New Advisory Opinion From the CFPB Aims to Protect Consumers’ Privacy
The Consumer Financial Protection Bureau (CFPB) has issued a legal interpretation that requires companies to have a permissible purpose for using or sharing background reports or credit reports. This advisory opinion specifies that users of credit reports and credit reporting companies have certain obligations to protect the data privacy of the public. Additionally, the advisory warns entities subject to these requirements that there could be criminal liability for specific misconduct. This new advisory is good for consumers because, as stated by CFPB Director Rohit Chopra, “Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data.”
Congress has enacted several privacy laws that are sector-specific to protect personal data, including health and educational data. They also passed the Fair Credit Reporting Act (FCRA) in 1970, which provides privacy protection in many sectors. This Act requires companies that gather information about individual consumers, such as data brokers, credit reporting companies, and tenant screeners, to respect consumers’ right to privacy and execute their responsibilities with impartiality and fairness.
According to the FCRA, users who purchase consumer reports must have a legally permissible purpose. This requirement helps protect the consumer, as companies cannot check someone’s consumer information without a legitimate reason. Permissible purposes include, but are not limited to, obtaining credit reports for mortgage applicants, background checks for job applicants, and more.
Permissible Purpose Provisions
Additionally, according to the new advisory opinion, the user of a credit report can be criminally liable if they do not follow the FCRA’s permissible purpose provisions. The advisory opinion specifies:
- If a credit reporting company uses insufficient matching procedures, it may supply a report to an entity without having a permissible purpose. This action violates a consumer’s privacy rights.
- Credit reporting agencies are not permitted to provide several credit reports to an entity as “possible matches” for the intended consumer. The credit reporting agency must have sufficient procedures to obtain a report on the correct person.
- A disclaimer about not having sufficient matching procedures will not protect an agency from violations of permissible purpose requirements.
- Users of credit reports are not allowed to violate an individual’s privacy by obtaining a credit report without a permissible purpose.
The advisory does include some of the FCRA’s criminal liability provisions. For example, it states that entities covered by the FCRA may be criminally liable if they obtain a background check under pretenses or supply an unauthorized person with a background check.
The new advisory opinion provides a reminder of the protections provided by the FCRA. It will also help to ensure companies are held responsible if they violate the FCRA. First, however, consumers should ensure they are familiar with their rights under this Act to confirm that companies respect their rights.
Get a head start on your next job opportunity by running a Self Background Check and discovering the status of your online reputation.