, malicious actors have intercepted these offers of credit and have opened account in others' names.
- By calling 1-888-5OPTOUT, you can opt-out of "prescreening." Be sure to indicate that you wish to opt-out permanently, otherwise, the CRA will start prescreening you again in five years. To opt-out permanently, you will need to complete a form that the CRAs will send after you complete the call.
- You can also opt-out by sending a letter to the three national CRAs. The FTC has a Sample Opt-Out Letter to assist you.
- Opt-out of marketing offers that derive from affiliate sharing. Under regulations being developed in 2004, individuals will be able to direct financial institutions to stop sending marketing material from their affiliates. This could result in a significant decrease in junk mail and telemarketing, as some banks have hundreds or even thousands of affiliates. Under the FACTA, your bank will be required in 2005 to give notice of how to opt-out of affiliate sharing marketing.
- Opt-out of "affiliate information sharing." Under the FCRA, individuals can prevent banks, credit card companies, and other creditors from sharing "transactional" and other information. It allows a subsidiary of a bank holding company to share credit reports and information from credit or employment or insurance applications with other affiliates even those without permissible purposes.
- If you believe that your credit report has been used improperly, or that other violations of the FCRA have occurred, consider contacting an attorney who concentrates on FCRA litigation. You can locate an appropriate attorney by contacting your state bar. Additionally, you should contact your state's Attorney General, and file a complaint with the Federal Trade Commission.
- Request that the CRAs withhold the last five SSN digits when supplying credit reports (per section 605 of the Fair and Accurate Credit Transactions Act of 2003)
- If you have been--or suspect that you may be--the victim of identity theft you can place a "fraud alert" with the CRAs indicating that you do not allow unauthorized credit to be issued in your name (see "Identity Theft" below).
Because credit reports can include sensitive personal information and because they are used to evaluate the ability to participate in so many different activities in modern life, they are subject regulations that follow a framework of Fair Information Practices.
The FCRA establishes rights and responsibilities for "consumers," "furnishers," and "users" of credit reports:
- Consumers are individuals.
- Furnishers are entities that send information to CRAs regarding creditworthiness in the normal course of business.
- Users of credit reports are entities that request a report to evaluate a consumer for some purpose.
What qualifies as a Credit Reporting Agency (CRA)?
A consumer reporting agency (CRA) is an entity that assembles and sells credit information and financial information about individuals.
There are three national CRAs in the United States: Experian (formerly TRW), Trans Union, and Equifax (formerly Retail Credit Co.). There are also many smaller credit reporting agencies that usually concentrate on reporting on individuals living in certain regions of the country.
Inspection bureaus, companies that sell information to insurance companies and assist in performing background checks, often are considered CRAs as well. Tenant screening and check approval companies are also considered CRAs.
Depending on the nature of the operation, other companies can be considered CRAs. Courts have held that private investigators, detective agencies, collection agencies, and even college placement offices can be CRAs under the law.
Consumer Credit Reports and Investigative Consumer Reports (ICRs)
Consumer credit reports contain information on financial accounts, and include credit card balances and mortgage information. Credit reports are used for evaluating eligibility for credit, insurance, employment, and tenancy; the ability to pay child support; professional licensing (for instance, to become an attorney); or for any purpose that a consumer approves.
A consumer credit report will contain basic identifying information (name, address, previous address, Social Security Number, marital status, employment information, number of children) along with:
- Financial information: Estimated income, employment, bank accounts, value of car and home.
- Public records information: Such as arrests, bankruptcies, and tax liens.
- Tradelines: Credit accounts and their status. This will also include the data subject's payment habits on credit accounts.
- Collection Items: Whether the data subject has unpaid or disputed bills.
- Current Employment and employment history.
- Requests for the credit report: The number of requests for the data subject's report and the identity of the requestors.
- Narrative information: A statement by the data subject or by the furnisher regarding disputed items on the credit report.
- Health information.
Certain information about consumers are excluded from the definition of "credit report." This includes "transaction and experience" information, that is, records of purchases of goods and services by the consumer. Additionally, corporations may share credit report information among affiliates as long as notice and opt-out is provided to the consumer.
CRAs can also prepare "investigative consumer reports," (ICRs) dossiers on consumers that include information on character, reputation, personal characteristics, and mode of living. ICRs are complied from personal interviews with persons who know the consumer. Since ICRs include especially sensitive information, the FCRA affords greater protections for them. For instance, within three days of requesting an ICR, the requestor must inform the consumer that an ICR is being compiled. The consumer also can request a statement explaining the nature and scope of the investigation underlying the ICR.
The Credit "Score"
The credit score is a "grade" of creditworthiness. Individuals with good credit scores can obtain credit more easily, and at lower interest rates. The precise algorithm used to develop the credit score is not publicly known. However, the following factors probably affect the overall number: the amount of money owed to creditors, payment history, whether the individual is seeking new extensions of credit, and the types of credit lines that an individual currently holds.
The Fair and Accurate Credit Transactions Act of 2003 (FACTA), which amended the FCRA, now requires CRAs to disclose a consumer's credit score for a "fair and reasonable fee" (to be determined by the FTC). The disclosure must include the score along with the range of possible scores. Mortgage lending companies must also provide the credit score upon request, in addition to the key factors of the underlying automated underwriting system if one is used. Some credit services companies also sell the credit score and advice for improving it for a fee.
- Credit Score Accuracy and Implications for Consumers (PDF), National Credit Reporting Association (NCRA) and the Consumer Federation of America (CFA), December 2002.
- Richard Le Febvre, AAA American Credit Bureau.
- Credit Where Credit Is Due, Washington Post, January 2, 2003.
- Survey of Three Big Sources Finds Credit Scores Can Clash, Wall Street Journal, December 18, 2002.
- Flaws in Credit Reports Could Hurt Millions of Consumers, Wall Street Journal, December 17, 2002.
- Credit-Scoring Firms Push Sale of Data to Consumers, Wall Street Journal, November 20, 2002.
- Know the Score Before You Borrow, Klipinger Personal Finance, March 6, 2002.
Your Right to Access Your Credit File
You can request your file by contacting the CRA directly. The CRA may charge you a fee for access, which currently is set by the FTC at $9.00. However, six states (Colorado, Georgia, Maryland, Massachusetts, New Jersey, and Vermont) have passed laws that require CRAs to issue a free report to residents upon request. Other states have set a reduced price by statute (Connecticut, Maine, Minnesota, California, and Montana).
You have a right to a free copy when an entity takes an "adverse action" against you based in whole or part on the report. Adverse actions are defined broadly under the act. They include: denial, termination, or an unfavorable change in the offer of credit or insurance; denial or an unfavorable change in employment or licensing. After an adverse action, the user of the credit report must send the individual information on how to obtain a free credit report from the CRA.
Free copies are also justified where the individual is unemployed and seeking employment, where the report is inaccurate because of fraud, and where the individual is on welfare.
Under the Fair and Accurate Credit Transactions Act of 2003 that amended the FCRA, consumers may now request a free annual credit report from each of the three major CRAs. This right will be made available incrementally over time based on geographic location. Although credit reports are made available to users (credit granting companies) instantaneously, consumers will have to wait up to fifteen days to receive their copies. Within one year, the FTC must establish a centralized source where consumers can request these reports. "Nationwide specialty credit reporting agencies" -- insurance, landlord-tenant, employment agencies-- will also be required to provide one free annual credit report upon request.
- Equifax 800.685.1111.
- Experian 888.397.3742.
- Trans Union 800.916.8800.
The Credit "Header"
A credit header is identifying information from a credit report. It includes name, mother's maiden name, date of birth, sex, address, prior addresses, telephone number, and the Social Security Number.
Credit headers came into use after the FTC changed its definition of a credit report in the course of settling a case against TRW (now Experian). The FTC allowed the CRAs to treat headers as "above the line" information and to sell it with no legal protections for the individual. The reasoning was that this information did not relate to credit, and thus should not be considered part of the credit report.
Credit headers are used for location of individuals and for target marketing. They are sold in bulk by the CRAs and can be purchased online.
- Ed Mierzwinski, Data Dealers Seizing Control Over Our Lives, US PIRG.
- Statement of Edmund Mierzwinski, Consumer Program Director, U.S. Public Interest Research Group Testimony Before the Subcommittee on Social Security of the House Committee on Ways and Means Hearing on Use and Misuse of Social Security Numbers, May 22, 2001.
Permissible Uses of the Credit Report
The FCRA limits the use of the credit report to certain purposes. They are:
- Applications for credit, insurance, and rentals for personal, family or household purposes.
- Employment, which includes hiring, promotion, reassignment or retention. A CRA may not release a credit report for employment decisions without consent.
- Court orders, including grand jury subpoenas.
- "Legitimate" business needs in transactions initiated by the consumer for personal, family, or household purposes.
- Account review. Periodically, banks and other companies review credit files to determine whether they wish to retain the individual as a customer.
- Licensing (professional).
- Child support payment determinations.
- Law enforcement access: Government agencies with authority to investigate terrorism and counterintelligence have secret access to credit reports.
Specific prior consent is required before consumer reports with medical information can be released.
Target marketing is not a permissible use of credit reports. Currently, both Equifax and Experian are in a consent agreement with the FTC to not use credit reports for target marketing. Trans Union attempted to challenge the FTC prohibition on using credit information for target marketing but failed in Trans Union v. FTC.
- Trans Union v. FTC, No. 00-1141 (D.C. Cir. 2001), cert. denied, 536 U. S. ____ (2002) . In Trans Union, the Court of Appeals for the District of Columbia Circuit held that tradelines (credit information that includes name, address, date of birth, telephone number, Social Security number, account type, opening date of account, credit limit, account status, and payment history) could not be sold for marketing purposes because they constituted a credit report for purposes of the Fair Credit Reporting Act (FCRA). Further, the Court rejected the profiler's claim that the First and Fifth Amendments invalidated the FCRA.
- Trans Union v. FTC, 81 F.3d 228 (D.C. Cir. 1996)("Trans Union I"). In Trans Union I, the Court of Appeals for the District of Columbia Circuit held that the sale of consumer credit reports for marketing purposes violated the FCRA.
Risk-Based Pricing Notices
The Fair and Accurate Credit Transactions Act of 2003, which updates the FCRA, requires that a creditor notify a consumer when it offers her credit terms that are "materially less favorable than the most favorable terms available to a substantial proportion of consumers." Previous to the amendments, creditors were not required to so inform consumers when the negative information in the credit report resulted in the offer of poor credit terms.Affiliate Marketing
The Fair and Accurate Credit Transactions Act of 2003 also allows consumers to opt-out of affiliate marketing -- a company's use of an affiliate company's information about a consumer for marketing purposes -- for a period of five years (which may be extended for an additional five years). However, communication of other information exempted from the definition of "consumer report" within the FCRA is not subject to a consumer's opt-out. These include, for example, information relating to transactions or experiences between the consumer and the company -- a broad wealth of information.
The Fair and Accurate Credit Transactions Act of 2003 restricts CRAs from reporting medical information in reports that will be used for employment, credit transactions or insurance transactions unless the consumer consents to such disclosures. The consent must be (a) in writing, (b) specific and (c) descriptive of the use for which the agency is disclosing the information (these specific requirements for consent are not necessary if the disclosure if for an insurance transaction). Furthermore, CRAs are prohibited from disclosing the name, address and telephone number of the medical furnisher (e.g. the hospital) responsible for specific information in the report. Creditors are disallowed from using consumer medical information in deciding whether to grant, or to continue granting, credit to a consumer.
Although the sharing of information between affiliates is generally excluded, medical information is extended additional protection. The following types of information are protected: an individualized list or description based on the consumer's payment transactions for medical products or services, or an aggregate list of consumers who paid for a medical product or service. On the other hand, exceptions are provided for certain information exchanges including those related to insurance transactions and disclosures authorized by the Department of Health and Services.
Special Rights in the Employment Context--Background Checks
Since September 11, 2001, many employers have either begun or expanded background check programs on current employees or new hires. Because they have become so prevalent, simple background checks can now be done for under $20, and more complex investigations may be hundreds of dollars.
Employers can request standard consumer credit reports or investigative consumer reports (ICRs) on their employees. Employers request the reports for hiring, promotion, reassignment, or retention decisions. In doing so, the employer must certify to the CRA that it will comply with the FCRA. The employer must also gain the individual's written consent before obtaining the report.
A patchwork of federal and state laws do limit the ability of employers to use background checks. Some states do not allow the consideration of arrest data (without a conviction) in employment decisions. Other states allow the consideration of conviction information only in certain circumstances. And, federal Equal Employment Opportunity Commission (EEOC) regulations prevent employers from taking adverse action against an individual for merely having a criminal conviction--the conviction must be relevant to the job, or there must be some other sound business reason for taking action against the individual.
The Fair and Accurate Credit Transactions Act of 2003, which updated the FCRA, excluded additional categories of employee investigation data from credit reports, thus eli mating protections offered by the FCRA. If the investigation is of suspected misconduct relating to employment, compliance with the law, or compliance with preexisting written policies of the employer, such information is not regulated by the FCRA. However, if the employer takes an adverse action due to such investigations, the employee has a right of notice.
The FCRA also prohibits the provision of reports that contain medical information for employment purposes without notice and explicit affirmative consent for release of the health data.
It is important to note that the FCRA does not apply to investigations performed by companies or individuals who are not CRAs.
Law Enforcement Access to the Credit Report
Federal, state, and municipal agencies can obtain basic identifying information (name, address, former address, employment) on any consumer through a CRA.
For many years, the FBI has had access to credit reports for counterintelligence purposes. In order to obtain the report, the FBI has to certify that the information is necessary for "the conduct of an authorized investigation to protect against international terrorism or clandestine intelligence activities." FBI access to the credit report is secret--the CRA is not allowed is disclose that the consumers' file was accessed. The Attorney General is required to report semiannually on the requests made by the FBI for credit reports to Congress.
The USA PATRIOT Act, passed in the wake of the September 11, 2001 terrorist attacks, broadened law enforcement access to credit reports. 15 U.S.C. § 1681v allows any government agency that is authorized to conduct intelligence or counterintelligence investigations or analysis of international terrorism to gain access to credit reports. Similar to the FBI access provision, the agency must certify that the credit report is necessary for investigation or analysis. The CRA is not permitted to disclose that the government agency sought the credit report. But, unlike the FBI provision, requests made under § 1681v do not have to be disclosed to Congress. It is likely that the FBI will use this new route to obtain credit reports than the former one because it lacks the reporting requirement.
The FCRA, like many other privacy statutes, provides a federal baseline of protections for individuals. The FCRA is only partially preemptive, meaning that except in a few narrow circumstances, state legislatures may pass laws to supplement the protections made by the FCRA. Some states have passed laws requiring the CRAs to provide reduced cost, or free credit reports. For detailed information about preemption, see EPIC's Privacy and Preemption Page.
Prior to the Fair and Accurate Credit Transactions Act of 2003 (FACTA) amendments, the FCRA provided that state laws passed after January 1, 2004 that offered greater protections for consumers would preempt the federal FCRA law. With this date -- and threat to the credit reporting industry -- fast approaching, the financial industry worked with Congress to develop and pass the 2003 FACTA amendments, eliminating this provision.
FACTA also overhauled other preemption provisions in FCRA. In "exchange" for the additional rights provided to consumers, broad preemption power was given to the FCRA in the 2003 amendments. All "subject matter" preemption provisions were retained, including matters such as the consumers' right to opt-out of prescreening reports and affiliate exchange of information (except a Vermont law which remains effective). Additionally, other subject matter preemptions were implemented, including the right to opt-out of certain affiliate marketing. The FACTA provides further preemptions for disclosure of credit scores (subject to certain exceptions for existing California and Colorado statutes). Finally, free credit reports are also preemptively regulated by the FACTA (except for existing statutes in CO, GA, ME, MA, NJ, and VA).
The extent to which the FACTA preempts state identity theft laws remains unclear. The provisions appear to allow states to enact stronger laws to protect their citizens from identity theft. But certain areas of identity theft regulation are then specifically excepted, thus again providing preemption. These include areas such truncation of credit/debit card numbers on electronic receipts and requiring CRAs to block identity-theft related information.
Right to Correct Inaccurate Information
Individuals may dispute inaccurate information that appears in a credit report. CRAs are required to investigate disputes and provide a report back to the consumer. If the CRA cannot resolve the dispute, the individual can add a statement to the credit report. Inaccurate or unverifiable information must be removed within 30 days of notice of the dispute. The Fair and Accurate Credit Transactions Act of 2003 (FACTA) -- amendments to the FCRA -- requires that investigation be "reasonable," although this standard is much lower than the requirements in creating the credit report which specify that there be "reasonable procedures to assure maximum possible accuracy."
Individuals may also dispute inaccurate information with the furnisher. If an individual disputes inaccurate information with a furnisher, that furnisher cannot report the information to a CRA without also including a notice of the dispute. If a furnisher determines that the information is inaccurate, it must block that information from being re-reported to CRAs -- a common and major problem in the credit reporting industry.
The FCRA limits the length of time some information can appear in a consumer report. For instance, bankruptcies must be removed from the report after 10 years. Civil suits, civil judgments, paid tax liens, accounts placed for collection, and records of arrest can only appear for 7 years. Records of criminal convictions can remain on the report indefinitely.
The FACTA provides consumers with additional rights to accurate credit information furnishing and reporting. The agencies that oversee FCRA enforcement will issue guidelines and regulations for credit information furnishers to ensure information accuracy and integrity.
Consumers may now directly dispute fraudulent transactions with the furnisher, the result of another FACTA amendment. Previously, a consumer was forced to pursue the dispute only with the CRA. The furnisher must investigate the disputed transactions and inform the consumer of the results. In exchange for this new right, the credit reporting industry successfully lobbied for a provision requiring that consumers be the party to initiate the dispute, disallowing "credit repair" agencies from disputing the transactions on behalf of the consumer. Additionally, the standard applied to furnishers in supplying credit information has been raised. Previously the FCRA required a furnisher to not report information that it "knows or consciously avoids knowing that the information is inaccurate." The FCRA now requires that a CRA not report information that it "knows or has reasonable cause to believe is inaccurate."On the "other end," when a CRA determines that transaction information is fraudulent, it must notify the furnisher that the information has been modified or deleted.
Before the 2003 FACTA amendments, one of consumers' only opportunities to discover the existence of negative information on their credit reports was when they were subjected to an adverse credit decision by an credit granting company. Now, when a furnisher reports negative information, it must notify the consumer within thirty days using a thirty word maximum notice to be designed by the Federal Reserve Board. Unfortunately, it appears that furnishers will be able to avoid meaningful notices because they can insert the notice with the standard contract documentation.
The FCRA affords individuals a private right of action that can be pursued in federal or state court against CRAs, users of credit reports, and furnishers. In certain circumstances, individuals can obtain attorney's fees, court costs, and punitive damages. Additionally, the FTC can enforce provisions of the act. Criminal penalties can be brought against those who knowingly and willfully obtain a consumer report under false pretenses.
The "qualified immunity provision" limits the situations in which a consumer can pursue legal action against a CRA. For the certain types of disclosures -- disclosures to consumers, condition and form of disclosure to consumers, requirements on users, and disclosure by user after taking adverse action against a consumer -- a consumer may only bring suit if the CRA acted with "malice or willful intent to injure." The Fair and Accurate Credit Transactions Act of 2003 (FACTA) amendments to the FCRA expanded the enumerated list of types of disclosure for which CRA liability is limited in this way. These new types of disclosures, which if violated are limited by the qualified immunity, include, among others: the requirement that agencies withhold the last five SSN digits when requested by a consumer; allowing identity theft victims to obtain business transaction information from businesses that have done business with the thief; and requiring mortgage lenders to disclose credit scores to loan applicants.
Furthermore, FACTA incorporated the new furnisher responsibilities into the qualified immunity provisions. These include, for example, requiring financial institutions to notify customers that they are furnishing negative information to CRAs about that customer -- into the qualified immunity provision. Other liability provisions were also limited by FACTA with respect to other new responsibilities established by the amendments. One such limitation prevents consumers from forcing a CRA to issue red flag guidelines and regulations.
The ability of states to pursue legal action against a CRA was also limited by the FACTA amendments. Even for major violations -- failure to provide accurate information, failure to comply with guidelines to protect accuracy and integrity of consumer information, etc. -- states must first obtain an injunction against the CRA. Only then may it seek damages for violations of the FCRA.
The FACTA added significant identity theft provisions to the FCRA, but most of these provisions are remedial and will not prevent identity theft.
These include the ability to issue one-call fraud alerts, extended fraud alerts and active military duty alerts. Additionally, new responsibilities are placed on users of credit reports (e.g. a lending company). These include red-flag guidelines, providing identity theft victims with business transaction information, and protecting certain consumer information.
All fraud alerts are now "one-call." If an agency receives a request for a fraud alert, it must notify the other CRAs also. The fraud alert is also communicated to users requesting the consumer's credit report. Additionally, the CRA must notify the consumer of her right to a free credit report which the FACTA requires to be delivered within three days of request. "Initial fraud alerts" last for ninety days.
A fraud alert indicates that a consumer does not authorize new credit, an additional card on an existing account, or increases in the credit limit of an existing account. A consumer may provide a telephone contact number in which case a credit user must verify the consumer's identity over the phone on that number. An exception to that rule allows a credit user to "take reasonable steps" instead of calling the consumer for an "initial fraud alert" or an "active military duty alert."
If the consumer has filed a report with a law enforcement agency, she may request an "extended fraud alert" that lasts for seven years. CRAs must also exclude the consumer from prescreening lists for five years. Finally, it must notify the consumer of her right to two free credit reports within twelve months of the fraud alert request. Deployed military personnel can request an "active military duty alert" that remains active for twelve months.
The FACTA requires the FTC, the National Credit Union Administration, and other certain banking agencies to jointly issue regulations requiring creditors to establish "reasonable policies and procedures" for implementing "red flag" guidelines regarding identity theft. Additionally, businesses who have dealt with an identity thief must, under certain circumstances, provide information about those transactions to the identity theft victim. However, the rule is weakened by several provisions, the absence of a consumer's enforcement action, and preemption of state law.
FCRA also now limit data disclosures that can lead to identity theft. Merchants will be required, over time, to truncate credit and debit numbers on electronically printed receipts. Consumers will also have the right to request that a CRA withhold their last five SSN digits on credit reports.
Inadequate CRA security also can contribute to identity theft. In November 2002, a prosecution was brought against a group of suspects who allegedly orchestrated the theft of 30,000 individuals' identities. The suspects used terminals that are commonly present in auto dealerships and apartment finding companies to gain access to thousands of credit reports. The reports were then used to open new lines of credit in others' names.
The FACTA also provides new rights for those that have suffered identity theft. CRAs and credit furnishers must help identity theft victims recover and restore their credit history. If a consumer can show a CRA that identity theft data is included in their report, the CRA must block that information within four days and notify the furnisher of the report of the fraudulent data. The consumer must establish proof of identity, a copy of an identity theft report, the fraudulent information, and a statement that the information is unrelated to any transaction of the consumer.
Furnishers of credit information also have new responsibilities under FACTA. Upon notification of fraudulent data by either a CRA or the consumer herself, the furnisher must not re-send the fraudulent data. Also, for such fraudulent information, the furnisher may not sell the debt, transfer the debt, or place it for collection. A debt collector who is notified by the consumer that the debt may be fraudulent or may have resulted from identity theft is obligated to notify creditors of the fraudulent debt. Finally, a nationwide CRA that receives an identity theft complaint must -- as with identity theft "fraud alerts" -- notify the other CRAs.
The statute of limitations for bringing an action for a violation of the FCRA is two years from the date of discovery of the violation by the consumer, although the action must be brought within five years of the date of the actual violation.
Comprehensive resources on identity theft can be found online at the Privacy Rights Clearinghouse Web Site, the Identity Theft Resource Center Web Site, Mari Frank's Identitytheft.org, the Federal Trade Commission Web Site, and on the Web Site of your State Attorney General.
- Identity Theft: What to Do if It Happens to You, CALPIRG and Privacy Rights Clearinghouse.
- What Can Consumers Do To Avoid Becoming Theft of Identity Victims?, US PIRG.
- Thanks for Not Stealing My Identity, New York Times, December 6, 2002.
- Identity Theft More Often an Inside Job, Old Precautions Less Likely to Avert Costly Crime, Experts Say, Washington Post, December 3, 2002.
- Huge Identity Theft Ring Busted, MSNBC, November 25, 2002.
Consumer Credit Reports Are Often Inaccurate
In order to gain passage of the FCRA in 1970, consumer advocates gave CRAs a big concession--immunity from defamation lawsuits based on information in the reports. Since defamation actions are limited, individuals often obtain redress against CRAs by suing for failure to correct inaccurate information
A March 1998 study conducted by US Public Interest Research Group (US PIRG) showed that 29% of credit reports contained serious inaccuracies (false judgments, false delinquency notices) that could result in denial of credit. Overall, PIRG found that 70% of reports had some type of error. Further, 20% of reports were missing creditworthiness information that would have assisted a consumer in obtaining credit. This results in lost jobs, denied mortgage applications, and higher interest rates for those who do obtain credit.
In the early 1990s, TRW (now Experian) identified all 3,000 residents of Norwich, Vermont as delinquent in property taxes, and failed to correct the inaccuracy after individuals identified the error.
Credit reports can also be inaccurate where there is incomplete information. In 1999, several banks admitted to withholding positive information about individuals so that their customers would not be lured away by competitors offering better credit terms. A 1999 Office of the Comptroller of the Current press release reads: "Some lenders appear to have stopped reporting information about sub prime borrowers to protect against their best customers being picked off by competitors."
US PIRG has recommended some solutions to credit report inaccuracies: First, the CRAs should mail free reports to consumers once a year so that consumers can check the accuracy of their files. Second, the CRAs should be placed on a greater obligation to correct errors and ensure the accuracy of information. This includes repealing portions of the FCRA that give defamation immunity to CRAs. Last, the FTC should ensure that consumers can contact CRA personnel to make corrections.
- Data on Complaints to the FTC Regarding the Credit Reporting Agencies, FTC, June 2003.
- Comptroller Urges Industry to End Abusive Practices And Elevate Customer Service Standards, OCC Press Release, June 7, 1999.
- Mistakes Do Happen: Credit Report Errors Mean Consumers Lose, US PIRG, March 1998.
- What to do if your credit report is wrong, and/or you're a victim of theft of identity, US PIRG.
How the FCRA Could be Improved
Congress amended the FCRA in the 108th (2003-2004) Congress, but further changes are needed:
- When an adverse action is taken based on a information within a credit report, the consumer should automatically receive a copy of the credit report.
- Consumers should receive notice whenever there is a change of an address or when an when inquiries are made based on an address that does not match the report.
- Consumers should have access at no cost to their credit score and to the underlying algorithm used to generate the score. Newly developed credit monitoring services should be provided at no charge to individuals.
- Congress should require CRAs to detail the purposes for which reports are obtained by users.
- There should be parity in obtaining access to a report: that is, businesses should have to provide the same amount and quality of information as consumers have to in order to obtain a report. Currently, in seeking a report, consumers must submit more personal information than businesses must submit.
- Congress should eliminate the distinction between the "credit header" and the actual credit report. In effect, Congress should move the credit header "below the line," so that it can only be used for permissible purposes under the FCRA.
- There should be an opt-in standard for prescreening. Currently, consumers have to opt-out of this information sharing.
- There should be an opt-in standard for affiliate use of credit reports.
- Consumers should have access to their entire file, including the names of sources of negative information.
- The FCRA should not contain preemption provisions.
- Criminal conviction information should be purged from the report after a reasonable number of years.
- Congress should limit the contexts in which a report can be obtained for employment purposes. These should be limited to jobs where employees handle large sums of money, or are genuinely security-sensitive.
Other Consumer Credit Issues
The FCRA implicates important consumer rights issues that are outside the scope of this page. Resources on credit scoring, credit repair, credit discrimination, credit repair, and truth in lending, are listed below.
- Nightmare on Credit Street, US PIRG.
- Your Rights Under the Revised Federal Fair Credit Reporting Act, US PIRG.
- Consumer Credit Publications, FTC.
- The Truth About Credit, State PIRGs.
- Credit Repair Scams: They Make Your Money Disappear, Consumer Action.
- The Truth About Credit and Credit Repair Services, National Consumer Law Center.
Previous Top News
- Coalition Urges Restricted Use of Medical Data in Credit Decisions. EPIC and a coalition of privacy advocacy organizations filed comments (pdf) with five federal agencies which issued a proposed regulation under the Fair and Accurate Credit Transactions Act. The coalition supported the regulation's general prohibition on creditors obtaining or using medical information about a consumer in connection with deciding whether the consumer is eligible for credit. We urged that financial institutions not be permitted to routinely request consent to obtain medical information and that affiliate sharing be limited. For more information, see EPIC's Medical Privacy Page. (May 25, 2004)
- FTC Urged to Create Privacy-Friendly Free Credit Report Site. In comments to the Federal Trade Commission, EPIC and Professor Dan Solove argued that the agency should implement a privacy-friendly central source for free credit reports. This centralized source, which was created by Congress in recent amendments to the Fair Credit Reporting Act, should provide free credit reports without allowing its users' data to be sold by credit reporting agencies. (Apr. 16, 2004)
- Appeals Court Rejects MBNA "Verification" Practices. The U.S. Court of Appeals for the Fourth Circuit has ruled (pdf) that creditors must perform "reasonable" investigations after receiving a customer dispute under the Fair Credit Reporting Act. The case is likely to change dispute processes nationwide by requiring creditors to more fully investigate consumers' claims that incorrect information has been provided to a credit reporting agency. (Feb. 11, 2003)
- President Signs Credit Reporting Bill. President Bush has signed the "Fair and Accurate Credit Transactions Act of 2003" (FACTA). The Act preempts some state privacy protections, but includes a number of improvements to credit reporting law including free credit reports annually. EPIC testified twice before Congress in support of strong privacy protections for medical and affiliate-shared information. For more information, see the EPIC Preemption Page. (Dec. 5, 2003)
- Credit Agencies Perpetuate Inaccurate Consumer Reports. In a submission to a Senate Banking Committee hearing on the Fair Credit Reporting Act, EPIC highlighted structural flaws in the credit reporting system that lead to inaccuracy and consumer frustration. Credit reporting representatives are required to complete 100 consumer files a day and are encouraged not to take simple steps that could resolve disputes. For more information, see the EPIC FCRA Page. (Jul. 10, 2003)
- EPIC Testifies on Credit Reporting Privacy. In testimony before the House Financial Services committee, EPIC Deputy Counsel Chris Jay Hoofnagle urged lawmakers to strengthen privacy and accountability provisions in the Fair Credit Reporting Act (FCRA). Nine leading consumer and civil liberties groups joined the testimony. EPIC also obtained new documents under the FOIA indicating that consumer complaints to the Federal Trade Commission regarding the credit reporting agencies have increased dramatically. (Jul. 9, 2003)
- EPIC Urges Opt-In for Affiliate Sharing. In a submission to the Senate Banking Committee Hearing on Affiliate Sharing and the Fair Credit Reporting Act, EPIC argued that Congress should adopt an opt-in standard for affiliate sharing of personal information. The size of modern financial institutions has diminished individuals' control over their personal information, leading to fraudulent telemarketing and heightened risk of identity theft. (Jun. 26, 2003)
- EPIC Urges Expiration of FCRA Preemption. In an address to the American Banking Association US 2003 Conference, EPIC Legislative Counsel Chris Hoofnagle argued that Congress should allow preemption in the Fair Credit Reporting Act to expire. For more information, see the EPIC Preemption Page. (Feb. 2003)
- Somewhat Fair and Increasingly Accurate, Washington Post, December 11, 2003.
- Study Indicates Mortgage-Rate Bias Against Blacks, Seniors, Washington Post, December 11, 2003.
- Is your life an open book? And who's reading it? If Congress heeds industry groups, a wide audience could see your
data, Akron Beacon Journal, September 8, 2003.
- EDITORIAL A Privacy Message to D.C., LA Times, September 5, 2003.
- Do College Students Need Credit Cards? Hardly., Washington Post, August 28, 2003.
- A Credit Trap For Consumers, Hartford Courant, May 11, 2003.
- TU Loses $5M Punitive Award, As Well As GLB Lawsuit (PDF), Evan Hendrick's Privacy Times, August 5, 2002.
- Bad Credit, Big Premiums, Washington Post, June 18, 2002.
- Suit Says Bank Of America Violates Financial Privacy - Update, Newsbytes, February 14, 2001.
- Nation's Big Three Consumer Reporting Agencies Agree To Pay $2.5 Million To Settle FTC Charges of Violating Fair Credit Reporting Act, FTC Press Release, January 13, 2000.
- California Debt Collection Agency Settles FTC Charges Of Fair Credit Reporting Act Violations, FTC Press Release, August 24, 2000.
- Marketer of Federally Insured Home Improvement Loans Agrees to Pay Civil Penalty for Violations of Federal Law, FTC Press Release, October 14, 1999.
- Privacy, Accuracy and Fairness of Sensitive Personal Information Enhanced for Consumers under Amended Credit Report Statute, FTC Press Release, September 29, 1997.
- Trans Union v. FTC, No. 00-1141 (D.C. Cir. 2001), cert. denied, 536 U. S. 915 (2002) . In Trans Union, the Court of Appeals for the District of Columbia Circuit held that "tradelines" (credit information that includes name, address, date of birth, telephone number, Social Security number, account type, opening date of account, credit limit, account status, and payment history) could not be sold for marketing purposes because they constituted a credit report for purposes of the Fair Credit Reporting Act (FCRA). Further, the Court rejected the profiler's claim that the First and Fifth Amendments invalidated the FCRA.
- FTC v. Citigroup Inc., et al, No. 1:01-CV-606-JTC (N.D. Ga. 2001). In Citigroup, the FTC has alleged that a Citibank company, Associates Corp., used consumer reports for marketing.
- Nelson v. Chase Manhattan Mortgage Corp. (PDF), No. 00-15946 (9th Cir. 2002). In Nelson, the 9th Circuit Court of Appeals ruled that 1996 Amendments to the FCRA granted consumers a private right of action against furnishers of data to CRAs.
- In the Matter of Nationssecurities and Nationsbank, SEC Enforcement Action, May 1998.
- Guimond v Trans Union Credit Info. Co., 45 F3d 1329, 95 (9th. Cir. 1995). The FCRA is to be liberally construed.
- Dun & Bradstreet v. Greenmoss Builders, 472 U.S. 749 (1985). In Dun & Bradstreet, the Supreme Court held that consumer credit reports concern no public issue, and thus receive reduced Constitutional protection.
- Ohio Consumer Law, Burdge Law Office.
- EPIC: Smith v. LexisNexis Screening Solutions, Inc. (6th Cir. 2016)
- Chris Jay Hoofnagle, FCRA: Congress Should Allow Preemption to Expire, Submitted to the ABA US Banking 2003 Conference, March 2003.
- Summary of Consumer Rights Under the FCRA, FTC.
- Fact Sheet 6: How Private Is My Credit Report?, Privacy Rights Clearinghouse.
- Fact Sheet 16: Employment Background Checks, Privacy Rights Clearinghouse.
- Credit Bureaus, Consumers Union.
- Using Consumer Reports: What Employers Need to Know, FTC.
- Using Consumer Reports: What Landlords Need to Know, FTC.
- The Fair Credit Reporting Act, National Consumer Law Center.
- The Cost of Credit, National Consumer Law Center.
- Race and Age Discrimination in Lending Documented, National Community Reinvestment Coalition, December 2003.
- Robert Manning, Credit Card Nation: The Consequences of America's Addiction to Credit, Basic Books, December 2000.
- Credit Discrimination, National Consumer Law Center.
- The Fair Credit Reporting Act: Issues and Policy Options, AARP.
- Consumer Law Resources, Findlaw.com
- FCRA Staff Opinion Letters 1996-2001, FTC.
- Notices of Rights and Duties Under the Fair Credit Reporting Act, FTC Federal Register Notice, 16 CFR Part 601.
- Prescribed Summary of Consumer Rights, FTC Federal Register Notice, 16 CFR Part 601 Appendix A.
- Prescribed Notice of Furnisher Responsibilities, FTC Federal Register Notice, 16 CFR Part 601 Appendix B.
- Prescribed Notice of User Responsibilities, FTC Federal Register Notice, 16 CFR Part 601 Appendix C.
- Major Financial Services Legislation, The Gramm-Leach-Bliley Act (P.L. 106-102): An Overview (PDF), CRS Report for Congress RL30375, updated December 16, 1999.
- International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001, Title III of P.L. 107-56 (PDF), CRS Report for Congress RL31208, updated December 4, 2001.
- Financial Privacy: An Economic Perspective (PDF), CRS Report for Congress RL31758, updated February 25, 2003.
- Financial Privacy Laws Affecting Sharing of Customer Information Among Affiliated Institutions (PDF), CRS Report for Congress RS21427, updated February 27, 2003.
- Privacy Protection for Customer Financial Information (PDF), CRS Report for Congress RS20185, updated February 28, 2003.
- Personal Privacy Protection: The Legislative Response (PDF), CRS Report for Congress RL30671, updated May 24, 2001.
- What constitutes "consumer reporting agency" within meaning of 15 USCS § 1681a(f). 101 ALR Fed 751.
- Validity and construction of state fair credit reporting acts. 12 ALR4th 294.
- L. Bryan Burns, Bakker v. McKinnon: Attorney Faces Punitive Damages For Obtaining Credit Reports On Adverse Litigant, 53 Ark. L. Rev. 73 (2000).
- L. Richard Fischer, Privacy and Accuracy of Personal Information, 3 N.C. Banking Inst. 11 (April 1999).
- Joseph L. Seidel, The Consumer Credit Reporting Reform Act: Information Sharing and Preemption, 2 N.C. Banking Inst. 79 (April 1998).
- Bonnie G. Camden, Fair Credit Reporting Act: What You Don't Know May Hurt You, 57 U. Cin. L. Rev. 267.
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Communications Law and Policy
Jerry Kang and Alan Butler