CFPB Proposes New Rule That, If Finalized, Would Significantly Expand FCRA’s Reach

Cooley alert
December 10, 2024

On December 3, 2024, the Consumer Financial Protection Bureau (CFPB) issued a notice of proposed rulemaking (NPR) – Protecting Americans from Harmful Data Broker Practices. The CFPB’s proposal would amend Regulation V, which implements portions of the Fair Credit Reporting Act (FCRA), in ways that would materially expand the FCRA’s reach and, in certain circumstances, serve as a reversal of long-standing legal interpretations.

Comments on the proposed rule are due to the CFPB by March 3, 2025. Importantly, by March 2025, there will be a new administration in office and likely new leadership heading the CFPB. That leadership may have different priorities and, thus, be less inclined to push forward novel statutory interpretations such as those reflected in the NPR.

Even if the rule is pushed forward and finalized by the CFPB, the next Republican-controlled Congress would have the opportunity – and may be inclined – to block it from going into effect, pursuant to its authority under the Congressional Review Act (CRA).

Overview of the proposed rule

As described in more detail below, the proposed rule seeks, in several ways, to limit the use of consumers’ personal and financial information, and also ensure that entities that frequently engage with this type of information, such as data brokers, are regulated.

1. Data brokers as consumer reporting agencies

The CFPB has been vocal about using the FCRA to better protect against potential misuses of consumers’ financial data, particularly by data brokers. The proposed rule seeks to achieve this through a broad interpretation of the “expected to be used” element of the FCRA’s definition of a “consumer report.”

Under the FCRA, a “consumer report” means any:

  1. Communication of information by a CRA
  2. Bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living
  3. Which is used or expected to be used or collected in whole or in part for the purpose of
  4. Serving as a factor in establishing the consumer’s eligibility for credit, insurance, employment purposes or any other purpose authorized in section 1681b of the FCRA

The proposed rule would provide that the “expected to be used” component of the definition is met if the person making the communication either (1) expects or should expect that the person receiving the information will use it for a FCRA-defined purpose or (2) communicates information about a “consumer’s credit history, credit score, debt payments, or income or financial tier” – given that, according to the CFPB, these are data points that are typically used for FCRA purposes, namely credit underwriting.

The immediate implication of this interpretation is that data brokers who sell, and thus communicate, consumer credit history, credit scores, debt payments or income information would be considered CRAs and prohibited from selling reports containing this information, except where a permissible purpose under the FCRA exists.

2. Communication of ‘credit header’ information would be considered a ‘consumer report’

The proposed rule memorializes a controversial position socialized by the CFPB in its September 2023 FCRA rulemaking outline – specifically, that a communication by a CRA of a “personal identifier” (i.e., a consumer’s name, age, date of birth, address, telephone number, email address, or social security number or individual taxpayer identification number) that was collected in whole or in part for the purpose of preparing a consumer report would by itself constitute a consumer report.

If this aspect of the proposed rule is finalized, a consumer’s “personal identifiers” – otherwise known as “credit header” data – could only be obtained from a CRA by persons with a permissible purpose, as defined by the FCRA. This would likely preclude many actions by entities that frequently rely on credit header data for legitimate purposes, such as identity theft and fraud prevention.

3. Broad interpretation of ‘assembling’ or ‘evaluating’ consumer information for purposes of the definition of CRA

The proposed rule includes an interpretation of the terms “assembling” or “evaluating,” which are components of the FCRA’s definition of a CRA, as encompassing collecting, bringing together, gathering, appraising, assessing, and making a judgment or determination as to the value of a consumer report.

The proposed rule includes examples of activity the CFPB believes would constitute “assembling” or “evaluating.” These reveal that an entity could be viewed as engaging in those activities if it simply “modifies the year date fields [of consumer information it collects and communicates to a third party] to all reflect four, rather than two, digits to ensure consistency” or “retains information about consumers.” If this portion of the rule is finalized, entities that provide innocuous formatting services, as well as those that merely retain consumer data files, could risk being viewed as a CRA if they otherwise satisfy the FCRA’s CRA definition.

4. Communications of de-identified data as consumer reports

Rather than take a firm position on the treatment of de-identified data within the proposed rule, the CFPB presents three options for its treatment under the FCRA. The first option – which reflects that de-identification would not have bearing on whether a communication was a “consumer report” – would dramatically expand the scope of the FCRA.

The other options, while still representing change, more closely align with state privacy laws’ treatment of personally identifiable information as information that is linked or can reasonably be linked to a consumer. Specifically, the CFPB proposes, as other options, that a communication that is “still linked or linkable to a consumer,” or alternatively, “reasonably linkable to the consumer” be considered a consumer report.

5. Strict requirements for and limitations on ‘written instruction’ permissible purpose

Under the FCRA, a CRA may furnish a consumer report to a third party based on the “written instruction” of the consumer. The FCRA, however, lacks explanation regarding what constitutes sufficient “written instruction.” With the proposed rule, the CFPB seeks to fill this gap.

To that end, the proposed rule would require that a CRA or user of a consumer report, seeking to rely on the consumer’s written instruction:

  • Obtain the consumer’s express, informed consent, via a disclosure segregated from other material, that includes certain detailed information (e.g., the name of the person whom the consumer authorizes to obtain their report and the name of the CRA that will furnish the report).
  • Obtain the consumer’s written or electronic signature for the furnishing of their consumer report.

The consumer also must not have revoked their consent.

While there is no specific duration under the FCRA for which a consumer’s “written instruction” remains valid, the proposed rule would limit the time frame to one year.

The proposed rule also would require that where a consumer report is obtained based on the consumer’s written instruction, the recipient of the report may obtain, use and retain the consumer report “only as reasonably necessary to provide the product or service the consumer has requested,” or for the specific use the consumer identifies in the written instruction.

Practically, this means a consumer report obtained via a consumer’s written instruction could only be used for “a single product or service per instruction,” and consumers could be required to provide multiple, separate written instructions, even when interacting with one provider of services. For example, the CFPB says that a consumer would be required to “provide multiple, separate written instructions if the user seeks to obtain a consumer report from more than one consumer reporting agency.”

6. Clarification of the ‘legitimate business need’ permissible purpose

The proposed rule would clarify that one of the permissible purposes provided for in the FCRA – the “legitimate business need” permissible purpose – only applies if a CRA has reason to believe that the consumer has, in fact, initiated a business transaction (as distinguished from merely asking about the availability or pricing of products or services), and does not provide a basis to obtain or use consumer report information for a transaction that the consumer does not initiate. The proposed rule reflects the CFPB’s position that targeted advertising and marketing are not legitimate business needs.

Impact of the proposed rule

The proposed rule is broad in its potential application and, if finalized in its current form, would necessarily impact entities – beyond just data brokers – that would newly be required to comply with the FCRA’s requirements. For example, if “credit header” data and/or de-identified data is deemed a consumer report, this would have implications not only for CRAs, as the providers of such information, but also for entities procuring such information, as the FCRA imposes requirements on the users of consumer reports, including requirements to provide notice when adverse action is taken based on information in a consumer report. However, whether the proposed rule will actually be implemented – in the proposed or any other form – remains unclear given, as noted above, the impending changes in the administration, the CFPB and Congress.

To that end, the proposed rule is part of a broader effort by the current administration to ensure that consumers’ financial data is protected. It comes on the heels of the CFPB’s issuance of the final version of its Section 1033 rule, which is intended to give consumers greater access to and control over their financial data. It also coincides with the CFPB’s call to the states, via a report published in November 2024, to reconsider exemptions to their privacy laws for data and/or entities covered by the FCRA or the federal Gramm-Leach-Bliley Act, which the CFPB asserts leave swaths of consumer data insufficiently protected.