Excerpted from a Wiley Rein LLP Blog by Ian Barlow, Tawanna Lee, Duane Pozza and Kathleen Scott
Companies that share or sell data, including data brokers, and companies that use data from other companies should pay close attention to the Fair Credit Reporting Act (FCRA) – particularly given renewed scrutiny of third-party data sales. The FCRA is a complex statute, and its application to consumer data flows in the modern digital economy can be complicated. In recent remarks, FTC Commissioner Melissa Holyoak called for the FTC to “robustly enforce” the FCRA, highlighting it as a statute in which Congress explicitly directed the FTC to protect consumer privacy.
Notably, the FCRA is enforced by both the FTC and the Consumer Financial Protection Bureau (CFPB). The FTC was the original agency tasked with enforcing and interpreting the FCRA before the CFPB was formed, and the FTC’s role appears likely to continue even if CFPB enforcement is pulled back. In addition, the FCRA contains a private right of action that presents significant class action litigation risk.
Think a company that shares or sells data is not covered by FCRA? Check again.
Who is covered by and subject to FCRA’s requirements is a fact-intensive question, and the relevant statutory text is somewhat circular. The law’s coverage extends well beyond large, nationwide credit bureaus to reach other kinds of companies that are covered as “consumer reporting agencies” (CRAs), and data that may be covered as “consumer reports.”
Indeed, last year the CFPB initiated a rulemaking to attempt to expand coverage to certain data brokers. The CFPB’s proposed rule arguably would have made every sale of information about a consumer’s credit history, credit score, debt payments, or income tier a “consumer report” that triggers FCRA coverage – even if the information was sold for non-credit uses, including in targeted advertising or training AI models. The proposed regulation did that by indicating those four categories of information are “expected to be used” as a “factor in establishing the consumer’s eligibility for credit, insurance, employment,” or other transaction initiated by the consumer, regardless of the actual nature of the transaction. Although the CFPB later withdrew that rulemaking, the arguments supporting it point to greater scrutiny of financial-related information sold and shared even for non-credit reasons.
Moreover, even under the established legal framework sellers of data should consider the expected use of that data to determine coverage under FCRA, which applies to use of certain data even outside of credit-related purposes, including determining eligibility for insurance and employment. It also applies in cases where the recipient has a “legitimate business need” for the information in connection with a “transaction that is initiated by the consumer.”
Think your data purchase isn’t covered by FCRA because the seller isn’t a CRA? Check again.
Just like companies selling data, companies purchasing data need to determine FCRA applicability by looking at the nature of the transaction and data being purchased. Under FCRA, relevant data includes information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” And when that data is sold to third parties, the data can become a “consumer report” under the FCRA if it is used or should be expected to be used “as a factor in establishing the consumer’s eligibility for credit, insurance, employment,” or business transactions initiated by the consumer. Even if the data is obtained from a company that is not holding itself out as a CRA, the data recipient can be subject to FCRA requirements if the data is found to be effectively a “consumer report.”
For the full story, please click here.