The Consumer Financial Protection Bureau (CFPB) issued a new advisory regarding the obligation of credit reporting companies and users of credit reports to protect the public’s data privacy.  Companies using and sharing credit reports and background reports must have a permissible purpose under the Fair Credit Reporting Act.  There is potential criminal liability for certain misconduct.

The advisory opinion makes clear potential violations of the permissible purpose provisions, as described below:

  • Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights: For example, when a credit reporting company uses name-only matching procedures, the items of information appearing on a credit report may not all correspond to a single individual. That means the user of a credit report could be provided a report about a person for whom the user does not have a permissible purpose.
  • It is unlawful to provide credit reports of multiple people as “possible matches”: Credit reporting companies may not provide reports on multiple individuals where the requester only has a permissible purpose to obtain a report on one individual. They must have adequate procedures to find the right person, or else the result may be that they provide a report on at least one wrong person.  
  • Disclaimers about insufficient matching procedures do not cure permissible purpose violations: Disclaimers will not cure a failure to take reasonable steps to ensure the information contained in a credit report is only about the individual for whom the user has a permissible purpose.  
  • Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so: The Fair Credit Reporting Act strictly prohibits anyone from using or obtaining credit reports without a permissible purpose.

The advisory opinion outlines some of the criminal liability provisions in the Fair Credit Reporting Act, including the potential to face criminal liability by obtaining a background report under false pretenses or by providing a report to an unauthorized individual. Covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual.

Read the CFPB’s full press release regarding this advisory opinion, and view the advisory opinion here.

This Member Alert is intended for members of the Receivables Management Association International, is for informational purposes only, and is in no way intended to provide legal advice. Members are encouraged to consult with an attorney of their choice for legal advice concerning this matter.