On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) announced its highly anticipated and controversial proposed rule that primarily aims to bring data brokers within the scope of the Fair Credit Reporting Act (FCRA). Data brokers have long argued that they do not furnish "consumer reports," and thus do not constitute "consumer reporting agencies" subject to the FCRA's obligations. The CFPB catalogues the harms that have resulted from such a stance, namely risks to national security, financial well-being, and personal safety when data brokers sell information to countries of concern, scammers, or stalkers. The proposed rule seeks to cover data brokers by clarifying key provisions within the definition of "consumer report." The proposed rule also aims to shore up consumer protections under the FCRA by interpreting the definition of "consumer reporting agency" more broadly and the permissible purposes for furnishing consumer reports, such as consumer consent and legitimate business needs, more narrowly. The CFPB seeks public comment on the proposed rule, which must be received on or before March 3, 2025.
The CFPB's proposed rule reflects an effort across the current Executive Branch to safeguard the sensitive personal data of Americans. This move comes less than two months after the U.S. Department of Justice announced its proposed rule restricting the transfer of Americans' sensitive information to countries of concern, as analyzed in our prior client alert. In addition, the Federal Trade Commission has been active in this area by bringing enforcement actions against companies selling sensitive location data, including data broker Mobilewalla.
Of course, there will be a change in administration in January 2025 and press reports indicate that the new administration is likely to curb the activities of the CFPB. It is unclear how the CFPB in a Trump administration will deal with this rulemaking proceeding. We will continue to monitor developments in this area.
This alert provides an overview of the key provisions in the CFPB's proposed rule.
Definition of "Consumer Report"
Clarifying the Two-Pronged Definition to Cover Data Brokers
Under 15 U.S.C. § 1681a(d) of the FCRA, a consumer report is:
"any written, oral, or other communication of any information by a consumer reporting agency [1] bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living [2] which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for... credit or insurance to be used primarily for personal, family, or household purposes; employment purposes; or any other purpose authorized under [15 U.S.C. § 1681b]" (emphasis added).
In the proposed rule, § 1022.4(b)-(c) clarifies the CFPB's interpretation of the definition's second prong, which would cover data brokers.
Credit Header Information Covered by "Consumer Report"
Section 1022.4(d) of the proposed rule includes "personal identifiers," otherwise referred to as "credit header" information, within the definition of consumer report. A personal identifier includes the consumer's:
Consumer reporting agencies sell credit header information to third parties, who may not have a permissible purpose for obtaining the information and may seek to exploit it. In addition, the CFPB emphasizes that personal identifiers are central to maintaining accurate consumer reports. By capturing credit header information within the definition of consumer report, consumer reporting agencies must have a permissible purpose before selling such information and would be subject to the FCRA's accuracy obligations.
The CFPB acknowledges criticism of this proposal for potentially limiting the beneficial uses of credit header information. Industry trade groups warn that credit header information is used to prevent money laundering, terrorism financing, fraud online, and more. In response, the CFPB confirms that such uses of credit header information may still occur pursuant to a permissible purpose under the FCRA. Credit header information is also used by law enforcement to assist in criminal investigations or to identify witnesses. The CFPB notes that law enforcement can still access such information through various channels, but it seeks comment on how the proposed rule might be amended to ensure timely access to such information.
De-identification of Information Irrelevant to "Consumer Report" Determination
Section 1022.4(e) contains three proposals for determining when a communication of de-identified information constitutes a consumer report. Consumer reporting agencies sell information that is allegedly de-identified, whether through aggregation or other means, to purchasers who may not have a permissible purpose under the FCRA. However, the CFPB points out that technology increasingly makes it possible to identify individuals within data sets even when de-identification steps have been taken. The CFPB is concerned by the privacy implications of reidentification.
The proposed rule presents the three alternatives in increasingly business-friendly terms. While the first proposal presents a bright-line rule in which the de-identification of information would be wholly irrelevant to determining whether a communication constitutes a consumer report, the two other proposals contemplate different conditions informing this determination. Under the second proposal, the de-identification of information would be irrelevant when the information is "linked or linkable to a consumer." The third alternative proposes that the de-identification of information would be irrelevant if one of the following three conditions is met: 1) the information is "still linked or reasonably linkable to a consumer;" 2) the information is used to inform a business decision about a particular consumer, such as a decision whether to target marketing to that consumer; or 3) a person that directly or indirectly receives the communication, or any information from the communication, identifies the consumer to whom information from the communication pertains.
Definition of "Consumer Reporting Agency"
Under 15 U.S.C. § 1681a(f) of the FCRA, a "consumer reporting agency" is a person who regularly engages in "assembling or evaluating" consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties. Section 1022.5 clarifies the CFPB's interpretation of "assembling or evaluating" consumer information. A person "assembles or evaluates" consumer credit information or other information if they:
The proposed rule also includes illustrative examples of activities that constitute "assembling or evaluating" consumer credit information or other information. Notable examples include determining the value of information by arranging or ordering information to suggest relevance to users or retaining information about consumers through a database or electronic file system. Though these interpretations are broad, the CFPB contends that they will not sweep in entities that have otherwise been outside the scope of the FCRA. Even if entities like newspapers or government agencies "assemble or evaluate" consumer credit information, they do not do so for the purpose of furnishing consumer reports to third parties and would thus not meet the definition of a consumer reporting agency. The CFPB seeks comment on the impact of this interpretation particularly on data aggregators and platforms in the mortgage lending industry.
Permissible Purposes for Furnishing Consumer Reports
Consent
Under 15 U.S.C. § 1681b of the FCRA, a consumer reporting agency may only furnish a consumer report pursuant to a permissible purpose under the statute. One permissible purpose is "in accordance with the written instructions of the consumer to whom the report relates." The CFPB notes that companies attempt to comply with the consumer consent permissible purpose through vague authorizations that are buried in lengthy text that consumers do not understand. The proposed rule sets out conditions for obtaining sufficient consumer consent under the FCRA. Such requirements include express, informed consent with the consumer's signature; easily accessible revocation of consent; and procurement, use, and retention limitations.
Legitimate Business Need
An additional permissible purpose for which a consumer reporting agency may furnish a consumer report is when the consumer reporting agency has reason to believe the third party has a "legitimate business need" for the information. Such a need must fall within one of the following situations: 1) a business transaction initiated by the consumer, or 2) a review of an account to determine whether the consumer continues to meet the terms of the account. The proposed rule clarifies the circumstances that satisfy such legitimate business needs.
Proposed Effective Date
The CFPB also seeks comment on whether a final rule should have an effective date six months or one year following publication in the Federal Register.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning your FCRA compliance efforts, or preparing a comment regarding the CFPB's proposed rule, please contact Chris Olsen, Maneesha Mithal, Libby Weingarten, Jess Cheng, Taylor Stenberg Erb, or any member of the firm's data, privacy, and cybersecurity or fintech and financial services practices.