Last week, the Consumer Financial Protection Bureau (“CFPB”) issued an advisory opinion to ensure that companies that use and share credit and background reports have a “permissible purpose” under the Fair Credit Reporting Act (“FCRA”). The credit, criminal, job, and rental records of individuals are a few items consumer reporting agencies gather, compile, and assess. This information is then packaged into a report and used across various industries by creditors, insurers, landlords, employers, and others to make eligibility and other decisions about consumers. This collection, assembly, evaluation, dissemination, and use of vast quantities of often highly sensitive personal and financial information contained within consumer reports pose significant risks to consumer privacy. Thus, to combat these risks and better safeguard individuals’ personal data, the CFPB’s new advisory opinion makes clear that users of credit reports also have express obligations to protect this sensitive data. For these reasons, entities must have a “permissible purpose” when obtaining such reports.
What is a “Permissible Purpose?”
The FCRA protects consumer privacy in multiple ways, including by limiting the circumstances under which consumer reporting agencies may disclose consumer information. One of those ways is by requiring a “permissible purpose.” Historically, the FCRA has prohibited credit reporting agencies from disclosing personal information contained in a consumer report, including a person’s credit history, without a “bona fide reason.” Under the advisory opinion, this “permissible purpose” rule now extends to all companies obtaining and using consumer report information from consumer reporting agencies. All entities issuing or obtaining consumer reports must determine whether a bona fide reason to collect and access such information exists to avoid liability under the FCRA. To illustrate, a permissible purpose exists when a lender requests a credit report to determine the terms and the amount on which it will offer a person a mortgage. Other examples of a “permissible purpose” include, but are not limited to, using an individual’s credit report when:
- considering applications for a line of credit (e.g., home loan, car loan, credit card);
- issuing insurance;
- assessing background checks for gainful employment;
- obtaining a report in connection with the review of an existing financial account; and
- any other legitimate business need in connection with a transaction that a consumer initiated.
Moving Forward: What Impact Does the CFPB’s Opinion Have On Businesses?
Consumer reports play a big role in a variety of industries. Entities that use such reports must ensure that they do not violate consumer privacy by obtaining consumer reports when they lack a permissible purpose for doing so. Plaintiffs most often raise claims alleging that a defendant violated the FCRA by negligently or willfully issuing or obtaining a consumer report for an impermissible purpose. After obtaining the reports, entities must also protect the sensitive personal information contained within the reports and safeguard the reports from potential security incidents and data breaches on their systems. Entities can mitigate potential exposure related to consumer reports by:
- Determining (and documenting) the permissible purpose for which the company is seeking the information, before requesting the consumer report;
- Determining whether the actual consumer report is needed or if a simple service that determines if the contents of the report meet or do not meet the company’s pre-existing requirements (i.e. getting a thumbs up or down on a candidate’s eligibility, as opposed to getting the full report).
- Similarly, examining whether other, less sensitive information, can be used to satisfy business needs other than obtaining a consumer report and using alternative information instead of such reports;
- Ensuring all consumer reports are securely stored; and
- Avoiding long-term storage of consumer reports (ideally, these reports are not kept longer than necessary for their intended purpose).
Taft’s privacy and data security attorneys can assist with questions related to the CFPB advisory opinion or, more generally, FCRA compliance obligations. Stay tuned to our Taft Privacy and Data Security Insights or download our app for more news and information.