On December 3, the Consumer Financial Protection Bureau (CFPB or Bureau) issued a proposed rule for public comment aimed at amending Regulation V, which implements the Fair Credit Reporting Act (FCRA). The proposed rule seeks to redefine (and, in some cases, rewrite) key terms and provisions within the FCRA, particularly focusing on the activities of purported “data brokers.”

The CFPB’s stated goal is to address the sale of consumer report information by ensuring data brokers are subject to the same regulations as consumer reporting agencies (CRAs). The CFPB cites concerns about the misuse of consumer information for financial scams, identity theft, and other harmful activities. In its press release announcing the proposed rule, the CFPB stated, “Countries of concern, like China and Russia, can purchase detailed personal information about military service members, veterans, government employees, and other Americans for pennies per person.” Additionally, the Bureau stated, “The availability of sensitive contact information poses risks to those who are targeted for their profession, such as judges, police officers, prosecutors, and other government employees. Domestic violence survivors also face grave dangers when their current addresses and phone numbers are readily available for purchase through data brokers.”

Previously, we discussed, here and here, the CFPB’s intention to expand the reach of the FCRA by rulemaking, where Director Rohit Chopra highlighted two main initiatives: (1) defining data brokers as CRAs; and (2) addressing the “confusion” around credit header data. The latest proposed rule reemphasizes both of those issues, proposing to make many data brokers subject to FCRA regulations, and deciding that communications of personal identifiers collected for preparing consumer reports, often known as “credit header” information, are considered consumer reports. However, the CFPB goes far beyond this stated goal and addresses many other areas of consumer reporting, such as imposing new requirements and restrictions on the permissible purposes available to end users to obtain consumer reports from CRAs.

The CFPB will be accepting comments on this latest proposed rule until March 3, 2025. Notably, many of the concerns raised during the CFPB Small Business Review Panel in October 2023 were not addressed in the proposed rule.

The CFPB is considering an effective date of six months to one year after the final rule is published in the Federal Register. However, with the upcoming change in administration, the CFPB may have additional motivations behind proposing this far-reaching rule at this juncture.

Summary of the Proposed Rule

The CFPB’s proposed rule aims to apply the FCRA’s definitions of “consumer report” and “consumer reporting agency” more broadly. Key provisions include:

  • Expanded Definitions of “Used or Expected to Be Used”: The rule proposes a brightline test that would classify data brokers that sell information about a consumer’s credit history, credit score, debt payments, or income as CRAs, regardless of the purpose for which any specific communication of such information is used or expected to be used. The proposed rule would establish two tests for determining whether the “expected to be used” element of the definition of “consumer report” has been met. Under these tests, information in a communication is “expected to be used” for such a purpose if: (1) the person making the communication expects or should expect that a recipient of the information will use it for such a purpose; or (2) it is information about a consumer’s credit history, credit score, debt payments, or income or financial tier. Information would need to satisfy only one of the tests for the “expected to be used” element to be met.
  • Expanded Definition of “Assembles” or “Evaluates”: The CFPB also proposed an expansion of the “assembles” or “evaluates” definition of a CRA. If an entity assembles or evaluates information about consumers, including by even collecting, gathering, or retaining; assessing, verifying, or validating; or contributing to or altering the content of such information, it will be considered a CRA. An example the CFPB provided in the proposed rule is a person assembles or evaluates consumer information when that person retains information about consumers. Thus, a company is at risk of being characterized as assembling or evaluating information about a consumer merely by retaining data files containing consumers’ payment histories in a database or electronic file system.
  • “Credit Header” Information: The rule proposes the term “consumer report” includes a communication by a CRA of a personal identifier, i.e., name, date of birth, addresses, Social Security number, and telephone number, for a consumer that was collected by the CRA in whole or in part for the purpose of preparing a consumer report about the consumer. This would mean that a CRA could only make such a communication if the entity requesting such information has a permissible purpose under the FCRA to obtain it. This approach poses serious risk to fraud uses of consumer information that have not traditionally been treated as consumer reports.
  • Re-identification Prevention: The proposed rule restates the CFPB’s interest in continuing to treat de-identified information as consumer reports subject to all of the FCRA’s protections, even if such de-identified data has also been aggregated.
  • Written Instructions: The proposed rule imposes new obligations on the ability of a CRA to furnish a consumer report in accordance with the written instructions of the consumer. To obtain such authorization from the consumer, the written instructions must contain certain disclosures, be signed by the consumer, and not have been revoked by the consumer.
  • Legitimate Business Needs: The proposed rule provides that the FCRA’s permissible purpose relating to legitimate business needs for consumer reports does not authorize furnishing of consumer reports for marketing. The proposed rule would not interfere with CRAs’ ability to furnish consumer reports to either prevent fraud or verify the identity of a consumer when done in connection with a permissible purpose, like credit applications, government benefits, bank account opening, and rental applications, and in compliance with the FCRA’s other requirements.

The CFPB concurrently published a Fast Facts about the proposed rule.

Our Take

Based on the change in administration, the likelihood of this proposed rule being finalized is slim. President-Elect Trump is expected to replace Director Chopra early in his administration, which could lead to a shift in regulatory priorities and the rescinding, in whole or in part, of this proposed rule.

It may be the case, therefore, that the CFPB is proposing this rule to serve as a blueprint for state legislation, potentially leading to a patchwork of state laws that complicate compliance for data brokers.

We will be publishing more detailed blogs about each of these key provisions in the days to come.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of David N. Anthony David N. Anthony

David Anthony handles litigation against consumer financial services businesses and other highly regulated companies across the United States. He is a strategic thinker who balances his extensive litigation experience with practical business advice to solve companies’ hardest problems.

Photo of Mark Furletti Mark Furletti

Mark helps clients navigate regulatory risks posed by state and federal laws aimed at protecting consumers and small business, particularly in connection with credit, deposit, and payments products. He is a trusted advisor, providing practical legal counsel and advice to providers of financial

Mark helps clients navigate regulatory risks posed by state and federal laws aimed at protecting consumers and small business, particularly in connection with credit, deposit, and payments products. He is a trusted advisor, providing practical legal counsel and advice to providers of financial services across numerous industries.

Photo of David M. Gettings David M. Gettings

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer

Dave is a partner of the firm who focuses on defending clients in consumer class actions and complex commercial litigation nationwide, particularly cases involving a variety of federal and state laws and regulations, including the Fair Credit Reporting Act (FCRA), the Telephone Consumer Protection Act (TCPA) and associated FCC regulations, the Fair Debt Collection Practices Act, the Truth in Lending Act, the Electronic Fund Transfer Act, and many similar state consumer protection statutes.

Photo of Cindy D. Hanson Cindy D. Hanson

Consumer finance clients trust Cindy’s experience and skill to resolve their most challenging cases. Focused on class action defense, Cindy has handled numerous FCRA cases and is the point of contact for consumer protection defense.

Photo of Ethan G. Ostroff Ethan G. Ostroff

Ethan’s practice focuses on financial services litigation and compliance counseling, as well as digital assets and blockchain technology. With a long track record of successful litigation results across the U.S., both bank and non-bank clients rely on him for comprehensive advice throughout their

Ethan’s practice focuses on financial services litigation and compliance counseling, as well as digital assets and blockchain technology. With a long track record of successful litigation results across the U.S., both bank and non-bank clients rely on him for comprehensive advice throughout their business cycle.

Photo of Kim Phan Kim Phan

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the

Kim is a partner in the firm’s Privacy + Cyber Practice Group, where she is a privacy and data security attorney, who also assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach.

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of Tim J. St. George Tim J. St. George

Tim defends institutions nationwide facing class actions and individual lawsuits. He has particular experience litigating consumer class actions, including industry-leading expertise in cases arising under the Fair Credit Reporting Act and its state law counterparts, as well as litigation arising from data breaches.

Photo of Glen Trudel Glen Trudel

A former bank in-house counsel, Glen brings real-world experience to financial institutions, marketplace lenders, fintechs, and other companies grappling with both regulatory and transactional issues.

Photo of Chris Willis Chris Willis

Chris is the co-leader of the Consumer Financial Services Regulatory practice at the firm. He advises financial services institutions facing state and federal government investigations and examinations, counseling them on compliance issues including UDAP/UDAAP, credit reporting, debt collection, and fair lending, and defending…

Chris is the co-leader of the Consumer Financial Services Regulatory practice at the firm. He advises financial services institutions facing state and federal government investigations and examinations, counseling them on compliance issues including UDAP/UDAAP, credit reporting, debt collection, and fair lending, and defending them in individual and class action lawsuits brought by consumers and enforcement actions brought by government agencies.

Photo of Chris Capurso Chris Capurso

Chris focuses his practice on consumer financial services compliance, guiding clients through the many federal and state laws and regulations that impact consumer credit programs.