Protecting Americans From Harmful Data Broker Practices (Regulation V), 101402-101462 [2024-28690]
Federal Register / Vol. 89, No. 240 / Friday, December 13, 2024 / Proposed Rules
CONSUMER FINANCIAL PROTECTION
BUREAU
12 CFR Part 1022
[Docket No. CFPB–2024–0044]
RIN 3170–AB27
Protecting Americans From Harmful
Data Broker Practices (Regulation V)
AGENCY: Consumer Financial Protection
Bureau.
ACTION: Proposed rule; request for
public comment.
SUMMARY: The Consumer Financial
Protection Bureau (CFPB) is issuing a
proposed rule for public comment to
amend Regulation V, which implements
the Fair Credit Reporting Act (FCRA).
The proposed rule would implement the
FCRA’s definitions of consumer report
and consumer reporting agency as well
as certain of the FCRA’s provisions
governing when consumer reporting
agencies may furnish, and users may
obtain, consumer reports. The proposed
rule is designed to, among other things,
ensure that the FCRA’s protections are
applied to sensitive consumer
information that the statute was enacted
to protect, including information sold
by data brokers.
DATES: Comments must be received on
or before March 3, 2025.
ADDRESSES: You may submit comments,
identified by Docket No. CFPB–2024–
0044 or RIN 3170–AB27, by any of the
following methods:
• Federal eRulemaking Portal:
https://www.regulations.gov. Follow the
instructions for submitting comments. A
brief summary of this document will be
available at https://www.regulations.gov/docket/CFPB-2024-0044.
• Email: 2024-NPRM-CONSUMERREPORTING@cfpb.gov. Include Docket
No. CFPB–2024–0044 or RIN 3170–
AB27 in the subject line of the message.
• Mail/Hand Delivery/Courier:
Comment Intake—Protecting Americans
from Harmful Data Broker Practices
(Regulation V), c/o Legal Division
Docket Manager, Consumer Financial
Protection Bureau, 1700 G Street NW,
Washington, DC 20552.
Instructions: The CFPB encourages
the early submission of comments. All
submissions should include the agency
name and docket number or Regulatory
Information Number (RIN) for this
rulemaking. Because paper mail is
subject to delay, commenters are
encouraged to submit comments
electronically. In general, all comments
received will be posted without change
to https://www.regulations.gov.
All submissions, including
attachments and other supporting
materials, will become part of the public
record and subject to public disclosure.
Proprietary information or sensitive
personal information, such as account
numbers or Social Security numbers, or
names of other individuals, should not
be included. Submissions will not be
edited to remove any identifying or
contact information.
FOR FURTHER INFORMATION CONTACT:
George Karithanom, Regulatory
Implementation and Guidance Program
Analyst, Office of Regulations, at 202–435–7700 or
https://reginquiries.consumerfinance.gov/. If you require
this document in an alternative
electronic format, please contact
CFPB_Accessibility@cfpb.gov.
SUPPLEMENTARY INFORMATION: Data
brokers, including consumer reporting
agencies, collect information about,
among other things, the credit, criminal,
employment, and rental histories of
hundreds of millions of Americans.
They analyze and package this
information into reports used by
creditors, insurers, landlords,
employers, and others to make decisions
about consumers. This collection,
assembly, evaluation, dissemination,
and use of vast quantities of often highly
sensitive personal and financial data
about consumers poses a significant
threat to consumer privacy. It can also
threaten national security and facilitate
numerous tangible consumer harms,
such as financial scams and the
identification of victims for stalking and
harassment.
Congress enacted the Fair Credit
Reporting Act (FCRA) 1 in part to protect
consumer privacy by regulating the
communication of consumer
information by consumer reporting
agencies. The statute subjects such
communications, which are referred to
as consumer reports, to certain
requirements and limitations, and it
affords certain protections to
consumers. For example, the FCRA
imposes clear bright-line rules
permitting people to obtain consumer
reports from consumer reporting
agencies only for certain specified
purposes, known as permissible
purposes, and forbidding consumer
reporting agencies from furnishing
consumer reports to users who lack a
permissible purpose. In addition,
consumers have various rights under the
FCRA, such as the right to dispute the
accuracy of information in their file and
to be notified when, for example, a
creditor, landlord, or employer relies on
consumer report information to make a
negative decision about the consumer’s
application for credit, housing, or
employment.
1 15 U.S.C. 1681 et seq.
In recent years, the consumer
reporting marketplace has evolved in
ways that imperil Americans’ privacy.
There is an emerging consensus that
intrusive surveillance and aggregation of
sensitive data about consumers can
create conditions for harming national
security by exposing information that
could be exploited by countries of
concern.2 Stalkers and domestic abusers
can also obtain sensitive contact
information from data brokers to contact
or locate people who do not wish to be
contacted or located, such as domestic
violence survivors. In addition, vast
troves of sensitive data, including, for
example, individualized data about a
consumer’s finances, are bought and
sold, without consumers’ knowledge or
consent, by data brokers who believe
that the FCRA does not apply to them
or to some of their activities. This data
can be leveraged to scam or defraud
people. Data brokers evading coverage
under the FCRA include traditional
consumer reporting agencies and recent
market entrants using new business
models and technologies to collect and
analyze consumer information on an
unprecedented scale. The CFPB is
proposing this rule to address when a
data broker is covered by the FCRA, and
to protect Americans from the harms
and invasions of privacy created by
certain data broker activities that violate
the FCRA.
I. Summary of the Proposed Rule
The CFPB proposes to implement the
FCRA’s definitions of consumer report
and consumer reporting agency in
several respects to ensure that the
FCRA’s protections apply to all data
brokers that transmit the types of
consumer information that Congress
designed the statute to protect, and to
the types of activities that Congress
designed the statute to regulate. For
example, the proposed rule:
• Provides that data brokers that sell
information about a consumer’s credit
history, credit score, debt payments
(including on non-credit obligations), or
income or financial tier generally are
consumer reporting agencies selling
consumer reports, regardless of the
purpose for which any specific
communication of such information is
used or expected to be used;
2 See, e.g., E.O. No. 14117, 89 FR 15421 (Feb. 28,
2024); Justin Sherman et al., Data Brokers and the
Sale of Data on U.S. Military Personnel: Risks to
Privacy, Safety, and National Security (Nov. 2023)
(hereinafter Duke Report on Data Brokers and
Military Personnel Data), https://techpolicy.
sanford.duke.edu/wp-content/uploads/sites/4/
2023/11/Sherman-et-al-2023-Data-Brokers-and-theSale-of-Data-on-US-Military-Personnel.pdf.
• Provides that a communication by a
consumer reporting agency of a portion
of the consumer report that consists of
personal identifiers such as the
consumer’s name, address, or age, is a
consumer report if the information was
collected for the purpose of preparing a
consumer report about the consumer;
• Includes provisions intended to
prevent privacy harms associated with
the re-identification of de-identified
consumer report information;
• Provides that a communication by a
consumer reporting agency of
information about a consumer is a
consumer report if the information is
used for an FCRA-covered purpose,
regardless of whether there is evidence
that the consumer reporting agency
knew or expected that the information
would be used for such a purpose;
• Provides that an entity that
otherwise meets the definition of
consumer reporting agency is a
consumer reporting agency if it
assembles or evaluates information
about consumers, including by
collecting, gathering, or retaining;
assessing, verifying, or validating; or
contributing to or altering the content of
such information.
The CFPB also proposes to address
certain aspects of FCRA section 604(a)
regarding permissible purposes to
furnish and obtain consumer reports.
These proposals are designed to ensure
that consumer reports are furnished for
permissible purposes under the FCRA,
and for no other reasons. For example,
the proposed rule:
• Provides that a consumer reporting
agency furnishes a consumer report to a
person when the consumer reporting
agency facilitates the person’s use of the
consumer report for the person’s
financial gain, even if the consumer
reporting agency does not technically
transfer the consumer report to the
person;
• Provides that the FCRA provision
that authorizes a consumer reporting
agency to furnish a consumer report in
accordance with the written instructions
of the consumer can be used to obtain
a consumer report for any reason
specified by a consumer, but only if the
consumer signs a separate authorization
that is not hidden in fine print and that
discloses certain information to the
consumer, including the reason for
obtaining the report; and
• Provides that the FCRA’s
permissible purpose relating to
legitimate business needs for consumer
reports does not authorize furnishing of
consumer reports for marketing.
The proposal would not interfere with
consumer reporting agencies’ ability to
furnish consumer reports to either
prevent fraud or verify the identity of a
consumer when done in connection
with a permissible purpose, like credit
applications, government benefits, bank
account opening, and rental
applications, and in compliance with
the FCRA’s other requirements.
II. Background
A. History and Purposes of the FCRA
Congress enacted the FCRA, one of
the first data privacy laws in the world,
in 1970. The FCRA’s enactment was the
culmination of multiple Congressional
investigations into the growing data
surveillance industry.3 By the late
1960s, the industry was already of ‘‘vast
size and scope.’’ 4 It involved: (1) the
collection by private entities, known as
consumer reporting agencies, of
information about tens of millions of
American consumers, including
information about ‘‘their employment,
income, billpaying record, marital
status, habits, character and morals’’; 5
(2) the assembly and evaluation of this
information by consumer reporting
agencies in order to create elaborate
dossiers about individual consumers;
and (3) the sale of those dossiers to a
range of entities, including to potential
creditors and employers, who used
them to make eligibility determinations
about consumers.6
Before the FCRA’s passage, the
consumer reporting industry was
subject to ‘‘an almost complete lack of
regulation,’’ 7 leaving consumers largely
powerless to protect themselves from a
wide range of serious harms.8
Congressional hearings revealed an
industry shrouded in secrecy. Many
consumer reporting agencies prohibited
consumer report users from disclosing
to consumers that information in a
consumer report was the reason for an
adverse decision, such as the denial of
credit, or the name of the consumer
reporting agency that prepared the
report on which the user relied.9
3 See generally Robert M. McNamara Jr., The Fair
Credit Reporting Act: A Legislative Overview, 22 J.
Public Law 67, 77–88 (1973) (hereinafter Fair Credit
Reporting Act: A Legislative Overview).
4 115 Cong. Rec. S2410 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire) (‘‘For
example, the Associated Credit Bureaus of America
have over 2,200 members serving 400,000 creditors
in 36,000 communities. These credit bureaus
maintain credit files on more than 110 million
individuals and in 1967 they issued over 97 million
credit reports.’’).
5 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
6 See generally 115 Cong. Rec. S2410–11 (daily
ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
7 S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969).
8 See generally Fair Credit Reporting Act: A
Legislative Overview, supra note 3, at 77–88; S.
Rep. No. 517, 91st Cong., 1st Sess. 3–4 (1969); 115
Cong. Rec. S2410–14 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
According to one contemporary
commentator, ‘‘[w]hether the consumer
ever discovered the cause of his being
rejected was largely a matter of an
educated guess or clairvoyance
bordering on blind luck.’’ 10 But even if
a consumer knew the reason for an
adverse decision and the name of the
consumer reporting agency, this often
was not enough: consumers were not
always permitted to access their files or
dispute inaccurate information.11 And
even if a consumer overcame these
obstacles and managed to file a dispute,
the investigations conducted by
consumer reporting agencies were often
standardless and shoddy, in part
because many consumer reporting
agencies deemed investigations too
costly to conduct.12
Congressional hearings further
revealed that many consumer reporting
agencies at that time exhibited only a
marginal commitment to accuracy.
Consumer reports sometimes included
information that was false or incomplete
or that pertained to the wrong consumer
altogether.13 Indeed, consumer
reporting agencies often disclaimed the
accuracy of their reports, portraying
themselves as mere transmitters of
information without responsibility for
ensuring that the information was
correct.14 Because consumers generally
were unable to see the information for
themselves and have it corrected, the
harms that flowed from the
communication of inaccurate,
incomplete, irrelevant, and outdated
information could be intractable.
Congressional hearings also revealed
that the consumer reporting industry
posed significant privacy risks to
consumers, and the legislative history
suggests that Congress was concerned
about the invasion of consumer privacy
generally, as well as the specific harms
that flow from such invasions.15
9 S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969);
115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
10 Fair Credit Reporting Act: A Legislative
Overview, supra note 3, at 79.
11 S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969);
115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
12 Fair Credit Reporting Act: A Legislative
Overview, supra note 3, at 81–82; S. Rep. No. 517,
91st Cong., 1st Sess. 3 (1969); 115 Cong. Rec. S2412
(daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
13 115 Cong. Rec. S2411–12 (daily ed. Jan. 31,
1969) (statement of Sen. William Proxmire).
14 Fair Credit Reporting Act: A Legislative
Overview, supra note 3, at 80.
Consumer reporting agencies possessed
huge quantities of sensitive information
about tens of millions of Americans, but
there were no ‘‘public standards to
[e]nsure that the information [was] kept
confidential and used only for its
intended purpose’’—a fact that the
primary sponsor of the FCRA, Senator
William Proxmire, described as
‘‘disturbing.’’ 16 As a result, it was
relatively easy for one person to obtain
confidential information about another
person. In one example, a reporter was
able to obtain 10 out of 20 reports
requested at random from 20 consumer
reporting agencies by using the name of
a fictitious company under the guise of
offering credit.17 As Senator Proxmire
noted in introducing the bill that would
become the FCRA, these threats to
consumer privacy were only likely to
increase with ‘‘[t]he growing
accessibility of this information through
computer- and data-transmission
techniques.’’ 18
Congress sought to address these and
other consumer harms in the FCRA. In
enacting the statute, it found that
consumer reporting agencies played a
‘‘vital role’’ in assembling and
evaluating consumer information to
meet the needs of commerce, but that
rules were necessary to ensure that
consumer reporting agencies conduct
their activities in a manner that is ‘‘fair
and equitable to the consumer, with
regard to the confidentiality, accuracy,
relevancy, and proper utilization’’ of
that information.19 Accordingly, the
FCRA established a framework with
four principal pillars: (1) a bright-line
prohibition on using or disseminating
consumer reports unless for one of the
limited permissible purposes identified
by Congress; (2) a requirement that
consumer reporting agencies follow
reasonable procedures to assure the
maximum possible accuracy of
consumer reports; (3) a consumer right
to dispute inaccurate or incomplete
information and have it corrected; and
(4) a consumer right to see the
information that a consumer reporting
agency possesses about the consumer. In
the years since its passage in 1970, the
FCRA has been amended many times,
including to expand the statute’s reach
so that it now imposes obligations not
just on consumer reporting agencies and
consumer report users, but also on the
entities that furnish information to
consumer reporting agencies.20
15 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
16 Id.
17 S. Rep. No. 517, 91st Cong., 1st Sess. 4 (1969);
115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
18 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
19 FCRA section 602, 15 U.S.C. 1681
(Congressional findings and statement of purpose).
The CFPB’s Regulation V, 12 CFR part
1022, generally implements the FCRA.
In 2003, Congress granted the Federal
Trade Commission (FTC) and several
other Federal agencies rulemaking
authority for certain FCRA provisions.21
For some provisions the authority was
joint; for others it was exclusive to a
particular agency. Over the next several
years, the FTC and those agencies
issued multiple rules implementing
various provisions of the statute.22 With
the passage of the Consumer Financial
Protection Act of 2010 (CFPA), Congress
transferred rulemaking authority for
most provisions of the FCRA to the
CFPB.23
B. Goals of the Rulemaking
Protecting Consumer Information in the
Data Broker Market
Today, Americans regularly engage in
activities that reveal personal
information about themselves, often
without realizing it. They may, for
example, visit a website, download an
app, charge an item to a credit card, use
a loyalty card at a grocery store or
pharmacy, order goods online, subscribe
to a newspaper or magazine, or make a
donation. In each instance, the entity
with whom the consumer interacts
might collect information about the
consumer. These entities might sell the
consumer’s information to other entities
with whom the consumer does not have
a relationship, or they might keep or
reuse the information for themselves.
20 See, e.g., Fair & Accurate Credit Transactions
Act of 2003, Public Law 108–159 (2003); Consumer
Credit Reporting Reform Act of 1996, Public Law
104–208 (1996).
21 See Fed. Trade Comm’n, 40 Years of
Experience with the Fair Credit Reporting Act: An
FTC Staff Report with Summary of Interpretations,
at 5–6 (July 2011) (hereinafter FTC 40 Years Staff
Report), https://www.ftc.gov/sites/default/files/
documents/reports/40-years-experience-fair-creditreporting-act-ftc-staff-report-summaryinterpretations/110720fcrareport.pdf.
22 See, e.g., 74 FR 31484 (July 1, 2009); 69 FR
63922 (Nov. 3, 2004); 69 FR 35467 (June 24, 2004).
23 See Dodd-Frank Wall Street Reform and
Consumer Protection Act (Dodd-Frank Act), Public
Law 111–203, section 1088, 124 Stat. 1376, 2086
(2010); see also Dodd-Frank Act sections 1024,
1025, and 1061, 124 Stat. 1987 (codified at 12
U.S.C. 5514, 5515, and 5581). Authority over FCRA
sections 615(e) and 628, 15 U.S.C. 1681m(e) and
1681w, is limited to the Federal banking agencies
and the National Credit Union Administration, the
FTC, the Commodity Futures Trading Commission,
and the U.S. Securities and Exchange Commission.
In addition, section 1029 of the Dodd-Frank Act
generally excludes from the transfer of authority to
the CFPB rulemaking authority over a motor vehicle
dealer that is predominantly engaged in the sale
and servicing of motor vehicles, the leasing and
servicing of motor vehicles, or both. 12 U.S.C.
5519(a) and (c).
Entities that collect, aggregate, sell,
resell, license, enable the use of, or
otherwise share consumer information
with other parties are commonly known
as data brokers.24
Different data brokers compile and
sell different types of consumer
information.25 Much of the information
is private and highly sensitive, such as
information about a consumer’s
finances, income, physical and mental
health, sexual orientation, religious
affiliation, and political preferences, as
well as information about the websites
and apps the consumer visits or uses,
the stores the consumer frequents, the
products the consumer buys, and the
consumer’s location throughout the
day.26 Data brokers obtain this
information from a variety of sources,
including retailers, websites and apps,
newspaper and magazine publishers,
and financial service providers, as well
as cookies and similar technologies that
gather information about consumers’
online activities.27 Other information is
publicly available, such as criminal and
civil record information maintained by
Federal, State, and local courts and
governments, and information available
on the internet, including information
posted by consumers on social media.28
The volume of data collected, bought,
and sold by data brokers is enormous.
24 See 88 FR 16951, 16952–53 (Mar. 21, 2023).
25 See generally Urbano Reviglio, The Untamed
and Discreet Role of Data Brokers in Surveillance
Capitalism: A Transnational and Interdisciplinary
Overview, 11 Internet Policy Review 3 (Aug. 4,
2022), https://policyreview.info/articles/analysis/
untamed-and-discreet-role-data-brokerssurveillance-capitalism-transnational-and; Fed.
Trade Comm’n, Data Brokers: A Call for
Transparency and Accountability, at 11–18, 24, B3–
B6 (May 2014) (hereinafter FTC Data Broker
Report), https://www.ftc.gov/system/files/
documents/reports/data-brokers-call-transparencyaccountability-report-federal-trade-commissionmay-2014/140527databrokerreport.pdf.
26 See Am. Compl. For Permanent Inj. and Other
Relief ¶¶ 72–76, 97–106, FTC v. Kochava, Inc., No.
2:22–cv–00377–BLW (D. Idaho June 5, 2023),
https://www.ftc.gov/system/files/ftc_gov/pdf/
26AmendedComplaint%28unsealed%29.pdf;
Joanne Kim, Duke Sanford Cyber Policy Program,
Data Brokers & the Sale of Americans’ Mental
Health Data (Feb. 2023) (hereinafter Duke Report on
Data Brokers and Mental Health Data), https://
techpolicy.sanford.duke.edu/wp-content/uploads/
sites/4/2023/02/Kim-2023-Data-Brokers-and-theSale-of-Americans-Mental-Health-Data.pdf; FTC
Data Broker Report, supra note 25; Staff of S.
Comm. on Com., Sci., & Transp., A Review of the
Data Broker Industry: Collection, Use, and Sale of
Consumer Data for Marketing Purposes, at ii, 13–
21 (Dec. 18, 2013), https://www.commerce.
senate.gov/services/files/0D2B3642-6221-4888A631-08F2F255B577.
27 See, e.g., Alfred Ng & Jon Keegan, Who is
Policing the Location Data Industry?, The Markup
(Feb. 24, 2022), https://themarkup.org/thebreakdown/2022/02/24/who-is-policing-thelocation-data-industry; FTC Data Broker Report,
supra note 25, at 11–14.
28 See FTC Data Broker Report, supra note 25, at
11–13.
Some of the nation’s largest data brokers
boast that they possess information
about hundreds of millions of American
consumers consisting of billions of data
points, with some data updated
instantaneously.29
Certain data brokers compile the
information they collect into reports
about individual consumers, which they
sell to third parties for use in assessing
a consumer’s eligibility for credit,
employment, or insurance. Data brokers
may also use the information, or the
inferences they have drawn from that
information, to create elaborate dossiers
about consumers for targeted marketing
purposes. For example, a data broker
may use information about a consumer’s
income, location, purchases, or health
condition to classify the consumer—
including, for instance, as ‘‘Financially
Challenged,’’ ‘‘Modest Wages,’’
‘‘Working-class Mom,’’ ‘‘Senior
Products Buyer,’’ or ‘‘Consumer[ ] with
Clinical Depression’’—and then sell lists
of such consumers to advertisers.30 In
addition, data brokers may use the
information they collect to develop and
maintain their own products, such as
‘‘people search’’ engines and other
online lookup tools, to build proprietary
algorithms, to test and run advertising
campaigns, and to train machine
learning systems.31 Some data brokers
simply sell the consumer information
they collect to individual purchasers,
including to other data brokers and
members of the general public.
Government agencies, technology and
privacy experts, consumer advocates,
and others have identified a range of
consumer harms posed by data brokers
that treat consumer information as
though it is not subject to the FCRA.32
As discussed further in part IV, the data
broker industry can threaten national
security.
29 Justin Sherman, Duke Sanford Cyber Policy
Program, Data Brokers and Sensitive Data on U.S.
Individuals: Threats to American Civil Rights,
National Security, and Democracy, at 4–8 (2021)
(hereinafter Duke Report on Data Brokers and
Sensitive Data), https://techpolicy.sanford.
duke.edu/wp-content/uploads/sites/4/2021/08/
Data-Brokers-and-Sensitive-Data-on-USIndividuals-Sherman-2021.pdf.
30 See Duke Report on Data Brokers and Mental
Health Data, supra note 26, at 14; FTC Data Broker
Report, supra note 25, at 20–21.
31 See, e.g., Will Knight, Generative AI Is Making
Companies Even More Thirsty for Your Data, Wired
(Aug. 10, 2023), https://www.wired.com/story/fastforward-generative-ai-companies-thirsty-for-yourdata/.
32 See, e.g., Elec. Privacy Info. Ctr., Disrupting
Data Abuse: Protecting Consumers from
Commercial Surveillance in the Online Ecosystem
(Nov. 2022), https://epic.org/wp-content/uploads/
2022/12/EPIC-FTC-commercial-surveillanceANPRM-comments-Nov2022.pdf; Duke Report on
Data Brokers and Sensitive Data, supra note 29; FTC
Data Broker Report, supra note 25.
For example, countries of
concern can obtain from data brokers
the financial information of active
military members, such as income and
level of indebtedness, to compromise or
blackmail them in an effort to obtain
sensitive national security information.
The data broker industry also is used to
facilitate a range of financial scams. For
example, fraudsters can obtain from
data brokers lists of people with income
below a certain threshold, which can be
used to pitch predatory and unlawful
products to families in financial
distress. The highly sensitive
information collected and sold by data
brokers also is an attractive target for
other bad actors. For example, thieves
can obtain information from data
brokers that enables them to steal
people’s identities and open new
accounts or drain existing ones. And
stalkers, harassers, and other criminals
can use sensitive information obtained
from data brokers to contact people who
do not wish to be contacted, such as
domestic violence survivors.
To date, however, many data brokers
have attempted to avoid liability under
the FCRA by arguing that they are not
consumer reporting agencies selling
consumer reports, as those terms are
defined in the statute. Many data
brokers have made these arguments
even though they collect, assemble,
evaluate, or sell the same information as
other consumer reporting agencies—and
even though their activities pose the
same risks to consumers that motivated
the FCRA’s passage. As explained
further below, the proposed rule
provides that the FCRA’s definitions of
consumer reporting agency and
consumer report cover a wide range of
data brokers and data broker activities
under the FCRA. If the proposed rule is
finalized, one practical effect would be
that additional data brokers would be
prohibited from selling information for
non-FCRA purposes, thus limiting the
transmission of information that is used
to market products to consumers—and
to scam, defraud, stalk, or harass them.
Protecting Consumer Information From
Unauthorized Disclosure by Consumer
Reporting Agencies
The CFPB also has observed that
consumer reporting agencies continue to
engage in practices that may be harmful
to consumers. The consumer credit
reporting industry has consistently been
a major source of consumer complaints
to the CFPB. Complaints about credit or
consumer reporting represented roughly
80 percent of consumer complaints
submitted to the CFPB during 2023, far
more than any other category of
consumer product or service.33 Indeed,
credit or consumer reporting has been
the most-complained-about category of
consumer financial product or service to
the CFPB every year since 2017.34 One
ongoing area of concern for the CFPB is
consumer reporting agencies engaging
in practices that may threaten consumer
privacy.
As discussed above, privacy was a key
motivating factor for passage of the
FCRA, and the FCRA protects consumer
privacy in multiple ways, including by
strictly limiting the circumstances
under which consumer reporting
agencies may disclose consumer
information. For example, FCRA section
604, entitled ‘‘Permissible purposes of
consumer reports,’’ identifies an
exclusive list of permissible purposes
for which consumer reporting agencies
may furnish consumer reports,
including in accordance with the
written instructions of the consumer to
whom the report relates and for
purposes relating to credit, employment,
and insurance.35 The FCRA’s
33 Consumer Fin. Prot. Bureau, Consumer
Response Annual Report, at 11 (Mar. 2024), https://
files.consumerfinance.gov/f/documents/cfpb_crannual-report_2023-03.pdf (noting that the CFPB
received approximately 1.3 million credit or
consumer reporting complaints in 2023, a 34
percent increase compared to 2022).
34 Consumer Fin. Prot. Bureau, Consumer
Response Annual Report, at 11 (Mar. 2023), https://
files.consumerfinance.gov/f/documents/cfpb_2022consumer-response-annual-report_2023-03.pdf;
Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 3 (Mar. 2022), https://files.
consumerfinance.gov/f/documents/cfpb_2021consumer-response-annual-report_2022-03.pdf;
Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 9 (Mar. 2021), https://
files.consumerfinance.gov/f/documents/cfpb_2020consumer-response-annual-report_03-2021.pdf;
Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 9 (Mar. 2020), https://
files.consumerfinance.gov/f/documents/cfpb_
consumer-response-annual-report_2019.pdf;
Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 9 (Mar. 2019), https://
files.consumerfinance.gov/f/documents/cfpb_
consumer-response-annual-report_2018.pdf;
Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 9 (Mar. 2018), https://
files.consumerfinance.gov/f/documents/cfpb_
consumer-response-annual-report_2017.pdf.
35 15 U.S.C. 1681b(a). Other sections of the FCRA
identify additional limited circumstances under
which consumer reporting agencies are permitted or
required to disclose certain information to
government agencies. See FCRA sections 608, 626,
and 627, 15 U.S.C. 1681f, 1681u, 1681v; see also,
e.g., FTC v. Manager, Retail Credit Co., Miami
Beach Branch Off., 515 F.2d 988, 994–95 (D.C. Cir.
1975) (holding that 15 U.S.C. 1681s(a) authorizes
the FTC to obtain consumer reports in FCRA
enforcement investigations). Further, the Debt
Collection Improvement Act of 1996, Public Law
104–134, 110 Stat. 1321, section 31001(m)(1),
allows the head of an executive, judicial, or
legislative agency to obtain a consumer report
under certain circumstances relating to debt
collection. See 31 U.S.C. 3711(h). The proposed
rule is not intended to alter the additional
permissible purpose provisions are
central to the statute’s protection of
consumer privacy. The CFPB is
concerned that sensitive consumer
information that the statute was
designed to protect is being furnished
by consumer reporting agencies to users
that do not have a permissible purpose
under the FCRA to obtain the
information, thereby threatening
consumers’ privacy, and causing
reputational, emotional, economic, and
physical harm to consumers. These
threats have grown more acute as
advances in technology have facilitated
the easy sharing of such consumer
information online.
For example, consumer reporting
agencies sell personal identifiers
collected for the purpose of preparing
consumer reports—often known as
‘‘credit header’’ information—to third
parties who may not have an FCRA-permissible purpose to obtain the
information. The sale by consumer
reporting agencies of personal
identifiers, which may include sensitive
information such as a consumer’s Social
Security number, contributes to the
availability of such information for
purchase online, potentially by
fraudsters and other persons seeking to
dox and expose consumers’ personal
information or otherwise exploit or
harm consumers. The proposed rule
would take steps to address this
problem by providing that the term
‘‘consumer report’’ includes
communications by a consumer
reporting agency of personal identifiers
that were collected for the purpose of
preparing consumer reports and that
such information therefore can be sold
by consumer reporting agencies only to
users who have a permissible purpose to
obtain it.
The CFPB is also aware that consumer
reporting agencies offer and sell to users
who do not have an FCRA permissible
purpose a variety of products that
include information that has been
drawn from consumer reporting
databases and that has been aggregated
or otherwise purportedly de-identified
to try to mask the identities of the
individual consumers to whom the
information relates. This information
may be sold or made available, for
example, for use in marketing
campaigns, even though advertising and
marketing generally are not permissible
purposes under the FCRA.36 As with the
circumstances in which government agencies may
obtain consumer report information.
36 An exception exists for the purpose of making
firm offers of credit or insurance. FCRA section
604(c)(1)(B), 15 U.S.C. 1681b(c)(1)(B). In addition,
a consumer reporting agency may provide a
consumer report to a user ‘‘in accordance with the
sale of personal identifiers, the sale of
purportedly de-identified information
about consumers to users who do not
have an FCRA permissible purpose to
obtain it contributes to the proliferation
of sensitive consumer information
available for purchase online. The CFPB
is concerned that advances in
technology have made, and will
continue to make, it easier for users to
combine data and identify consumers
within purportedly de-identified data
sets, and that the sale of such
information by consumer reporting
agencies thus threatens the privacy of
consumer information in the very ways
Congress designed the FCRA to prevent.
The CFPB proposes three possible
alternatives to address this problem and
clarify when a communication by a
consumer reporting agency of
information about a consumer is a
consumer report.
In addition to general concerns
regarding the privacy of consumers’
sensitive information, the CFPB is
concerned that consumer reporting
agencies are monetizing consumer
report information for use in marketing
in ways that the FCRA prohibits. As
noted, marketing and advertising
generally are not permissible purposes
for furnishing or obtaining consumer
reports. Nevertheless, as technology has
advanced, consumer reporting agencies
have begun to employ techniques and
business models designed to evade this
restriction. The proposed rule would
address these developments and would
emphasize that the FCRA’s legitimate
business need permissible purpose does
not authorize consumer reporting
agencies to furnish consumer reports to
users for solicitation or marketing
purposes.
The CFPB additionally proposes to
specify what is needed to establish a
permissible purpose based on the
written instructions of a consumer. This
proposed provision is intended to
ensure that consumer reporting agencies
and consumer report users do not abuse
the written instructions permissible
purpose by purportedly obtaining
consumer consent to furnish or obtain a
consumer report pursuant to disclosures
buried within lengthy terms and
conditions or otherwise presented to the
consumer in a manner that interferes
with the consumer’s ability to make
informed decisions.
written instructions of the consumer’’ to whom the
report relates. FCRA section 604(a)(2), 15 U.S.C.
1681b(a)(2).
C. Outreach and Engagement
Request for Information
On March 15, 2023, the CFPB issued
a Request for Information (RFI)
regarding the data broker industry and
business practices involving the
collection and sale of consumer
information.37 The RFI sought
information about new business models
that sell consumer data and about
consumer harm that could result from
such business models. The CFPB
received over 7,000 comments in
response to the RFI. The comments
helped to inform the CFPB’s approach
to the proposed rule.
Small Business Review Panel
Pursuant to the Small Business
Regulatory Enforcement Fairness Act of
1996 (SBREFA),38 the CFPB issued an
Outline of Proposals and Alternatives
under Consideration in connection with
this proposal in September 2023.39 The
CFPB convened a Small Business
Review Panel (Panel) on October 16,
2023, and held Panel meetings on
October 18 and 19, 2023.
Representatives from 16 small
businesses were selected as small entity
representatives for the SBREFA process.
These entities represented small
businesses that the CFPB determined
would likely be directly affected by one
or more of the proposals under
consideration. On December 15, 2023,
the Panel completed the Final Report of
the Small Business Review Panel on the
CFPB’s Proposals and Alternatives
Under Consideration for the Consumer
Reporting Rulemaking.40 The CFPB also
invited and received feedback on the
proposals under consideration from
others, including stakeholders other
than small entity representatives,
although this feedback was not included
in the Small Business Review Panel
Report.41 The CFPB has considered the
37 88 FR 16951 (Mar. 21, 2023) (hereinafter CFPB
Data Broker RFI).
38 Public Law 104–121, 110 Stat. 857 (1996).
39 Consumer Fin. Prot. Bureau, Small Business
Advisory Review Panel For Consumer Reporting
Rulemaking—Outline of Proposals and Alternatives
Under Consideration (Sept. 15, 2023) (hereinafter
Small Business Review Panel Outline or Outline),
https://files.consumerfinance.gov/f/documents/
cfpb_consumer-reporting-rule-sbrefa_outline-ofproposals.pdf.
40 Consumer Fin. Prot. Bureau, Final Report of the
Small Business Review Panel on the CFPB’s
Proposals and Alternatives Under Consideration for
the Consumer Reporting Rulemaking (Dec. 15,
2023) (hereinafter Small Business Review Panel
Report or Panel Report), https://
files.consumerfinance.gov/f/documents/cfpb_
sbrefa-final-report_consumer-reporting-rulemaking_
2024-01.pdf.
41 Feedback received on the Small Business
Review Panel Outline will be placed on the public
docket for this rulemaking.
feedback from small entity
representatives and other stakeholders,
as well as the findings and
recommendations of the Small Business
Review Panel, in preparing this
proposed rule. Panel recommendations
regarding specific proposals under
consideration are addressed in part IV.
This proposed rule does not address
feedback received as part of the SBREFA
process about proposals that were under
consideration regarding medical debt
collection information. Those proposals
under consideration were addressed in
the CFPB’s proposed rule regarding
consumer reporting of medical
information.42 This proposed rule also
does not address feedback received as
part of the SBREFA process about
proposals that were under consideration
regarding data security and data
breaches, disputes involving legal
matters, and disputes involving
systemic issues. Those topics are not
included in this proposed rule.
Interagency and Stakeholder
Consultations
Consistent with section 1022(b)(2)(B)
of the CFPA, the CFPB has consulted
with the appropriate prudential
regulators and other Federal agencies,
including regarding consistency with
any prudential, market, or systemic
objectives administered by these
agencies. The CFPB has also consulted
with officials from certain State
agencies. In addition, the CFPB has
discussed the proposed rule with, and
considered written feedback submitted
by, a range of interested stakeholders.
The CFPB discusses throughout this
document feedback received through
these various channels that is relevant
to the proposed rule.
III. Legal Authority
The CFPB is proposing to amend
Regulation V pursuant to its authority
under the FCRA and the CFPA. Section
1022(b)(1) of the CFPA authorizes the
CFPB to prescribe rules ‘‘as may be
necessary or appropriate to enable the
[CFPB] to administer and carry out the
purposes and objectives of the Federal
consumer financial laws, and to prevent
evasions thereof.’’ 43 The FCRA is a
Federal consumer financial law, except
with respect to sections 615(e) and
628.44 Accordingly, the CFPB has
authority under CFPA section 1022(b)(1)
to issue regulations to administer and
carry out the purposes and objectives of
the FCRA and to prevent evasion
thereof, except with respect to sections
615(e) and 628.
FCRA section 621(e) provides that,
except with respect to sections 615(e)
and 628, the CFPB ‘‘shall prescribe such
regulations as are necessary to carry out
the purposes of [the FCRA].’’ 45
Specifically, FCRA section 621(e)
provides that the CFPB ‘‘may prescribe
regulations as may be necessary or
appropriate to administer and carry out
the purposes and objectives’’ of the
FCRA.46 The stated purpose of the
FCRA is to ensure that ‘‘consumer
reporting agencies adopt reasonable
procedures for meeting the needs of
commerce for consumer credit,
personnel, insurance, and other
information in a manner which is fair
and equitable to the consumer, with
regard to the confidentiality, accuracy,
relevancy, and proper utilization of
such information.’’ 47 Except with
respect to sections 615(e) and 628, the
CFPB accordingly has authority to issue
regulations ‘‘necessary or appropriate to
administer and carry out’’ the
provisions of the FCRA consistent with
this purpose.48 FCRA section 621(e)
further provides that the CFPB may
prescribe regulations as may be
necessary and appropriate to prevent
evasions of the FCRA or to facilitate
compliance therewith.49
The CFPB has considered this
proposed rule in the context of its legal
authority under the FCRA and the CFPA
and has developed the proposed
provisions by relying on its expertise in
understanding and developing policy
regarding the consumer reporting
market. The CFPB has preliminarily
determined that each of the proposed
provisions is consistent with the
purpose of the FCRA and is authorized
under FCRA section 621(e) and CFPA
section 1022(b)(1). Pursuant to FCRA
section 621(e), any final rule prescribed
by the CFPB would apply to all persons
42 89 FR 51692 (June 18, 2024) (hereinafter CFPB
Medical Debt Proposed Rule).
43 12 U.S.C. 5512(b)(1).
44 CFPA section 1002(14), 12 U.S.C. 5481(14)
(defining ‘‘Federal consumer financial law’’ to
include the ‘‘enumerated consumer laws’’ and the
provisions of the CFPA); CFPA section 1002(12), 12
U.S.C. 5481(12) (defining ‘‘enumerated consumer
laws’’ to include the FCRA, except with respect to
sections 615(e) and 628).
45 15 U.S.C. 1681s(e).
46 Id.
47 FCRA section 602(b), 15 U.S.C. 1681(b).
48 See Loper Bright Enters. v. Raimondo, 144 S.
Ct. 2244, 2263 (2024) (explaining that Congress’s
use of the term ‘‘appropriate’’ ‘‘leaves agencies with
flexibility’’ in regulating (citation omitted)).
49 Cf. Consumer Fin. Prot. Bureau v. Townstone
Fin., Inc., 107 F.4th 768, 776 (7th Cir. 2024) (‘‘In
endowing the Board with authority to prevent
‘circumvention or evasion,’ Congress indicated that
the [Equal Credit Opportunity Act] must be
construed broadly to effectuate its purpose of
ending discrimination in credit applications.’’).
subject to the FCRA, except as described
in section 1029(a) of the CFPA.50
As noted in proposed § 1022.1(b)(1)
regarding the scope of Regulation V, the
regulation implements only certain
provisions of the FCRA. In this
rulemaking, the CFPB proposes to
implement for the first time in
Regulation V the definitions of
consumer report and consumer
reporting agency in FCRA section 603(d)
and (f) and the permissible purposes of
consumer reports as set forth in FCRA
section 604(a).51 Unless specifically
noted otherwise, the CFPB’s mere
restatement of statutory language is not
intended to affect the status quo
regarding caselaw or judicial or other
interpretations that exist with respect to
such restated language. Explaining the
scope of Regulation V in proposed
§ 1022.1(b)(1) and restating certain
statutory text should facilitate
compliance with the statute, but the
CFPB requests comment on the
proposed approach.
IV. Discussion of the Proposed Rule
Subpart A—General Provisions
Section 1022.4 Definition; Consumer
Report
In general, a consumer report under
the FCRA is a written, oral, or other
communication by a consumer reporting
agency of any information that: (1) bears
on at least one of seven specified factors
relating to a consumer; and (2) is used
or expected to be used or collected in
whole or in part for the purpose of
serving as a factor in establishing the
consumer’s eligibility for credit or
insurance, for employment purposes, or
for any other purpose authorized under
FCRA section 604 (i.e., the section that
establishes permissible purposes of
consumer reports). The seven factors
relating to a consumer specified in the
definition of consumer report are a
50 The CFPB also notes that, subject to certain
exceptions, the FCRA states that it ‘‘does not annul,
alter, affect, or exempt any person subject to [the
FCRA] from complying with the laws of any State
with respect to the collection, distribution, or use
of any information on consumers, or for the
prevention or mitigation of identity theft, except to
the extent that those laws are inconsistent with any
provision of this subchapter, and then only to the
extent of the inconsistency.’’ 15 U.S.C. 1681t(a); see
also Davenport v. Farmers Ins. Grp., 378 F.3d 839,
842 (8th Cir. 2004) (‘‘The FCRA makes clear that it
is not intended to occupy the entire regulatory field
with regard to consumer reports’’). Therefore, State
laws that are not inconsistent with the FCRA—
including State laws that are more protective of
consumers than the FCRA—are generally not
preempted. See 87 FR 41042 (July 11, 2022).
51 The proposed rule does not restate all of FCRA
sections 603 and 604. Among other provisions in
those sections, the proposed rule does not restate
FCRA section 604(c) regarding credit or insurance
transactions that are not initiated by the consumer.
consumer’s creditworthiness, credit
standing, credit capacity, character,
general reputation, personal
characteristics, or mode of living.52 The
CFPB proposes § 1022.4 to implement
and interpret the FCRA definition of
consumer report.
Proposed § 1022.4(a), (f), and (g)
restate the FCRA definition with minor
wording and organizational changes for
clarity.53 Proposed § 1022.4(a)(1)
restates the ‘‘bears on’’ prong of the
definition, proposed § 1022.4(a)(2)
restates the purposes listed in the
definition, and proposed § 1022.4(f) and
(g) restate provisions addressing
exclusions from the definition. The
CFPB proposes § 1022.4(b) through (e)
to address whether and when the
communication of certain consumer
information constitutes a consumer
report, with the goal of ensuring the
FCRA’s protections are applied to such
information. The CFPB also proposes to
revise several provisions in existing
Regulation V that cross-reference the
definition of consumer report in FCRA
section 603(d) to instead cross-reference
the definition in proposed § 1022.4.54
Is Used or Expected To Be Used
Proposed § 1022.4(b) and (c) address
the phrase ‘‘is used or expected to be
used’’ and surrounding elements of the
statutory definition of consumer report.
The proposed provisions address
whether and when the applicable
information is used (proposed
§ 1022.4(b)) or is expected to be used
(proposed § 1022.4(c)) for one of the
purposes specified in the definition—
that is, for the purpose of serving as a
factor in establishing a consumer’s
eligibility for consumer credit or
insurance, for employment purposes, or
for any other purpose authorized under
FCRA section 604. The CFPB proposes
these provisions to ensure that the
FCRA’s protections apply to certain
communications of consumer
information, including by incentivizing
52 FCRA section 603(d), 15 U.S.C. 1681a(d).
53 In restating FCRA section 603(d)(2)(D),
proposed § 1022.4(f) cross-references FCRA section
603(y) rather than FCRA section 603(x) because the
CFPA re-designated FCRA section 603(x) as FCRA
section 603(y). See 15 U.S.C. 1681a, n.1; Fed. Trade
Comm’n, Fair Credit Reporting Act, 15 U.S.C. 1681,
at 2 n.1 (Sept. 2018), https://www.ftc.gov/system/
files/documents/statutes/fair-credit-reporting-act/
545a_fair-credit-reporting-act-0918.pdf (noting that
‘‘(o) or (x)’’ in FCRA section 603(d)(2)(D) ‘‘[s]hould
be read as ‘(o) or (y)’ ’’).
54 These provisions are §§ 1022.20(b)(3),
1022.32(b), 1022.71(f), 1022.130(c), and
1022.142(b)(2). If this proposal and the CFPB’s
Medical Debt Proposed Rule, supra note 42, are
both finalized, the CFPB intends to revise in the
same way cross-references to the terms ‘‘consumer
report’’ and ‘‘consumer reporting agency’’ in
§ 1022.38, as proposed to be added to Regulation V
by the Medical Debt Proposed Rule.
entities that sell consumer information
to monitor the uses to which such
information is put and by ensuring that
certain types of consumer information
are within the scope of the FCRA
regardless of how any particular
communication of that information is
used.
As explained further below, the
FCRA’s definition of the term
‘‘consumer report’’ presents several
interpretive questions relevant to this
proposed rule. First, what is the item
that might be ‘‘used or expected to be
used’’ for the relevant purpose—the
specific ‘‘communication’’ (i.e., the
actual transmittal of data) or the
‘‘information’’ contained within that
communication (i.e., the facts that the
communication describes)? Courts have
tended to focus their analysis on the
specific communication, although it is
unclear how many courts have been
presented with the alternative.55
Second, given that the phrase is in the
passive voice, by whom might a
communication or information be ‘‘used
or expected to be used’’ to qualify as a
consumer report—the specific recipient
of the communication or a broader
population of parties? Again, courts
have tended to consider the activities of
the specific user in the case at issue, but
it is unclear whether courts have been
presented with the alternative.56 Third,
whose expectations are relevant in
determining whether a communication
of information is ‘‘expected to be used’’
for a particular purpose—the person
making the communication or someone
else? And fourth, are that person’s
subjective expectations all that matter,
or, as courts have held, does the
analysis also consider what the person
objectively should expect?
With these interpretive questions in
mind, the CFPB is proposing provisions
to administer and carry out the statutory
scheme, prevent evasion of the FCRA’s
requirements, and ensure that the
statute’s protections apply to
55 See, e.g., Comeaux v. Brown & Williamson
Tobacco Co., 915 F.2d 1264, 1273–74 (9th Cir.
1990) (‘‘The plain language of section 1681a(d)
reveals that a credit report will be construed as a
‘consumer report’ under the FCRA if the credit
bureau providing the information expects the user
to use the report for a purpose permissible under
the FCRA . . . .’’ (second emphasis added)); cf.
Mintun v. Equifax Info. Servs., LLC, 535 F. Supp.
3d 988, 994 (D. Nev. 2021) (applying the series-qualifier and nearest-reasonable-referent canons to
conclude that, under the definition of consumer
report, ‘‘it is the information in the communication,
not the communication itself, that must be of the
kind that is used or expected to be used or collected
in whole or in part for the purposes of serving as
a favor [sic] in credit, employment, or insurance
decisions or other reasons allowed under the
FCRA’’).
56 See, e.g., Comeaux, 915 F.2d at 1273–74.
communications of consumer
information that raise concerns the
FCRA was designed to address. In doing
so, the CFPB is also proposing particular
approaches to resolving the interpretive
questions set forth above. First, the
CFPB proposes to treat ‘‘used or
expected to be used’’ as modifying
‘‘information’’ rather than
‘‘communication.’’ Grammatically, the
term to which ‘‘used or expected to be
used’’ refers should also be the term to
which ‘‘collected’’ refers, and a
consumer reporting agency does not
‘‘collect’’ communications. Second, the
CFPB proposes to interpret ‘‘used’’ to
include use by persons other than the
direct recipient of a communication. If
‘‘used or expected to be used’’ referred
only to how the direct recipient used or
was expected to use the information in
a communication, then the recipient’s
use or expected use for a nonpermissible purpose would not violate
the statute because, by virtue of that use
or expected use, the communication
would not be a consumer report.57
Moreover, if the analysis focused only
on the initial recipient, the statute
would be easy to evade by passing
information through intermediaries
before it reached the ultimate user.
Third, the CFPB proposes to interpret
‘‘expected to be used’’ to refer to the
expectations of the person
communicating the information, which
is consistent with longstanding case law
and is a natural reading of the statutory
language. Fourth, the CFPB proposes to
interpret ‘‘expected to be used’’ to
consider both what that person
subjectively expected and what that
person objectively should have expected
about the use of the transmitted
information. This interpretation is
consistent with past agency and judicial
interpretations and would emphasize
that persons cannot sell consumer
information and attempt to avoid
coverage by willfully ignoring the
purposes for which the information will
be used.
Since the FCRA’s enactment in 1970,
applications of the law have often
undermined one of the statute’s core
commitments: protecting consumer
privacy. The CFPB proposes to
implement the statute in a manner that
respects Congress’s concern with
limiting the purchase and sale of
sensitive consumer information and
restores the full meaning of the statute’s
permissible purpose provisions.
57 The communication of the information could
still be a consumer report if the information was
collected for a purpose described in FCRA section
603(d)(1), in which case it could be furnished only
to a recipient with a permissible purpose.
The CFPB uses these threshold
principles, described in more detail
below, to guide the following proposals.
4(b) Is Used
Proposed § 1022.4(b) interprets the
phrase ‘‘is used’’ in the definition of
consumer report. It provides that
information in a communication is used
for a purpose described in proposed
§ 1022.4(a)(2) if a recipient of the
information uses the information for
such purpose. The proposal would
clarify that the purpose for which
information in a communication is used
can cause the communication to be a
consumer report, regardless of whether
the person communicating the
information collected it or expected it to
be used for that purpose.
This interpretation derives from a
straightforward reading of the statute.
As summarized above, section 603(d)(1)
of the FCRA defines a consumer report
as a communication of information by a
consumer reporting agency bearing on
any of seven, specified consumer factors
that is ‘‘[1] used or [2] expected to be
used or [3] collected’’ in whole or in
part for a purpose described in proposed
§ 1022.4(a)(2). The principle that a
statute must be construed to ‘‘give
effect, if possible, to every clause and
word’’ 58 requires that the phrase ‘‘is
used’’ be given a meaning independent
of ‘‘expected to be used’’ and
‘‘collected.’’ 59 The CFPB’s proposed
interpretation does so.
The proposed interpretation is
consistent with guidance previously
issued by FTC staff explaining that a
report that is not otherwise a consumer
report may become a consumer report if
it is subsequently used by the recipient
for an FCRA-covered purpose.60 That
guidance also suggests that a
communication of consumer
information that is actually used for an
FCRA-covered purpose might not be a
consumer report if the person making
the communication could not have
reasonably expected the information to
58 Williams v. Taylor, 529 U.S. 362, 404 (2000)
(quoting United States v. Menasche, 348 U.S. 528,
538–39 (1955)); see also Duncan v. Walker, 533 U.S.
167, 174 (2001) (discussing rule against surplusage).
59 Similarly, the series-qualifier canon requires
reading the phrase ‘‘in whole or in part’’ as
modifying each word or phrase in the series (i.e.,
‘‘is used,’’ ‘‘expected to be used,’’ and ‘‘collected’’)
rather than just the final one (i.e., ‘‘collected’’). See
Facebook, Inc. v. Duguid, 592 U.S. 395, 402 (2021)
(describing the series-qualifier canon); United
States v. MyLife.com, Inc., 499 F. Supp. 3d 757, 764
(C.D. Cal. 2020) (finding that the complaint
adequately pled that the defendant’s reports ‘‘were
used or expected to be used in whole or in part for
a FCRA purpose’’).
60 FTC 40 Years Staff Report, supra note 21, at 22.
be used in such a way.61 Under the
CFPB’s proposed interpretation,
however, a report including information
that ‘‘is used’’ for a purpose described
in proposed § 1022.4(a)(2) (and that
satisfies the other elements of the
definition of consumer report) is a
consumer report, irrespective of
whether the person furnishing the
report could have reasonably expected
that use or took steps to prevent it.
Proposed § 1022.4(b) also would
clarify another aspect of the phrase ‘‘is
used’’ in the FCRA’s definition of
consumer report. In the definition, the
phrase ‘‘for the purpose of serving as a
factor in establishing the consumer’s
eligibility,’’ which follows the phrase
‘‘is used,’’ lacks a subject, making it
unclear whose use of the information
matters in determining whether
information is used for a purpose
described in proposed § 1022.4(a)(2).
Proposed § 1022.4(b) would clarify that
information is used for a purpose
described in proposed § 1022.4(a)(2) if
anyone, not merely the direct recipient
of the communication, uses the
information for such a purpose.
Interpreting the phrase ‘‘is used’’ to
encompass not just the immediate
recipient of the information but also
downstream users is necessary to carry
out the purposes of the statute and
prevent evasion. If all that mattered was
what the immediate recipient would do
with the information, a person could
potentially avoid FCRA coverage even if
the person had actual knowledge that
the entity to which it communicated the
information was selling the information
to a downstream recipient who planned
to use it for a purpose described in
proposed § 1022.4(a)(2). Indeed, under
such an interpretation, a person could
potentially use intermediaries to ensure
that they never sold information directly
to a recipient who would use it for such
a purpose, even if the person knew that
was how the information would
eventually be used. The CFPB’s
proposed interpretation is consistent
with case law holding that the ‘‘is used’’
element of the definition of consumer
report is satisfied if anyone—not just the
initial recipient of the communication—
uses the information for a purpose
described in proposed § 1022.4(a)(2).62
61 See id. (‘‘If the entity supplying the report has
taken reasonable steps to [e]nsure that the report is
not used for such a purpose, and if it neither knows
of, nor can reasonably anticipate such use, the
report should not be deemed a consumer report by
virtue of uses beyond the entity’s control.’’).
62 Ernst v. Dish Network, LLC, 49 F. Supp. 3d 377,
383 (S.D.N.Y. 2014) (‘‘This means that if anyone
uses, expects to use or collects the information for
[a permissible purpose], the statutory definition of
‘consumer report’ is satisfied.’’) (emphasis added);
see also Henderson v. Corelogic Nat’l Background
As a practical matter, this would
mean that a person that sells
information that is used for a purpose
described in proposed § 1022.4(a)(2)
would become a consumer reporting
agency, regardless of whether the person
knows or believes that the
communication of that information is
legally considered a consumer report,
assuming the other elements of the
definition of consumer reporting agency
are satisfied. In other words, so long as
a person acts for the purpose of
furnishing a report that is or becomes a
consumer report as that term is defined
in proposed § 1022.4, that person is a
consumer reporting agency; a person
need not know or believe it is furnishing
a consumer report as that term is
defined under the FCRA. For example,
consider an entity that collects
information about individual
consumers’ travel preferences for use in
marketing and sells that information to
a third party for marketing purposes
with the belief that the communication
of that information is not a consumer
report. If the third party actually uses
the information to establish a
consumer’s eligibility for credit, the
report would be a consumer report
(assuming the other elements of that
definition were satisfied). The entity
that sold the information would then be
a consumer reporting agency (assuming
the other elements of that definition
were satisfied) because it intended to
communicate to the third party the
information that was in fact used for an
FCRA-covered purpose, even if it did
not believe that it was furnishing
consumer reports. The CFPB proposes
that this conclusion flows from the
definition of consumer reporting agency
in FCRA section 603(f).
In addition to being consistent with
the regulatory text, this reading of the
statute better prevents entities from
evading FCRA coverage by disclaiming
intent to furnish consumer reports. A
requirement that a person selling
consumer information is a consumer
reporting agency only if it believes that
its communications meet the FCRA’s
definition of consumer report would
incentivize willful ignorance and
undermine the purpose of the statute.
The CFPB’s interpretation, by contrast,
provides a clear, bright-line rule that
should be more difficult for entities,
particularly data brokers, to evade. For
that reason, it is more consistent with
Data, LLC, 161 F. Supp. 3d 389, 397–98 (E.D. Va.
2016).
the broad remedial purpose of the
FCRA.63
The CFPB proposes § 1022.4(b) as an
interpretation of the phrase ‘‘is used.’’
The CFPB also preliminarily concludes
that proposed § 1022.4(b) is necessary to
prevent evasion of the FCRA by entities
that sell consumer information and
ignore the uses to which that
information is put by initial and
downstream recipients.64 The CFPB
requests comment on whether the
proposed interpretation is likely to
incentivize entities to monitor more
carefully how a communication of
consumer information ultimately is
used, any potential alternatives to
prevent entities from evading coverage
under the FCRA, and any compliance
challenges associated with the proposed
interpretation.
4(c) Is Expected To Be Used
Proposed § 1022.4(c) would establish
two tests for determining whether
information is expected to be used for
a purpose described in proposed
§ 1022.4(a)(2). Under these tests,
information in a communication is
expected to be used for such a purpose
if: (1) the person making the
communication expects or should
expect that a recipient of the
information will use it for such a
purpose; or (2) it is information about a
consumer’s credit history, credit score,
debt payments, or income or financial
tier. Information would need to satisfy
only one of the tests for the ‘‘expected
to be used’’ element of the definition of
consumer report to be met. If either test
were satisfied, the communication of
the information would be a consumer
report and the person communicating
the information would be a consumer
reporting agency, assuming the other
elements of those definitions were met.
As a result, the person’s sale of the
information would be subject to the
FCRA.
4(c)(1)
Under the first test, described in
proposed § 1022.4(c)(1), information in
a communication is expected to be used
for a purpose described in proposed
§ 1022.4(a)(2) if the person making the
communication expects or should
63 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d
688, 722 (3d Cir. 2010) (describing the FCRA as
‘‘undeniably a remedial statute that must be read in
a liberal manner in order to effectuate the
congressional intent underlying it’’); Guimond v.
Trans Union Credit Info. Co., 45 F.3d 1329, 1333
(9th Cir. 1995) (observing that the FCRA’s
‘‘consumer oriented objectives support a liberal
construction’’ of the statute).
64 See supra part II.B, Goals of the Rulemaking,
Protecting Consumer Information in the Data
Broker Market.
expect that a recipient of the
information in the communication will
use the information for such a
purpose.65 Proposed § 1022.4(c)(1)
would clarify four aspects of the
meaning of the phrase ‘‘expected to be
used.’’
Information Is Expected To Be Used
The ‘‘expected to be used’’ element of
the definition of consumer report does
not identify what item must be
‘‘expected to be used’’ for a purpose
described in proposed § 1022.4(a)(2). A
consumer report is a ‘‘communication’’
of certain ‘‘information’’ about a
consumer, so the phrase could
reasonably refer to the communication
itself (i.e., the actual transmittal of data),
or the information contained within the
communication (i.e., the facts that the
communication describes).
Proposed § 1022.4(c) clarifies that,
under the first test, the relevant inquiry
is whether the information in a
communication is expected to be used
for a purpose described in proposed
§ 1022.4(a)(2). This proposed
interpretation follows directly from the
statutory language. As relevant here, the
FCRA defines a consumer report as a
communication of information by a
consumer reporting agency ‘‘which is
used or expected to be used or collected
in whole or in part’’ for a purpose
described in proposed § 1022.4(a)(2).
Grammatically, the term to which
‘‘expected to be used’’ refers should also
be the term to which ‘‘collected in
whole or in part’’ refers. Consumer
reporting agencies collect information,
not communications. Accordingly,
under the CFPB’s proposed
interpretation, the term ‘‘expected to be
used’’ refers to information.66
Person Communicating the Information
The ‘‘expected to be used’’ element of
the FCRA’s definition of consumer
report is phrased in the passive voice;
it does not identify the subject whose
expectations are relevant in determining
whether a communication of
information is a consumer report.
Proposed § 1022.4(c)(1) rephrases this
65 Regulation V, 12 CFR 1022.3(l) defines person
to mean ‘‘any individual, partnership, corporation,
trust, estate cooperative, association, government or
governmental subdivision or agency, or other
entity.’’
66 See Mintun v. Equifax Info. Servs., LLC, 535 F.
Supp. 3d 988, 994 (D. Nev. 2021) (applying the
series-qualifier and nearest-reasonable-referent
canons to conclude that, under the definition of
consumer report, ‘‘it is the information in the
communication, not the communication itself, that
must be of the kind that is used or expected to be
used or collected in whole or in part for the
purposes of serving as a favor [sic] in credit,
employment, or insurance decisions or other
reasons allowed under the FCRA’’).
element of the definition in the active
voice to clarify that, under the first test,
the expectations of the person
communicating the information
determine whether the information is
expected to be used for a particular
purpose. In other words, the proposal
clarifies that a communication of
information is a consumer report if the
person communicating the information
expects the information to be used for
a purpose described in proposed
§ 1022.4(a)(2) and the other elements of
that definition are met. This proposed
interpretation, which is consistent with
longstanding case law, is a natural
reading of the statutory language and
makes sense in the context of the
statute.67 It is also necessary to prevent
evasion by entities, such as data brokers,
that have sufficient information to know
that the consumer data they sell is likely
being used for eligibility
determinations.
Knowledge Standard
The FCRA does not define the term
‘‘expected.’’ Proposed § 1022.4(c)(1)
would clarify that, under the first test,
information is expected to be used for
a purpose described in proposed
§ 1022.4(a)(2) if the person
communicating the information
subjectively expects that it will be used
for such a purpose, or if the person
objectively should expect that it will be
used for such a purpose.
Interpreting the phrase ‘‘expected to
be used’’ to encompass a person’s
subjective and objective expectations is
consistent with FTC staff’s longstanding
view that the definition of consumer
report covers uses of information that
the person can reasonably anticipate.68
And it is consistent with case law
holding that a person’s reasonable
expectations about how information
67 See, e.g., Fralish v. Transunion, LLC, No. 3:20–
CV–969 JD, 2021 WL 4990003, at *3 (N.D. Ind. Oct.
26, 2021) (‘‘Information constitutes a ‘consumer
report’ if the consumer reporting agency which
prepares and sends the report ‘expects’ the report
to be used for one of the ‘consumer purposes’ set
forth by the FCRA.’’); Ippolito v. WNS, Inc., 864
F.2d 440, 449 (7th Cir. 1988) (‘‘[A] consumer may
establish that a particular credit report is a
‘consumer report’ falling within the coverage of the
FCRA if . . . the consumer reporting agency which
prepares the report ‘expects’ the report to be used
for one of the ‘consumer purposes’ set forth in the
FCRA.’’); Heath v. Credit Bureau of Sheridan, Inc.,
618 F.2d 693, 696 (10th Cir. 1980) (explaining that
‘‘ ‘expected to be used’ would seem to refer to what
the reporting agency believed’’).
68 FTC 40 Years Staff Report, supra note 21, at 22
(‘‘If the entity supplying the report has taken
reasonable steps to [e]nsure that the report is not
used for such a purpose, and if it neither knows of,
nor can reasonably anticipate such use, the report
should not be deemed a consumer report . . . .’’
(emphasis added)).
will be used can establish whether the
person is providing consumer reports.69
Interpreting ‘‘expected to be used’’ in
this way also is necessary to carry out
the purposes of the FCRA and prevent
evasion. If all that mattered was how a
person subjectively expected the
information to be used, the statute
would reward willful ignorance: a
person could potentially avoid FCRA
coverage by, for example, choosing not
to ask or deciding not to monitor how
recipients of the information intended
to use it. The proposed interpretation is
therefore consistent with the statute’s
purpose.70
The proposed interpretation also
makes sense in the context of the statute
as a whole. Elsewhere in the FCRA,
Congress imposed requirements that
refer only to a person’s actual
knowledge. For example, FCRA section
605 requires the exclusion of certain
information from a consumer report if,
among other things, the consumer
reporting agency ‘‘has actual knowledge
that the information is related to a
veteran’s medical debt.’’ 71 If Congress
had intended the meaning of ‘‘expected
to be used’’ to turn only on the person’s
actual, subjective expectations in the
same way, it would have said so.72
In enforcement actions and guidance
documents, other regulators have
identified a non-exhaustive list of
factors that may be relevant to
determining whether a person should
expect that information will be used for
an FCRA-covered purpose. These factors
include, for example, whether the
person screens potential users before
69 See, e.g., Harrington v. ChoicePoint Inc., No.
CV 05–1294 MRP JWJX, 2005 WL 7979032, at *5
(C.D. Cal. Sept. 15, 2005) (holding that consumer
reporting agency ‘‘should have expected the
information it disclosed would be used for FCRA
purposes’’ despite the entity’s contractual language
with users barring such uses); Mem. & Order at *6,
Roybal v. Equifax, No. 2:05–CV–01207–MCE–KJM,
2008 WL 4532447 (E.D. Cal. Oct. 9, 2008) (allowing
an FCRA claim based on inaccuracies in the
reporting of a joint account because that
information ‘‘could reasonably have been expected
to be used’’ in establishing consumer’s eligibility for
credit); cf. Intel Corp. Inv. Pol’y Comm. v. Sulyma,
589 U.S. 178 (2020) (‘‘[T]he law will sometimes
impute knowledge—often called ‘constructive’
knowledge—to a person who fails to learn
something that a reasonably diligent person would
have learned.’’).
70 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d
688, 722 (3d Cir. 2010) (describing the FCRA as
‘‘undeniably a remedial statute that must be read in
a liberal manner in order to effectuate the
congressional intent underlying it’’); Guimond v.
Trans Union Credit Info. Co., 45 F.3d 1329, 1333
(9th Cir. 1995) (observing that the FCRA’s
‘‘consumer oriented objectives support a liberal
construction’’ of the statute).
71 15 U.S.C. 1681c(a)(7), (8) (emphasis added).
72 See DHS v. MacLean, 574 U.S. 383, 392 (2015)
(‘‘Congress generally acts intentionally when it uses
particular language in one section of a statute but
omits it in another.’’).
allowing them to access information,
whether the person advertises its
information for non-FCRA-covered uses
only, and whether the person maintains
procedures to monitor and audit how its
information is used.73 The CFPB
requests comment on whether it would
be helpful to identify in Regulation V
factors that are or may be relevant to
determining whether a person should
expect that information will be used for
an FCRA-covered purpose, and, if so,
what those factors might be. The CFPB
also requests comment on whether it
would be helpful to identify the steps a
person must or should take to ensure
that the consumer information it sells is
not used for an FCRA-covered purpose,
absent which the person would be
deemed to expect that the consumer
information will be used for such a
purpose.
Downstream Recipients
The phrase ‘‘for the purpose of
serving as a factor in establishing the
consumer’s eligibility,’’ which follows
the phrase ‘‘expected to be used’’ in the
definition, lacks a subject, making it
unclear whose use of the information
matters in determining whether
information is expected to be used for
a purpose described in proposed
§ 1022.4(a)(2). For the same reasons
described in the discussion of proposed
§ 1022.4(b), proposed § 1022.4(c)(1)
would clarify that, under the first test,
information is expected to be used for
a purpose described in proposed
§ 1022.4(a)(2) if the person
communicating the information expects
or should expect that any recipient of
the information will use it for such a
purpose.
As discussed above, the CFPB
proposes § 1022.4(c)(1) as an
interpretation of the phrase ‘‘expected to
be used.’’ The CFPB also proposes
§ 1022.4(c)(1) pursuant to its authority
to prevent evasions of the FCRA. The
CFPB preliminarily concludes that
proposed § 1022.4(c)(1) is necessary to
prevent evasion of the FCRA by entities
that sell consumer information and
73 See, e.g., Compl. ¶ 9, United States v. Instant
Checkmate, Inc., No. 3:14–CV–00675–H–JMA (S.D.
Cal. Mar. 24, 2014), https://www.ftc.gov/system/
files/documents/cases/140409instant
checkmatecmpt.pdf (alleging that Instant
Checkmate, in its marketing and advertising,
including through its Google Ad Words campaign,
‘‘promoted the use of its reports as a factor in
establishing a person’s eligibility for employment or
housing’’); Compl. for Civil Penalties, Permanent
Inj. & Other Equitable Relief ¶ 13, United States v.
ChoicePoint (N.D. Ga. Jan. 30, 2006), https://
www.ftc.gov/sites/default/files/documents/cases/
2006/01/0523069complaint.pdf (alleging that
ChoicePoint failed to adequately verify or
authenticate the identities and qualifications of
prospective users of its database).
ignore the uses to which that
information is put by initial and
downstream recipients.74
4(c)(2)
Under the second test, described in
proposed § 1022.4(c)(2), the CFPB
preliminarily concludes that entities
that sell consumer information generally
expect certain types of that information
to be used in the market at large for a
purpose described in proposed
§ 1022.4(a)(2), because those types of
information are typically used for such
a purpose. Specifically, under proposed
§ 1022.4(c)(2), a person selling any of
four types of information about a
consumer—credit history, credit score,
debt payments, and income or financial
tier—for any purpose generally would
qualify as a consumer reporting agency
selling consumer reports because those
information types are typically used to
underwrite loans. Accordingly, the
person’s conduct would be governed by
the FCRA’s restrictions and
requirements, including provisions that
protect the privacy and promote the
accuracy of consumer data.
As discussed in part II, the data
broker industry poses a range of
significant harms to consumers and the
nation. These include national security
harms.75 As the U.S. Department of
Justice (DOJ) has observed, countries of
concern can use Americans’ sensitive
personal data ‘‘to engage in malicious
cyber-enabled activities and malign
foreign influence, and to track and build
profiles on U.S. individuals, including
members of the military and Federal
employees and contractors, for illicit
purposes such as blackmail and
espionage.’’ 76 They can also use that
data ‘‘to collect information on activists,
academics, journalists, dissidents,
political figures, or members of nongovernmental organizations or
marginalized communities in order to
intimidate such persons; curb political
opposition; limit freedoms of
expression, peaceful assembly, or
association; or enable other forms of
suppression of civil liberties.’’ 77
74 See supra part II.B, Goals of the Rulemaking,
Protecting Consumer Information in the Data
Broker Market.
75 See, e.g., The White House, Fact Sheet:
President Biden Issues Executive Order to Protect
Americans’ Sensitive Personal Data (Feb. 28, 2024),
https://www.whitehouse.gov/briefing-room/
statements-releases/2024/02/28/fact-sheetpresident-biden-issues-sweeping-executive-order-toprotect-americans-sensitive-personal-data/.
76 89 FR 15780, 15781 (Mar. 5, 2024) (U.S. Dep’t
of Just. Advance Notice of Proposed Rulemaking
seeking comment on topics related to the
implementation of E.O. 14117).
77 Id.
Recent research funded by the U.S.
Military Academy at West Point has
highlighted the gravity of the threat
posed by data brokers who sell
information about the activities and
private lives of United States military
personnel, veterans, government
employees, and their families.78 With
virtually no vetting, researchers were
able to purchase individually identified
information about active-duty military
members’ income, net worth, and credit
rating—information that could be used
by foreign adversaries to identify
individuals for purposes of coercion,
blackmail, or espionage.79 Data brokers
also facilitate the targeting of military
members and government employees by
allowing buyers to purchase lists that
match multiple categories, such as lists
that include individuals who fall into
the ‘‘Intelligence and Counterterrorism’’
category and the ‘‘Behind on Bills’’
category.80 As President Biden noted in
a February 2024 executive order
addressing foreign access to Americans’
data, ‘‘[t]he continuing effort of certain
countries of concern to access
Americans’ sensitive personal data and
United States Government-related data
constitutes an unusual and
extraordinary threat . . . to the national
security and foreign policy of the United
States.’’ 81
The data broker industry also poses
unique harms to individuals in
financially precarious situations.
Fraudsters can use information from
data brokers to target individuals likely
to purchase predatory financial
products. For example, some data
brokers sell consumer lists with titles
such as ‘‘Rural and Barely Making It,’’
‘‘Retiring on Empty: Single,’’ and
‘‘Credit Crunched: City Families.’’ 82 As
the Senate Committee on Commerce,
Science, and Transportation observed
over a decade ago, these lists ‘‘appeal to
companies that sell high-cost loans and
other financially risky products to
populations more likely to need quick
cash.’’ 83 The purchase and sale of
78 See Duke Report on Data Brokers and Military
Personnel Data, supra note 2.
79 Id. at 5.
80 Consumer Fin. Prot. Bureau, Prepared Remarks
of CFPB Director Rohit Chopra at the White House
on Data Protection and National Security (Apr. 2,
2024), https://www.consumerfinance.gov/about-us/
newsroom/prepared-remarks-of-cfpb-director-rohitchopra-at-the-white-house-on-data-protection-andnational-security/.
81 E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024).
82 S. Comm. on Com., Sci., & Transp., Off. of
Oversight & Investigations Majority Staff, A Review
of the Data Broker Industry: Collection, Use, and
Sale of Consumer Data for Marketing Purposes, at
5 (Dec. 18, 2013), https://www.commerce.
senate.gov/services/files/0d2b3642-6221-4888-a63108f2f255b577.
83 Id.
consumers’ financial information can
also be used to perpetrate outright
scams against low-income individuals
and individuals in financially
precarious situations. In 2015, for
example, the FTC brought suit against a
data broker operation that sold payday
loan applicants’ financial information to
phony internet merchants and
fraudsters who used the information to
debit consumers’ bank accounts for
financial products that the consumers
never actually purchased.84
The data broker industry also poses
data security risks. The highly sensitive
consumer information collected and
sold by data brokers is an attractive
target for hackers and identity thieves.
In recent years, cyber criminals have
stolen from data brokers information
about hundreds of millions of
Americans,85 some of which has been
made available for sale.86 Purchasers
can use this information to open new
financial accounts in consumers’ names,
drain existing accounts, obtain loans,
seek employment, apply for government
benefits, and send ‘‘phishing’’
communications to family and friends.
According to the DOJ, in 2021 nearly 24
million U.S. residents over 16 had
experienced identity theft in the past 12
84 Compl. for Permanent Inj. and Other Equitable
Relief, Fed. Trade Comm’n v. Sequoia One, LLC, No.
2:15-cv-01512–JCM–CWH (D. Nev. Aug. 7, 2015),
https://www.ftc.gov/system/files/documents/cases/
150812sequoiaonecmpt.pdf; Fed. Trade Comm’n,
FTC Charges Data Brokers with Helping Scammer
Take More Than $7 Million from Consumers’
Accounts (Aug. 12, 2015), https://www.ftc.gov/
news-events/news/press-releases/2015/08/ftccharges-data-brokers-helping-scammer-take-more7-million-consumers-accounts.
85 See, e.g., Brian Krebs, NationalPublicData.com
Hack Exposes a Nation’s Data, Krebs on Security
(Aug. 15, 2024), https://krebsonsecurity.com/2024/
08/nationalpublicdata-com-hack-exposes-anations-data/; Justin Sherman, Duke Sanford
School of Public Policy, Data Brokers and Data
Breaches (Sept. 27, 2022), https://
techpolicy.sanford.duke.edu/blogroll/data-brokersand-data-breaches; Brian Krebs, Hacked Data
Broker Accounts Fueled Phony COVID Loans,
Unemployment Claims, Krebs on Security (Aug. 6,
2020), https://krebsonsecurity.com/2020/08/
hacked-data-broker-accounts-fueled-phony-covidloans-unemployment-claims/; Lily Hay Newman,
1.2 Billion Records Found Exposed Online in a
Single Server, Wired (Nov. 22, 2019), https://
www.wired.com/story/billion-records-exposedonline; Stacy Cowley, Equifax to Pay at Least $650
Million in Largest-Ever Data Breach Settlement,
N.Y. Times (July 22, 2019), https://
www.nytimes.com/2019/07/22/business/equifaxsettlement.html.
86 See, e.g., Brian Krebs, National Public Data
Published Its Own Passwords, Krebs on Security
(Aug. 19, 2024), https://krebsonsecurity.com/2024/
08/national-public-data-published-its-ownpasswords/; Brian Krebs, Data Broker Giants
Hacked by ID Theft Service, Krebs on Security
(Sept. 25, 2013), https://krebsonsecurity.com/2013/
09/data-broker-giants-hacked-by-id-theft-service/.
months, with financial losses of over
$16 billion.87
In addition, the data broker industry
poses risks to the personal safety of
American consumers. For example,
domestic abusers and others can use
data from data brokers to stalk, harass,
and commit violence.88 Other bad actors
can use data broker information to dox
consumers, expose their personal
information, and subject them to
distress, embarrassment, shame, and
stigma.89 Moreover, the data broker
industry threatens consumers’ right to
privacy—the right to be left alone, free
from wrongful intrusions into private
activities.90 Surveys suggest that many
consumers would be concerned to know
that information about their personal
lives was being bought and sold without
their consent and outside their control
by entities with whom they have no
87 Erika Harrell & Alexandra Thompson, Bureau
of Just. Stat., U.S. Dep’t of Just., NCJ 306474,
Victims of Identity Theft, 2021, at 1 (Oct. 2023),
https://bjs.ojp.gov/document/vit21.pdf.
88 See, e.g., Letter from Amy Klobuchar & Lisa
Murkowski, Sens., U.S. Senate, to Hon. Rebecca K.
Slaughter, Acting Chair, Fed. Trade Comm’n (Mar.
4, 2021), https://www.klobuchar.senate.gov/public/
_cache/files/5/e/5e1e58a4-4b38-49e8-9a8b37ea1604d9b9/A6F005737B2A977445475E4
E0C2E3685.ftc-privacy-and-domestic-violenceletter-final---signed.pdf (expressing ‘‘serious
concerns regarding recent reports that data brokers
are publicizing the location and contact information
of victims of domestic violence, sexual violence,
and stalking’’); Esther Salas, My Son Was Killed
Because I’m a Federal Judge, N.Y. Times (Dec. 8,
2020), https://www.nytimes.com/2020/12/08/
opinion/esther-salas-murder-federal-judges.html
(recounting instance in which aggrieved litigant
obtained Federal judge’s address from data broker);
Mara Hvistendahl, I Tried to Get My Name Off
People-Search Sites. It Was Nearly Impossible.,
Consumer Reports (Aug. 20, 2020), https://
www.consumerreports.org/personal-information/itried-to-get-my-name-off-peoplesearch-sites-it-wasnearly--a0741114794/ (recounting domestic abuse
victim’s effort to delete her information from data
broker databases so that her abuser could not obtain
it); Remsburg v. Docusearch, Inc., No. Civ. 00–211–
B, 2002 WL 844403, at *2–3 (D.N.H. Apr. 25, 2002)
(describing stalker’s use of data broker information
to locate victim).
89 See, e.g., Joseph Cox & Emanuel Maiberg, Fiverr
Freelancers Offer to Dox Anyone With Powerful
U.S. Data Tool, 404 Media (July 2, 2024), https://
www.404media.co/fiverr-freelancers-offer-to-doxanyone-with-powerful-u-s-data-tool-tloxp/; Joseph
Cox, The Secret Weapon Hackers Can Use to Dox
Nearly Anyone in America for $15, 404 Media (Aug.
22, 2023), https://www.404media.co/the-secretweapon-hackers-can-use-to-dox-nearly-anyone-inamerica-for-15-tlo-usinfosearch-transunion/
?curator=TechREDEF.
90 Cf. In re Facebook, Inc. Internet Tracking Litig.,
956 F.3d 589, 603–04 (9th Cir. 2020) (observing that
‘‘[t]echnological advances . . . provide access to a
category of information otherwise unknowable and
implicate privacy concerns in a manner different
from traditional intrusions as a ride on horseback
is different from a flight to the moon’’ (internal
quotation marks and citations omitted)); FTC v.
Kochava, Inc., 715 F. Supp. 3d 1319, 1324 (D. Idaho
2024) (noting that the Supreme Court has
recognized ‘‘the unique threat that modern
technology can pose to privacy rights’’ (citing
Carpenter v. United States, 585 U.S. 296 (2018))).
relationship and whose actions they
cannot trace.91 And the data broker
industry raises questions of
fundamental fairness to consumers. The
consumer profiles that data brokers
compile and sell can determine what
offers, benefits, and opportunities
consumers receive.92 Yet those profiles,
often based on data of dubious veracity
and sometimes merely on inferences
drawn from that data, are typically
constructed without consumers’
knowledge, input, or permission,
creating a significant risk that they
contain inaccurate, incomplete, or
outdated information that consumers
are often powerless to correct.
Notwithstanding these harms, for
years many data brokers have attempted
to avoid liability under the FCRA by
arguing that the ‘‘expected to be used’’
portion of the statute’s definition of
consumer report is satisfied only if the
person selling the communication
expects that the buyer will use the
communication for a purpose described
in FCRA section 603(d)(1), such as to
assess the consumer’s eligibility for
credit. According to this argument, if
the seller expects that the buyer will use
the communication for another purpose,
such as to market products, the
‘‘expected to be used’’ portion of the
definition is not satisfied. And as long
as the communication was not actually
used, and the information in the
communication was not collected, for a
purpose described in FCRA section
603(d)(1), this argument provides that
there is no consumer report and the
FCRA does not apply. Where courts
have been presented with certain fact
patterns, such as where the data broker
took steps to monitor and prohibit the
sale of data for FCRA uses, this has
sometimes served as an adequate
defense. However, it is unclear whether
courts have been squarely presented
with an alternative approach to the
issue.93
91 See, e.g., Brooke Auxier et al., Americans and
Privacy: Concerned, Confused and Feeling Lack of
Control Over Their Personal Information, Pew Rsch.
Ctr. (Nov. 15, 2019), https://www.pewresearch.org/
internet/2019/11/15/americans-and-privacyconcerned-confused-and-feeling-lack-of-controlover-their-personal-information/; cf. Tiffany
Johnson et al., It’s All Personal: A Study on
Consumer Attitudes Towards Data Collection &
Usage, PCH Consumer Insights, at 3 (Nov. 15, 2023),
https://insights.pch.com/img/data-ethics-design.pdf
(identifying data types that consumers regard as
‘‘personal’’).
92 See FTC Data Broker Report, supra note 25, at
31 (noting that score produced by data brokers
‘‘could be used to determine the types of offers
consumers may receive, the number of offers, or
even the level of customer service provided to
specific individuals’’).
93 See, e.g., Ippolito v. WNS, Inc., 864 F.2d 440,
450–51 (7th Cir. 1988) (focusing on the purchaser’s
conduct in determining whether the entity that sold
Construing the phrase ‘‘expected to be
used’’ in this way leads to a result
contrary to the FCRA’s stated objective
in section 602(a)(4) of ‘‘respect[ing] . . .
the consumer’s right to privacy.’’
Section 604’s prohibition on furnishing
consumer reports for non-permissible
purposes, such as marketing outside of
the prescreening context, is evaded by
the very acts that section 604
purportedly prohibits. This is because,
as the FCRA defines the term
‘‘consumer report’’ in section
603(d)(1)(C), a communication of
information is not a consumer report
unless it is used or expected to be used
for a permissible purpose in the first
place—i.e., for a purpose ‘‘authorized
under section [604].’’ This reading of
‘‘expected to be used’’ would render
section 604’s prohibitions a nullity with
respect to the furnishing of consumer
reports for non-permissible purposes,
except for the fact that a communication
of information could still be a consumer
report if the information was ‘‘collected
in whole or in part’’ for a permissible
purpose. Under this reading, if an entity
collects information for a permissible
purpose, it cannot provide that same
information for an impermissible
purpose.
But it would shortchange the FCRA’s
privacy-protecting objectives to
conclude that consumer information
collected by a consumer reporting
agency for a purpose authorized under
section 604 is subject to all of the
FCRA’s restrictions, including
prohibitions on uses outside of what
section 604 authorizes, while identical
consumer information collected by a
data broker solely for a purpose not
authorized under section 604 is subject
to none of the FCRA’s restrictions.
Under such an interpretation, for
example, Congress would have
prohibited a consumer reporting agency
that collects consumers’ income
information for use by banks in making
credit eligibility decisions from selling
that information for marketing purposes
(or any other non-permissible purpose),
but it would have permitted a data
broker that collects the exact same
income information solely for purposes
Congress did not authorize in the FCRA
to sell the information for those
purposes. This has led to the
unregulated proliferation of the very
types of consumer information that the
FCRA’s framers intended to protect.94
a report expected that it would be used for an
FCRA-covered purpose).
94 See 115 Cong. Rec. S2413 (Jan. 31, 1969)
(statement of FCRA’s primary sponsor expressing
concern about companies that maintain ‘‘files on
millions of Americans, including their employment,
income, billpaying record, marital status, habits,
Proposed § 1022.4(c)(2) would avoid
this result and conform with Congress’s
intent to protect consumers’ right to
privacy by providing that certain types
of information about consumers—
namely, credit history, credit score, debt
payments, and income or financial
tier—are expected to be used for a
purpose described in proposed
§ 1022.4(a)(2) even if the specific
communication in which the
information is conveyed is not itself
used or expected to be used for such a
purpose.
The CFPB proposes that the text of
FCRA section 603(d)(1) alone may
support proposed § 1022.4(c)(2). In
contrast to prior case law that did not
consider this approach, the CFPB
preliminarily determines that the part of
the definition of consumer report
referring to what the sender ‘‘expects’’
could be construed as referring not to
how the sender expects the
‘‘communication’’ or report will be
used, but rather to how the sender
expects the ‘‘information’’ within the
report will be used.95 ‘‘Information’’ is
defined as ‘‘knowledge obtained from
investigation, study, or instruction;
intelligence, news; facts, data.’’ 96
Accordingly, whether information ‘‘is
expected to be used’’ for a particular
purpose may depend, in part, on how
the facts in a communication might be
used in the future, even if they are
provided by other entities in different
‘‘communications’’ or reports.
The CFPB preliminarily concludes
that a data broker selling information
about a consumer’s credit history, credit
score, debt payments (including on noncredit obligations), or income or
financial tier should know that such
information is typically used in
determining a consumer’s eligibility for
credit, and therefore should expect that
such information will be used for an
FCRA purpose. According to FICO, for
example, its credit scores are used in 90
percent of all lending decisions.97
Moreover, in assessing a consumer’s
eligibility for a mortgage loan, the
nation’s largest lenders consider, among
other things, a prospective borrower’s
income (often by reviewing a
consumer’s W–2 statements, tax returns,
and pay stubs), as well as the borrower’s
credit history and level of indebtedness
character and morals’’ without adequate regulations
restricting the files’ use).
95 Cf. Mintun v. Equifax Info. Servs., LLC, 535 F.
Supp. 3d 988, 994 (D. Nev. 2021).
96 See Information, Merriam-Webster.com
Dictionary, https://www.merriam-webster.com/
dictionary/information (last visited Oct. 15, 2024).
97 Basic Facts About FICO Scores, FICO, https://
www.fico.com/en/latest-thinking/fact-sheet/basicfacts-about-fico-scores (last visited Oct. 30, 2024).
(often by reviewing multiple or merged
consumer reports).98 Indeed, the
government-sponsored entities that
purchase a substantial portion of
residential mortgage loans 99 require
lenders to obtain a consumer’s credit
report and score, and consider a
consumer’s income and recurring debt
payments, before making a loan.100 And
the CFPB’s ability-to-repay rules require
lenders to consider similar
information.101
As a practical matter, if proposed
§ 1022.4(c)(2) were finalized, then,
under FCRA section 604, data brokers
and similar entities that otherwise met
the definition of a consumer reporting
agency could not sell reports containing
a consumer’s credit history, credit score,
debt payments, or income or financial
tier to anyone who lacked a permissible
purpose to obtain them, such as a
company that intended to use the
reports for marketing purposes outside
of the statute’s pre-screening
provisions.102 Such entities also would
need to comply with the FCRA’s other
prohibitions and requirements for
consumer reporting agencies, such as
the requirement in FCRA section 607 to
follow reasonable procedures to assure
maximum possible accuracy of the
information in their reports, and the
requirements in FCRA sections 609 and
611 to disclose certain information to
consumers and to investigate
consumers’ disputes.103
If proposed § 1022.4(c)(2) is finalized,
a substantial number of additional data
98 See, e.g., What Documents Are Needed to
Apply for a Mortgage?, Chase, https://
www.chase.com/personal/mortgage/education/
financing-a-home/mortgage-application (last visited
Oct. 30, 2024); How to Apply for a Mortgage, Bank
of America, https://www.bankofamerica.com/
mortgage/learn/how-to-apply-for-a-mortgage/ (last
visited Oct. 30, 2024); Home-Buying & Mortgage
Process, US Bank, https://www.usbank.com/homeloans/mortgage/first-time-home-buyers/mortgageprocess.html (last visited Oct. 30, 2024); Importance
of Credit, Debt, and Savings When Buying a House,
Wells Fargo, https://www.wellsfargo.com/mortgage/
learning/getting-started/importance-of-credit-debtsavings-in-homebuying/ (last visited Oct. 15, 2024);
Hanna Kielar, Qualifying For A Mortgage: The
Basics, Rocket Mortgage (Apr. 10, 2024), https://
www.rocketmortgage.com/learn/mortgagequalification.
99 See Fed. Hous. Fin. Agency, FHFA Statistics,
What Types of Mortgages Do Fannie Mae and
Freddie Mac Acquire? (Apr. 14, 2021), https://
www.fhfa.gov/blog/statistics/what-types-ofmortgages-do-fannie-mae-and-freddie-mac-acquire
(listing enterprise share of mortgage originations by
year).
100 See, e.g., Fannie Mae, Selling Guide: Fannie
Mae Single Family, at B3 (June 5, 2024), https://
singlefamily.fanniemae.com/media/39241/display;
Freddie Mac, Seller/Servicer Guide, at Series 5000,
https://guide.freddiemac.com/app/guide/series/
5000 (last visited Oct. 30, 2024).
101 Regulation Z, 12 CFR 1026.43(c).
102 15 U.S.C. 1681b.
103 15 U.S.C. 1681e, 1681g, 1681i.
brokers operating today likely will
qualify as consumer reporting agencies
selling consumer reports under the
FCRA, resulting in improved consumer
protections and a substantial reduction
in the volume of consumer information
being bought and sold for non-permissible purposes, such as
marketing. In addition, proposed
§ 1022.4(c)(2), if finalized, should make
it more difficult for bad actors to
purchase consumer information from
data brokers and threaten national
security or facilitate financial scams and
fraud. In these ways, proposed
§ 1022.4(c)(2) would further the FCRA’s
broad remedial purpose 104 and
Congress’s intent to protect consumers’
right to privacy and to provide greater
protections for particularly sensitive
consumer information.105
In the Small Business Review Panel
Outline, the CFPB described a proposal
under consideration that would have
provided that information in a
communication is expected to be used
for an FCRA purpose if the information
is the type of information typically used
for such a purpose. The Small Business
Review Panel recommended that the
CFPB consider how best to provide
guidance on the types of information
about consumers that are typically used
for an FCRA purpose. Proposed
§ 1022.4(c)(2) is limited to the four types
of information listed in that section: a
consumer’s credit history, credit score,
debt payments, and income or financial
tier. This limitation creates a bright-line
rule that is responsive to the Small
Business Review Panel’s feedback, and
that should simplify compliance and
enforcement and reduce market
uncertainty. The CFPB requests
comment on whether it would be
helpful to provide further guidance
defining the four types of information
listed in proposed § 1022.4(c)(2).
The CFPB notes that proposed
§ 1022.4(c)(2) would cover, for example,
a list of people with income or credit
scores above or below a certain number
or within a certain range, even if a
consumer’s precise income or credit
score is not specified. If all other
elements of the definitions of consumer
report and consumer reporting agency
were satisfied, the list would be a series
of consumer reports and the entity
104 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d
688, 722 (3d Cir. 2010) (describing the FCRA as
‘‘undeniably a remedial statute that must be read in
a liberal manner in order to effectuate the
congressional intent underlying it’’); Guimond v.
Trans Union Credit Info. Co., 45 F.3d 1329, 1333
(9th Cir. 1995) (observing that the FCRA’s
‘‘consumer oriented objectives support a liberal
construction’’ of the statute).
105 See 15 U.S.C. 1681(a).
communicating the list would be a
consumer reporting agency. In addition,
the CFPB reiterates that information
would need to satisfy only one of the
tests in proposed § 1022.4(c) for the
‘‘expected to be used’’ element of the
definition of consumer report to be met.
In other words, the communication of
information that is not specifically
listed in proposed § 1022.4(c)(2)—
including, for example, criminal
records, employment information,
eviction history, and alternative
data 106—could still be a consumer
report if the person communicating the
information expects or should expect
that a recipient of the information in the
communication will use the information
for an FCRA purpose.
The CFPB proposes § 1022.4(c)(2) as
an administrable, bright-line rule for
certain categories of information to
implement the phrase ‘‘expected to be
used’’ in the FCRA’s definition of
consumer report. The CFPB also
proposes § 1022.4(c)(2) pursuant to its
authority to prescribe regulations
necessary to carry out the purposes of
the FCRA and prevent evasion. It is
likely that a substantial number of data
brokers sell the types of information
listed in proposed § 1022.4(c)(2), and
that a substantial number of the entities
that buy such information from data
brokers in fact use it for FCRA
purposes—including to make credit
eligibility determinations. Nevertheless,
many data brokers attempt to avoid the
legal obligations of the FCRA by
remaining ignorant of how their data
ultimately is used, in some instances by
selling data without inquiring into the
buyer’s identity or intended use of the
data, in other instances by ignoring
certain uses or disclaiming liability for
them, and in other instances by selling
data to intermediary entities that sell it
further downstream.107 These
practices—data brokers’ sale of
information that is typically used for
credit eligibility determinations and
data brokers’ minimal oversight of the
uses to which that information is
106 See generally 82 FR 11183 (Feb. 21, 2017)
(request for information about the use or potential
use of alternative data in the credit process).
107 See, e.g., Duke Report on Data Brokers and
Military Personnel Data, supra note 2, at 25–29;
Compl. For Permanent Inj., Monetary Relief, Other
Equitable Relief, and Civil Penalties, FTC v. Instant
Checkmate, LLC, No. 3:23–cv–01674 TWR (MSB)
(S.D. Cal. Sept. 11, 2023), https://www.ftc.gov/
system/files/ftc_gov/pdf/truthfinder_complaint.pdf;
Press Release, Fed. Trade Comm’n, FTC Warns Data
Broker Operations of Possible Privacy Violations
(May 7, 2013), https://www.ftc.gov/news-events/
news/press-releases/2013/05/ftc-warns-data-brokeroperations-possible-privacy-violations.
put 108—have created a unique
likelihood that the information sold by
data brokers will be used by
downstream buyers to evaluate a
consumer’s eligibility for credit.109 Data
brokers collect, buy, and sell the same
types of data that consumer reporting
agencies assemble and disseminate, and
the data broker industry poses many of
the same risks that the FCRA was
designed to address.110 Yet many data
brokers have attempted to evade
coverage under the statute. One purpose
of proposed § 1022.4(c)(2) is to prevent
further evasion.
The CFPB requests comment on
proposed § 1022.4(c)(2) and other
possible approaches to implementing
the definition of consumer report, as
well as on the potential impacts of each
approach, including on whether they
would advance the privacy interests of
consumers and protect consumers from
data misuses and abuses. In addition,
the CFPB requests comment on the
possible effects, if proposed
§ 1022.4(c)(2) is finalized, on entities
that furnish data to, purchase data from,
or rely on the services of entities that
would qualify as consumer reporting
agencies selling consumer reports.
4(d) Personal Identifiers for a Consumer
Proposed § 1022.4(d) relates to certain
personal identifiers for a consumer that
are often referred to as ‘‘credit header’’
information. Personal identifiers
typically appear at the top of consumer
reports and include, for example,
names, date of birth, addresses, Social
Security number (SSN), and telephone
number. In § 1022.4(d)(1), the CFPB
proposes to provide that the term
‘‘consumer report’’ includes a
communication by a consumer reporting
agency of a personal identifier for a
consumer that was collected by the
consumer reporting agency in whole or
in part for the purpose of preparing a
consumer report about the consumer.
This would mean that a consumer
reporting agency could only make such
a communication if the user had a
permissible purpose under the FCRA to
obtain it. Proposed § 1022.4(d)(2) sets
forth an enumerated list of information
that would constitute personal
identifiers for a consumer. The CFPB
proposes § 1022.4(d) to prevent the
misuse of personal identifiers collected
by consumer reporting agencies to
prepare consumer reports and to
prevent evasions of the FCRA.
108 See, e.g., Duke Report on Data Brokers and
Sensitive Data, supra note 29, at 4–8; FTC Data
Broker Report, supra note 25, at B1–B5.
109 See 15 U.S.C. 1681a(d)(1)(A) through (C) and
1681b(a)(3).
110 See 115 Cong. Rec. S2413 (Jan. 31, 1969).
How Personal Identifiers Are Treated Today
The FTC has addressed personal
identifiers collected by consumer
reporting agencies in various contexts
over the last few decades and has
generally taken a fact-specific approach
in determining whether
communications of identifying
information by consumer reporting
agencies are consumer reports. For
example, in 2000, the FTC determined
in an administrative opinion that age
was consumer report information when
communicated by a consumer reporting
agency,111 but that various other types
of personal identifiers were not, based
on evidence in a proceeding regarding
whether the different types of
information bore on the seven factors
specified in the definition of consumer
report and how they were used or
expected to be used.112 In its 2011 staff
report, the FTC indicated that
demographic and identifying
information about consumers such as
name and address generally is not
considered consumer report information
under the FCRA, unless it is used for
eligibility determinations.113 The FTC
stated that a report limited to
identifying information does not
constitute a consumer report if it does
not bear on any of the seven factors
specified in the definition and is not
used to determine eligibility.114
111 In re Trans Union Corp., FTC Docket No.
9255, at 31 (Feb. 10, 2000), https://www.ftc.gov/
sites/default/files/documents/cases/2000/03/
transunionopinionofthecommission.pdf (‘‘[T]he
record shows that an individual’s age does bear on
their credit capacity and is used in credit granting
decisions. . . . The record . . . demonstrates that
lenders use age information as a factor in credit
granting decisions. Further, age clearly bears on
credit capacity where state laws restrict contracting
with minors. Therefore, age information falls within
the definition of a consumer report and its
disclosure by a CRA to target marketers violates the
FCRA.’’) (citations omitted); see also 65 FR 33645,
33668 n.35 (May 24, 2000) (noting that age is
consumer report information).
112 In re Trans Union Corp., FTC Docket No.
9255, at 30–31 (Feb. 10, 2000), https://www.ftc.gov/
sites/default/files/documents/cases/2000/03/
transunionopinionofthecommission.pdf
(concluding that (1) name, mother’s maiden name,
generational designator, telephone number, and
SSN were not consumer report information because
the evidence presented in the proceeding did not
show that they bore on any of the seven factors
specified in the definition of consumer report, and
(2) address was not consumer report information
because, while it might bear on creditworthiness,
the evidence presented in the proceeding did not
show that address was used or expected to be used
as a credit eligibility factor in scoring or as a credit
criterion in prescreening).
113 FTC 40 Years Staff Report, supra note 21, at
1 n.4.
114 Id. at 21. The 2011 staff report indicated, for
example, that ‘‘[t]elephone and other directories
that only provide names, addresses, and phone
numbers, are not ‘consumer reports,’ because the
In finalizing its initial privacy
regulation under the Gramm-Leach-Bliley Act (GLBA), the FTC explained
that, to the extent that a consumer
reporting agency’s communication of
‘‘credit header’’ information is not a
consumer report, GLBA and its
implementing regulation limit consumer
reporting agencies’ redisclosure of
information furnished by financial
institutions pursuant to the GLBA’s
consumer reporting exception, which
allows financial institutions to share
nonpublic personal information with a
consumer reporting agency in
accordance with the FCRA without
providing consumers notice and an
opportunity to opt out of such
sharing.115 Specifically, the FTC
explained that GLBA and its
implementing regulation do not allow a
consumer reporting agency that receives
information pursuant to this exception
to redisclose the information to
‘‘individual reference services, direct
marketers, or any other party that does
not have a permissible purpose to obtain
that information as part of a consumer
report.’’ 116 The FTC noted, however,
that consumer reporting agencies may
be able to sell consumer identifying
information if they receive the
information from financial institutions
outside of a GLBA exception.117
Courts considering communications
of personal identifiers by consumer
reporting agencies have generally
concluded that such communications
are not consumer reports, largely on the
ground that the information does not
bear on the factors specified in the
definition.118 However, similar to the
information is not collected to be used or expected
to be used in evaluating consumers for credit,
insurance, employment, or other purposes.’’ The
FTC recognized, however, that a list of consumers’
names and addresses is a series of consumer reports
if the list is assembled or defined by reference to
characteristics or other information that is also used
(even in part) in eligibility decisions. For example,
the FTC noted that ‘‘a list comprised solely of
consumer names and addresses, but compiled based
on the criterion that every name on the list has at
least one active trade line, updated within six
months, is a series of consumer reports.’’ Id.
115 65 FR 33646, 33668 (May 24, 2000) (citing 15
CFR 313.15(a)(5), which the CFPB later restated in
Regulation P as 12 CFR 1016.15(a)(5)).
116 65 FR 33646, 33668 (May 24, 2000) (declining
requests that the FTC create a new exception to the
reuse and redisclosure limitations that would allow
consumer reporting agencies to sell ‘‘credit header’’
information); see also Trans Union LLC v. FTC, 295
F.3d 42 (D.C. Cir. 2002) (rejecting challenges to FTC
privacy rule, including to its handling of header
information).
117 65 FR 33646, 33668–69 (May 24, 2000).
118 See, e.g., Gray v. Experian Info. Sols. Inc., No.
8:23–CV–981–WFJ–AEP, 2023 WL 6895993, at *3–
4 (M.D. Fla. Oct. 19, 2023); Bickley v. Dish Network,
LLC, 751 F.3d 724, 729 (6th Cir. 2014); Ali v. Vikar
Mgmt. Ltd., 994 F. Supp. 492, 497, 499 (S.D.N.Y.
FTC’s guidance, some decisions have
recognized that communications of
identifying information may meet the
FCRA definition of consumer report in
specific circumstances.119
Consumer reporting agencies and
other industry stakeholders have
generally taken the position that
personal identifiers are not subject to
the FCRA at all.120 Consumer reporting
agencies thus currently sell ‘‘credit
header’’ information for purposes that
are not permissible purposes under the
FCRA.121 For example, such
information appears to be offered for
sale for purposes not authorized under
section 604, such as marketing 122 that is
not done in accordance with the
statute’s prescreening or written
instructions provisions.123
1998); Dotzler v. Perot, 914 F. Supp. 328, 330–31
(E.D. Mo. 1996), aff’d, 124 F.3d 207 (8th Cir. 1997).
119 Steinmetz v. LexisNexis, No. 2:19–CV–00070–
RFB–DJA, 2020 WL 2198974, at *3 (D. Nev. May 5,
2020) (noting that ‘‘it is not inconceivable that
information like one’s birthdate could be relevant
for determining eligibility for certain consumer
credit products’’).
120 See, e.g., Comment from stakeholder Equifax,
Re: CFPB’s Small Business Advisory Review Panel
for Consumer Reporting Rulemaking—Outline of
Proposals and Alternatives Under Consideration, at
2 (Nov. 6, 2023) (‘‘Credit header information, such
as name, current and former addresses, Social
Security number, date of birth, and phone number,
does not meet the current, definitional standard for
a consumer report.’’). Indeed, an industry trade
association has erroneously suggested that the FTC
has categorically excluded identifying information
from the definition of consumer report. Comment
from stakeholder CDIA, Re: CFPB’s Small Business
Advisory Review Panel for Consumer Reporting
Rulemaking—Outline of Proposals and Alternatives
Under Consideration, at 13 (Nov. 6, 2023) (‘‘The
FTC’s long-standing and unambiguous
interpretation of the FCRA is that identifying
information (i.e., credit header information) does
not constitute a consumer report.’’).
121 See, e.g., What Is Credit Header?, Tracers (Oct.
22, 2020), https://www.tracers.com/blog/what-iscredit-header/ (‘‘You can see how beneficial all of
this information can be if you’re a business trying
to reach out to brand new or existing customers.
This type of data isn’t regulated under the Fair
Credit Reporting Act because it’s not part of a
customer’s credit history, which means you can use
it in a variety of ways for your business’s benefit.’’).
122 See, e.g., Introducing Acxiom Auto 360: Data
Solution for OEMs and Car Dealerships, Acxiom,
https://www.acxiom.com/auto-360/ (last visited
Oct. 30, 2024) (‘‘What if you needed only one,
incredibly powerful data-marketing tool? One
solution using best-in-industry capabilities
combining household data sets with credit header
data and adding insights to influence a customer’s
next buying decision.’’).
123 FCRA section 604(c)(1)(B) permits consumer
reporting agencies to furnish consumer reports in
connection with credit or insurance transactions
not initiated by the consumer under certain
conditions, including that the consumer reporting
agency must allow consumers to opt out of the
prescreening process, the user must provide a firm
offer of credit or insurance to consumers whose
information they receive, and both the consumer
reporting agency and the user must comply with
notice requirements. FCRA section 604(a)(2)
permits consumer reporting agencies to furnish a
consumer report in accordance ‘‘with the written
instructions of the consumer to whom it relates.’’
Implementing the FCRA’s Definition of the Term ‘‘Consumer Report’’
The CFPB proposes § 1022.4(d)
pursuant to its authority under FCRA
section 621(e)(1) to ‘‘prescribe
regulations as may be necessary or
appropriate to administer and carry out
the purposes and objectives’’ of the
FCRA, including the definition of
consumer report in FCRA section
603(d). As noted above, a consumer
report under the FCRA is, in general, a
communication by a consumer reporting
agency of any information that: (1) bears
on at least one of seven specified
factors; and (2) is used or expected to be
used or collected in whole or in part for
the purpose of serving as a factor in
establishing a consumer’s eligibility for
credit, insurance, or employment
purposes or for any other purpose
authorized under FCRA section 604.
The CFPB preliminarily concludes that
a consumer reporting agency’s
communication of a personal identifier
for a consumer that the consumer
reporting agency collected for the
purpose of preparing a consumer report
about the consumer meets both prongs
of the definition and, therefore, that a
communication of such information by
a consumer reporting agency is a
consumer report.
The CFPB preliminarily concludes
that personal identifiers for a consumer
bear on one or more of the seven factors
specified in the definition of consumer
report. Those factors are a consumer’s
creditworthiness, credit standing, credit
capacity, character, general reputation,
personal characteristics, or mode of
living.
Webster’s dictionary defines
‘‘characteristic’’ as ‘‘a distinguishing
trait, quality, or property.’’ 124 A
consumer’s names (including aliases),
age or date of birth, addresses,
telephone numbers, email addresses,
and SSN or Individual Taxpayer
Identification Number (ITIN) are all
themselves personal characteristics of
the consumer because they are personal
traits, qualities, or properties that serve
to distinguish the consumer.125
Personal identifiers for a consumer
also can bear on the specified factors in
other ways. For example, a consumer’s
current and former names and aliases
may bear on the consumer’s mode of
living by revealing family associations,
marital history, and the names the
124 See Characteristic, Merriam-Webster.com
Dictionary, https://www.merriam-webster.com/
dictionary/characteristic (last visited Oct. 30, 2024).
125 See, e.g., Moreland v. CoreLogic SafeRent LLC,
No. SACV 13–470 AG ANX, 2013 WL 5811357, at
*4 (C.D. Cal. Oct. 25, 2013) (‘‘Where a person lives
is a fundamental ‘personal characteristic [ ].’ ’’).
consumer has chosen to use. Similarly,
email addresses that the consumer uses
or has used may, for example, provide
information about the consumer’s
educational or employment
associations. Addresses and telephone
numbers provide information about
where a consumer has lived, how often
they have moved, and whether they
receive mail at a post office box, which
are part of the consumer’s mode of
living. The fact that no SSN is provided
for a consumer or that another
identification number (such as an ITIN
or a matricula consular number) is
provided can reveal information about
the consumer’s immigration status,
which is a personal characteristic and
bears on the consumer’s mode of living.
Additionally, the mere fact that a
particular consumer reporting agency or
type of consumer reporting agency has
personal identifiers for a consumer can
itself bear on one or more of the factors
specified in the definition of consumer
report. For example, the fact that a
nationwide consumer reporting agency
has personal identifiers for a consumer
suggests that it has credit records about
the consumer and the consumer is not
‘‘credit invisible,’’ which goes to the
consumer’s credit capacity or credit
standing. Similarly, the fact that a
particular type of specialty consumer
reporting agency has personal
identifiers for a consumer might suggest
that the consumer rents rather than
owns their home; has applied for
individually underwritten life or health
insurance; has had claims filed against
their homeowner’s or automobile
insurance policies; or has a
telecommunication, pay TV, or utility
account.126
The CFPB also preliminarily
determines that personal identifiers
collected by consumer reporting
agencies to prepare consumer reports
meet the second prong of the definition
126 See, e.g., Consumer Fin. Prot. Bureau, List of
Consumer Reporting Companies (2024), https://
www.consumerfinance.gov/consumer-tools/creditreports-and-scores/consumer-reporting-companies/
companies-list/ (last visited Oct. 15, 2024) (‘‘Most
tenant screening companies won’t have information
on you unless you apply for rental housing or
otherwise authorize a landlord or property manager
to obtain a report from them.’’); Request Your MIB
Underwriting Services Consumer File, MIB Group,
https://www.mib.com/request_your_record.html
(last visited Oct. 15, 2024) (‘‘You will not have an
MIB Underwriting Services Consumer File unless
you have applied for individually underwritten life
or health insurance in the last seven years.’’);
Natalie Todoroff & Jessa Claeys, What are CLUE
reports in insurance? Bankrate (Sept. 3, 2024),
https://www.bankrate.com/insurance/homeownersinsurance/clue-report/ (describing information
included in CLUE reports); NCTUE empowers you
to take control of your credit, NCTUE Consumers,
https://nctue.com/consumers/ (last visited Oct. 15,
2024).
of consumer report because they are
used or expected to be used or collected
in whole or in part for the purpose of
serving as a factor in establishing the
consumer’s eligibility for consumer
credit or insurance, employment
purposes, or other purposes authorized
under FCRA section 604. The personal
identifiers at issue in this proposal are
only information that comes from
entities that are already consumer
reporting agencies that furnish
consumer reports, and the question is
whether such entities can take the
sensitive contact information that they
collect to prepare consumer reports and
sell it for purposes not authorized under
the FCRA. In that fact pattern, the CFPB
preliminarily determines that the
sensitive contact information was
‘‘collected in whole or in part’’ to
populate consumer reports to furnish to
clients that use it for a permissible
purpose. Proposed § 1022.4(d) does not
address data brokers that sell contact
information that was not collected for
the purpose of preparing consumer
reports.
Moreover, every time any information
from a consumer report, such as income
or employment history, is used as a
factor in determining eligibility for an
FCRA purpose, a personal identifier for
the consumer must also be used.
Otherwise, it would be impossible for
users to be sure that the information
used from the consumer report relates to
the correct consumer.
Indeed, personal identifiers provided
by consumer reporting agencies can be
critical in assessing whether applicable
requirements are met. For example,
employers may be required for certain
positions to ensure that prospective
employees do not appear on a sex
offender registry and may use names
and other personal identifiers from
consumer reporting agencies to do so.
Similarly, financial institutions and
others may use names and other
personal identifiers in determining
whether an applicant for credit or other
products or services is on the list of
Specially Designated Nationals
maintained by the Office of Foreign
Assets Control (OFAC) or one of OFAC’s
other sanctions lists, to ensure that
OFAC’s regulations do not prohibit
them from approving the transaction.127
127 See generally Off. of Foreign Assets Control,
U.S. Dep’t of Treas., FFIEC, BSA/AML Manual:
Office of Foreign Assets Control—Overview, https://
bsaaml.ffiec.gov/manual/
OfficeOfForeignAssetsControl/01 (last visited Oct.
15, 2024); Cortez v. Trans Union, LLC, 617 F.3d 688,
707–08 (3rd Cir. 2010) (‘‘Trans Union invites us to
conclude that information that goes to the very
legality of a credit transaction is somehow not ‘a
factor in establishing the consumer’s eligibility . . .
for credit.’. . . . It is difficult to imagine an inquiry
Personal identifiers provided by
consumer reporting agencies can also
serve as a factor in eligibility
determinations in other ways. For
example, age may be specifically
considered in determining whether a
consumer meets requirements for credit
and insurance products and services.
Minors, for example, may be ineligible
to even enter into contracts under State
law, and some products such as reverse
mortgages are only offered to seniors.128
Age also can determine whether an
applicant is eligible for a particular
employment position or for benefits
such as Social Security retirement
benefits and Supplemental Security
Income.129 Similarly, whether a
consumer has an SSN can affect
eligibility for employment, Social
Security benefits, and certain other
government benefits.130
Address information provided by
consumer reporting agencies can also
play a role in eligibility determinations.
For example, many financial service
providers and insurance companies are
only licensed to operate in particular
States and therefore can only offer their
products or services to consumers
residing in those jurisdictions. Federally
regulated lenders are also prohibited
from making a mortgage loan to a
consumer if a property is not covered by
flood insurance and is located in a
Special Flood Hazard area where flood
more central to a consumer’s ‘eligibility’ for credit
than whether federal law prohibits extending credit
to that consumer in the first instance. The
applicability of the FCRA is not negated merely
because the creditor/dealership could have used the
OFAC Screen to comply with the USA PATRIOT
Act, as well as deciding whether it was legal to
extend credit to the consumer.’’); Off. of Foreign
Assets Control, U.S. Dep’t of Treas., Frequently
Asked Question #46 (Sept. 10, 2002), https://
ofac.treasury.gov/faqs/46 (last visited Oct. 15, 2024)
(discussing what to provide as a denial reason on
an adverse action notice if a loan meets an
institution’s underwriting standards but is a true
‘‘hit’’ on the Specially Designated Nationals list).
128 Fed. Trade Comm’n, Reverse Mortgages (Aug.
2022), https://consumer.ftc.gov/articles/reverse-mortgages (noting that you cannot legally commit
to a regular mortgage until you are 18, unless you
have a co-signer, and that you must be 62 or older
to get a reverse mortgage); cf. In re Trans Union
Corp., FTC Docket No. 9255, at 31 (Feb. 10, 2000),
https://www.ftc.gov/sites/default/files/documents/
cases/2000/03/transunionopinionofthecommission.
pdf (explaining various ways in which age had been
used in credit granting decisions).
129 See, e.g., Soc. Sec. Admin., Retirement
Benefits, at 2–4 (2024), https://www.ssa.gov/pubs/
EN-05-10035.pdf (explaining age restrictions for
Social Security retirement benefits); Soc. Sec.
Admin., Supplemental Security Income (SSI)
Eligibility Requirements (2024), Understanding
SSI—SSI Eligibility (ssa.gov).
130 Soc. Sec. Admin., Social Security Numbers for
Noncitizens (Apr. 2023), https://www.ssa.gov/pubs/
EN-05-10096.pdf (‘‘You need an SSN to work,
collect Social Security benefits, and receive other
government services.’’).
insurance is available.131 Employment
positions may be limited to residents of
certain localities.
In light of all of these considerations,
the CFPB preliminarily concludes that
communications by consumer reporting
agencies of personal identifiers for a
consumer that are collected by a
consumer reporting agency for the
purpose of preparing consumer reports
about the consumer are consumer
reports. FCRA section 608 further
supports this interpretation by
specifically permitting consumer
reporting agencies to share ‘‘identifying
information respecting any consumer,
limited to his name, address, former
addresses, places of employment, or
former places of employment’’ with a
governmental agency notwithstanding
the permissible purpose requirements
for consumer reports.132 If identifying
information were entirely excluded
from the definition of consumer report
as industry has suggested, there would
have been no need for Congress to craft
FCRA section 608 to expressly allow
sharing of certain identifying
information with government agencies.
Proposed § 1022.4(d) Would Promote
the FCRA’s Goals and Prevent Misuse of
Personal Identifiers
Proposed § 1022.4(d) would promote
the FCRA’s goals of ensuring accuracy
and fairness in consumer reporting by
ensuring that personal identifiers
collected by consumer reporting
agencies for the purpose of preparing
consumer reports are subject to all of the
FCRA’s protections that apply to
consumer reports. A primary purpose of
the FCRA is ‘‘to protect consumers from
the transmission of inaccurate
information about them, and to establish
credit reporting practices that utilize
accurate, relevant, and current
information in a confidential and
responsible manner.’’ 133 The CFPB has
long recognized how important personal
identifiers are in ensuring the accuracy
of consumer reports.134 Specifying that
such information is a consumer report
when it is communicated on its own by
a consumer reporting agency would
ensure that consumers receive notice
when adverse actions are taken based on
the information, thereby alerting
131 42 U.S.C. 4012a(b).
132 15 U.S.C. 1681f.
133 Guimond v. Trans Union Credit Info. Co., 45
F.3d 1329, 1333 (9th Cir. 1995) (citations omitted).
134 For example, the CFPB highlighted in an
advisory opinion regarding name-only matching the
importance of consumer reporting agencies’
matching procedures in ensuring accuracy. 86 FR
62468 (Nov. 10, 2021). However, even the best
matching procedures cannot prevent mistakes if the
identifying information maintained by consumer
reporting agencies is itself wrong.
consumers to inaccuracies in their
personal identifiers as well as increasing
visibility for consumers into users’
decision-making. It would also help
confirm that consumers have a right to
dispute incorrect personal identifiers
maintained by consumer reporting
agencies and have their information
corrected.135 For example, there may be
consumers who are being denied credit,
insurance, employment, or benefits due
to an address or SSN discrepancy
resulting from erroneous information
and who would benefit from an adverse
action notice so they can identify and
clear up the error.
Providing that the term ‘‘consumer
report’’ includes personal identifiers
collected by consumer reporting
agencies to prepare consumer reports
would also protect consumers’ privacy
by limiting access to such information
to entities that have one of the purposes
recognized by Congress in the FCRA. As
discussed elsewhere in this document,
recent studies by Duke University have
found that data brokers are openly and
explicitly advertising for sale sensitive
demographic and other information
about U.S. individuals, including active-duty members of the military, their
families, and veterans, which can be
used to identify and compromise or
blackmail them in order to obtain
sensitive military information,
threatening national security.136
Personal identifiers may include
sensitive information, including SSNs
and driver’s license numbers, as well as
addresses and telephone numbers for
people who do not wish to be located,
such as domestic violence survivors
seeking to stay safe from their abusers.
Consumer groups have noted that,
because consumer reporting agencies
sell ‘‘credit header’’ information, this
information has become readily
available for purchase online. They have
expressed concern that this online
marketplace for ‘‘credit header’’
information is used for doxing, identity
theft, harassment, and physical
135 In the absence of a bright-line rule regarding
personal identifiers, at least one consumer reporting
agency has taken the position that consumer
reporting agencies have no obligation to investigate
consumer disputes about inaccurate identifying
information that they use in generating consumer
reports, notwithstanding the fact that the FCRA
clearly requires them to do so. See Brief of Amici
Curiae, Consumer Fin. Prot. Bureau and Fed. Trade
Comm’n in Supp. of Plaintiff-Appellant, Nelson v.
Experian Info. Sols., Inc., No. 4:21–cv–00894–CLM
(11th Cir. filed Mar. 29, 2024), https://
files.consumerfinance.gov/f/documents/cfpb_
amicus-brief-nelson-v-experian_2024-03.pdf.
136 Duke Report on Data Brokers and Military
Personnel Data, supra note 2; Duke Report on Data
Brokers and Sensitive Data, supra note 29.
violence.137 Investigative reporting by
404 Media indicates that criminals have
obtained access to ‘‘credit header’’
information and are selling unfettered
access to such data to other
criminals.138
Except for certain information that
may be released to government agencies
under specific FCRA provisions, the
proposal would curtail consumer
reporting agencies’ ability to furnish
without a permissible purpose personal
identifiers that had been collected for
the purpose of preparing consumer
reports. The proposal would thus
reduce the ability of consumer reporting
agencies to disclose sensitive contact
information that ultimately could be
accessed and used by stalkers, doxxers,
domestic abusers, and other
lawbreakers, as discussed above. While
the storage of Americans’ sensitive data
may be necessary to facilitate lending,
employment background checks, and
other beneficial uses prescribed under
the FCRA, it cannot be used to facilitate
crimes.
Impacts on Other Current Uses of
Personal Identifiers
The Small Business Review Panel
recommended that the CFPB consider
the impacts on current uses of ‘‘credit
header’’ information (including, e.g., for
137 See, e.g., Comment from stakeholders Just
Futures Law, Consumer Action, and six other
nonprofits, Re: CFPB’s Small Business Advisory
Review Panel for Consumer Reporting
Rulemaking—Outline of Proposals and Alternatives
Under Consideration, at 2 (Nov. 6, 2023).
138 Joseph Cox, The Secret Weapon Hackers Can
Use to Dox Nearly Anyone in America for $15, 404
Media (Aug. 22, 2023), https://www.404media.co/
the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF (‘‘This is the
result of a secret weapon criminals are selling
access to online that appears to tap into an
especially powerful set of data: the target’s credit
header. . . . Through a complex web of agreements
and purchases, that data trickles down from the
credit bureaus to other companies who offer it to
debt collectors, insurance companies, and law
enforcement. A 404 Media investigation has found
that criminals have managed to tap into that data
supply chain, in some cases by stealing former law
enforcement officer’s identities, and are selling
unfettered access to their criminal cohorts online.’’);
see also Joseph Cox & Emanuel Maiberg, Fiverr
Freelancers Offer to Dox Anyone With Powerful
U.S. Data Tool, 404 Media (July 2, 2024), https://
www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/ (‘‘Dozens
of sellers on the freelancing platforming Fiverr
claim to have access to a powerful data tool used
by private investigators, law enforcement, and
insurance firms which contains personal data on
much of the U.S. population. The sellers are then
advertising the ability to dig through that data for
prospective buyers, including uncovering peoples’
Social Security numbers for as little as $30,
according to listings viewed by 404 Media. . . .
The advertised tool is TLOxp, maintained by the
credit bureau TransUnion, and can also provide a
target’s unlisted phone numbers, utilities, physical
addresses, and more.’’).
identity verification, fraud prevention
and detection, employment background
checks, other investigations, and digital
advertising) and ways to mitigate any
negative effects if communications of
‘‘credit header’’ information are
consumer reports.139 Small entity
representatives and others have noted
that ‘‘credit header’’ information has
numerous beneficial uses. For example,
it is often used currently to comply with
legal obligations related to identity
verification. These obligations include
customer identification programs and
anti-money laundering compliance
obligations pursuant to the USA
PATRIOT Act and the Bank Secrecy
Act, which are designed to prevent and
detect money laundering and the
financing of terrorism.140 According to
industry trade associations, ‘‘credit
header’’ information is also used for
other purposes, such as identifying and
locating people in a range of contexts,
including missing children, victims of
natural disasters, and responsible
parties and witnesses in insurance
claims investigations and civil and
criminal matters.141 Other uses cited
include investigating human trafficking,
ensuring that packages are sent to the
correct address, preventing online
purchase fraud, and ensuring age-restricted content and merchandise is
not available to minors.
Industry stakeholders have expressed
concern that treating ‘‘credit header’’
information as consumer report
information may increase costs, result in
delays where time is of the essence, and
cause consumer frustration, while
undermining efforts to combat money
laundering, terrorism, and other crimes.
However, it appears that many of these
predictions overstate the consequences
of reading the FCRA’s definition of
consumer report to include
communications of personal identifiers
collected by consumer reporting
139 Small Business Review Panel Report, supra
note 40, at 47–48 & section 9.3.3.
140 For example, section 326 of the USA
PATRIOT Act requires the U.S. Department of
Treasury’s Financial Crimes Enforcement Network
(FinCEN) to prescribe regulations that require
financial institutions to establish programs for
account opening that include: (1) verifying the
identity of any person seeking to open an account,
to the extent reasonable and practicable; (2)
maintaining records of the information used to
verify the person’s identity, including name,
address, and other identifying information; and (3)
determining whether the person appears on any
lists of known or suspected terrorists or terrorist
organizations provided to the financial institution
by any government agency. 31 U.S.C. 5318(l).
141 Other examples cited include identifying and
locating owners of lost or stolen property, heirs,
pension beneficiaries, organ and tissue donors,
suspects, terrorists, fugitives, tax evaders, and
parents and ex-spouses with delinquent child or
spousal support obligations.
agencies to prepare consumer reports. If
the proposal is finalized, identifying
information would still be available in
various ways. Many current uses of such
information, such as confirming an
applicant meets the minimum age
requirement for a job or a loan, fall
within specific permissible purposes. If
an entity has a permissible purpose
under FCRA section 604(a)(3) to obtain
a consumer report, the entity can also
use the consumer report for identity
verification and fraud prevention
activities conducted in connection with
that permissible purpose. For example,
a creditor has a permissible purpose to
use consumer report information for
identity verification and fraud
prevention if such activities are
conducted in connection with a credit
transaction that involves an extension of
credit to the consumer or review or
collection of a credit account of the
consumer.142 A court order or a
subpoena can also provide an FCRA
permissible purpose.143 Additionally, a
consumer’s written instructions can
provide a permissible purpose, such as
for any identity verification or fraud
prevention activities that are not
conducted in connection with another
permissible purpose.144
Furthermore, proposed § 1022.4(d)
would not affect access to identifying
information from any sources that are
not subject to the FCRA. Proposed
§ 1022.4(d) would not, for example,
affect the status or availability of an
ordinary telephone directory or of any
other repository of identifying
information that is not collected for the
purpose of preparing consumer reports.
Other data sources could include, for
example, public records directly from a
government entity, such as property
records, voter registrations, and
professional license filings.145
Proposed § 1022.4(d) also would not
affect the status or availability of
identifying information obtained from
financial institutions for purposes other
than to prepare consumer reports.146
The GLBA and Regulation P generally
require financial institutions to provide
consumers with notice and a right to opt
out of the sharing of their nonpublic
personal information with non-affiliated
142 FCRA section 604(a)(3)(A), 15 U.S.C.
1681b(a)(3)(A).
143 FCRA section 604(a)(1), 15 U.S.C. 1681b(a)(1).
144 See infra discussion of proposed § 1022.11.
145 See discussion of government-run databases in
the discussion of proposed § 1022.5 below.
146 To the extent any repository included
identifying information obtained from financial
institutions, it would need to comply with the
restrictions and requirements of the GLBA and its
implementing regulations, including the limitations
on reuse and redisclosure. See, e.g., 15 U.S.C.
6802(c); 12 CFR 1016.11.
third parties, but an exception to these
requirements provides that financial
institutions can share such information
‘‘to protect against or prevent actual or
potential fraud, unauthorized
transactions, claims, or other
liability.’’ 147
Some stakeholders have raised
questions about the impact that this
proposed intervention might have on
government agencies’ access to
identifying information originating from
consumer reporting agencies for law
enforcement and other purposes.
Government agencies, including local,
Tribal, State, and Federal law
enforcement, access personal identifiers
for numerous beneficial uses. These
include for facilitating access to and
administering government benefits,
identifying and ruling out suspects for
criminal investigations, identifying
witnesses, and other uses that may serve
the public interest.
Law enforcement and other
government agencies currently obtain
data from a broad range of sources and
proposed § 1022.4(d) would not affect
many of these sources, such as
government-run databases addressed
below in the discussion of proposed
§ 1022.5. To the extent that government
agencies currently use information that
would be affected by proposed
§ 1022.4(d), they would continue to be
able to access such information in a
variety of ways if the proposed rule
were finalized. For example, FCRA
section 608 provides that a consumer
reporting agency may furnish to a
governmental agency the name, address,
former addresses, places of
employment, or former places of
employment of any consumer even if no
147 15 U.S.C. 6802(e)(3)(B); 12 CFR
1016.15(a)(2)(ii). A financial institution may
provide identifying information to a non-affiliated
third party for purposes of identity verification and
fraud prevention pursuant to this exception, and
Regulation P’s reuse and redisclosure provisions
would allow the recipient of such information to
redisclose the information to other non-affiliated
third parties for the same purposes. 15 U.S.C.
6802(c); 12 CFR 1016.11(a)(1)(iii), (c)(3) (providing
that information received pursuant to an exception,
such as the fraud exception, may generally only be
used or disclosed in the ordinary course of business
to carry out the activity covered by the exception
under which the recipient received the
information). As long as the information was not
received under Regulation P’s exception to the
notice and opt out requirements to allow disclosure
of nonpublic personal information for consumer
reporting purposes (see 12 CFR 1016.15(a)(5)(i),
allowing financial institutions to provide
consumers’ nonpublic information to consumer
reporting agencies in accordance with the FCRA),
or otherwise collected, expected to be used, or used
for the purpose of serving as a factor in establishing
the consumer’s eligibility for an FCRA permissible
purpose, the communication of such data would
not be a consumer report under proposed
§ 1022.4(d).
permissible purpose exists. FCRA
sections 626 and 627 also provide that,
under specified circumstances,
consumer reporting agencies must
provide certain consumer reporting
information to the FBI and a consumer
report and all other information in a
consumer’s file to certain government
agencies for counterintelligence or
counterterrorism purposes.148 If
government agencies required
additional information beyond what is
available pursuant to FCRA sections
608, 626, and 627, access could be
obtained through a court order, a
subpoena, a consumer’s written
instructions, or any other permissible
purpose.
While personal identifiers would
remain available to law enforcement
and other government agencies through
these various channels, the CFPB
recognizes the value of government
agencies’ access to personal identifiers
in efficient, consolidated, and timely
ways. The CFPB therefore requests
comment on proposed § 1022.4(d) and
how best to maintain government
agencies’ access to personal identifiers
in order to ensure that the beneficial
uses described above can continue as
usual. In particular, the CFPB requests
comment on a potential exemption from
§ 1022.4(d) for communications
consisting exclusively of personal
identifiers that are solely furnished to,
or solely used to furnish to, local,
Tribal, State, and Federal governments.
The CFPB is also continuing to
consider the potential impacts of
proposed § 1022.4(d) on the other areas
identified by the Small Business Review
Panel. The CFPB requests comment on
those impacts and on ways to mitigate
any potentially negative impacts.
Preventing Evasions of the FCRA
In addition to proposing § 1022.4(d)
pursuant to the CFPB’s authority to
‘‘prescribe regulations as may be
necessary or appropriate to administer
and carry out the purposes and
objectives’’ of the FCRA, the CFPB also
proposes § 1022.4(d) pursuant to its
rulemaking authority under FCRA
section 621(e) to prevent evasions of,
and to facilitate compliance with, the
FCRA. Proposed § 1022.4(d) would
facilitate compliance with the FCRA by
establishing a clear, bright-line rule on
how the FCRA applies to personal
identifiers. It also would help to prevent
evasions of the FCRA where consumer
reporting agencies willfully or otherwise
ignore how the personal identifiers they
sell are used or expected to be used or
148 15 U.S.C. 1681u, 1681v.
wrongly assume such information
cannot bear on the specified factors.
The absence of a bright-line rule
regarding personal identifiers could
raise more compliance concerns and
make the rule more susceptible to
evasions than proposed § 1022.4(d)’s
categorical approach. As noted above,
the FTC’s staff guidance in the 40 Years
Staff Report indicated that identifying
information can be consumer report
information if it bears on any of the
seven factors identified in the FCRA and
is used to determine eligibility.149
Rather than engaging in the
communication-by-communication
analysis required under the FTC’s
approach, many consumer reporting
agencies and trade associations have
instead taken the position that
communication of personal identifiers is
never a consumer report. Indeed,
although the FTC recognized decades
ago that communications of age
information drawn from consumer
reporting databases fall within the
definition of a consumer report,150
consumer reporting agencies have
continued to include age information,
such as full or partial dates of birth, in
the ‘‘credit header’’ information they
sell to entities that have no permissible
purpose under the FCRA, incorrectly
claiming that such information is not
covered by the FCRA.151 As technology
advances, uses of identifying
information in eligibility determinations
are likely to expand and develop in
ways that may not be visible to
regulators and consumers, amplifying
the concern that consumer reporting
agencies may violate the FCRA in the
absence of a bright-line rule regarding
personal identifiers. The CFPB
149 FTC 40 Years Staff Report, supra note 21, at
21.
150 In re Trans Union Corp., FTC Docket No.
9255, at 31 (Feb. 10, 2000), https://www.ftc.gov/
sites/default/files/documents/cases/2000/03/
transunionopinionofthecommission.pdf
(concluding based on the evidence presented that
‘‘age information falls within the definition of a
consumer report’’); see also 65 FR 33645, 33668
n.35 (May 24, 2000) (noting that the FTC’s 2000
decision determined that age is consumer report
information).
151 See, e.g., Matt Wiley, What Is Header Data?,
Equifax (Feb. 22, 2021), https://www.equifax.com/
business/blog/-/insight/article/what-is-header-data/
); CLEAR Enhancements Overview, Thomson
Reuters, https://legal.thomsonreuters.com/content/
dam/ewp-m/documents/legal/en/pdf/fact-sheets/
clear-enhancements-2021.pdf (announcing
inclusion of full Equifax ‘‘credit header’’
information regarding date of birth in CLEAR
database) (last visited Oct. 15, 2024); Letter from
Ron Wyden, Sen., U.S. Senate, to Rohit Chopra,
Director, CFPB (Dec. 8, 2021), https://
www.wyden.senate.gov/imo/media/doc/
CFPB%20Letter%20120821.pdf (describing sale of
‘‘credit header’’ information from the National
Consumer Telecom and Utilities Exchange
including date of birth).
preliminarily determines that proposed
§ 1022.4(d)’s categorical approach with
respect to personal identifiers is
necessary to facilitate compliance with
the FCRA and to prevent evasion of the
FCRA by consumer reporting agencies
that sell personal identifiers without
adequately considering whether the
information they are selling constitutes
a consumer report.
The CFPB requests comment on
whether, in lieu of adopting the
approach of proposed § 1022.4(d), a
final rule should provide that a
communication by a consumer reporting
agency of personal identifiers can be a
consumer report if the information
meets the two-prong test in proposed
§ 1022.4(a)’s definition of consumer
report. If the CFPB adopted this
alternative approach in a final rule, the
final rule could provide illustrative
examples of communications by
consumer reporting agencies of personal
identifiers that are consumer reports,
such as communications of age or
address information. The CFPB requests
comment on examples that might be
helpful to include if it were to adopt
this alternative approach in a final rule.
4(e) De-Identification of Information
Proposed § 1022.4(e) addresses when
a consumer reporting agency’s
communication of de-identified
information should be considered a
consumer report. Industry participants
often assume that information drawn
from a consumer reporting database is
not a consumer report if the information
has been aggregated or otherwise
stripped of identifying information.
However, information that has been
aggregated or otherwise purportedly de-identified can often be used to re-identify individuals and to target
individuals to receive or not receive
marketing or used in other ways that
may violate consumer privacy. The
CFPB is considering a range of options
to address the risk of re-identification of
consumer report information that has
been de-identified.152 The CFPB
therefore proposes three alternative
versions of § 1022.4(e). The proposed
152 In the Small Business Review Panel Outline,
the CFPB indicated that it was considering
proposals to clarify whether and when ‘‘aggregated
or anonymized’’ consumer report information
constitutes or does not constitute a consumer
report. Small Business Review Panel Outline, supra
note 39, at 11. The CFPB is using the terms ‘‘de-identified information’’ and ‘‘de-identification’’ in
this proposal because it believes these terms
capture information that has been stripped of
identifiers, through aggregation or other means, and
therefore can encompass information that has been
aggregated or anonymized or both. The term ‘‘de-identified’’ is similar to the term ‘‘anonymized’’ that
was used in the Outline but more aptly conveys that
there is a possibility that data may be re-identified.
alternatives are all designed to further
the FCRA’s goal of ensuring the privacy
of consumer information, including by
preventing targeted marketing using
purportedly de-identified consumer
reporting information that could be re-identified. Each alternative would have
varying effects on the use of de-identified information as discussed
below.
FCRA section 603(d)(1) defines
consumer report, in part, as a
‘‘communication of . . . information by
a consumer reporting agency bearing on
a consumer’s credit worthiness, credit
standing, credit capacity, character,
general reputation, personal
characteristics, or mode of living.’’ 153
FCRA section 603(c) defines a consumer
as ‘‘an individual.’’ 154 Interpreting these
terms, the FTC 40 Years Staff Report
states that ‘‘information may constitute
a consumer report even if it does not
identify the consumer by name if it
could ‘otherwise reasonably be linked to
the consumer.’ ’’ 155 Extrapolating from
that statement, many stakeholders today
believe that a communication of
information by a consumer reporting
agency is not a consumer report if the
information is not linked or reasonably
linkable to a specific individual. Many
stakeholders also often seem to assume
that information is not reasonably
linkable when in fact it is.
In light of advances in technology and
current industry practices, the CFPB is
concerned that the reasonably linkable
standard articulated in the FTC 40 Years
Staff Report alone may not be
sufficiently protective of consumer
reporting information that, while
nominally de-identified, may in fact be
re-identifiable. The CFPB is aware that,
in many cases, consumers may be re-identified with relative ease from
purportedly de-identified datasets.156
Indeed, there have been numerous
reports over the years of supposedly de-identified data being re-identified and
revealing potentially sensitive personal
information such as web browsing
153 15 U.S.C. 1681a(d)(1).
154 15 U.S.C. 1681a(c).
155 FTC 40 Years Staff Report, supra note 21, at
21.
156 See Kristen Cohen, Fed. Trade Comm’n,
Location, Health, and Other Sensitive Information:
FTC Committed to Fully Enforcing the Law Against
Illegal Use and Sharing of Highly Sensitive Data
(July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal; The White House, Exec. Off. of
the President, Big Data: Seizing Opportunities,
Preserving Values, at 8 (May 2014), https://
obamawhitehouse.archives.gov/sites/default/files/
docs/big_data_privacy_report_may_1_2014.pdf;
Fed. Trade Comm’n, Protecting Consumer Privacy
in an Era of Rapid Change: Recommendations for
Businesses and Policymakers, at iv, 18–22 (Mar.
activity,157 medical information,158 and
sexual orientation.159 For example, in
one well-publicized case, researchers
were able to identify individuals from
anonymized Netflix data with the help
of publicly available information.160
More recently, scientists reported
developing an algorithm capable of
identifying ‘‘99.98 percent of Americans
from almost any available data set with
as few as 15 attributes, such as gender,
ZIP code or marital status.’’ 161
Presumably, the potential to re-identify
data that has been de-identified will
only increase as artificial intelligence
and data analytics technologies
continue to improve.162 In the FCRA
context, concerns about potential re-identification of data that have been de-identified are particularly pronounced
due to the sensitivity of consumer report
information and the privacy goals that
prompted Congress to enact the statute.
The CFPB is aware that consumer
reporting agencies offer and sell a
variety of products that include
information that has been drawn from
consumer reporting databases and that
2012) (hereinafter 2012 FTC Privacy Report),
https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers; see also Fed. Trade
Comm’n, FTC Staff Report: Self-Regulatory
Principles for Online Behavioral Advertising:
Tracking, Targeting, and Technology, at 20–21 (Feb.
2009), https://www.ftc.gov/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising.
157 See Press Release, Fed. Trade Comm’n, FTC
Order Will Ban Avast from Selling Browsing Data
for Advertising Purposes, Require It to Pay $16.5
Million Over Charges the Firm Sold Browsing Data
After Claiming Its Products Would Block Online
Tracking (Feb. 22, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over (browsing
history combined with persistent identifiers could
be re-identified and connected to individual
consumers).
158 Chris Culnane et al., Health Data in an Open
World: A Report on Re-Identifying Patients in the
MBS/PBS Dataset and the Implications for Future
Releases of Australian Government Data (Dec. 18,
2017), https://arxiv.org/pdf/1712.05627.
159 Marisa Iati & Michelle Boorstein, Case of High-Ranking Cleric Allegedly Tracked on Grindr App
Poses Rorschach Test for Catholics, Wash. Post
(July 21, 2021), https://www.washingtonpost.com/
religion/2021/07/21/catholic-official-grindr-reaction/.
160 Letter from Maneesha Mithal, Assoc. Dir., Div.
of Privacy & Identity Prot., Fed. Trade Comm’n, to
Reed Freeman, Counsel for Netflix, Morrison &
Foerster LLP, at 2 (Mar. 12, 2010), https://
www.ftc.gov/legal-library/browse/cases-proceedings/closing-letters/netflix-inc.
161 Gina Kolata, Your Data Were ‘Anonymized’?
These Scientists Can Still Identify You, N.Y. Times
(July 23, 2019), https://www.nytimes.com/2019/07/
23/health/data-privacy-protection.html; see
generally Paige Collings, Debunking the Myth of
‘Anonymous’ Data, Elec. Frontier Found. (Nov. 10,
2023), https://www.eff.org/deeplinks/2023/11/
debunking-myth-anonymous-data.
162 See 2012 FTC Privacy Report, supra note 156,
at 20.
has been aggregated or otherwise
purportedly de-identified.163 Some of
these products include information that
has been aggregated at a household or
neighborhood level (e.g., a ZIP Code or
ZIP-plus-four Code segmentation);
others may include information
aggregated according to specific
behavioral characteristics (e.g.,
consumers who shop at high-end
retailers). Given the potential ease with
which household and other data can be
re-identified, the sale of these types of
data raises concerns that sensitive
consumer reporting information may be
disclosed in circumstances where no
FCRA permissible purpose exists, such
as for marketing. In light of these
concerns, the CFPB is proposing three
alternative versions of § 1022.4(e) and,
as noted below, requests comment on
how each alternative, or combinations
thereof, would affect current uses of de-identified information drawn from
consumer reporting databases.
Proposed Alternative One
The first proposed version of
§ 1022.4(e) is a bright-line approach
under which de-identification of
information would not be relevant to a
determination of whether the definition
of consumer report is met. Under this
alternative, a consumer reporting
agency’s communication of de-identified information that would
constitute a consumer report if the
information were not de-identified
would be a consumer report, regardless
of the measures taken to de-identify the
information. While different methods of
de-identification, including different
methods of aggregation, may present
varying levels of re-identification risk,
this alternative would set a bright-line
rule that de-identification of
information in a communication does
not affect whether the communication is
163 See, e.g., Robinson + Yu, Knowing the Score:
New Data, Underwriting, and Marketing in the
Consumer Credit Marketplace, A Guide for
Financial Inclusion Stakeholders, at 2, 17–19 & tbl.
10 (Oct. 2014), https://www.upturn.org/static/files/
Knowing_the_Score_Oct_2014_v1_1.pdf (providing
examples of aggregated marketing scores and noting
that such scores ‘‘have become a primary way for
credit bureaus to sell, and for creditors and other
actors to use, consumers’ credit histories to market
to them with greater precision’’); FTC Data Broker
Report, supra note 25, at 19–21 (describing the
creation of lists of consumers who share similar
characteristics, including lists that segment
consumers based on their financial status, e.g.,
underbanked, credit worthiness, and upscale retail
card holder); In re Trans Union, 129 FTC 417, 493–
94 (2000), https://www.ftc.gov/system/files/
documents/commission_decision_volumes/volume-129/vol129complete_0.pdf (discussing a ZIP-plus-four aggregation, i.e., an average of the credit data
of a geographical area covering 5 to 15 households
divided by the number of people in the area who
have credit reports).
a consumer report. Of the three
proposed alternatives, this would be the
most protective of consumer privacy
and would place the greatest restriction
on information sharing. This alternative
could address concerns about consumer
reporting information being used for
differentiated marketing and pricing,
such as sending or not sending
advertisements to certain consumers
based on aggregated indicators of the
financial well-being of their
neighborhood. This approach would
also provide a bright line for
supervisory and enforcement purposes
that would make it easier to identify and
prove violations. However, it would also
constrict or eliminate the availability of
de-identified information from
consumer reporting databases for policy
analysis and development, research,
advocacy work, model and risk score
development, and market monitoring.
For example, the National Mortgage
Database (NMDB), which the CFPB and
the Federal Housing Finance Agency
(FHFA) jointly established, uses de-identified information from a
nationwide consumer reporting agency
to facilitate Federal agencies’
monitoring of the U.S. mortgage
markets. Such information would no
longer be available to assist with such
monitoring if the first alternative
version of proposed § 1022.4(e) were
finalized. Under this alternative, a
consumer reporting agency could
generally only disclose information
drawn from a consumer reporting
database for a purpose that is
permissible under the FCRA, regardless
of the extent to which the information
is de-identified.
Proposed Alternative Two
The second proposed version of
§ 1022.4(e) would provide that de-identification of information is not
relevant to a determination of whether
the definition of consumer report in
§ 1022.4(a) is met if the information is
still linked or linkable to a consumer.
Under this alternative, a consumer
reporting agency’s communication of
de-identified information that would
constitute a consumer report if the
information were not de-identified is a
consumer report if the information is
still linked or linkable to a consumer.
The Office of Management and Budget
(OMB), the National Institute of
Standards and Technology, and various
other Federal agencies have used similar
‘‘linked or linkable’’ standards in
defining ‘‘personally identifiable
information.’’ 164 For example, the U.S.
Securities and Exchange Commission’s
crowdfunding regulation defines
‘‘personally identifiable information’’ as
‘‘information that can be used to
distinguish or trace an individual’s
identity, either alone or when combined
with other personal or identifying
information that is linked or linkable to
a specific individual.’’ 165 The ‘‘linked
or linkable’’ test in the second proposed
version of § 1022.4(e) would be similar
to the ‘‘linked or reasonably linkable’’
standard in the third proposed version
of § 1022.4(e) (discussed below) but
omits the word ‘‘reasonably’’ and
therefore would be more protective of
consumer privacy and more restrictive
of information flows.
Proposed Alternative Three
The third proposed version of
§ 1022.4(e) would provide that de-identification of information is not
relevant to a determination of whether
the definition of consumer report is met
if at least one of the conditions set forth
in proposed § 1022.4(e)(1)(i) through
(iii) is met. The CFPB designed this
proposed alternative to allow uses of de-identified data that present less risk for
consumers, such as research conducted
by academic institutions and
government agencies, to continue, while
nonetheless ensuring the FCRA’s
protections apply where appropriate (for
example, to sales of de-identified
consumer report information when such
information is re-identified). Under this
alternative, a consumer reporting
agency’s communication of de-identified information that would
constitute a consumer report if the
164 E.g., 6 CFR 37.3 (defining personally
identifiable information in Department of
Homeland Security’s regulation on Real ID Driver’s
Licenses and Identification Cards); 45 CFR 75.2
(defining personally identifiable information for
purposes of uniform administrative requirements,
cost principles, and audit requirements for
Department of Health and Human Services awards);
M–17–12, Memorandum for Heads of Exec. Dep’ts
& Agencies from Shaun Donovan, Off. of Mgmt. &
Budget, at 8 (Jan. 3, 2017), https://
www.whitehouse.gov/wp-content/uploads/legacy_
drupal_files/omb/memoranda/2017/m-17-12_0.pdf
(defining personally identifiable information for
purposes of Federal agency data breaches); U.S.
Gen. Servs. Admin., Order CIO 2180.2, GSA Rules
of Behavior for Handling Personally Identifiable
Information (PII) (Oct. 8, 2019), https://
www.gsa.gov/directives-library/gsa-rules-of-behavior-for-handling-personally-identifiable-information-pii-2; Erika McCallister et al., Nat’l Inst.
of Standards and Tech., U.S. Dep’t of Com., Special
Publ’n 800–122, Guide to Protecting the
Confidentiality of Personally Identifiable
Information (PII) at ES–1 (Apr. 2010), https://
tsapps.nist.gov/publication/get_pdf.cfm?pub_
id=904990; U.S. Dep’t of Def., DoD 5400.11–R,
Dep’t of Def. Privacy Program, at 9 (May 14, 2007),
https://www.esd.whs.mil/Portals/54/Documents/
DD/issuances/dodm/540011r.pdf.
165 17 CFR 227.305.
information were not de-identified is a
consumer report if at least one of the
conditions set forth in proposed
§ 1022.4(e)(1)(i) through (iii) is met. The
CFPB could finalize any of the
conditions alone or in combination. The
conditions in a final rule thus could
include one or more of the following: (i)
the information is still linked or
reasonably linkable to a consumer; (ii)
the information is used to inform a
business decision about a particular
consumer, such as a decision whether to
target marketing to that consumer; or
(iii) a person that directly or indirectly
receives the communication, or any
information from the communication,
identifies the consumer to whom
information from the communication
pertains.
Using the ‘‘linked or reasonably
linkable’’ standard set forth in proposed
§ 1022.4(e)(1)(i) as a condition in the
third proposed version would be the
most consistent with how the FTC has
approached the issue of de-identified
information under the FCRA.166 A
reasonableness test also is embedded in
various other Federal provisions that
address personally identifiable
information or other types of
information in identifiable form, such as
the Family Educational Rights and
Privacy Act (FERPA) and the Health
Insurance Portability and
Accountability Act (HIPAA).167
Additionally, the comprehensive
privacy laws that various States have
enacted incorporate a ‘‘linked or
reasonably linkable’’ approach in
defining ‘‘personal data’’ or similar
concepts.168 While almost any piece of
data theoretically could be linked to a
166 FTC 40 Years Staff Report, supra note 21, at 21.
167 See 34 CFR 99.3 (defining personally
identifiable information for purposes of FERPA to
include ‘‘information that, alone or in combination,
is linked or linkable to a specific student that would
allow a reasonable person in the school community,
who does not have personal knowledge of the
relevant circumstances, to identify the student with
reasonable certainty’’); 45 CFR 160.103 (defining
individually identifiable health information for
purposes of the HIPAA as ‘‘information that is a
subset of health information, including
demographic information collected from an
individual . . . [t]hat identifies the individual; or
[w]ith respect to which there is a reasonable basis
to believe the information can be used to identify
the individual’’).
168 See, e.g., Cal. Civ. Code section 1798.140(v)(1)
(defining personal information as ‘‘information that
identifies, relates to, describes, is reasonably
capable of being associated with, or could
reasonably be linked, directly or indirectly, with a
particular consumer or household’’); Colo. Rev.
Stat. section 6–1–1303(17) (defining personal data
as ‘‘information that is linked or reasonably linkable
to an identified or identifiable individual’’ and
providing that the term ‘‘[d]oes not include de-identified data or publicly available information’’);
Va. Code section 59.1–575 (similar).
consumer, a reasonableness standard
would consider whether such a link is
practical or likely in light of current
technology and context, and could
evolve over time as technology
advances. Including ‘‘reasonably’’ in the
condition might help to ensure that the
rule does not unnecessarily limit the use
of data that does not pose a meaningful
risk to consumers, such as research
conducted by government and academic
institutions. On the other hand, it might
make § 1022.4(e) more difficult to
enforce than the first and second
proposed alternatives, particularly if the
examples and other conditions in the
third proposed alternative are not
finalized.
The third proposed version includes
in § 1022.4(e)(2) three examples of
information that would be considered
linked or reasonably linkable to a
consumer. The three examples are
intended to clarify the ‘‘linked or
reasonably linkable’’ condition in
proposed § 1022.4(e)(1)(i) and to ensure
the condition is read in a way that is
protective of consumer privacy. The
examples could help to clarify when
information that has nominally been
aggregated or otherwise stripped of
identifiers is reasonably linkable to a
consumer. The first two examples, in
proposed § 1022.4(e)(2)(i) and (ii), are
information that identifies a specific
household or that identifies a specific
ZIP+4 Code in which a consumer
resides. The risk of re-identification of
information is extremely high when
data is provided at the household level,
as households may contain a small
number of occupants, and household
data may be merged with other available
sources of information to tease out
information about specific occupants.
Similarly, the ZIP+4 Code denotes a
highly specific delivery segment for U.S.
mail and can identify a small
population, such as the people who live
on one side of a block or in a specific
building or house or who use a specific
Post Office box.169 Data provided about
consumers in a specific ZIP+4 Code
thus raise similar concerns about
potential re-identification as data
identifying a specific household.
The third example, in proposed
§ 1022.4(e)(2)(iii), relates to persistent
identifiers, such as a cookie identifier,
an internet Protocol (IP) address, a
169 U.S. Postal Serv., Postal Facts: 41,704 ZIP
Codes, https://facts.usps.com/42000-zip-codes/;
U.S. Postal Serv., The United States Postal Service:
An American History, at 68 (2022), https://
about.usps.com/publications/pub100.pdf?_
gl=1*2lqbsa*_gcl_au*Njg4MjQ2MzU4L
jE3MTU4OTA3MDM.*_ga*MTkzNTkx
MDUwNy4xNzE1ODkwNzAz*_ga_
3NXP3C8S9V*MTcxNTg5MDcwMy4xLjAuMTcx
NTg5MDcwMy4wLjAuMA.
processor or device serial number, or a
unique device identifier.170 Improper
collection or misuse of persistent
identifiers can raise substantial privacy
concerns.171 Persistent identifiers that
can be used to recognize the consumer
over time and across different websites
or online services would be considered
‘‘reasonably linkable’’ to a consumer
under the third proposed version
because of the risk that they could be
used to identify a specific consumer.
The second condition in the third
proposed alternative, as set forth in
proposed § 1022.4(e)(1)(ii), is if the
information is used to inform a business
decision about a particular consumer.
Including this condition would mean,
for example, that a consumer reporting
agency’s communication of income
information from a consumer reporting
database that is aggregated at the ZIP
Code level would be a consumer report
if the aggregated information was used
to target marketing to a particular
consumer who lives in that ZIP Code
(such as by sending a mailing to an
address). The proposal also would help
to prevent the use of consumer report
information to facilitate targeted
advertising, such as in generating ‘‘look-alike’’ audiences, where an entity might
170 Proposed § 1022.4(e)(2)(iii) is similar to part of
the definition of personal information in the FTC’s
regulation implementing the Children’s Online
Privacy Protection Act. See 16 CFR 312.2 (defining
personal information to include ‘‘[a] persistent
identifier that can be used to recognize a user over
time and across different websites or online
services’’ and noting that ‘‘[s]uch persistent
identifier includes, but is not limited to, a customer
number held in a cookie, an internet Protocol (IP)
address, a processor or device serial number, or
unique device identifier’’).
171 See, e.g., Press Release, Fed. Trade Comm’n,
Developer of Apps Popular with Children Agrees to
Settle FTC Allegations It Illegally Collected Kids’
Data without Parental Consent (June 4, 2020),
https://www.ftc.gov/news-events/news/press-releases/2020/06/developer-apps-popular-children-agrees-settle-ftc-allegations-it-illegally-collected-kids-data (collection of persistent identifiers to
track users to deliver targeted advertising in
violation of Children’s Online Privacy Protection
Act); Press Release, Fed. Trade Comm’n, Google
and YouTube Will Pay Record $170 Million for
Alleged Violations of Children’s Privacy Law (Sept.
4, 2019), https://www.ftc.gov/news-events/news/
press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations-childrens-privacy-law (same); Press Release, Fed. Trade
Comm’n, Online Advertiser Settles FTC Charges
ScanScout Deceptively Used Flash Cookies to Track
Consumers Online (Nov. 8, 2011), https://
www.ftc.gov/news-events/news/press-releases/2011/
11/online-advertiser-settles-ftc-charges-scanscout-deceptively-used-flash-cookies-track-consumers
(misrepresentations of consumers’ ability to control
online tracking through persistent identifiers); Press
Release, Fed. Trade Comm’n, FTC Puts an End to
Tactics of Online Advertising Company That
Deceived Consumers Who Wanted to ‘‘Opt Out’’
from Targeted Ads (Mar. 14, 2011), https://
www.ftc.gov/news-events/news/press-releases/2011/
03/ftc-puts-end-tactics-online-advertising-company-deceived-consumers-who-wanted-opt-out-targeted-ads (same).
use information—such as consumer
characteristics, behaviors, and credit
history—from an existing audience to
determine the types of offers to present
to a different audience bearing the same
or similar identified characteristics. The
CFPB preliminarily determines that
such use of consumer reporting
information to facilitate targeted
marketing is counter to the FCRA’s
purpose to limit the ways in which such
sensitive data can be used. The CFPB is
concerned that such marketing
techniques might be used to unfairly
exclude certain types of consumers from
particular offers or to single them out for
less favorable offers or terms. The
business decision condition would not
affect the use of de-identified consumer
reporting information to develop scoring
or other models, since model
development does not involve a
business decision about a particular
consumer for purposes of proposed
§ 1022.4(e)(1)(ii). As noted below, the
CFPB requests comment on whether
the business decision condition would
prevent the use of de-identified
consumer reporting information for any
potentially beneficial uses and, if so,
whether the CFPB should take any steps
to address that.
The final condition included in the
third proposed version, as set forth in
proposed § 1022.4(e)(1)(iii), is if a
person that directly or indirectly
receives the communication, or any
information from it, identifies the
consumer to whom information
pertains. This condition would address
the concern that subsequent users may
be able to re-identify data that has been
nominally de-identified. Finalizing this
condition would give consumer
reporting agencies a strong incentive to
ensure de-identified consumer report
information is not re-identified through
a number of tactics, including
contractual limitations, stronger due
diligence on the recipients of de-identified consumer report information,
or technological means to prevent re-identification because, if either the
initial recipient or a downstream
recipient of such information identifies
the consumer to whom the information
pertains, the communication would be
deemed a consumer report subject to all
of the FCRA’s protections.
The Small Business Review Panel
recommended that, in evaluating
whether and when the communication
of aggregated consumer report
information constitutes a consumer
report, the CFPB should continue to
consider both the consumer harms it is
seeking to prevent and whether the
CFPB’s definition might preclude the
continued use of aggregated consumer
reporting data for purposes like internal
account reviews by financial
institutions and economic research by
government agencies and others. Some
small entity representatives noted that
such data currently are used for many
reasons other than marketing, such as by
financial institutions to refine their
credit and pricing policies to avoid
losses and offer consumers the most
competitive pricing possible. As
discussed above, the CFPB has proposed
a range of alternatives. The CFPB
recognizes that the proposed
alternatives that are likely to more fully
address consumer harms related to
privacy, including targeted marketing,
are also likely to have impacts on other
uses of aggregated or otherwise de-identified information. In contrast, the
CFPB preliminarily determines that
proposed alternative three would not
impact the uses of aggregated consumer
reporting data that the Small Business
Review Panel raised but requests
comment on whether that is the case. As
noted below, the CFPB also requests
comment on the extent to which each
alternative would protect consumer
privacy and preclude use of aggregated
or otherwise de-identified information
for beneficial purposes.
The CFPB proposes the alternative
versions of § 1022.4(e) pursuant to its
authority under FCRA section 621(e) to
‘‘prescribe regulations as may be
necessary or appropriate to administer
and carry out the purposes and
objectives’’ of the FCRA because
information that purportedly has been
de-identified through aggregation or
other means nevertheless can bear on a
consumer where it is derived from
identified information and can be re-identifiable. The CFPB also proposes
§ 1022.4(e) pursuant to its authority
under FCRA section 621(e) to prevent
evasions of, and to facilitate compliance
with, the FCRA. Permitting the sale of
purportedly de-identified consumer
reporting information to entities that
lack a permissible purpose may allow
market participants to evade the FCRA’s
permissible purpose restrictions where
the information can be re-identified.
Because it is not possible to know ex
ante with certainty whether a particular
item of de-identified information will be
re-identified, it may be necessary to
include within the consumer report
definition some communications of de-identified consumer reporting
information that never will be re-identified in practice in order to ensure
that the definition covers all such
communications that will be re-identified.
The CFPB requests comment on the
likelihood that de-identified
information drawn from consumer
reporting databases will be re-identified
and on the extent to which such
information is currently used for
marketing purposes. The CFPB also
requests comment on the extent to
which such information is used for
purposes that may be beneficial for
consumers, such as research or policy
analysis and development, and whether
other data sources exist that could be
used for any or all of those purposes if
a final rule were to constrict the
availability of de-identified information
drawn from consumer reporting
databases.
The CFPB also requests comment on
the three alternative versions of
proposed § 1022.4(e), and on which of
the three if any (or combinations
thereof), it should adopt in a final rule
and, if it adopts the third alternative
version, on what condition(s) it should
adopt. If the CFPB adopts the third
alternative version with the linked or
reasonably linkable condition, the CFPB
also requests comment on whether it
should finalize the examples of
information that is reasonably linkable
in proposed § 1022.4(e)(2) and on
whether, as part of the ‘‘reasonably
linkable’’ condition, it should consider
any other additional, more specific, or
alternative requirements or examples,
such as ones that affirm the ability of
government and academic institutions
to conduct research using de-identified
information.172 The CFPB also requests
comment on whether there are any other
conditions that it should consider as
172 The CFPB seeks comment on whether it
should consider adding any portions of the three-prong test for a reasonably linkable standard that
the FTC articulated in a 2012 privacy report or any
other additional or more specific requirements to
the reasonably linkable standard. See 2012 FTC
Privacy Report, supra note 156, at 18–21. Although
the FTC did not develop its three-prong standard
specifically to apply in the FCRA context, the CFPB
seeks comment on whether some or all of the test’s
elements could be relevant to the reasonably
linkable standard in this rulemaking. If applied in
the FCRA context, such a test could, for example,
provide that the following three conditions would
need to be met for data not to be reasonably
linkable: (1) the consumer reporting agency must
take reasonable measures to ensure that the data are
de-identified; (2) the initial recipient must publicly
commit not to try to re-identify the data; and (3) any
downstream recipients must be contractually
prohibited from trying to re-identify the data.
Similar three-prong tests appear in some State laws
defining the term ‘‘de-identified’’ and in proposed
Federal legislation on data privacy. See, e.g., Cal.
Civ. Code section 1798.140(m); Utah Code Ann.
section 13–61–101(14); Press Release, Energy &
Com. Chair Rodgers, Committee Chairs Rodgers,
Cantwell Unveil Historic Draft Comprehensive Data
Privacy Legislation (Apr. 7, 2024), https://
energycommerce.house.gov/posts/committee-chairs-rodgers-cantwell-unveil-historic-draft-comprehensive-data-privacy-legislation.
part of the proposed third alternative for
when de-identified information is or is
not a consumer report. The CFPB also
requests comment on the extent to
which each of the three proposed
alternatives would (1) protect consumer
privacy and curtail targeted marketing
using information drawn from consumer
reporting databases and (2) preclude use
of aggregated or otherwise de-identified
information for any purposes that are
beneficial. In addition, the CFPB
requests comment on whether there are
other approaches, in addition to the
three alternative versions of proposed
§ 1022.4(e), that it should consider for
addressing when a consumer reporting
agency’s communication of de-identified information is a consumer
report.
Section 1022.5 Definition; Consumer
Reporting Agency
In general, a consumer reporting
agency under FCRA section 603(f) is a
person that regularly engages in
assembling or evaluating consumer
credit or other information about
consumers for the purpose of furnishing
consumer reports to third parties. To be
a consumer reporting agency, the person
must undertake these activities for
monetary fees, dues, or on a cooperative
nonprofit basis and must use a means of
interstate commerce to prepare or
furnish the reports. The CFPB proposes
§ 1022.5 to implement and interpret this
definition. Proposed § 1022.5(a) restates
the FCRA definition with minor
wording and organizational changes for
clarity. Proposed § 1022.5(b) interprets
the phrase ‘‘assembling or evaluating.’’
The CFPB also proposes to revise
several provisions in existing Regulation
V that currently cross-reference the
definition of consumer reporting agency
in FCRA section 603(f) to instead cross-reference the definition in proposed
§ 1022.5.173
As discussed in the analysis of
proposed § 1022.4(b) and (c), if certain
other provisions of the CFPB’s proposed
rule are finalized, many additional data
broker products will qualify as
consumer reports, and the data brokers
who sell those products will qualify as
consumer reporting agencies (assuming
they satisfy the other elements of that
definition). For example, if proposed
§ 1022.4(c)(2) is finalized, all data
brokers that sell information about a
173 These provisions are 12 CFR 1022.41(c)(2);
1022.71(g); 1022.130(d); and 1022.142(a), (b)(3). If
this proposal and the Medical Debt Proposed Rule,
supra note 42, are both finalized, the CFPB intends
to revise in the same way cross-references to the
terms ‘‘consumer report’’ and ‘‘consumer reporting
agency’’ in § 1022.38, as proposed to be added to
Regulation V by the Medical Debt Proposed Rule.
consumer’s credit history, credit score,
debt payments, or income or financial
tier generally will qualify as consumer
reporting agencies selling consumer
reports.174
However, the proposed rule would
not turn into consumer reporting
agencies a range of non-data broker
entities that have long been outside the
FCRA’s scope. For example, newspapers
and similar entities that publish news or
information that concerns local,
national, or international events or other
matters of public interest would not be
consumer reporting agencies based on
those activities—even if their reporting
includes information about a
consumer’s credit history, credit score,
debt payments, or income or financial
tier—because they do not assemble or
evaluate information about consumers
for the purpose of furnishing consumer
reports to third parties.175 Rather, these
entities assemble or evaluate
information on consumers for the
purpose of reporting news to the public.
Their incidental reporting of an
information type listed in proposed
§ 1022.4(c)(2) does not change that their
purpose is to report news to the public.
The same analysis would apply when
such information appears in a book,
blog post, motion picture, or podcast
episode: the presence of that
information would not turn the
publisher of the book, post, movie, or
podcast into a consumer reporting
agency because the publisher is not
acting for the purpose of furnishing
consumer reports.176 This interpretation
174 This would include, for example, enrollment
management companies that sell or use financial
data, including information about income and
creditworthiness, to help educational institutions
set tuition prices and scholarship award amounts.
See, e.g., Lilah Burke, Why colleges are using
algorithms to determine financial aid levels, Higher
Ed Dive (Sept. 5, 2023), https://www.highereddive.com/news/colleges-enrollment-algorithms-aid-students/692601/. An enrollment
management company could also qualify as a
consumer reporting agency if a recipient of the
information uses it for an FCRA purpose (such as
credit underwriting), see proposed § 1022.4(b), or if
the company expects or should expect that a
recipient of the information will use it for such a
purpose, see proposed § 1022.4(c)(1).
175 See Barge v. Apple Computer, Inc., 164 F.3d
617 (2d Cir. 1998) (unpublished table decision)
(holding that a newspaper article was not a
consumer report provided by a consumer reporting
agency).
176 Additionally, a person that does not engage in
the practice of assembling or evaluating consumer
information ‘‘for monetary fees, dues, or on a
cooperative nonprofit basis’’ is not a consumer
reporting agency under FCRA section 603(f) and
proposed § 1022.5(a). Thus, even if a person
produces what would otherwise appear to be a
consumer report, the person is not a consumer
reporting agency if it does not charge for the report.
This requirement provides an additional reason
why news organizations, website operators, and
other sources that make information available to the
is logical given the protections accorded
to the press by the First Amendment.
Likewise, this proposal is not
intended to alter the longstanding
interpretation of the FCRA that a
government agency or government-run
database that provides information only
to other branches of the government is
not a consumer reporting agency—
regardless of the purposes for which it
provides information or the types of
information it provides—because no
information is provided to third parties.
For example, as FTC staff have stated,
although the Office of Personnel
Management collects data on current
and potential Federal employees and
transmits it to other government
agencies, the Office of Personnel
Management ‘‘is not a CRA . . . because
the recipient is another governmental
branch and not a ‘third party.’ ’’ 177
Nor is this proposal intended to alter
the longstanding interpretation that the
FCRA’s consumer reporting agency
requirements generally do not apply to
government agencies or government-run
databases that provide information to
the public, such as the Federal Public
Access to Court Electronic Records
(PACER) website. These entities are
required by statute to carry out certain
information-sharing purposes, and
treating them as consumer reporting
agencies would run counter to those
statutes and the FCRA itself.178 Further,
the FCRA imposes obligations on
consumer reporting agencies—such as
FCRA section 609(a)’s requirement to
disclose information in consumers’ files
at their request and section 605(a)’s
requirement to exclude most
information more than seven years
old—that may be incompatible with the
operations of these entities.179 Treating
these entities as consumer reporting
agencies also could lead to absurd
results, such as potentially turning the
entities or individuals who provide
public for free are not consumer reporting agencies
under the proposed interpretation.
177 FTC 40 Years Staff Report, supra note 21, at
31. It is also the case that many of these databases
do not charge a fee to users. See supra note 176.
178 Ollestad v. Kelley, 573 F.2d 1109, 1111 (9th
Cir. 1978); see also FTC 40 Years Staff Report, supra
note 21, at 31; FTC Informal Staff Opinion Letter
to Copple (June 10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-copple-06-10-98; FTC Informal Staff
Opinion Letter to Pickett (July 10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-pickett-07-10-98; FTC
Informal Staff Opinion Letter to Goeke (June 9,
1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-goeke-06-09-98.
179 15 U.S.C. 1681g(a) and 1681c(a).
information to them into furnishers
under the FCRA.180
5(b) Assembling or Evaluating
In General
Proposed § 1022.5(b) interprets the
phrase ‘‘assembling or evaluating’’ in
the definition of consumer reporting
agency. Proposed § 1022.5(b)(1) would
clarify that a person assembles or
evaluates consumer credit information
or other information about consumers if
the person: (1) collects, brings together,
gathers, or retains such information; (2)
appraises, assesses, makes a judgment
regarding, determines or fixes the value
of, verifies, or validates such
information; or (3) contributes to or
alters the content of such information.
Proposed § 1022.5(b)(2) provides
examples of conduct that would
constitute assembling or evaluating
under the interpretation in proposed
§ 1022.5(b)(1). The CFPB proposes
§ 1022.5(b) as an interpretation of the
FCRA’s definition of consumer
reporting agency and to facilitate
compliance with the statute.
The FCRA does not define the terms
‘‘assembling’’ and ‘‘evaluating.’’ But the
FCRA is a remedial statute 181 with a
focus on ensuring the accuracy of
information in consumer reports. FCRA
section 602(b) provides that the purpose
of the FCRA is to require consumer
reporting agencies to adopt reasonable
procedures to meet the needs of
commerce for information about
consumers in a manner that is fair and
equitable to the consumer with regard to
accuracy and other factors.182 In light of
this purpose, the CFPB preliminarily
determines that Congress intended for
the terms ‘‘assembling’’ and
‘‘evaluating’’ to be interpreted
broadly 183 to protect consumers.
180 See FTC 40 Years Staff Report, supra note 21,
at 8–10.
181 See, e.g., Cortez v. Trans Union, LLC, 617 F.3d
688, 722 (3d Cir. 2010) (describing the FCRA as
‘‘undeniably a remedial statute that must be read in
a liberal manner in order to effectuate the
congressional intent underlying it’’); Guimond v.
Trans Union Credit Info. Co., 45 F.3d 1329, 1333
(9th Cir. 1995) (observing that the FCRA’s
‘‘consumer oriented objectives support a liberal
construction’’ of the statute).
182 See, e.g., 115 Cong. Rec. 2410, 2411 (1969)
(The FCRA’s principal Congressional sponsor
described ‘‘inaccurate or misleading information’’
as ‘‘perhaps the most serious problem in the credit
reporting industry.’’); 15 U.S.C. 1681(a)(1) (‘‘The
banking system is dependent upon fair and accurate
credit reporting. Inaccurate credit reports directly
impair the efficiency of the banking system, and
unfair credit reporting methods undermine the
public confidence which is essential to the
continued functioning of the banking system.’’).
183 Interpreting assembling or evaluating broadly
is consistent with FTC staff opinion letters and
legislative history. See, e.g., FTC Informal Staff
Opinion Letter to LeBlanc (June 9, 1998), https://
Whenever an entity assembles or
evaluates consumer information, the
entity may introduce inaccuracies into
consumer reports that can harm
consumers. Consumer reports play an
important role in key aspects of
consumers’ lives such as credit,
housing, and employment. Accuracy in
consumer reports therefore is of vital
importance to consumers and the
consumer reporting system. Consistent
with these FCRA purposes, the CFPB
proposes § 1022.5(b) to clarify that
assembling or evaluating encompasses
the activities described in the proposed
regulatory text. Proposed § 1022.5(b)
should also facilitate compliance by
interpreting key terms that are
undefined in the FCRA.
The activities identified in proposed
§ 1022.5(b) are consistent with
dictionary definitions of assemble or
evaluate, which plainly encompass a
wide range of activity. Dictionary
definitions of assemble include ‘‘to
bring together’’ 184 and ‘‘to gather,
collect, convene.’’ 185 Dictionary
definitions of evaluate include ‘‘to
determine or fix the value of’’ 186 and
‘‘[t]o determine the importance,
effectiveness, or worth of; assess.’’ 187
The activities identified in proposed
§ 1022.5(b)(1) are also consistent with
longstanding FTC staff guidance
regarding the meaning of the terms
‘‘assemble’’ and ‘‘evaluate.’’ FTC staff
have opined that assembling as used in
the definition of consumer reporting
agency means, for example, ‘‘gathering,
collecting, or bringing together
consumer information such as data
obtained from [consumer reporting
agencies] or other third parties, or items
provided by the consumer in an
application.’’ 188 And FTC staff have
opined that evaluating encompasses a
broad range of activities, including
‘‘appraising, assessing, determining or
www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-leblanc-06-09-98 (‘‘[I]t is
clear from a review of the legislative history that
Congress intended for the FCRA to cover a very
broad range of ‘assembling’ or ‘evaluating’
activities.’’).
184 See Assemble, Merriam-Webster.com
Dictionary Online, https://www.merriam-webster.com/dictionary/assemble#:~:text=1,fit%20together%20the%20parts%20of (last visited Oct.
15, 2024).
185 See Assemble, Oxford English Dictionary
Online, https://www.oed.com/dictionary/assemble_v1 (last visited Oct. 15, 2024).
186 See Evaluate, Merriam-Webster.com
Dictionary Online, https://www.merriam-webster.com/dictionary/evaluate (last visited Oct.
15, 2024).
187 See Evaluate, Am. Heritage Dictionary of the
English Language Online (2022), https://www.ahdictionary.com/word/search.html?q=evaluate (last visited Oct. 15, 2024).
188 FTC 40 Years Staff Report, supra note 21, at
29.
making a judgment on . . .
information.’’ 189 For example, FTC staff
noted that, ‘‘[i]f an intermediary
contributes to (or takes an action that
determines) the content of the
information conveyed to’’ a third party,
the intermediary is ‘‘assembling or
evaluating’’ the information.190
Proposed § 1022.5(b)(1) is also
consistent with how courts have
interpreted assembling and evaluating.
For example, one court opined that
assembling requires only ‘‘that the
assembler gather or group the
information’’; it does not require the
entity assembling the information to
change the information’s contents.191
Thus, for example, when an entity
gathered arrest data from sheriff’s offices
and ‘‘grouped [the arrest data] together
into a database,’’ the court deemed that
‘‘action sufficient to satisfy the
‘assemble’ requirement of FCRA.’’ 192
Another court found that the terms
‘‘assembling’’ and ‘‘evaluating’’ applied
to the activities of a background
screening agency that combined a
criminal history report that the agency
had not created with the results of a
personal interview.193 Similarly, a court
found that an entity assembled
consumer information when it
combined a list of open judgments and
other public records information
pertaining to consumers.194
Proposed Examples of Assembling or
Evaluating
Proposed § 1022.5(b)(2) provides five
non-exhaustive examples of when a
person assembles or evaluates consumer
credit information or other information
about consumers for purposes of the
proposed interpretation of assembling or
evaluating in § 1022.5(b)(1). These
examples only illustrate when a person
assembles or evaluates for purposes of
the definition of consumer reporting
agency and do not address the other
elements of that definition. In order to
be a consumer reporting agency, a
person would need to meet every
element of that definition.
189 Id.
190 FTC Informal Staff Opinion Letter to Islinger
(June 9, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-islinger-06-09-98.
191 Lewis v. Ohio Pro. Elec. Network LLC, 190 F.
Supp. 2d 1049, 1057–58 (S.D. Ohio 2002) (noting
that ‘‘one who assembles information does not
necessarily change its contents’’).
192 Id.
193 Poore v. Sterling Testing Sys., Inc., 410 F.
Supp. 2d 557, 569 (E.D. Ky. 2006); see also Adams
v. Nat’l Eng’g Serv. Corp., 620 F. Supp. 2d 319,
324–28 (D. Conn. 2009).
194 McGrath v. Credit Lenders Serv. Agency, Inc.,
No. CV 20–2042, 2022 WL 580566, at *6 & n.9 (E.D.
Pa. Feb. 25, 2022).
The first example, in proposed
§ 1022.5(b)(2)(i), illustrates that a person
assembles or evaluates when the person
collects information from a data source
and then groups or categorizes it,
regardless of whether the person alters
or changes the information. When a
person groups or categorizes
information, the person necessarily
assesses or makes a judgment regarding
the information to determine in which
group or category the information
belongs. The example thus provides that
a person assembles or evaluates when
the person collects information from a
consumer’s bank account and assesses
it, such as by grouping or categorizing
it based on transaction type. The CFPB
understands that data aggregators often
engage in such activities. The CFPB
understands, for instance, that, when a
data aggregator collects information
from a consumer’s bank account, the
data aggregator may apply its own
taxonomy to group or categorize the
collected information. To take just one
factual scenario, a data aggregator that
collects bank account information
pursuant to consumer authorization in
connection with a loan application may
group or categorize deposits or
withdrawals by type of income or
expense, such as ‘‘rent’’ and ‘‘loan
repayment,’’ prior to sharing it with the
lender. In doing so, the data aggregator
assembles or evaluates the information.
The second example, in proposed
§ 1022.5(b)(2)(ii), illustrates that a
person assembles or evaluates when the
person alters or modifies the content of
consumer information, including for
formatting purposes. For example, when
a person collects consumer information
from multiple sources, the formats in
which the information is received may
not be uniform, e.g., the person may
receive date fields with four digits for
the year from one data source and
receive date fields with two digits for
the year from a different data source.
The proposed example provides that a
person assembles or evaluates when the
person modifies date fields in this
circumstance to ensure consistency.
The third example, in proposed
§ 1022.5(b)(2)(iii), illustrates that a
person assembles or evaluates consumer
information when the person
determines the value of such
information, such as by arranging or
ordering it based on perceived relevance
to the user. For example, when entities
bring together online search results
related to consumer information, they
may need to determine the value of the
information to make decisions about
how the results will be ordered. Entities
can use a variety of methods, such as
algorithms or an individual’s judgment,
to make such decisions. Regardless of
the method, under proposed
§ 1022.5(b)(1), a person that makes a
judgment about the order in which to
display search results has assembled or
evaluated the information. The
proposed example thus provides that a
person assembles or evaluates when the
person hosts a searchable online
database regarding consumers’ criminal
histories and orders search results in
order of perceived relevance to the user.
The fourth example, in proposed
§ 1022.5(b)(2)(iv), illustrates that a
person assembles or evaluates consumer
information when the person retains
information about consumers. Given
that retention of consumer information
typically involves gathering
information, it is consistent with the
plain meaning of the statutory term
‘‘assemble.’’ Similarly, retention of
information typically involves a
periodic evaluation of which data to
retain, in what manner, and for how
long. The proposed example thus
provides that a person assembles or
evaluates when it retains information
about a consumer, such as by retaining
data files containing consumers’
payment histories in a database or
electronic file system.
The fifth example, in proposed
§ 1022.5(b)(2)(v), illustrates that a
person assembles or evaluates consumer
information when the person verifies or
validates information received about a
consumer. Verification and validation of
information involve assessing
information for errors to ensure
accuracy and determining the
trustworthiness of the information. For
example, when a person verifies or
validates that a consumer’s date of birth
received from a third party matches the
consumer’s date of birth as listed in an
external database or is properly
formatted, the person assesses the data
for any errors or incompleteness. A
person verifying or validating data
would be assembling or evaluating the
data regardless of whether the person
takes action to correct any errors it
finds.
The Small Business Review Panel
recommended that, given the CFPB’s
intent to define the phrase assembling
or evaluating, the CFPB should further
clarify the activities that fall within that
phrase.195 The details in proposed
§ 1022.5(b), including the examples in
proposed § 1022.5(b)(2), are responsive
to the Panel’s recommendation to
provide a more bright-line definition for
when entities, such as data brokers that
facilitate consumer-authorized data
195 Small Business Review Panel Report, supra
note 40, at 47.
sharing, are assembling or evaluating for
purposes of the definition of consumer
reporting agency. The Panel also
recommended that the CFPB should, in
developing its proposal regarding
assembling or evaluating, take into
consideration its Personal Financial
Data Rights rulemaking. The CFPB has
considered its proposed interpretation
of assembling or evaluating in light of
that rulemaking and acknowledges
concerns expressed by small entity
representatives that an expansive
interpretation of assembling or
evaluating may cause some entities, like
data aggregators, to stop transmitting
consumer data to avoid becoming
consumer reporting agencies. The CFPB
requests comment on this issue.
Pursuant to a Panel recommendation,
the CFPB also requests comment on the
implications of its proposed
interpretation of assembling or
evaluating for technology providers and
platforms used by consumer reporting
agencies and others in mortgage lending
and other industries. Noting that
assembling or evaluating is just one
component of the definition of
consumer reporting agency, the CFPB
generally requests comment on the
kinds of entities that could be covered
as consumer reporting agencies if the
proposed definition of assembling or
evaluating were finalized.
Subpart B—Permissible Purposes of
Consumer Reports
The CFPB proposes §§ 1022.10
through 1022.13 to implement FCRA
section 604(a), which describes
circumstances under which a consumer
reporting agency may furnish a report,
referred to as permissible purposes of
consumer reports. Except as specifically
discussed in the analysis of subpart B
below, the CFPB proposes to restate the
statutory provisions with only minor
wording or organizational changes for
clarity. Relatedly, the CFPB proposes to
revise the cross-reference to FCRA
section 604(a) in § 1022.41(c)(1) in
existing Regulation V to instead cross-reference the permissible purposes of
consumer reports as set forth in
proposed § 1022.10 through § 1022.13.
Section 1022.10 Permissible Purposes
of Consumer Reports; In General
10(a) In General
FCRA section 604(a) provides that,
subject to FCRA section 604(c), a
consumer reporting agency may furnish
a consumer report only under specific
enumerated circumstances, i.e.,
permissible purposes. The CFPB
proposes to implement this general
provision in § 1022.10(a) with only
minor wording or organizational
changes for clarity.
10(b) Furnish a Consumer Report
Proposed § 1022.10(b) would address
what it means for a consumer reporting
agency to ‘‘furnish’’ a consumer report,
as that term is used in FCRA section
604(a) and proposed § 1022.10(a).
10(b)(1)
Proposed § 1022.10(b)(1) states that a
consumer reporting agency furnishes a
consumer report if it provides the
consumer report to a person. The FCRA
does not define either the term
‘‘furnish’’ or the phrase ‘‘furnish a
consumer report.’’ However, the
ordinary meaning of the term ‘‘furnish’’
is ‘‘to provide’’ or ‘‘supply.’’ 196 The
CFPB proposes § 1022.10(b)(1) to
implement the term consistent with
these definitions and the FCRA’s
purposes.
10(b)(2)
A core pillar of the FCRA is the
limitation in section 604(a) on the
dissemination of consumer reports
except for one of the permissible
purposes identified by Congress. For
instance, except in narrowly defined
circumstances, consumer reporting
agencies generally are prohibited from
furnishing a consumer report to a third
party for marketing or advertising
purposes. Consistent with the FCRA’s
prohibition on the use of consumer
report information for non-permissible
purposes, proposed § 1022.10(b)(2)
provides that the term ‘‘furnish’’
includes instances where a consumer
reporting agency does not technically
transfer a consumer report but facilitates
a person’s use of any information in the
consumer report for that person’s
financial gain. The proposed provision
would thus further the FCRA’s general
prohibition on the use of consumer
report information for marketing and
advertising purposes without a
permissible purpose and prevent
evasion thereof, regardless of whether
the report is provided to the user.
The CFPB understands that, despite
the general prohibition in the FCRA,
some consumer reporting agencies use
information from consumer reports to
present advertisements to consumers
from third parties. For example, a
merchant might want to advertise to an
audience of consumers based on
income, credit score, education, and
credit usage ratio. The merchant might
provide the relevant attributes of the
196 See Furnish, Merriam-Webster.com
Dictionary, https://www.merriam-webster.com/dictionary/furnish (last visited Oct. 15, 2024).
target audience to a consumer reporting
agency, which might use its consumer
report data to identify that audience.
Then, the consumer reporting agency or
its service provider might deliver the
merchant’s advertisement to consumers
in the target audience. The consumer
reporting agency might believe that,
because it is not technically transferring
the consumer report to the merchant in
this scenario but rather is using a
workaround to allow the merchant to
still obtain the financial benefit of the
consumer report information, no
consumer report has been furnished
and, therefore, that the activity is
permissible under the FCRA.
However, this business model is
incompatible with the goals of the
FCRA’s general prohibition on the use
of consumer reports for marketing or
advertising purposes. The FCRA’s
prescreening provision strictly limits
the use of consumer reports for
marketing or advertising purposes
unless the consumer authorizes such
use. Congress provided that, absent such
authorization, consumer reporting
agencies must allow consumers to opt
out of the prescreening process, third
parties must provide firm offers of credit
or insurance to consumers whose
information they receive, and both
consumer reporting agencies and third
parties must comply with notice
requirements.197 However, some entities
have used the business model described
above to deliver advertisements to
consumers without these statutory
protections. This business model allows
third parties to advance their private
financial interests as if they had
delivered advertising in compliance
with the prescreening provision. The
proposed provision would make clear
that consumer reporting agencies cannot
use technological and contractual
workarounds to profit off consumers’
sensitive consumer report information
in circumstances that fall outside the
FCRA’s permissible purposes, and that
run counter to the protections Congress
intended to provide under the FCRA.
Not only can the business model
described above run counter to the
FCRA’s statutory limitations on when
consumer reporting agencies may
furnish a consumer report, but it also
undermines the FCRA’s core interest in
protecting consumer privacy against
certain types of marketing.198 If the
advertisement is unwanted, then its
delivery alone is an intrusion on the
197 15 U.S.C. 1681b(c), (e), 1681m(d).
198 115 Cong. Rec. 2415 (Jan. 31, 1969) (Senator
Proxmire, who introduced the FCRA, believed it
would ‘‘preclude the furnishing of information . . .
to market research firms or to other business firms
who are simply on fishing expeditions.’’).
consumer’s right to be left alone. And
modern advertising poses additional
privacy harms. Most advertising is
delivered online,199 and online
advertisement business models may
reveal personal information to a third
party. For example, online
advertisements could allow a third party
to determine if a consumer visiting the
third party’s website has navigated there
through an advertisement delivered by a
consumer reporting agency or its service
provider.200 This could enable the third
party to connect the consumer’s
identifying information, such as their IP
address or browser fingerprint, to the
consumer report criteria used to target
the advertisement, thereby revealing
sensitive consumer reporting
information about particular
consumers.201 Indeed, this information
is similar to what a third party would
gain through prescreening under FCRA
section 604(c)(2)—where the third party
knows the consumer report criteria of
the advertisement’s audience and
receives the consumer’s identifying
information from the consumer
reporting agency—but without any of
the protections or restrictions that
Congress intended to afford under that
provision.202 In contrast, using
consumer report information for other
purposes, such as academic research,
may pose less risk of re-identification
because it involves third parties that are
generally interested in researching
broader economic trends in order to try
to advance public welfare rather than
initiating a business relationship with
an individual consumer. More broadly,
the use of consumers’ sensitive financial
information in an advertising system,
often involving many intermediaries
with limited accountability, contributes
to a commercial surveillance apparatus
that harms people by invading their
privacy.203
199 Digital advertising in the United States—
statistics & facts, Statista (June 18, 2024), https://www.statista.com/topics/1176/online-advertising/#topicOverview.
200 See, e.g., Learn about final URLs and tracking
templates, Google, https://support.google.com/google-ads/answer/6273460?hl=en (last visited Oct.
15, 2024); URL Tracking with Upgraded URLs,
Microsoft (Mar. 19, 2023), https://learn.microsoft.com/en-us/advertising/guides/url-tracking-upgraded-urls?view=bingads-13.
201 A similar possibility for linking a consumer to
the consumer report criteria used to target the
advertisement exists for marketing and advertising
delivered by mail, if for example the mailed
advertisement contains a QR code or other method
for the consumer to navigate to a specific page on
the third party’s website created for a particular
advertising campaign.
202 15 U.S.C. 1681b(c)(2).
203 See Michelle Faverio, Key Findings About
Americans and Data Privacy, Pew Rsch. Ctr. (Oct.
18, 2023), https://www.pewresearch.org/short-reads/2023/10/18/key-findings-about-americans-
Proposed § 1022.10(b)(2) would
provide that, consistent with the FCRA’s
purposes and Congress’ intent to strictly
limit use of consumer reports for
marketing or advertising purposes, the
phrase ‘‘furnish a consumer report’’
includes facilitating a third party’s use
of any information from the consumer
report for the third party’s financial
gain. Under proposed § 1022.10(b)(2), if
a consumer reporting agency engages in
the business model described above by
allowing a third party to seek financial
gain from consumer report information,
regardless of whether such information
is transmitted to the third party, the
information is a consumer report, and
the consumer reporting agency would
have furnished it to a third party.
Proposed § 1022.10(b)(2) would thus
help ensure that consumer reporting
agencies do not use technological or
contractual maneuvers to enable third
parties to use consumer report
information for marketing or advertising
in a manner not permitted under the
FCRA.
The CFPB proposes § 1022.10(b)(2) to
implement FCRA section 604(a).
Proposed § 1022.10(b)(2) provides that a
consumer reporting agency furnishes a
consumer report if it facilitates a
person’s use of the consumer report for
the person’s financial gain. The CFPB
preliminarily determines that this
approach is necessary or appropriate to
carry out the protections afforded under
the statute. The CFPB also preliminarily
determines that proposed
§ 1022.10(b)(2) is necessary or
appropriate to prevent evasion. In
allowing prescreening (subject to the
consumer’s opt-out rights), Congress
endeavored to balance the privacy
invasion created by the use of sensitive
consumer report information for
marketing and advertising without the
consumer’s consent with the potential
benefit to consumers of a firm offer of
credit or insurance.204 The CFPB
preliminarily determines that proposed
§ 1022.10(b)(2) reflects the balance
Congress intended to strike. Proposed
§ 1022.10(b)(2) specifically addresses
uses of consumer report information
that further a third party’s profit-seeking
activity because the CFPB has
preliminarily determined that those
uses present the greatest risk of evasion
and-data-privacy/ (finding that 61 percent of
respondents feel skeptical that anything they do to
manage their privacy online will make much
difference).
204 See S. Rep. No. 103–209, at 13–14 (1993);
Trans Union Corp. v. FTC, 267 F.3d 1138, 1143
(D.C. Cir. 2001) (‘‘Congress apparently believe[d]
that people are more willing to reveal personal
information in return for guaranteed offers of credit
than for catalogs and sales pitches.’’).
at this time. Specifically, facilitating a
person’s use of a consumer report for
that person’s financial gain presents a
significant risk of evasion of the FCRA’s
limitations on the use of consumer
reports for marketing or advertising.
The Small Business Review Panel
recommended that the CFPB consider
whether the proposal could permit
targeted marketing in situations where
there might be low risk of consumer
harm. The CFPB notes that the proposal
would not limit either the use of nonconsumer reports for advertising
purposes or the use of consumer reports
pursuant to written instructions or for
prescreening purposes in compliance
with FCRA section 604(c). But the CFPB
preliminarily determines that using
consumer reports for general advertising
purposes is a harmful practice that the
statute prohibits.
The CFPB requests comment on
proposed § 1022.10(b)(2), including on
the proposal’s impact on purposes other
than marketing and advertising where
consumer reporting agencies might
facilitate the use of consumer reports for
a third party’s financial gain without
directly transferring the reports to the
third party. The CFPB also requests
comment on examples a final rule could
provide to further clarify when a
consumer reporting agency ‘‘facilitates
the use’’ of a consumer report and when
such use would be for a person’s
‘‘financial gain.’’ Proposed
§ 1022.10(b)(2) would not prohibit
academics, nonprofit organizations, and
government agencies from seeking the
assistance of consumer reporting
agencies in analyzing consumer report
information or delivering surveys to
consumers based on consumer report
information. Such entities generally do
not use consumer reports for financial
gain. However, the CFPB requests
comment on whether other beneficial
uses of consumer reports might be
prohibited by proposed § 1022.10(b)(2),
and on alternatives that would
accomplish the goals of proposed
§ 1022.10(b) while preserving those
uses.
Section 1022.11 Permissible Purpose
Based on a Consumer’s Written
Instructions
Proposed § 1022.11 would implement
the written instructions permissible
purpose in FCRA section 604(a)(2).
FCRA section 604(a)(2) provides that a
consumer reporting agency may furnish
a consumer report in accordance with
the written instructions of the consumer
to whom it relates. Proposed § 1022.11
implements FCRA section 604(a)(2) by
specifying the conditions that would
need to be satisfied for a consumer
reporting agency to furnish a consumer
report under this permissible purpose.
The CFPB also proposes § 1022.11 to
prevent evasion of FCRA section 604’s
restrictions and to further the consumer
privacy purposes of the permissible
purpose provisions in FCRA section
604.
The conditions, which are set forth in
proposed § 1022.11(b), include, among
other provisions, a disclosure
requirement; limitations on the
procurement, use, and retention of
consumer reports obtained pursuant to
a consumer’s written instructions; and a
requirement regarding revocation. While
either the consumer reporting agency or
the person to whom the consumer
report will be furnished would be
authorized to obtain the consumer’s
express consent to the furnishing of the
consumer report and to provide the
required disclosure, the consumer
reporting agency ultimately would be
responsible for ensuring that it furnishes
a consumer report in accordance with
FCRA section 604(a)(2) and proposed
§ 1022.11.205 Proposed § 1022.11(b) and
(c) align closely with the requirements
for third-party authorization in subpart
D of the CFPB’s Personal Financial Data
Rights final rule.206
Meaning of ‘‘In Accordance With the
Written Instructions of the Consumer’’
The CFPB preliminarily determines
that proposed § 1022.11 is ‘‘necessary or
appropriate to administer and carry out
the purposes and objectives’’ of the
FCRA as stated in FCRA section
621(e)(1). The CFPB proposes that the
phrase ‘‘in accordance with the written
instructions of the consumer’’ requires,
at a minimum, that the consumer
affirmatively directs a consumer
reporting agency to furnish their
consumer report to a third party, that
the consumer is informed of and
reasonably expects the scope of the use
of their consumer report, and that the
consumer retains control over such
access and use. The term ‘‘instruction’’
means ‘‘a direction,’’ an ‘‘authoritative
order,’’ or a ‘‘command.’’ 207 The phrase
205 To use or obtain a consumer report, a user is
independently responsible for ensuring it has one
of the permissible purposes in FCRA section 604.
See FCRA section 604(f), 15 U.S.C. 1681b(f).
206 89 FR 90838 (Nov. 18, 2024) (hereinafter PFDR
Rule).
207 See Instructions, Merriam-Webster.com
Dictionary, https://www.merriam-webster.com/
dictionary/instructions (last visited Oct. 15, 2024)
(defining ‘‘instructions’’ to mean ‘‘a direction
calling for compliance: order’’). See also
Instruction, Oxford English Dictionary Online,
https://www.oed.com/dictionary/instruction_
n?tab=meaning_and_use#387233 (last visited Oct.
15, 2024) (‘‘An authoritative order to be obeyed; an
oral or written command. Frequently in plural or
as a mass noun: orders, directives’’).
‘‘in accordance with’’ means to ‘‘agree
with’’ or ‘‘follow.’’ 208 Taken together,
Congress’s use of the term ‘‘written
instructions’’ suggests that, for the
written instructions permissible
purpose to apply, the consumer must
provide affirmative, written direction
for a consumer reporting agency to
furnish a consumer report to a third
party, and the consumer report must be
furnished and used in accordance with
those instructions.
Similarly, the CFPB preliminarily
determines that FCRA section 604(a)(2)
also requires that the consumer is
informed of and can reasonably
anticipate at the very least how their
consumer report will be used, including
by whom, for how long, and for what
purposes. It stands to reason that a
consumer report cannot meaningfully be
provided ‘‘in accordance with the
consumer’s written instructions’’ if the
consumer does not understand or
cannot reasonably anticipate how their
consumer report will be used. Such an
interpretation of the written instructions
permissible purpose is also in
accordance with FTC staff guidance,
which has previously cautioned against
purported ‘‘instructions’’ that are based
on language that is ‘‘not a sufficiently
specific instruction from the consumer
to authorize a [consumer reporting
agency] to provide a consumer
report.’’ 209 Broad, lengthy, or otherwise
confusing consent forms are inadequate
to meet the statute’s requirement that
the consumer be informed and able to
reasonably anticipate how their
consumer report will be used.
Finally, a consumer’s ability to direct
the furnishing and use of their
consumer report suggests that the
consumer must have the power to
revoke such consent. Accordingly, the
CFPB proposes that the written
instructions permissible purpose
requires that a consumer may revoke
any prior consent without interference.
The CFPB also preliminarily
determines that interpreting the written
instructions permissible purpose to
require the consumer’s affirmative,
knowing, and revocable consent is
consistent with the overall structure and
purpose of the FCRA’s permissible
purpose provisions. As stated in FCRA
section 602(a)(4), Congress enacted the
FCRA to, among other things, ‘‘[e]nsure
that consumer reporting agencies
208 See In accordance with, Merriam-Webster.com
Dictionary, https://www.merriam-webster.com/
dictionary/in%20accordance%20with (last visited
Oct. 15, 2024) (defining ‘‘in accordance with’’ to
mean ‘‘in a way that agrees with or follows
(something, such as a rule or request)’’).
209 FTC 40 Years Staff Report, supra note 21, at
43 n.1.
exercise their grave responsibilities with
. . . respect for the consumer’s right to
privacy.’’ 210 As courts have also
recognized, ‘‘[a] major purpose of the
[FCRA] is the privacy’’ of consumer
data.211 A central component of how the
FCRA protects consumer privacy is by
limiting the circumstances under which
consumer reporting agencies may
disclose consumer information.
Specifically, FCRA section 604
identifies an exclusive list of
permissible purposes for which
consumer reporting agencies may
furnish consumer reports, including, in
section 604(a)(2), in accordance with the
written instructions of the consumer to
whom the report relates. Section 604(a)
states that a consumer reporting agency
may furnish consumer reports under
these circumstances ‘‘and no other.’’ 212
The phrase ‘‘[i]n accordance with the
written instructions of the consumer’’
should be construed in a manner that is
consistent with the central role FCRA
section 604 plays in protecting
consumer privacy. The CFPB
preliminarily determines that, if the
written instructions permissible
purpose is construed to allow consumer
reporting agencies to furnish, or third
parties to obtain, a consumer report in
circumstances in which the consumer
does not understand that their consumer
report will be furnished, to whom, or for
what purposes, it would undermine the
core consumer privacy purposes of the
permissible purpose provisions.213
Therefore, the CFPB preliminarily
determines that, consistent with the
purposes of the FCRA, FCRA section
604(a)(2) requires a demanding standard
of consent that does not subvert a
consumer’s intent.
Finally, the conditions set forth in
proposed § 1022.11 are also necessary to
prevent evasion of the written
instructions permissible purpose. The
CFPB is concerned that companies are
evading the written instructions
permissible purpose by purportedly
210 See S. Rep. No. 91–517, at 1 (1969) (The
statute was enacted to ‘‘prevent an undue invasion
of the individual’s right of privacy in the collection
and dissemination of credit information.’’).
211 Trans Union Corp. v. FTC, 81 F.3d 228, 234
(D.C. Cir. 1996).
212 See also supra note 35 (discussing other
provisions establishing additional limited
circumstances under which consumer reporting
agencies are permitted or required to disclose
certain information to government agencies).
213 The CFPB notes that, in addition to section
604(a)(2), the FCRA includes other permissible
purpose provisions requiring consumer
authorization or consent in various circumstances.
See, e.g., FCRA section 604(b)(2)(A), 15 U.S.C.
1681b(b)(2)(A), and FCRA section 604(c)(1)(A), 15
U.S.C. 1681b(c)(1)(A). The CFPB is not addressing
the scope or meaning of those provisions in this
document.
obtaining consumer consent to furnish
or procure consumer reports through
vague authorizations buried in lengthy
terms and conditions, as a result of
which consumers likely do not
understand that they are providing
consent or understand the scope of such
consent. For example, the CFPB
understands that many credit card
issuers include, as part of lengthy
account agreements, language granting
themselves the ongoing authority to
obtain and use consumer reports for
reasons unrelated to underwriting and
servicing the account, such as sending
the consumer new marketing offers.
Similarly, the CFPB understands that
some entities that provide credit
monitoring services include language in
customer service agreements that
consumers must sign prior to receiving
the services that grants the credit
monitoring service provider the
authority to use the consumer report to
provide unsolicited advertisements to
the consumer for other financial
products or services on behalf of a third
party.
The CFPB preliminarily concludes
that such agreements are not in
accordance with the written instructions
of the consumer because the consumer
likely is not informed or able to
reasonably anticipate such uses of their
consumer reports when signing up for
such products. For example, research
suggests consumers often do not
understand how companies will use
their behavioral or transactional data,
even when such use is purportedly
obtained pursuant to consumer
consent.214 Moreover, research also
indicates that, as a general matter,
consumers often affirmatively do not
want their personal or financial data to
be accessed or used,215 providing
further evidence that consumers are not
affirmatively and knowingly directing
that such information be shared. Often,
when companies include terms and
conditions that grant themselves access
214 See Ramy El-Dardiry et al., Brave New Data:
Policy Pathways for the Data Economy in an
Imperfect World, CPB Netherlands Bureau for Econ.
Policy Analysis, at 10 (July 2021), https://
www.cpb.nl/sites/default/files/omnidownload/CPBuk-Policy-Brief-Brave-new-datah.pdf (‘‘Consumers
cannot see what companies are doing with their
data, nor can they read all of the data terms of use
or oversee the consequences.’’).
215 See, e.g., Colleen McClain et al., How
Americans View Data Privacy: The Role of
Technology Companies, AI and Regulation—Plus
Personal experiences with Data Breaches,
Passwords, Cybersecurity and Privacy Policies, Pew
Rsch. Ctr., at 15 (Oct. 18, 2023), https://
www.pewresearch.org/internet/wp-content/
uploads/sites/9/2023/10/PI_2023.10.18_DataPrivacy_FINAL.pdf (stating that ‘‘81 [percent of
consumers] say they feel very or somewhat
concerned with how companies use the data they
collect about them’’).
to consumer reports, the terms set few
or no limits on the duration of the
access and with whom or for what
purposes the company can further share
a consumer report with third parties.216
As a result, consumers are not informed
about the scope of the consent they are
purportedly providing.
Proposed Conditions Implementing
Written Instructions Permissible
Purpose
As discussed above, the CFPB
preliminarily determines that the
written instructions permissible
purpose should be interpreted to mean
that a consumer is informed of and
reasonably expects the scope of a given
use, and the consumer retains control
over such use. Proposed § 1022.11 sets
forth conditions intended to ensure that
these core components of FCRA section
604(a)(2) are satisfied and to prevent
evasion thereof.
In proposing § 1022.11, the CFPB has
considered its PFDR rulemaking, and
particularly the authorized third-party
provisions in that rulemaking. Similar
to the aims of the written instructions
permissible purpose in the FCRA, the
PFDR Rule seeks to ensure that the
consumer understands and clearly
directs how and for what purpose their
data will be used by a third party.217 In
addition, the CFPB recognizes that
certain entities that are subject to the
PFDR Rule may also have obligations
under the FCRA. For example, certain
companies seeking to become
authorized third parties under the PFDR
Rule may also be required to comply
with the FCRA as users of consumer
reports from consumer reporting
agencies because they are using the
services of aggregators that are
consumer reporting agencies to obtain
consumer-permissioned data. Certain of
these companies may be obtaining
consumer reports pursuant to the FCRA
written instructions permissible
purpose. In light of these interactions
and the similarities between the FCRA
216 See, e.g., Krystal Scanlon, Even financial
services businesses want a piece of the ad pie now,
Digiday (June 3, 2024), https://digiday.com/
marketing/even-financial-services-businesses-wanta-piece-of-the-ad-pie-now/ (describing increasing
push for financial services companies to include
advertising and data mining in standard contracts);
Brogan v. Fred Beans Chevrolet, Inc., 855 F. App’x
825, 827 (3d Cir. 2021) (consumer alleged that he
did not understand at the time he signed a contract
that his consumer report would be furnished to
multiple banks over a longer period of time). See
also Malbrough v. State Farm Fire & Cas. Co., No.
Civ. A. 96–1540, 1997 WL 159511, at *4–5 (E.D. La.
Mar. 31, 1997) (noting that misrepresentations or
misunderstanding could cause a consumer’s written
instructions to be invalid).
217 See PFDR Rule, supra note 206 (describing
limits on third-party collection, use, and retention
of covered data).
written instructions permissible
purpose and the requirements for
authorized third parties under the PFDR
Rule, the CFPB has carefully considered
as part of this proposal the legal,
research, and policy considerations
described in the PFDR rulemaking and
proposes to align the requirements of
§ 1022.11 with the PFDR Rule
requirements for authorized third
parties.
Proposed § 1022.11 sets forth
conditions intended to ensure that these
core components of FCRA section
604(a)(2) are satisfied and to prevent
evasion thereof.
Consumer Disclosure and Consent
Proposed § 1022.11(b)(1) would
require, among other things, that the
consumer provide express, informed
consent to the furnishing of their report.
The proposed provision would require
the consumer reporting agency or
person to whom the consumer report
will be provided to give the consumer
a disclosure setting forth the key terms
and scope of how their report will be
used. As set forth in proposed
§ 1022.11(c), the disclosure must be
clear, conspicuous, and segregated from
other material, and include the name of
the person the report will be obtained
from; who the report will be provided
to; the product or service, or specific
use, for which the consumer report will
be furnished or obtained; limitations on
the scope of such use; and how a
consumer may revoke consent.
Together, these proposed provisions are
designed to ensure that the consumer
has provided affirmative ‘‘instructions’’
regarding the furnishing and use of their
consumer report and to provide the
consumer with information necessary to
be informed and form reasonable
expectations about how their report will
be used in the future.
Reasonably Necessary to a Consumer’s
Requested Product, Service, or Use
The CFPB is proposing several
conditions intended to ensure that
consumer reports furnished pursuant to
written instructions are furnished in
connection with a specific product,
service, or use the consumer has
actually requested (proposed
§ 1022.11(b)(2)), and that once consent
is obtained, the user of the report
procures, uses, retains, or shares the
report with a third party only as
reasonably necessary to provide the
product or service requested by the
consumer, or the specific use 218 the
218 An example of a specific use requested by the
consumer that is not a product or service is when
a consumer requests the furnishing of a consumer
report to a potential business partner.
consumer has identified (proposed
§ 1022.11(b)(3)).
When obtaining a product or service,
consumers might provide written
instructions to furnish their consumer
report if doing so is necessary to obtain
the benefits of the sought-after product
or service. For example, a consumer
could provide written instructions to an
entity that provides credit monitoring to
obtain their consumer report so that the
entity could provide the consumer with
the credit monitoring service they
desire. In such cases, the consumer’s
reason for allowing the consumer report
to be furnished is that they want to
receive the credit monitoring service.
However, in such circumstances, the
consumer likely does not expect (much
less affirmatively intend to authorize)
that their consumer report will be used
for purposes other than credit
monitoring—such as to provide targeted
marketing to the consumer.219
Consistent with the CFPB’s proposed
interpretation of the written instructions
permissible purpose, proposed
§ 1022.11(b)(2) and (3) are intended to
ensure that the furnishing of the
consumer report is in accordance with
the consumer’s affirmative instructions
and intent, that the consumer is
informed about the scope of such use,
and that such use aligns with the
consumer’s reasonable expectations.
The proposed provisions are also
designed to prevent evasion of the
written instructions permissible
purpose by ensuring that each product
or service (or use, if not in connection
with a product or service) is authorized
by one, separate written instruction. For
example, a company could otherwise
evade the written instructions
permissible purpose when it obtains
written instructions in connection with
one product or service, but then exploits
such consent through obscure and
lengthy terms and conditions language
to use consumer reports for purposes
other than as reasonably necessary to
provide the product or service the
consumer requested.
Proposed § 1022.11(d) provides
examples of uses of consumer reports
that would not be reasonably necessary
to provide a product or service. For
example, proposed § 1022.11(d)
provides that certain activities—such as
targeted advertising, cross-selling of
219 See generally Yosuke Uno et al., The
Economics of Privacy: A Primer Especially for
Policymakers, at 8–9, Bank of Japan, Working Paper
Series No.21–E–11 (Aug. 6, 2021), https://
www.boj.or.jp/en/research/wps_rev/wps_2021/data/
wp21e11.pdf (surveying research demonstrating
that consumers generally do not understand the
scope or risks of sharing private data even after
having agreed to do so).
other products or services, or the sale of
information in the consumer report—are
not part of, or reasonably necessary to
provide, any other product or service.220
When a consumer seeks a particular
product or service—such as signing up
for a credit monitoring service—the use
of a consumer report for the types of
purposes described in proposed
§ 1022.11(d) is generally not
contemplated or reasonably expected by
the consumer, and is instead a tactic
used by companies to evade the
permissible purpose limitations,
including the strict limitations on use of
consumer reports for marketing
purposes.221 In such circumstances, any
‘‘consent’’ to such purposes would be
unknowingly or reluctantly provided
and accordingly not sufficient to meet
the requirement that the consumer
report be shared at the affirmative
direction of the consumer. Having said
that, companies are free to procure
separate written instructions for
different products or services, which the
CFPB preliminarily concludes would
ensure consumers are truly providing
informed consent.
Duration Limitations
Proposed § 1022.11(b)(3)(ii) would
prevent a user from procuring a
consumer report more than one year
after the date on which the consumer
provides consent for the consumer
reporting agency to furnish the report.
The CFPB recognizes that some
products or services, such as credit
monitoring, require consumer reporting
agencies to repeatedly furnish consumer
reports over time, and, if separate
written instructions were required each
time the consumer report were
furnished, consumers as well as persons
offering these services could be
frustrated or burdened. On the other
hand, for products and services that rely
on standing instructions to furnish
consumer reports, such as credit
monitoring, instructions with no or
lengthy duration limits may, over time,
result in the consumer report being used
outside the consumer’s knowledge and
reasonable expectations. The CFPB
preliminarily determines that the
proposed limitation of one year
reasonably balances these concerns and
220 The proposed rule would not prevent a user
from engaging in an activity described in proposed
§ 1022.11(d) as a stand-alone product or service. To
the extent that the consumer seeks such a product
or service and the consumer’s consumer report is
reasonably necessary to provide that product or
service, the consumer report could be furnished or
obtained pursuant to the consumer’s written
instructions consistent with, and subject to,
proposed § 1022.11.
221 See supra notes 36 and 197 and accompanying
text.
serves as an effective check against
consumer reports being furnished for
longer periods than the consumer needs
or wants.222 After the one-year period
has elapsed, if the consumer wishes to
continue to receive the requested
product or service, the consumer would
be able to provide new consent to the
furnishing of the report as described in
proposed § 1022.11(b)(1)(i).
Revocation
A final condition included in
proposed § 1022.11 is a consumer’s right
to revoke consent previously granted.
Specifically, proposed § 1022.11(b)(4)
would require that the consumer is
provided a method to revoke consent
that is as easy to access and operate as
the method by which the consumer
initially provided consent to the
furnishing of their consumer report. The
proposal would also provide that a
consumer could not be charged any
costs or penalties to revoke consent.
As discussed above, the CFPB
preliminarily determines that the text of
FCRA section 604(a)(2) supports this
proposed provision. The notion of a
consumer providing ‘‘instructions’’
suggests that the consumer is able to
revoke such instructions. For the right
to revocation to be meaningful, the
method of revocation should be familiar
and easily accessible to the consumer
and should not involve additional costs
or penalties to the consumer.
Facilitation of Compliance for
Authorized Third Parties Under the
PFDR Rule
As described above, the CFPB has
carefully considered the PFDR
rulemaking in developing this proposal.
To facilitate compliance for entities that
would seek to comply with both
proposed § 1022.11 and the PFDR Rule,
the CFPB is proposing to expressly
provide that a consumer reporting
agency furnishes a consumer report in
accordance with the written instructions
of the consumer for purposes of the
FCRA and Regulation V if the person to
whom the report is furnished is an
authorized third party under subpart D
of the PFDR Rule. The CFPB anticipates
that this proposal, if finalized, would be
222 Pursuant to proposed § 1022.11(b)(3)(i), a user
would be limited to procuring, using, or retaining
a consumer report for less than a year if these
activities were not reasonably necessary to provide
the product or service the consumer requested or
for the specific use the consumer identified. For
example, a product or service or specific use the
consumer identified that requires only one instance
of access to a consumer report, such as furnishing
a consumer report to a potential business partner,
would not authorize the consumer reporting agency
to continue to furnish, or the potential business
partner to obtain, more than one consumer report.
reflected in the regulatory text of the
FCRA final rule.223
Small Business Review Panel
Recommendations
The conditions set forth in proposed
§ 1022.11 are responsive to the Small
Business Review Panel’s
recommendations related to the written
instructions permissible purpose.224 For
example, proposed § 1022.11(b) and (c),
which would require that consumers be
presented with a clear and conspicuous
description of who may obtain their
consumer report and how it will be
used, is responsive to the Panel’s
recommendation that the proposal
maximize consumer understanding.
Similarly, proposed
§ 1022.11(b)(1)(i)(B), which would
require a consumer reporting agency or
the person to whom the consumer
report will be furnished to obtain the
consumer’s signature, either in writing
or electronically, is responsive to the
Panel’s recommendation that the CFPB
permit consumers’ written instructions
to be obtained electronically or through
more traditional methods. Finally, as
discussed above, the CFPB’s proposal is
responsive to the Panel’s
recommendation to ensure that the
written instructions permissible
purpose proposal does not conflict with
other regulatory frameworks for
consumer authorization of data sharing.
The Panel also recommended that the
CFPB consider an alternative approach
of requiring that, upon a consumer’s
request, users delete consumer reports
previously obtained, rather than obtain
one-time-use consumer
authorizations.225 The CFPB considered
this approach but has preliminarily
determined that it would be insufficient
to establish a written instructions
permissible purpose under the statute.
As discussed above, the CFPB
preliminarily determines that, under
FCRA section 604(a)(2), the consumer
must provide affirmative, knowing, and
revocable consent for a consumer
reporting agency to furnish their
consumer report to a third party.
Requiring entities that have obtained
consumer reports to delete them upon
the consumer’s request would not
achieve this result. Putting the burden
on consumers to affirmatively take steps
to request deletion of their sensitive
data, rather than putting the
responsibility on the consumer
223 See PFDR Rule, supra note 206. The PFDR
Rule is not yet in effect. As a result, this proposed
method of compliance with § 1002.11 has not been
included in the proposed regulatory text here.
224 Small Business Review Panel Report, supra
note 40, at 48.
225 Id.
reporting agency and user to limit their
provision and use of such reports as
originally ‘‘instructed’’ by the consumer,
would be inconsistent with the FCRA’s
statutory language and purposes. The
CFPB also notes that proposed
§ 1022.11(b)(3)(ii) does not contemplate
a one-time-use consumer authorization
but allows a consumer’s written
instructions to permit access for up to
one year so long as access to a
consumer’s consumer report remains
reasonably necessary to provide the
consumer’s requested product or service
or use.
Finally, consistent with the Panel’s
recommendation, the CFPB requests
public comment on the appropriate
scope and duration of a consumer’s
written instructions, as well as whether
the consumer reporting agency or the
person to whom the consumer report
will be furnished should be required to
memorialize or confirm consumers’
written instructions.
Section 1022.12 Permissible Purposes
Based on a Consumer Reporting
Agency’s Reasonable Belief About a
Person’s Intended Use
The CFPB proposes § 1022.12 to
incorporate into Regulation V the
permissible purposes listed in FCRA
section 604(a)(3)(A) through (F).226 As
noted above, FCRA section 604(a)
permits a consumer reporting agency to
furnish a consumer report under
specific enumerated circumstances and
no other. The permissible purposes in
FCRA section 604(a)(3)(A) through (E)
cover circumstances in which a
consumer reporting agency has reason
to believe that a person intends to use
the information in the consumer report
for certain purposes related to credit,
employment, insurance, license or
benefit eligibility, and valuing or
assessing credit or prepayment risks
associated with existing credit
obligations. These permissible purposes
are restated in proposed § 1022.12(a)(1)
through (5) without interpretation. The
permissible purpose in FCRA section
604(a)(3)(F) is implemented in proposed
§ 1022.12(b), as discussed below.
12(b) Permissible Purpose Based on
Legitimate Business Need
Proposed § 1022.12(b) would
implement and interpret the legitimate
business need permissible purpose in
FCRA section 604(a)(3)(F). FCRA
section 604(a)(3)(F) provides that a
consumer reporting agency may furnish
a consumer report to a person which it
has reason to believe has a legitimate
business need for the information in two
226 15 U.S.C. 1681b(a)(3)(A) through (F).
scenarios: (1) in connection with a
business transaction that is initiated by
the consumer (the consumer-initiated
transaction prong) and (2) to review an
account to determine whether the
consumer continues to meet the terms of
the account (the account review prong).
The CFPB proposes to restate both
prongs in § 1022.12(b)(1) and to provide
clarifications and examples in
§ 1022.12(b)(2) and (3). Among other
things, proposed § 1022.12(b) would
highlight that the legitimate business
need permissible purpose does not
authorize use of consumer report
information for marketing.
Consumer-Initiated Transactions
Proposed § 1022.12(b)(2) would
clarify that the consumer-initiated
transaction prong of the legitimate
business need permissible purpose
authorizes a consumer reporting agency
to furnish a consumer report to a person
only if the consumer reporting agency
has reason to believe that the consumer
has initiated a business transaction.
Proposed § 1022.12(b)(2) sets forth
examples to illustrate the types of
interactions between a consumer and a
prospective user that would and would
not establish a consumer-initiated
transaction. Among other things, the
examples clarify that a consumer may
interact with a business without
initiating a transaction, such as by
asking about the availability or pricing
of products or services. The CFPB
preliminarily determines that the
examples in proposed § 1022.12(b)(2)
would facilitate compliance with the
FCRA for consumer reporting agencies
furnishing consumer reports to users
pursuant to the consumer-initiated
transaction prong of the legitimate
business need permissible purpose and
prevent evasion of the FCRA. The
proposed examples are consistent with
prior interpretations by FTC staff.227
Solicitation or Marketing
As discussed elsewhere in this
document, the CFPB is concerned about
reports of unauthorized use of consumer
report information for marketing
purposes. Proposed § 1022.12(b)(3)
would emphasize that neither prong of
the legitimate business need permissible
227 See, e.g., FTC 40 Years Staff Report, supra
note 21, at 14, 48 (citing 1990 comment 604(3)(E)–3);
FTC Informal Staff Opinion Letter to Greenblatt (Oct. 27, 1998),
https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-greenblatt-10-27-98;
FTC Informal Staff Opinion Letter to Kaiser (July 16, 1998),
https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-kaiser-07-16-98;
FTC Informal Staff Opinion Letter to Coffey (Feb. 11, 1998),
https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-coffey-02-11-98.
purpose authorizes a consumer
reporting agency to furnish a consumer
report to a person if the consumer
reporting agency has reason to believe
the person is seeking information from
the report to solicit the consumer for a
transaction the consumer did not
initiate or to otherwise market products
or services to the consumer. Proposed
§ 1022.12(b)(3) also includes an example
to illustrate this point, as well as a
cross-reference to FCRA section 604(c)
related to prescreened offers for credit
or insurance transactions, which
permits the release of consumer report
information for marketing. The plain
language of the FCRA, legislative
history, and prior agency guidance and
caselaw make clear that Congress did
not intend for the legitimate business
need permissible purpose to be
exploited for marketing purposes.
The proposal is supported by the
plain language of the FCRA. With
respect to the consumer-initiated
transaction prong of the legitimate
business need permissible purpose,
FCRA section 604(a)(3)(F)(i) provides
that a consumer reporting agency may
furnish a consumer report to a person
that the consumer reporting agency has
reason to believe has a legitimate
business need for the information in
connection with a business transaction
that is initiated by the consumer. FCRA
section 604(a)(3)(F)(i) does not, by its
plain language, authorize a consumer
reporting agency to furnish a consumer
report to a person that the consumer
reporting agency has reason to believe is
seeking the information from the report
to solicit a consumer for a transaction
that the consumer did not initiate or to
otherwise market products or services to
the consumer. Similarly, FCRA section
604(a)(3)(F)(ii) does not authorize
account reviews for marketing purposes;
instead, by its plain language, it merely
authorizes reviews to determine
whether the consumer continues to
meet the terms of the account.
Under the FCRA, a person is
prohibited from using a consumer report
for a purpose that is not authorized
under FCRA section 604, and the
permissible purposes authorized by
FCRA section 604 do not include
solicitation or marketing (except as
permitted under the statute’s
prescreening and written instructions
provisions). FCRA section 604(f)
provides that a person shall not use or
obtain a consumer report unless the
report is obtained for a permissible
purpose and that purpose is certified by
the prospective user. FCRA section
607(a) requires prospective users to
certify the purposes for which the
information is sought and that ‘‘the
information will be used for no other
purpose.’’ 228 The legitimate business
need permissible purpose thus does not
authorize a consumer reporting agency
to furnish a consumer report to a person
if the consumer reporting agency has
reason to believe the person is seeking
information from the report for
solicitation and marketing purposes.
Moreover, a person that obtains a
consumer report under either prong of
the legitimate business need permissible
purpose may not then use the consumer
report for solicitation or marketing.
Where Congress did permit consumer
reporting agencies to disclose certain
consumer report information for
marketing, it did so explicitly and
mandated specific guardrails to protect
consumers. The FCRA’s prescreening
provisions authorize consumer
reporting agencies to furnish a
consumer report in connection with
credit or insurance transactions not
initiated by the consumer but provide
specific limitations in these
circumstances, as discussed above.229
Congress would have imposed similar
safeguards for the legitimate business
need permissible purpose if Congress
had intended for the legitimate business
need permissible purpose to authorize
solicitation and marketing.
The legislative history is also
instructive. Senate Report 103–209
explains that ‘‘[t]he permissible purpose
created by this provision . . . is limited
to an account review for the purpose of
deciding whether to retain or modify
current account terms. It does not
permit access to consumer report
information for the purpose of offering
unrelated products or services.’’ 230
The D.C. Circuit recognized that
targeted marketing did not fall within
the legitimate business need permissible
purpose, even under the original version
of this permissible purpose that broadly
referred to a ‘‘legitimate business need
for the information in connection with
a business transaction involving the
consumer.’’ 231 In doing so, the court
noted that protecting the privacy of
consumer report information is a major
purpose of the FCRA and explained that
such information should be kept private
unless a ‘‘consumer could be expected
to wish otherwise or, by entering into
some relationship with a business,
could be said to implicitly waive the
228 15 U.S.C. 1681e(a).
229 See supra note 197 and accompanying text.
230 S. Rep. No. 103–209, at 11 (1993) (discussing
S.783, a predecessor bill that included language
later adopted in the 1996 FCRA amendments).
231 15 U.S.C. 1681b(3)(E) (1994) (emphasis
added); Trans Union Corp. v. FTC, 81 F.3d 228,
233–34 (D.C. Cir. 1996).
[FCRA]’s privacy to help further that
relationship.’’ 232
Prior FTC staff interpretations have
similarly concluded that marketing is
not authorized by the legitimate
business need permissible purpose. For
example, the FTC 40 Years Staff Report
explains that the account review prong
provides a permissible purpose to banks
that have a legitimate need to consult a
current customer’s consumer report in
order to determine whether the terms of
a consumer’s current non-credit (savings
or checking) accounts should be
modified, but it does not allow
consumer reporting agencies to provide
businesses with consumer reports to
market other products or services.233
With respect to the proposal related to
the legitimate business need permissible
purpose discussed during the Small
Business Review Panel meeting, the
Panel recommended that the CFPB
consider clarifying in general how the
proposal under consideration would
relate to or impact other FCRA
permissible purposes.234 To clarify, the
proposed legitimate business need
provisions interpret solely the FCRA
section 604(a)(3)(F) legitimate business
need permissible purpose.
Section 1022.13 Permissible Purposes
Based on Certain Agency or Other
Official Requests
The CFPB proposes § 1022.13 to
incorporate into Regulation V the
permissible purposes listed in FCRA
section 604(a)(1), 604(a)(3)(G), and
604(a)(4) through (6).235 As noted above,
FCRA section 604(a) permits a
consumer reporting agency to furnish a
consumer report under specific
enumerated circumstances and no other.
The permissible purposes in the FCRA
sections incorporated in proposed
§ 1022.13 cover circumstances under
which a consumer reporting agency may
furnish a consumer report in connection
with certain agency or other official
requests. These permissible purposes
are restated in proposed § 1022.13(a)(1)
through (5).
FCRA section 604(a)(3)(G) sets forth a
permissible purpose related to
government-sponsored individually
billed travel charge cards. In the statute,
this permissible purpose is grouped
with the permissible purposes based on
232 Trans Union Corp. v. FTC, 81 F.3d 228, 234
(D.C. Cir. 1996).
233 FTC 40 Years Staff Report, supra note 21, at
42, 48–49 (citing FTC Informal Staff Opinion Letter
to Gowen (Apr. 29, 1999), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-gowen-04-29-99).
234 Small Business Review Panel Report, supra
note 40, at 48 & section 9.3.6.
235 15 U.S.C. 1681b(a)(1), 1681b(a)(3)(G),
1681b(a)(4) through (6).
a consumer reporting agency’s
reasonable belief about a person’s
intended use, which the CFPB
otherwise proposes to incorporate into
Regulation V in proposed § 1022.12. The
CFPB proposes to incorporate FCRA
section 604(a)(3)(G) into Regulation V in
proposed § 1022.13 because the
permissible purpose appears most
similar in kind to those that appear in
FCRA section 604(a)(5) and (6) and does
not fit grammatically within the
structure of FCRA section 604(a)(3).
Proposed § 1022.13(a)(5) provides that a
permissible purpose exists for a
consumer reporting agency to furnish a
consumer report to an executive
department or agency in connection
with the issuance of a government-sponsored, individually billed travel
charge card.236 The CFPB requests
comment on the proposed approach.
V. Proposed Effective Date
The CFPB requests comment on an
effective date for the proposed rule. For
example, the CFPB is considering
whether a final rule should take effect
six months or one year after publication
in the Federal Register. Consistent with
recommendations of the Small Business
Review Panel, the CFPB specifically
requests comment on whether either a
six-month or one-year implementation
period would provide sufficient time for
entities, including small entities, that
are not currently complying with the
FCRA to begin to do so. The CFPB also
requests comment on whether either a
six-month or one-year implementation
period would provide sufficient time for
vendors to complete the work necessary
to assist small entities in coming into
compliance with any final rule. The
CFPB further requests comment on ways
that it might facilitate implementation
for small entities, such as by providing
for a longer implementation period for
small entities and what that period
should be.
VI. CFPA Section 1022(b) Analysis
The CFPB is considering the potential
benefits, costs, and impacts of the
proposed rule in accordance with
section 1022(b)(2)(A) of the Consumer
Financial Protection Act of 2010
(CFPA).237 The CFPB requests comment
on the analysis presented below, as well
as submissions of information and data
that could inform its consideration of
236 Consistent with proposed § 1022.13(a)(5), the
FTC 40 Years Staff Report notes that ‘‘[s]ection
604(a)(3)(G) allows CRAs to provide consumer
reports to ‘executive departments and agencies in
connection with the issuance of government
sponsored individually-billed travel charge cards.’ ’’
FTC 40 Years Staff Report, supra note 21, at 49.
237 12 U.S.C. 5512(b)(2)(A).
the impacts of the proposed rule. This
section contains an analysis of the
benefits and costs of the proposed rule
for consumers, consumer reporting
agencies, and other covered persons.
A. Statement of Need
By enacting the FCRA in 1970,
Congress sought to ensure the accuracy,
fairness, and privacy of consumer
information collected, maintained, and
furnished by consumer reporting
agencies. In recent years, the consumer
reporting marketplace has evolved in
ways that imperil Americans’ privacy.
Today, Americans regularly engage in
activities that reveal personal
information about themselves, often
without realizing it. Entities with whom
the consumer interacts might collect,
aggregate, and sell information about the
consumer to other entities with whom
the consumer does not have a
relationship, such as data brokers.
Technological advancements have also
made it increasingly feasible to re-identify consumers in datasets that have
otherwise been de-identified, and at
times even identify consumers from
aggregated data. In the FCRA context,
these concerns about re-identification of
data are particularly pronounced due to
the sensitivity of consumer report
information and the privacy goals that
prompted Congress to enact the statute.
The CFPB is concerned that some of
these data are shared by consumer
reporting agencies with users who do
not have an FCRA permissible purpose,
or who otherwise use consumer report
information for marketing in ways that
the FCRA prohibits. In addition, many
data brokers attempt to avoid liability
under the FCRA by arguing that they are
not consumer reporting agencies selling
consumer reports. Consequently, they
do not treat the consumer information
they sell as subject to the requirements
of the FCRA, even though they collect,
assemble, evaluate, and sell the same
information as other consumer reporting
agencies—and even though their
activities pose the same risks to
consumers that motivated the FCRA’s
passage.
Under this current state of the world,
the activities of data brokers, including
consumer reporting agencies,
potentially harm consumers. Inaccurate
information can cause consumers to be
denied access to products, services, or
opportunities that they would have
qualified for had the information been
accurate; often, consumers are unaware
of these inaccuracies and, even if they
are aware, may lack recourse to dispute
such inaccuracies. The proliferation of
sensitive information being exchanged
in the data broker marketplace, often
without consumers’ knowledge or
consent, harms consumer privacy.
While consumers theoretically may be
willing to part with their private
information for a price, this choice is
not typically provided in the activities
that would be subject to the proposed
rule. Moreover, sensitive consumer
information can be used to target certain
consumers for identity theft, fraud, or
predatory scams, potentially causing
consumers significant monetary losses.
The proposed rule would mitigate
these consumer harms by addressing the
definitions of consumer reporting
agency and consumer report and certain
responsibilities of consumer reporting
agencies. This would help safeguard
consumer information and help ensure
it is only used as permitted by the
FCRA. The provisions in the proposed
rule would cause many additional data
brokers to be subject to the FCRA and
necessitate that they and other
consumer reporting agencies modify
their operations and activities to be in
compliance with the FCRA.
B. Baseline
In evaluating the proposed rule’s
impacts, the CFPB considers the
impacts against a baseline in which the
CFPB takes no action. This baseline
includes existing regulations, State and
Federal laws, and the current state of
the marketplace. In particular, the
baseline includes current industry
practices and current applications of the
law.
C. Data and Evidence
The CFPB’s analysis of costs, benefits,
and impact is informed by information
and data from a range of sources. As
discussed in part II.C, the CFPB
convened a Small Business Review
Panel on October 16, 2023, and held
Panel meetings on October 18 and 19,
2023, to gather input from small
businesses. The discussions at the Panel
meetings and the comment letters
submitted by small entity
representatives during this process were
presented in the Small Business Review
Panel Report completed in December
2023. The CFPB also invited and
received feedback on the proposals
under consideration from other
stakeholders, including stakeholders
who were not small entity
representatives. To estimate the number
of entities that may be subject to the
proposed rule, the CFPB used the
December 2022 National Credit Union
Administration (NCUA) and Federal
Financial Institutions Examination
Council (FFIEC) Call Report data, the
2017 Economic Census data from the
U.S. Census Bureau, the California and
Vermont data broker registries, and the
CFPB’s list of consumer reporting
agencies.238 The impact analysis is
further informed by academic research,
reports on research by industry and
trade groups, practitioner studies,
comments received in response to the
CFPB’s Data Broker RFI, and letters
received by the CFPB. Where used,
these specific sources are cited in this
analysis.
D. Coverage of the Proposed Rule
Part VII.B.3 provides a discussion of
the estimated number and types of
entities potentially affected by the
proposed rule.
E. Potential Benefits and Costs of the
Proposed Rule to Consumers and
Covered Persons
The CFPB discusses the potential
benefits and costs to consumers and
covered persons of each of the main
provisions of the proposed rule below.
For purposes of this discussion, the
CFPB has grouped proposed provisions
that the CFPB expects would have
similar benefits and costs though notes
that some provisions could be grouped
in multiple categories due to their
potential effects. The discussion will
note where the CFPB expects provisions
would have both distinct and
overlapping impacts. Provisions have
been grouped as follows:
• Provisions addressing the
definitions of consumer report and
consumer reporting agency that could
affect which entities are consumer
reporting agencies (‘‘consumer reporting
agency coverage’’). These are:
○ Proposed § 1022.4(b), addressing
the phrase ‘‘is used’’ in the definition of
consumer report;
○ Proposed § 1022.4(c), addressing
the phrase ‘‘expected to be used’’ in the
definition of consumer report; and
○ Proposed § 1022.5(b), addressing
the phrase ‘‘assembling or evaluating’’
in the definition of consumer reporting
agency.
• Provisions addressing the definition
of consumer report that could affect
what constitutes a consumer report
238 See Off. of the Att’y Gen., State of Cal. Dep’t
of Just., Data Broker Registry, https://oag.ca.gov/
data-brokers (list of data brokers registered in
California) (last visited Oct. 15, 2024); Vt. Sec’y of
State, Data Broker Search, https://
bizfilings.vermont.gov/online/DatabrokerInquire/
(list of data brokers registered in Vermont) (last
visited Oct. 15, 2024). See Consumer Fin. Prot.
Bureau, List of consumer reporting companies,
https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/
(last visited Oct. 15, 2024). The CFPB’s
list of consumer reporting agencies is not intended
to be all-inclusive and does not cover every
company in the industry.
(‘‘consumer report coverage’’). These
are:
○ Proposed § 1022.4(d), addressing
certain personal identifiers for a
consumer that are often referred to as
‘‘credit header’’ information; and
○ Proposed § 1022.4(e), addressing
when a consumer reporting agency’s
communication of de-identified
information is a consumer report.
• Provisions clarifying the FCRA’s
general prohibition on using consumer
report information for marketing and
advertising. These are:
○ Proposed § 1022.10(b)(1) and (2),
addressing what it means for a
consumer reporting agency to furnish a
consumer report; and
○ Proposed § 1022.12(b)(3),
highlighting that the legitimate business
need permissible purpose does not
authorize use of consumer report
information for marketing.
• Provisions clarifying certain
responsibilities of consumer reporting
agencies. These are:
○ Proposed § 1022.11, clarifying the
written instructions permissible
purpose; and
○ Proposed § 1022.12(b)(2), clarifying
the consumer-initiated transaction
prong of the legitimate business need
permissible purpose.
In this discussion, the CFPB focuses
on direct costs and benefits. However,
the CFPB acknowledges that the covered
persons that would be affected by the
proposed rule operate in interconnected
industries, and that costs may be passed
through beyond the entity initially
impacted. For instance, to the extent
that the proposed rule would increase
costs to consumer reporting agencies,
those consumer reporting agencies may
respond by increasing the cost of
consumer reports. The CFPB estimates
that the cost of a single credit report for
an individual is between $18 and $30.239
A data broker in the baseline that does
not consider itself to be a consumer
reporting agency but may indeed be
covered by the FCRA could also
experience cost increases they would
pass along to users. Some data brokers
currently charge less than a dollar per
record, several dollars for a search, or
under $30 for monthly access to an
unlimited number of reports.240 The
239 See Press Release, Rohit Chopra, Consumer
Fin. Prot. Bureau, Prepared Remarks of CFPB
Director Rohit Chopra at the Mortgage Bankers
Association (May 20, 2024),
https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-mortgage-bankers-association.
240 An online search of people-search sites in
August 2024 revealed at least one data broker that
was selling unlimited person and location reports
for $28.33 per month. Separately, some researchers
have reported prices of information from data
costs each of these entities incur as a
result of the rule would likely differ in
magnitude, leading to differences in the
change in future pricing for their
products if the rule is finalized. Covered
persons with consumer-facing
businesses may pass these costs on to
consumers in the form of higher prices
as well. The CFPB does not separately
discuss each instance but acknowledges
the possibility of pass through. Because
this is speculative and the CFPB does
not have data that would allow it to
estimate the likelihood and amount of
any industry-to-industry or industry-to-consumer pass through in the consumer
reporting industry and related
industries, the CFPB requests comment
on this issue.
In addition, the CFPB acknowledges
that it does not possess data to quantify
the magnitude of many of the potential
effects of the proposed rule. The CFPB
requests information and comment that
would enable it to quantify such
impacts.
Provisions That Could Affect Consumer
Reporting Agency Coverage
The proposed rule would clarify that
certain entities, such as many additional
data brokers, are covered by the FCRA.
The effect of proposed § 1022.4(b)
would be that a person that sells
information that is used for a purpose
described in proposed § 1022.4(a)(2)
would become a consumer reporting
agency, regardless of whether the person
knows or believes that the
communication of that information is
legally considered a consumer report,
assuming the other elements of the
definition of consumer reporting agency
are satisfied. In addition, the effect of
proposed § 1022.4(c) addressing the
phrase ‘‘expected to be used’’ in the
definition of consumer report would be
to require many companies, such as
additional data brokers, that currently
sell information about consumers’ credit
history, credit score, debt payments
(including on non-credit obligations), or
income or financial tier to comply with
the FCRA. The CFPB proposes that an
entity selling any of these four data
types—credit history, credit score, debt
payments, and income or financial
tier—for any purpose generally would
qualify as a consumer reporting agency
selling consumer reports, because these
information types are typically used to
brokers for less than a dollar. See Justin Sherman,
People Search Data Brokers, Stalking, and ‘Publicly
Available Information’ Carve-Outs, The Lawfare
Inst. (Oct. 30, 2023),
https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
underwrite loans.241 Proposed
§ 1022.5(b) addressing the phrase
‘‘assembling or evaluating’’ in the
definition of consumer reporting agency
would make clear that certain data
aggregators that are engaged in
assembling or evaluating consumer
information are consumer reporting
agencies (assuming the other elements
of that definition are satisfied).
Since marketing is not a permissible
purpose, other than in the limited
circumstances expressly provided for in
the FCRA, data brokers would generally
be unable to sell the four data types to
target marketing to consumers. As
described in more detail in Provisions to
reduce the use of consumer report
information for marketing and
advertising, data brokers sometimes
employ the four data types to place
consumers into categories. Many of
these categories reflect sensitive
information and potentially inaccurate
inferences about consumers, such as
that the consumer is ‘‘financially
challenged,’’ is ‘‘behind on bills,’’ or is
an ‘‘upscale retail card holder.’’ 242 Data
brokers then sell lists of these
consumers to advertisers who are
interested in targeting certain types of
consumers.
Potential Benefits to Consumers of
Provisions That Could Affect Consumer
Reporting Agency Coverage
The provisions that could impact
which entities are consumer reporting
agencies would extend the
responsibilities of the FCRA to
additional entities. This would have the
net effect of reducing the overall supply
of available consumer information for
sale and transfer for non-permissible
purposes. Additional entities would
bear the responsibilities and limitations
of consumer reporting agencies under
the FCRA, thus overall reducing the
available amount of consumer
information, including particularly
sensitive data such as consumers’ credit
history and income.
This overall reduction in the supply
of available consumer information could
confer privacy benefits on consumers in
several ways. First, consumers might
241 For brevity, information about a consumer’s
credit history, credit score, debt payments, and
income or financial tier are referred to throughout
this discussion as the ‘‘four data types.’’
242 See Duke Report on Data Brokers and Mental
Health Data, supra note 26, at 14; FTC Data Broker
Report, supra note 25, at 20–21; Consumer Fin.
Prot. Bureau, Prepared Remarks of CFPB Director
Rohit Chopra at the White House on Data
Protection and National Security (Apr. 2, 2024),
https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/.
intrinsically value privacy in the sense
of being generally uneasy about their
data being shared. The revelation of
personal information about consumers
can lead to a variety of non-monetary
costs, such as distress, embarrassment,
shame, and stigma.243 The availability
of personal information could also lead
to stalking, harassment, and doxing,
where a consumer’s private information
is publicly published with malicious
intent.244 There is existing evidence that
consumers feel unaware of how their
personal data is being used and that this
could cause concern. On surveys,
consumers report feeling that they are
‘‘concerned, lack control and have a
limited understanding about how the
data collected about them is used.’’ 245
Several empirical studies have
documented by revealed preference the
existence and magnitude of such
intrinsic valuations.246 Consumers are
concerned about financial data and
maintaining the privacy of these data.247
243 See, e.g., Am. Compl. For Permanent Inj. &
Other Relief ¶¶ 97–106, FTC v. Kochava, Inc., No.
2:22–cv–00377–BLW (D. Idaho June 5, 2023),
https://www.ftc.gov/system/files/ftc_gov/pdf/
26AmendedComplaint%28unsealed%29.pdf;
Charles Duhigg, How Companies Learn Your
Secrets, N.Y. Times (Feb. 16, 2012),
https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html
(recounting instance in which a retailer
developed a ‘‘pregnancy predictor model’’ and sent
coupons for baby supplies to a consumer, thereby
revealing to members of the consumer’s household
that she was pregnant, a fact that she had kept
private).
244 A 2012 survey conducted by the National
Network to End Domestic Violence found that 54
percent of victim service agencies surveyed
reported that they work with victims whose stalker
used public information gathered online to stalk the
victim. At least half of victim service agencies also
reported working with victims on help with safety
and privacy strategies on using their cell phone and
other privacy-related practices. See Safety Net
Project, New Survey: Technology Abuse &
Experiences of Survivors and Victim Service
Agencies, Nat’l Network to End Domestic Violence
(Apr. 29, 2014),
https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
245 See, e.g., Colleen McClain et al., How
Americans View Data Privacy, Pew Rsch. Ctr. (Oct.
18, 2023),
https://www.pewresearch.org/internet/2023/10/18/views-of-data-privacy-risks-personal-data-and-digital-privacy-laws/.
246 See, e.g., Tesary Lin, Valuing Intrinsic and
Instrumental Preferences for Privacy, 41 (4) Mktg.
Sci. (May 13, 2022), https://pubsonline.informs.org/
doi/epdf/10.1287/mksc.2022.1368; Huan Tang, The
Value of Privacy: Evidence from Online Borrowers
(Dec. 2019), https://wpcarey.asu.edu/sites/default/
files/2021-11/huan_tang_seminar_paper.pdf.
247 See, e.g., Consumer Reports, American
Experiences Survey: A Nationally Representative
Multi-Mode Survey (Dec. 2023), https://
article.images.consumerreports.org/image/upload/
v1704482298/prod/content/dam/surveys/
Consumer_Reports_AES_December-2023.pdf;
Michelle Cao, National Telecomm. and Info.
Admin., U.S. Dep’t of Com., Nearly Three-Fourths
of Online Households Continue to Have Digital
Privacy and Security Concerns (Dec. 13, 2021),
https://www.ntia.gov/blog/2021/nearly-three-fourths-online-households-continue-have-digital-
For example, a 2021 survey found that
94 percent of banked consumers
preferred that their primary financial
institution not share their financial data
with other companies for marketing
purposes.248
Consumers’ data might be used (or
they may fear that it could be used) by
careless or malicious actors to directly
harm them. This could include identity
theft, of which many instances occur in
the U.S. every year.249 Personal data
could also be used to target vulnerable
consumers with pitches for predatory
financial products and scams.250
Consumers may also fear that their
personal data could be used to
discriminate against them according to
a personal characteristic. The proposed
rule would mitigate the risk of
consumer report information being used
to target consumers, as data brokers
would be prohibited from selling the
four data types to those lacking a
permissible purpose.
Consumers’ data, in particular data
about income and financial tier, could
also be purchased by entities to engage
in more targeted and precise forms of
price discrimination. Price
discrimination occurs when an entity
charges differentiated prices to
consumers based, at least in part, on
their willingness to pay.251 While price
discrimination may lead to higher
revenue and profits for firms, it would
come at the expense of consumers who
would obtain less surplus in the market
(the difference between the price and
the price the consumer was willing to
pay). Firms can currently purchase or
use consumers’ financial data to charge
them higher prices or present targeted
offers to achieve such an effect. For
privacy-and-security-concerns; Dan Murphy et al.,
Financial Data: The Consumer Perspective (June 30,
2021), https://finhealthnetwork.org/research/
financial-data-the-consumer-perspective/.
248 Dan Murphy et al., Financial Data: The
Consumer Perspective (June 30, 2021), https://finhealthnetwork.org/research/financial-data-the-consumer-perspective/.
249 The DOJ estimates that 23.9 million U.S.
residents 16 or older (9 percent of the population)
had experienced identity theft in the past 12
months in 2021. See Press Release, U.S. Bureau of
Just. Stat., Victims of Identity Theft, 2021 (Oct. 12,
2023), https://bjs.ojp.gov/press-release/victims-identity-theft-2021#:~:text=As%20of%202021%2C%20about%201,email%20or%20social%20media%20account.
250 The FTC reported that consumers lost more
than $10 billion to fraud in 2023. See Press Release,
Fed. Trade Comm’n, As Nationwide Fraud Losses
Top $10 Billion in 2023, FTC Steps Up Efforts to
Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
251 See, e.g., Alessandro Acquisti et al., The
Economics of Privacy, 54(2) J. of Econ. Literature
442 (June 2016), https://www.aeaweb.org/
articles?id=10.1257/jel.54.2.442.
example, enrollment management
companies use consumer financial
information to predict the probability
that students would enroll given
different net tuition prices, which
educational institutions could use for
pricing decisions.252 The potential for
price discrimination using consumer
data is an increasing concern across
consumer protection agencies.253 The
proposed rule could have the effect of
reducing the likelihood of price
discrimination to the extent that
consumers’ data are used, or have the
potential to be used, for price
discrimination at baseline.
Valuing the benefits to consumers
from increased privacy is difficult. It is
common to find that consumers express
a stated preference for digital privacy.
Empirical studies have estimated
consumers’ willingness to pay for
privacy through methods that elicit
revealed preferences. While many find a
positive valuation on privacy, the
empirical estimates are highly varied
and range from positive but quite low,
to estimates that are much more
significant in magnitude.254 Studies
have also found large differences in this
valuation across consumers. This
variation in the estimated value of
privacy complicates a quantitative
estimate of the proposed rule’s benefits
to consumers’ privacy.
An additional complication with
placing a direct value on privacy is the
observation that, despite stated
preferences for privacy, consumers tend
252 See, e.g., Educ. Advisory Board (EAB) Webinar
Presentation, Optimizing Pricing and Aid Dollars
for Graduate and Adult Students (Sept. 12, 2024),
https://pages.eab.com/rs/732-GKV-655/images/
ALR-GradFAO092024-update-PDF?version=0?x_
id=&utm_source=prospect&utm_
medium=presentation&utm_campaign=alrfaowebinar-0924&utm_term=&utm_content=inline;
EAB, Enroll360, Enrollment Management Solution
for Higher Education, https://eab.com/solutions/
enroll360/ (last visited Nov. 4, 2024); Enrollment
Management Association, Recruiting Private School
Students With PROSPECT (Oct. 27, 2021), https://www.enrollment.org/articles/recruiting-private-school-students-with-prospect.
253 See, e.g., Fed. Trade Comm’n Staff, Behind the
FTC’s Inquiry into Surveillance Pricing Practices,
FTC Tech. Blog (July 23, 2024), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/07/behind-ftcs-inquiry-surveillance-pricing-practices#ftn_3.
254 To illustrate the breadth of estimates, Tesary
Lin, for example, finds that consumers are willing
to accept, on average, $10 to share a demographic
profile, while Huan Tang finds that consumers are
willing to pay on average $32 to hide a social
network ID and employer contact information on a
loan application. See Tang, Lin supra note 246. In
contrast, Athey et al. find that half of their subjects
were willing to disclose contact information of their
close friends in exchange for pizza. See Susan
Athey et al., The Digital Privacy Paradox: Small
Money, Small Costs, Small Talk, Stanford Graduate
Sch. of Bus. (Feb. 13, 2017), https://gsb-faculty.stanford.edu/susan-athey/files/2022/04/digital_privacy_paradox_02_13_17.pdf.
to freely share their data. This can be
seen by the proliferation of online data
sharing through social networks. Some
studies have also documented that
consumers can be induced to share data
with quite small incentives.255 The
difference between stated or realized
preferences for privacy and the other
evidence of a willingness to share data
has been referred to as the ‘‘privacy
paradox,’’ though there are multiple
potential explanations, including
consumers’ confusion about how their
data is used, consumers not having
fixed preferences over privacy, and that
systems can be designed to result in the
oversharing of data even if consumers
do value privacy highly.256
The CFPB does not have data to
quantify these privacy benefits to
consumers, which are in some ways
unquantifiable. This includes the
benefits from reducing harms that arise
from sensitive information about
consumers being sold without a
permissible purpose. Examples of these
harms that are expected to be reduced
include those related to financial scams;
fraud and identity theft; and stalking,
harassment, and doxing. The CFPB
requests information and comment on
these issues.
Scammers can use data from data
brokers, including the four data types, to
facilitate scams and predatory behavior.
For example, fraudsters can obtain lists
of people with income below a certain
threshold and use that information to
pitch predatory and unlawful products
to families in financial distress. Data
brokers have marketed financial-related
lists including those with names such as
‘‘Bad Credit—Card Declines,’’
‘‘Paycheck to Paycheck Consumers,’’
‘‘Suffering Seniors,’’ ‘‘Cash Cows—
Underbanked File,’’ and ‘‘Bankruptcy
Filers,’’ among others.257 The
information in these lists has included
‘‘both explicit and implied signals about
consumer financial behavior.’’ 258 In
helping identify vulnerable targets for
scammers, these lists have helped to
facilitate concrete financial harms. For
instance, the DOJ charged one data
255 Athey, supra note 254.
256 See, e.g., Daron Acemoglu et al., Too Much
Data: Prices and Inefficiencies in Data Markets,
14(4) Am. Econ. J. Microeconomics 218 (Nov. 2022),
https://www.aeaweb.org/articles?id=10.1257/mic.20200200&&from=f; Alessandro Acquisti et al.,
What is Privacy Worth?, 42(2) J. of Legal Studies
249 (June 2013), https://www.cmu.edu/dietrich/sds/docs/loewenstein/WhatPrivacyWorth.pdf.
257 CFPB Data Broker RFI, Comments of U.S.
Public Interest Research Group (PIRG) and Center
for Digital Democracy (CDD), at 8, Docket No.
CFPB–2023–0020, Comment ID 2023–0020–3412
(July 2023), https://www.regulations.gov/comment/CFPB-2023-0020-3412.
258 Id. at 9.
broker, Macromark, in relation to its
dissemination of such lists of potential
victims for fraudulent mass-mailing
schemes.259 Macromark admitted that
the lists it provided to clients engaged
in fraud resulted in losses to victims of
at least $9.5 million.260 The CFPB
expects that the reduced transmission of
the four data types would likely benefit
consumers by making it more difficult
to target people for such fraudulent
schemes. The CFPB requests comment
on the potential benefit to consumers
due to reduced fraud as a result of the
proposed rule.
In addition to these privacy gains, the
CFPB expects consumers would benefit
through their ability, under the FCRA,
to receive adverse action notices and
address inaccuracies in consumer
reports sold by entities that do not
currently operate as consumer reporting
agencies. As a result of their ability to
address and correct inaccuracies,
consumers may also benefit through
improved outcomes in the decisions
that are made based on this more-accurate information. For example,
many risk mitigation services that are
used to detect fraudulent applications or
suspicious activities at financial
institutions will be subject to the
provisions in the FCRA designed to
promote accuracy. To the extent these
services rely on information in the
baseline from data brokers that do not
currently comply with the FCRA’s
accuracy requirements, the improved
accuracy of information subject to the
FCRA could increase the accuracy of
such services. In turn, this could reduce
the number of consumers who are
denied accounts or other access to
financial services as a result of decisions
based on inaccurate information used
for risk mitigation.
Potential Benefits to Covered Persons of
Provisions That Could Affect Consumer
Reporting Agency Coverage
Covered persons would benefit from
provisions of the proposed rule that
could affect consumer reporting agency
coverage through an anticipated
reduction in fraud and identity theft.
For example, by requiring many
companies, such as data brokers, that
currently sell one of the four data types
to comply with the FCRA, the CFPB
expects the risk of data being obtained
by unauthorized parties and used to
commit fraud and identity theft to
decrease. Therefore, covered persons,
259 Press Release, Off. of Pub. Affs., U.S. Dep’t of
Just., List Brokerage Firm Pleads Guilty To
Facilitating Elder Fraud Schemes (Sept. 28, 2020),
https://www.justice.gov/opa/pr/list-brokerage-firm-pleads-guilty-facilitating-elder-fraud-schemes.
260 Id.
such as banks, would benefit, as they
typically face costs associated with
fraud and identity theft.
Potential Costs to Consumers of
Provisions That Could Affect Consumer
Reporting Agency Coverage
Proposed § 1022.4(c) would restrict
the use of the four data types to
permissible purposes. The CFPB is not
aware of consumer products and
services facilitated by the four data
types for non-permissible purposes or
the extent that consumers may
experience increased costs and/or
reductions in service. Similarly,
proposed § 1022.5(b) may increase costs
for certain data aggregators, online
databases, and other entities that would
satisfy the proposed consumer reporting
agency definition but do not currently
comply with the FCRA. Depending on
other market factors, companies might
pass-through the increase in input costs
partially or in full to the price of
consumer products or services. It is also
possible that consumers would incur
costs due to changes or reductions in
services and products made available by
users of the current data. The CFPB
requests comment on the types of
products and services, if any, that
would be impacted and on the expected
impact to consumers.
Potential Costs to Covered Persons of
Provisions That Could Affect Consumer
Reporting Agency Coverage
This proposed rule would have
significant impacts on the business
models of firms that currently use the
four data types for activities not
permitted under the FCRA. For
instance, with certain exceptions,
entities that sell consumers’ income
data generally would be consumer
reporting agencies under the proposal,
and thus generally would no longer be
permitted to sell such income
information for use in marketing. These
users of the four data types would face
costs associated with finding alternative
data to substitute into their business
models. To the extent that these
alternatives are not as effective as the
four data types, these firms would
potentially experience decreased
revenues. Alternatively, if users of the
four data types opt to try to continue
using the four data types for non-permissible purposes, they generally
would need to rely upon the written
instructions provision in order to have
a permissible purpose. Thus, they
would incur technological and legal
costs to create systems and procedures
to obtain consumers’ written
instructions, as well as ongoing costs
associated with proving that they have
obtained consumers’ written
instructions in compliance with the
proposed rule. To the extent that
consumers would be unwilling to
provide their written instructions to
allow use of their consumer report data,
these firms would potentially
experience decreased revenues.
One industry that would be
particularly impacted by this proposal is
the digital advertising ecosystem. When
consumers browse online, they interface
with programmatic advertisements that
are bought and sold individually via an
automated, instantaneous auction
process that leverages data from a range
of sources, including cookies, device
IDs, browsing history, demographics,
and other personal data. There are a
variety of business types that help
facilitate this digital ecosystem. To the
extent that any of these entities rely on
the four data types, they would
generally qualify as consumer reporting
agencies selling consumer reports. Thus,
these entities would generally be unable
to sell services that use this data for
non-permissible purposes like
advertising. Given this, these entities
could face impacts to their businesses,
such as costs associated with
adjustments to targeting algorithms to
avoid using the four data types. To the
extent that ad algorithms not relying on
the four data types are less effective at
targeting ads, entities may also
experience a loss in revenues. In
particular, firms generally would no
longer be able to provide the service of
specifically targeting ads to people
based on their income or financial tier.
Proposed § 1022.5(b) addressing the
phrase ‘‘assembling or evaluating’’
could also impact data aggregators that
provide information or products, for
non-permissible purposes, that involve
assembling or evaluating consumer
information. To the extent data
aggregators engage in these activities,
they may face costs associated with
adjusting their business practices to
comply with the FCRA. The CFPB does
not have data on the extent to which
data aggregators engage in these
practices, and requests comment on this
issue.
In addition, entities that the proposed
rule would clarify are consumer
reporting agencies under the proposed
rule but that do not currently comply
with the FCRA would incur both one-time costs to develop FCRA-compliant
systems, processes, policies, and
procedures, as well as ongoing costs to
maintain them. For example, such
entities would be required to comply
with the FCRA’s dispute resolution and
accuracy requirements. During the
SBREFA process, small entity
representatives argued that investigating
disputes, if and when they were to arise,
would be very costly due to increased
staffing, technical, and legal costs.261
Some data broker small entity
representatives asserted that they would
face compliance costs so high that they
might cease operation.262 The CFPB
does not have data allowing it to
quantify these one-time and ongoing
costs and requests comment on this
issue.
The FCRA includes a private right of
action, so entities newly considered to
be consumer reporting agencies could
incur costs related to FCRA litigation.
These entities would also face ongoing
compliance costs, for example those
associated with ensuring that they are
only furnishing consumer reports for
FCRA section 604 permissible purposes.
These entities would also likely need to
retain personnel with professional skills
related to software development, general
and operational management, legal
expertise, and customer support. The
CFPB does not have data indicating the
magnitude of these costs and requests
comment on this issue.
Entities newly considered to be
consumer reporting agencies would face
costs associated with credentialing and
monitoring recipients’ actual use of the
consumer reports that they furnish. The
CFPB does not have data indicating the
magnitude of these costs and requests
comment on this issue.
Under the proposed rule, entities that
provide data to other entities that would
newly be considered consumer
reporting agencies could, depending on
the facts and circumstances, qualify as
furnishers subject to the FCRA.
Furnishers would incur one-time costs
to develop FCRA-compliant systems,
processes, policies, and procedures, as
well as ongoing costs to maintain them.
Entities newly considered to be
furnishers could also experience
increased legal expenses, to the extent
that they face litigation associated with
disputes. Indeed, furnishers would
likely need to retain personnel with
skills related to software development,
general and operational management,
legal expertise, and customer support. If
the ongoing cost of furnishing in
compliance with the FCRA exceeds the
benefits companies currently receive
from furnishing, those entities may
cease furnishing information to
consumer reporting agencies.
261 Small Business Review Panel Report, supra
note 40, at 17.
262 Id. at 19.
Provisions Addressing What Constitutes
a Consumer Report
The proposed rule would address
when communications by consumer
reporting agencies constitute consumer
reports. Proposed § 1022.4(d) would
provide that any communication by a
consumer reporting agency of a personal
identifier for a consumer that was
collected in whole or in part by a
consumer reporting agency for the
purpose of preparing a consumer report
about the consumer (also known as
‘‘credit header’’ information) is a
consumer report, therefore limiting the
sale of this information to FCRA
permissible purposes.
The three alternative versions of
proposed § 1022.4(e) regarding de-identified information would effectively
limit the sale of aggregated or otherwise
de-identified data derived from a
consumer reporting database by
specifying when this information
constitutes a consumer report, and thus
may only be sold for FCRA permissible
purposes.
• Proposed Alternative One would
provide that de-identification of
information is not relevant to a
determination of whether the definition
of consumer report is met. This
alternative would mean that a consumer
reporting agency’s communication of
consumer report information would still
constitute a consumer report even if the
consumer report information was de-identified.
• Proposed Alternative Two would
instead provide that de-identification of
information is not relevant to a
determination of whether the definition
of consumer report is met if the data is
‘‘linked or linkable’’ to an individual
consumer.
• Proposed Alternative Three would
provide that de-identification of
information is not relevant to a
determination of whether the definition
of consumer report is met if at least one
of the specific conditions listed is met,
including that the information is ‘‘still
linked or reasonably linkable’’ to a
consumer, is ‘‘used to inform a business
decision about a particular consumer,’’
or ultimately is used to identify the
consumer in practice. This proposed
alternative was designed to permit
research using de-identified data so long
as it is not re-identified. The CFPB is
requesting comment as to which
condition or combinations of conditions
should be included in a final rule
consistent with that goal and whether
any additional conditions should be
added if the third alternative approach
is finalized.
Although Proposed Alternative One
would technically be a more stringent
restriction on the use of de-identified
consumer report information than
Proposed Alternative Two, because
almost any data from a consumer report
could theoretically be linked to a
consumer, the ultimate impacts appear
to be similar. Thus, Proposed
Alternatives One and Two would have
qualitatively similar benefits and costs
for consumers and covered persons by
eliminating a broad range of current
uses of de-identified consumer report
information. For example, Proposed
Alternative One would prohibit
researchers from government and other
reputable entities from obtaining de-identified consumer report data for
research on topics including the state of
consumer finances, as research is not an
FCRA permissible purpose, and
Proposed Alternative Two would likely
have a similar effect. In contrast,
Proposed Alternative Three generally
would not prohibit researchers from
obtaining de-identified consumer report
data for use in research, and the CFPB
requests comment on which conditions
under this alternative would allow for
research to continue.
Potential Benefits to Consumers of
Provisions Addressing What Constitutes
a Consumer Report
A consequence of the proposed
definition of consumer report is that
additional information would be treated
as having FCRA protections and
limitations on sharing as compared to
the baseline. This would confer privacy
benefits to consumers similar to those
discussed above regarding clarifying
which entities are consumer reporting
agencies. Defining personal identifiers
obtained from a consumer reporting
agency as consumer report information,
for example, would reduce the ability of
entities to share and sell that
information and would likely have the
net effect of reducing the total amount
of consumers’ private information
available in the marketplace.
Reduction of this sensitive
information in the marketplace, such as
contact information, including phone
numbers, could have benefits for
consumers by decreasing the risk of
these data being obtained by
unauthorized parties for uses that can
harm consumers, such as for fraudulent
purposes. Though the CFPB does not
have information to quantify this
reduction in risk, the FTC reported that
consumers lost $10 billion to fraud and
scams in 2023, and that the second most
commonly reported contact method by
scammers was contacting people by
phone, leading to the highest per person
reported median loss of $1,480.263
Certain consumer populations may
experience distinct impact from
scammers. For example, elder fraud is a
significant subcategory of fraud that can
be facilitated by the unauthorized use of
contact information. The FBI’s Internet
Crime Complaint Center (IC3) reported
that call center schemes
overwhelmingly target older adults and
consumers over the age of 60 lost more
to these scams than any other age
group.264 In 2023, ‘‘total losses reported
to the IC3 by those over the age of 60
topped $3.4 billion, an almost 11%
increase in reported losses from
2022.’’ 265 To the extent that financial
fraud and identity theft is facilitated by
such sensitive consumer information
from consumer reporting agencies, the
CFPB expects that limiting transmission
of this information to permissible
purposes would reduce unauthorized
access by fraudsters, which could
reduce incidences of fraud and the
associated losses to consumers. The
CFPB requests information that can be
used to quantify the expected changes
in fraud or identity theft related to this
information.
Reducing the flow of personal
identifiers that are available for
purchase may also benefit consumers
who may become targets for doxing,
stalking, harassment, or violence as a
result of their contact information being
made available by data brokers. These
include consumers who are targeted for
their profession, such as abortion care
providers, military service members,
judges, prosecutors, police officers, and
other members of law enforcement.266
263 See Press Release, Fed. Trade Comm’n, As
Nationwide Fraud Losses Top $10 Billion in 2023,
FTC Steps Up Efforts to Protect the Public (Feb. 9,
2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
264 See Press Release, Fed. Bureau of Investigation
Los Angeles, U.S. Dep’t of Just., FBI Releases 2023
Elder Fraud Report with Tech Support Scams
Generating the Most Complaints and Investment
Scams Proving the Costliest (May 2, 2024), https://www.fbi.gov/contact-us/field-offices/losangeles/news/fbi-releases-2023-elder-fraud-report-with-tech-support-scams-generating-the-most-complaints-and-investment-scams-proving-the-costliest.
265 See Fed. Bureau of Investigation, U.S. Dep’t of
Just., 2023 Elder Fraud Report (Dec. 12, 2023),
https://www.ic3.gov/AnnualReport/Reports/2023_
IC3ElderFraudReport.pdf.
266 See CFPB Data Broker RFI, Comment from
Digital Defense Fund, The National Network of
Abortion Funds, and Apiary for Practical Support
(July 17, 2023), CFPB Data Broker RFI, Comment ID
2023–0020–3946, https://www.regulations.gov/
comment/CFPB-2023-0020-3946; Herbert B. Dixon
& James L. Anderson, The Evolving Nature of
Security Threats to Judges, Am. Bar Ass’n (Aug. 4,
2023), https://www.americanbar.org/groups/
judicial/publications/judges_journal/2023/summer/
evolving-nature-security-threats-to-judges/; Esther
Additionally, a DOJ report found that
about 3.4 million people aged 16 or
older were victims of stalking in
2019,267 and a study by the National
Network to End Domestic Violence
found that over half of victim service
agencies surveyed reported that they
work with victims whose stalker used
public information gathered online to
stalk them.268 The survey did not
specify if the information was obtained
through data brokers but previous court
cases have documented how a stalker
can use data broker services to locate
and harm their victims.269 While it is
difficult to quantify the costs to
consumers who experience these harms,
stalking can cause victims to experience
‘‘higher rates of depression, anxiety,
insomnia and social dysfunction than
people in the general population.’’ 270
Given that, at baseline, consumers’
personal information is widely
proliferated and sold online, sometimes
for as little as $0.95 per record,271 the
CFPB expects the use of this data for
stalking, harassment, and doxing would
be reduced under the proposed rule to
the extent that sensitive personal
identifiers from consumer reports are
being used to facilitate these activities
in the baseline. The CFPB requests
information that can be used to quantify
the benefits to consumers as it relates to
these data and any reduction in these
harms.
Likewise, clarifying that consumer
information that has been de-identified,
whether through aggregation or other
means, may constitute a consumer
report additionally could limit the
sharing and sale of consumers’ data
relative to baseline. Aggregation and
Salas, My Son Was Killed Because I’m a Federal
Judge, N.Y. Times (Dec. 8, 2020), https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html.
267 Rachel E. Morgan & Jennifer L. Truman,
Bureau of Just. Stat., U.S. Dep’t of Just., Stalking
Victimization, 2019 (Feb. 2022), https://
www.justice.gov/d9/2023-06/2022%20Report%
20to%20Congress%20on%20Stalking.pdf.
268 See Safety Net Project, New Survey:
Technology Abuse & Experiences of Survivors and
Victim Service Agencies, Nat’l Network to End
Domestic Violence (Apr. 29, 2014), https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
269 See, e.g., Remsburg v. Docusearch, Inc., No.
Civ. 00–211–B, 2002 WL 844403, at *2–3 (D.N.H.
Apr. 25, 2002).
270 Stalking Prevention, Awareness, and Resource
Center, Stalking Fact Sheet (Jan. 2019), https://
www.stalkingawareness.org/wp-content/uploads/
2019/01/SPARC_StalkngFactSheet_2018_
FINAL.pdf.
271 See, e.g., Justin Sherman, People Search Data
Brokers, Stalking, and ‘Publicly Available
Information’ Carve-Outs, The Lawfare Inst. (Oct. 30,
2023), https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
other methods have been longstanding
approaches to preventing the disclosure
of information linked to a specific
individual that can be used to identify
a consumer, even among government
agencies.272 However, recent research
has illuminated how even carefully
aggregated data may still present a risk
of being identified, depending on the
context. For example, research from the
U.S. Census Bureau has shown how
information linked to specific
individuals can at times be obtained
from publicly available aggregate-level
information.273 In many other examples,
researchers have been able to re-identify
individuals from seemingly de-identified data.274 To the extent that
consumers can be re-identified from the
aggregated or otherwise de-identified
data currently derived from consumer
reporting databases at baseline, the
proposed rule may benefit consumers by
reducing the amount of personal
information obtained about them. The
benefits would be similar to those
discussed above related to the overall
reduction in the supply of consumer
information. The CFPB does not have
data to quantify these benefits to
consumers and requests information
and comment on these issues.
Providing that communications of
personal identifiers by consumer
reporting agencies are consumer reports
would also benefit consumers by
confirming they have protection under
the FCRA when personal identifiers are
used to make certain decisions that bear
on them. For example, personal
identifiers are purchased from consumer
reporting agencies by data brokers in
order to provide end users with identity
verification services designed to prevent
financial fraud. When these entities rely
on outdated personal identifiers or
otherwise introduce inaccuracies into
these data, it could result in false
positives that can impact a consumer’s
access to financial products and
services. In recent years, reports of
financial fraud have increased along
with reports of increased account
closures (‘‘debanking’’) and denial of
272 Report on Statistical Disclosure Limitation
Methodology, Fed. Comm. on Stat. Methodology
(Exec. Off. of the President of U.S., OMB, Working
Paper No. 22, Dec. 2005), https://nces.ed.gov/
FCSM/pdf/SPWP22_rev.pdf.
273 John M. Abowd & Michael B. Hawes, 21st
Century Statistical Disclosure Limitation:
Motivations and Challenges, at 8 (U.S. Census
Bureau, Working Paper No. ced–wp–2023–002,
Mar. 03, 2023), https://www.census.gov/library/
working-papers/2023/adrm/ced-wp-2023-002.html.
274 See, e.g., Jane Henriksen-Bulmer & Sheridan
Jeary, Re-identification attacks—A systemic
literature review, 36(6)(B) Int’l J. of Info. Mgmt.
(Dec. 2016), https://www.sciencedirect.com/
science/article/abs/pii/S0268401215301262.
services to consumers.275 Additionally,
consumers who are denied financial
services may turn to other more costly
financial alternatives, such as check
cashing, or miss out on the benefits of
building credit.276 By providing that
communications of personal identifiers
on their own by consumer reporting
agencies are consumer reports, the
proposed rule would apply the FCRA’s
accuracy provisions to data brokers who
receive personal identifiers from
consumer reporting agencies to provide
risk mitigation services. While the CFPB
does not have data to quantify the
impact that inaccurate information
plays in the decisions resulting from
risk mitigation services provided by
such data brokers, the CFPB expects that
by improving the accuracy of such
information, the proposed rule could
mitigate the associated harms of such
decisions based on inaccurate
information. The CFPB requests
comment on the role personal
identifiers play in risk mitigation
services and the associated impacts for
consumers.
In addition, users of reports consisting
solely of personal identifiers purchased
from consumer reporting agencies
would be required to send adverse
action notices to consumers in
situations where an adverse action is
taken against a consumer based on the
information. Consumers would benefit
from receiving such adverse action
notices to the extent that it alerts them
to potentially incorrect information and
their right to dispute such information,
and prompts them to address adverse
actions that may have resulted, such as
denial of government benefits or bank
accounts due to an inability to verify the
identity of the consumer. The CFPB
does not have data to quantify how
often users of personal identifiers
provide adverse action notices based on
this information at baseline and requests
comment on these issues.
275 See, e.g., Press Release, Fed. Trade Comm’n,
As Nationwide Fraud Losses Top $10 Billion in
2023, FTC Steps Up Efforts to Protect the Public
(Feb. 9, 2024), https://www.ftc.gov/news-events/
news/press-releases/2024/02/nationwide-fraudlosses-top-10-billion-2023-ftc-steps-efforts-protectpublic; Tara Siegel Bernard & Ron Lieber, Banks Are
Closing Customer Accounts, With Little
Explanation, N.Y. Times (Apr. 8, 2023), https://
www.nytimes.com/2023/04/08/your-money/bankaccount-suspicious-activity.html; Kristine Lazar, On
Your Side: Bank customers report unexpected
account closures, CBS News (July 17, 2023) https://
www.cbsnews.com/losangeles/news/on-your-sidebank-customers-report-unexpected-accountclosures/.
276 Tyler Desmond & Charles Sprenger,
Estimating the Cost of Being Unbanked, Fed. Rsrv.
Bank of Boston (Spring 2007), https://
www.bostonfed.org/-/media/Documents/cb/PDF/
article9.pdf.
Potential Benefits to Covered Persons of
Provisions Addressing What Constitutes
a Consumer Report
Many financial institutions use risk
mitigation services provided by data
brokers to detect fraudulent applicants
and suspicious activity to reduce the
cost of fraud against the financial
institution, or fraud against consumers
that the financial institution must cover
pursuant to the Electronic Fund
Transfer Act or payment network rules.
The proposed rule would ensure the
FCRA’s protections apply to these risk
mitigation services if the data broker
purchased personal identifiers from the
consumer reporting agencies. These data
brokers would be required to comply
with FCRA provisions applicable to
consumer reporting agencies, including
the legal requirement to maintain
policies and procedures to assure
maximum possible accuracy.277 In
addition, consumers would receive
greater notice and ability to dispute
inaccurate personal identifiers used for
risk mitigation purposes if proposed
§ 1022.4(d) is finalized. To the extent
that correction of inaccurate reports
increases as a result of the proposed
rule, covered persons that rely on these
services would benefit from the
improved accuracy of risk mitigation.
For example, financial institutions that
use data brokers that purchase personal
identifiers from consumer reporting
agencies for identity verification
services would have better information
to detect fraudulent applications. By
improving the accuracy of information
used for risk mitigation, the CFPB also
expects the proposed rule to reduce
costs to financial institutions, which
currently expend resources, incur fraud
losses, or may lose business due to
decisions resulting from inaccurate data
used in risk mitigation in the
baseline.278 The CFPB does not have
data to quantify these benefits and
requests information and comment on
these issues.
The CFPB does not anticipate that any
covered persons would benefit from any
of the three alternative versions of
proposed § 1022.4(e).
Potential Costs to Consumers of
Provisions Addressing What Constitutes
a Consumer Report
Regarding proposed § 1022.4(d), at
baseline, personal identifiers from
consumer reporting agencies are used in
277 15 U.S.C. 1681e.
278 David Vergara, The banking industry’s multibillion dollar fraud problem and how to solve it,
Bank Admin. Inst. (Jan. 16, 2019), https://
www.bai.org/banking-strategies/the-bankingindustrys-multi-billion-dollar-problem/.
a variety of activities, some of which
involve FCRA permissible purposes and
some of which do not. Personal
identifiers from consumer reporting
agencies are used for risk mitigation
activities, such as identity verification
and fraud prevention, which overlap but
can be distinct from each other.
Generally, entities will have a
permissible purpose to purchase
personal identifiers from consumer
reporting agencies for risk mitigation
services on current or prospective
customers, either because there is an
applicable permissible purpose or the
user is able to obtain the consumer’s
written instruction. The CFPB requests
comment on the extent to which risk
mitigation strategies and services that
use personal identifiers from consumer
reporting agencies could be impacted
under the proposal and subsequent
impacts on consumers.
In some instances, law enforcement
agencies purchase personal identifiers
from consumer reporting agencies via
data brokers. However, law enforcement
currently obtains personal identifiers
from a broad range of other sources, and
proposed § 1022.4(d) would not affect
many of these sources.279 If law
enforcement is able to obtain necessary
information pursuant to these other
sources, or through other sources that
are not subject to the FCRA, the CFPB
expects the impacts of the proposed rule
to law enforcement would be small and
seeks comment on whether there would
be any subsequent impacts to
consumers. Furthermore, as noted
above, the CFPB is requesting comment
on a potential exemption from proposed
§ 1022.4(d) for communications
consisting exclusively of personal
identifiers that are solely furnished to,
or solely used to furnish to, local,
Tribal, State, or Federal governments,
which would likely ameliorate this
impact.
Consumers could also face impacts
related to use of de-identified data by
entities that develop and test financial
models if the first or second alternative
version of proposed § 1022.4(e) is
finalized. For example, financial
institutions and other entities use de-identified consumer reporting agency
data to develop, test, and validate credit,
fraud, and similar risk-management
models (such as VantageScore and FICO
scores), develop and test products,
manage credit portfolios, and for other
purposes. While existing risk-management scores that have already
been developed could still be used if the
proposed rule were finalized, without
access to de-identified consumer report
data, entities would be unable to test
and improve such scores as they
currently do. Similarly, entities
attempting to develop new models
would not be able to do so using de-identified consumer report data. To the
extent that risk-management scores
created without access to de-identified
consumer report data are less accurate
in predicting consumers’ ability to repay
than existing scores, there could be
downstream effects on processes and
products that rely upon such metrics.
While financial institutions would be
able to rely on consumer reporting
agencies, particularly nationwide
consumer reporting agencies, to develop
risk-management scores, reduced
competition in developing risk-management scores could impose costs
on consumers in the form of higher
prices and less accurate scores. Small
entity representatives noted during the
Small Business Review Panel that, if
creditors could not use de-identified
data for their own models, they would
need to tighten their credit policies or
increase pricing, both of which would
harm consumers, particularly those who
do not have access to traditional
financial products and services.280 The
CFPB requests information on the
potential impacts to risk-management
models and the subsequent impacts to
consumers.
Consumers may also lose benefits
from research, policymaking, or market
monitoring activities that rely on de-identified information. Currently,
consumer reporting agencies regularly
sell de-identified information from their
consumer reporting databases to
government agencies, nonprofits, and
academic institutions to facilitate
research. Research using de-identified
consumer report information has
become increasingly common, as it
allows policymakers to identify current
trends in consumer welfare and identify
emerging financial risks to consumers.
For example, the CFPB uses its
Consumer Credit Information Panel
(CCIP), a comprehensive, national 1-in-50 longitudinal sample of de-identified
credit records, sourced from one of the
three nationwide consumer reporting
agencies, to conduct economic research,
monitor financial markets, and inform
rulemakings that support consumers in
the financial marketplace. Similarly, the
CFPB and FHFA jointly fund and
manage the National Mortgage Database
(NMDB), a de-identified nationally
representative five percent sample of
closed-end first-lien residential
279 See supra pp. 4–6, Part I: Summary of the
Proposed Rule.
280 Small Business Review Panel Report, supra
note 40, at 25.
mortgages in the United States.281 The
FHFA not only relies on the NMDB to
fulfill its mandate to conduct a monthly
mortgage market survey but also uses
the database to benefit consumers
through activities such as evaluating
impacts of borrower counseling and
loan modification programs.282 Many
nonprofits (e.g., Eviction Lab, Urban
Institute, FinRegLab) and academic
institutions (e.g., University of
California, Indiana University) use
similar de-identified data from the
nationwide consumer reporting agencies
to conduct research on a wide array of
topics, such as the effect of government
policies on consumer access to credit.283
Under the first alternative version of
proposed § 1022.4(e), government
agencies, nonprofits, and academic
institutions would generally no longer
be able to obtain de-identified data from
consumer reporting databases and
numerous other sources, as they do not
generally have an FCRA permissible
purpose to do so; the second alternative
would have similar effects where the de-identified data is linkable back to
individual consumers. To the extent
that consumers currently benefit from
such research, consumers would face
costs associated with its prohibition
under the first and second proposed
alternatives.
Depending on which conditions are
finalized and how they are
implemented, the third alternative
could also impact government agencies’
and other researchers’ ability to engage
in research practices that use de-identified data from consumer reporting
agencies going forward. To the extent
that consumers and covered persons
receive value from these research
activities that use de-identified
information from consumer reporting
databases, a version of the de-identified
data provision that would prohibit these
practices would impose costs on
consumers by eliminating the benefits of
that research. The CFPB requests
281 Fed. Hous. Fin. Agency, National Mortgage
Database Program, https://www.fhfa.gov/programs/
national-mortgage-database-program (last visited
Oct. 15, 2024). The core data in NMDB is de-identified data drawn from the files of Experian,
one of the three national credit bureaus. Fed. Hous.
Fin. Agency, Technical Report 1: National Mortgage
Database Technical Documentation, at 1–2 (Dec.
28, 2022), https://www.fhfa.gov/sites/default/files/
documents/NMDB-Technical-Documentation20221228.pdf.
282 12 U.S.C. 4544(c)(1); see also Fed. Hous. Fin.
Agency, National Mortgage Database Program,
https://www.fhfa.gov/programs/national-mortgagedatabase-program (last visited Oct. 15, 2024).
283 Univ. of Cal. Consumer Credit Panel (UC–
CCP), California Policy Lab, https://
www.capolicylab.org/data-resources/university-ofcalifornia-consumer-credit-panel/, (last visited Oct.
15, 2024).
information on the potential impacts to
research activities and the subsequent
impacts to consumers.
Potential Costs to Covered Persons of
Provisions Addressing What Constitutes
a Consumer Report
The provisions relating to personal
identifiers and de-identified data
purchased from consumer reporting
agencies could reduce the ability of
consumer reporting agencies to sell
current products or services, potentially
reducing their revenues. For example,
consumer reporting agencies sell de-identified consumer report data to
government agencies, nonprofits, and
academic institutions for use in research
and policy work, as well as to financial
institutions and other entities for a
variety of finance-related modeling
purposes. Revenues from such sales
could be reduced or eliminated,
depending on the version of the de-identified data provision that is
finalized. The CFPB is aware that some
nationwide consumer reporting agencies
sell personal identifiers and de-identified consumer report information
but does not have information to
determine the extent to which other
entities that meet the definition of
consumer reporting agency engage in
similar practices.
Additionally, entities that currently
use de-identified consumer report data
for credit and other financial models
could face impacts and costs associated
with the loss of or change to this data
access, such as those noted in the above
discussion on costs to consumers.
Examples of costs include, but are not
limited to, operational costs to adjust
their processes and models, costs
associated with finding alternative data,
and potential business and revenue
impacts to the extent these changes are
not as effective as the current models
that use de-identified consumer report
data. The CFPB requests information
from entities on the use cases of de-identified data for these purposes and
the potential impacts on entities of the
alternatives under consideration.
Some data brokers that purchase
personal identifiers from consumer
reporting agencies for resale would
themselves be considered consumer
reporting agencies. Those firms would
have similar additional costs as
described above in the section
pertaining to costs to covered persons of
provisions that could affect consumer
reporting agency coverage. For example,
these firms would be subject to FCRA
compliance requirements for how
consumer report information can be
used and distributed. The CFPB
requests information and comment that
can be used to quantify potential
revenue losses and compliance costs to
these entities.
Some consumer reporting agencies
sell personal identifiers to financial
institutions for their in-house risk
mitigation activities, including identity
verification or fraud detection, or to
users who provide risk mitigation
services to financial institutions. For
example, financial institutions use
credit header data for identity
verification when a consumer applies
for a loan, opens a checking account, or
applies for a credit limit increase.284
Users of personal identifiers for identity
verification services could continue to
obtain identifying information drawn
from a consumer reporting database if
they have an FCRA permissible
purpose. For example, if an entity has
a permissible purpose under FCRA
section 604(a)(3) to obtain a consumer
report, a consumer reporting agency
could provide that entity with a
consumer report for identity verification
conducted in connection with that
permissible purpose (such as a creditor
seeking to confirm the identity of an
applicant in connection with a loan
application). In other cases, users could
obtain a consumer’s written
instructions. However, the CFPB
received feedback from the Small
Business Review Panel that obtaining
written instructions might lead to
increased operational costs, slow down
consumer-initiated transactions, or
cause confusion among customers.285
The CFPB does not have information to
quantify these potential costs but
preliminarily determines that some of
the cost to entities that would rely on
the written instructions permissible
purpose could be minimized by
obtaining a consumer’s written
instructions electronically. The CFPB
requests comment on this issue.
If the proposal is finalized, consumer
reporting agencies would generally not
be able to provide personal identifiers
that they collect for the purpose of
preparing consumer reports to entities
that want to use the information for
identity verification in connection with
a transaction that is not a permissible
purpose, absent written instructions
from the consumer. Given that identity
verification is primarily conducted by
entities on their customers or
prospective customers who submit an
application to the entity, the CFPB
expects that many users of personal
identifiers from consumer reports will
be able to obtain written instructions in
284 Small Business Review Panel Report, supra
note 40, at 22.
285 Id. at 23.
the absence of other permissible
purposes, thus mitigating impacts on
their use. However, in cases where an
entity that would otherwise use
personal identifiers from consumer
reporting agencies for risk mitigation
services does not have a permissible
purpose and does not obtain a
consumer’s written instructions, the
user could face costs such as identifying
and integrating alternative sources of
personal identifiers for identity
verification if the proposed rule is
finalized. If these users fail to identify
suitable alternative data sources,
impacted entities might instead require
consumers to take additional validation
steps before they approve an action.
These additional validation steps may
impose costs on impacted entities, such
as operational costs to conduct
additional checks, the cost of acquiring
additional verification tools, and
potential loss of consumer transactions
or relationships related to the increased
friction imposed on a consumer. The
CFPB is requesting comment on
whether there are entities that conduct
identity verification without a
permissible purpose or the ability to
obtain written instructions (such as data
brokers that use personal identifiers
purchased from consumer reporting
agencies to perform risk mitigation
services on behalf of companies
regarding consumers who are not the
companies’ customers) and if so, what
impact this rule would have on those
services and what obstacles or costs may
be associated with obtaining suitable
alternatives from other sources (such as
directly from financial institutions).
Debt collectors may also use data
brokers that purchase personal
identifiers from consumer reporting
agencies to locate consumers to collect
unpaid debts on credit accounts at
baseline. If the personal identifier
proposal is finalized, debt collectors
collecting on such credit accounts could
continue to use personal identifiers
purchased from consumer reporting
agencies in compliance with the FCRA
under FCRA section 604(a)(3)(A). The
CFPB received feedback from the Small
Business Review Panel that some debt
collectors would increase reliance on
litigation as a collection tool.286 Since
collecting on a credit account is a
permissible purpose under the FCRA,
the CFPB does not have information on
the likelihood of debt collectors
changing collection approaches or other
costs related to the rule and requests
comment.
286 Small Business Review Panel Report, supra
note 40, at 24.
Provisions To Reduce the Use of
Consumer Report Information for
Marketing and Advertising
The proposed rule includes
provisions intended to further the
FCRA’s general prohibition on the use
of consumer report information for
marketing and advertising without a
permissible purpose, i.e., without
compliance with the FCRA’s
prescreening provisions set out in FCRA
section 604(c) or the consumer’s written
instructions under FCRA section
604(a)(2). Under proposed
§ 1022.10(b)(2), if a consumer reporting
agency facilitates a third party’s use of
consumer report information for that
person’s financial gain, regardless of
whether such information is transmitted
to the third party, the consumer
reporting agency has furnished the
consumer report to a third party for
purposes of FCRA section 604 and
proposed § 1022.10(a). In addition,
proposed § 1022.12(b)(3) would
highlight that the legitimate business
need permissible purpose in FCRA
section 604(a)(3)(F) does not authorize
use of consumer report information for
marketing. Given that proposed
§ 1022.12(b)(3) does not change the
baseline, the CFPB does not anticipate
any significant impacts of this
provision. Additionally, while not the
focus of this analysis, proposed
§ 1022.4(e) regarding when de-identified
consumer information constitutes a
consumer report, discussed above, may
also deter the use of consumer report
information for marketing and
advertising without a permissible
purpose.
Potential Benefits to Consumers of
Provisions To Reduce the Use of
Consumer Report Information for
Marketing and Advertising
To the extent that entities rely on
consumer reporting agencies to facilitate
their use of consumer report
information to target marketing to
consumers without receiving such
information and without a permissible
purpose, the proposed rule would
prevent such marketing. Specifically,
the proposals would cause consumer
reporting agencies to cease facilitating
advertisers’ ability to target ads based on
consumer report information, except in
limited circumstances (i.e., with
consumer authorization or under the
limited circumstances permitted by the
FCRA for firm offers of credit or
insurance). While companies may
instead use alternative data that could
proxy for consumer report information
so as to avoid FCRA restrictions,
alternative data may be prohibitively
expensive or of lower quality.287 To the
extent that companies fail to identify
suitable proxies for consumer report
information, the proposed rule could
reduce the amount of targeted marketing
presented to consumers.
Reductions in targeted marketing and
advertising based on consumer report
information could result in benefits to
consumer privacy. Some existing
research suggests that consumers can
find targeted advertising intrusive and
may even respond negatively if the
targeting is made more salient.288
Researchers have also found evidence
that consumers value the European
Union’s General Data Protection
Regulation’s right to object to profiling
provision, which provides consumers a
limited ability to object to companies
using their personal data for marketing
purposes.289 To the extent consumers
find targeted advertising based on
consumer report information intrusive,
then consumers may benefit from any
reduction in this type of targeted
marketing stemming from the proposed
rule.
It is also possible for marketing based
on consumer report information to
negatively impact consumers. For
example, targeted marketing based on
financial characteristics, such as
income, credit score, or payment of
debts, might enable the targeting of
consumers in financial distress with
advertisements for predatory products
and services, which may result in
financial or other harms to consumers.
Firms could also use consumer report
information, for example, to target only
expected higher-income consumers and
prevent lower-income consumers from
seeing advertisements for products that
may benefit them. To the extent the
proposed provisions affect targeted
advertising based on these types of
characteristics, the proposed rule may
benefit consumers. Consistent with the
discussion above about price
discrimination, advertising based on
income or financial tier can lead to
consumers being offered products at
prices closer to the consumer’s
willingness to pay, resulting in higher
287 See, e.g., Eric Farkas, How accurate third-party
data leads the way for advertisers, Experian (Jan. 5,
2024), https://www.experian.com/blogs/marketingforward/how-accurate-third-party-data-leads-theway-for-advertisers/.
288 Avi Goldfarb & Catherine Tucker, Online
Display Advertising: Targeting and Obtrusiveness,
30(3) Mktg. Sci. (Feb. 9, 2011), https://pubsonline.
informs.org/doi/10.1287/mksc.1100.0583.
289 Maciej Sobolewski & Michal Palinski (2017),
How much do consumers value on-line privacy?
Welfare assessment of new data protection
regulation (GDPR) (Univ. of Warsaw, Faculty of
Econ. Sci., Working Papers No. 17/2017 (246) 2017),
https://www.wne.uw.edu.pl/files/7915/1505/9038/
WNE_WP246.pdf.
revenue for companies but lower
consumer surplus. The CFPB requests
information that can be used to quantify
these potential benefits to consumers of
reductions in marketing and advertising
based on consumer report information,
as well as information that can be used
to quantify the amount of marketing or
advertising presented to consumers that
depends on consumer reporting
agencies facilitating use of consumer
report information.
Potential Benefits to Covered Persons of
Provisions To Reduce the Use of
Consumer Report Information for
Marketing and Advertising
The CFPB does not anticipate that any
covered persons would benefit from the
provisions in the proposed rule
intended to reduce the use of consumer
report information for marketing and
advertising.
Potential Costs to Consumers of
Provisions To Reduce the Use of
Consumer Report Information for
Marketing and Advertising
To the extent that the proposed
provisions impact targeted advertising
or marketing by reducing companies’
ability to rely on consumer report
information, such as income and
financial tier, for targeted marketing,
they may impose some costs on
consumers. For consumers, advertising
can serve an informative purpose.290 In
targeting consumers based on
personalized information (including
consumer report information such as
income or financial tier) for profit-maximizing purposes, companies may
be informing certain consumers of
products or discounts that they would
be interested in, and potentially would
not have known about otherwise. While
the proposed rule would not prohibit
companies from using targeting
algorithms, the reduced ability to rely
on consumer report information for
targeted marketing could reduce the
amount and usefulness of the marketing
consumers receive. However, these
potential costs to consumers would be
small if targeted marketing based on
consumer report information currently
has limited value for consumers. The
CFPB is not aware of research that
examines whether using consumer
report information specifically in
targeting algorithms affects the amount
and degree to which ads meet consumer
preferences. Existing empirical research
concerning the value of targeted
290 See, e.g., Yehuda Kotowitz & Frank
Mathewson, Informative Advertising and Welfare,
69(3), The American Econ. Review 284 (June 1979),
https://www.jstor.org/stable/1807364.
marketing, in general, to consumers is
mixed.291 The CFPB does not have
information to quantify the value to
consumers of targeted advertising that
uses consumer report information, or
the change in value that could result if
this use were to cease under the
proposed rule, and requests information
on the potential impact to consumers.
By providing that the FCRA prohibits
consumer reporting agencies from
facilitating a third party’s use of
consumer report information for
financial gain without a permissible
purpose, the proposed rule would also
impact some surveys. Since academics,
nonprofit organizations, and
government agencies do not conduct or
sponsor surveys for financial gain, their
use of consumer reporting agencies to
facilitate surveys would not be
prohibited, and consumers would
continue to benefit from research that
relies upon these types of surveys.
However, to the extent that consumers
benefit from surveys that rely on or
elicit consumer report information and
are conducted for financial gain,
consumers would face reduced benefits
associated with their prohibition. While
it is likely that entities would simply
cease relying on consumer reporting
agencies to facilitate surveys rather than
abandon the surveys entirely, this could
reduce the efficacy of such surveys, and
in turn, reduce their value to
consumers. The CFPB requests
comment on the extent to which
consumers benefit from surveys
facilitated by consumer reporting
agencies for a person’s financial gain.
The CFPB requests information that
can be used to quantify these costs to
consumers, as well as comment on
whether there are additional use cases
outside of targeted marketing and
research that one would expect to be
impacted by the proposed rule.
Potential Costs to Covered Persons of
Provisions To Reduce the Use of
Consumer Report Information for
Marketing and Advertising
There are several ways in which
consumer reporting agencies would lose
revenues under the provisions of the
291 See, e.g., Erik Brynjolfsson et al., The
Consumer Welfare Effects of Online Ads: Evidence
from a 9-year Experiment (NBER Working Paper
No. 32846, Aug. 2024), https://www.nber.org/
papers/w32846; Eduardo Schnadower Mustri et al.,
Behavioral Advertising and Consumer Welfare, Soc.
Sci. Rsch. Network (Mar. 23, 2023), https://papers.
ssrn.com/sol3/papers.cfm?abstract_id=4398428;
Navdeep S. Sahni & Charles Zhang, Are Consumers
Averse to Sponsored Messages? The Role of Search
Advertising in Information Discovery, Stanford
Univ. Graduate Sch. of Bus. Rsch. Paper No.
3441786 (Mar. 27, 2022), https://papers.ssrn.com/
sol3/papers.cfm?abstract_id=3441786.
proposed rule related to marketing. If
the provision clarifying that furnishing
includes facilitating a person’s use of a
consumer report for financial gain is
finalized, consumer reporting agencies
would forgo revenues that they
previously could have generated from
certain activities, such as facilitating
marketing or conducting surveys that
rely upon consumer report information
on behalf of other entities for those
entities’ financial gain. In addition to
lost revenue, consumer reporting
agencies could incur costs of
compliance associated with changing
processes, policies, and procedures
related to these activities if the
provision is finalized. The proposed
provisions are expected to have fewer
impacts on consumer reporting agencies
that do not at baseline engage in these
activities. The CFPB requests comment
on these issues, especially data that can
be used to quantify these potential
losses in revenue, such as data on the
sales of consumer report information
that would be affected by the proposed
provisions.
Companies may also incur costs due
to the proposed provisions pertaining to
marketing and advertising. Companies
target ads for a variety of purposes,
including to build an applicant pool or
customer base meeting certain criteria,
or to increase the percentage of ads that
lead to customer acquisition or
purchases. Companies generally use a
variety of advertising methods to
increase customer volume at the lowest
customer acquisition cost possible. In
the modern economy, targeted digital
ads using consumer data is one method
for doing so, along with contextual
digital ads, behavioral digital ads,
physical mailings, email, texts,
telemarketing, television, billboards,
radio, podcasts, and other ad types. This
proposed rule could impact the efficacy
of digital advertising by preventing
consumer reporting agencies from
facilitating companies’ use of consumer
report information, such as that
pertaining to income or financial tier, in
the design and development of targeting
algorithms, which is not a permissible
purpose. The CFPB is not aware of
research demonstrating whether, and
the degree to which, the inclusion of
consumer report data like income or
financial tier in targeting algorithms
increases customer acquisition
efficiency. But in theory, the proposed
rule may result in a higher customer
acquisition cost for firms with a heavier
reliance on digital advertising (in
particular targeted marketing based on
surveillance data, as opposed to
contextual or behavioral ads) and with
a target audience in specific subgroups
defined by certain consumer report
information. Having said that, as noted
above, targeted advertising based on
consumer data would remain viable
with the many other variables available
to advertisers, so the impact on
customer acquisition cost for even those
firms would likely be limited.
In recent years, large firms such as
Google and Apple,292 and some States
(e.g., California, Colorado, Connecticut,
Virginia, and Utah) have considered or
have implemented changes to strategies
and policies related to consumer
privacy. While the proposed provisions
would specifically affect targeted
advertising based on consumer report
information, companies’ prior
adjustments to industry and State-level
changes could potentially mitigate the
additional costs that they may incur if
this proposed rule is finalized. Some
companies may choose to instead rely
on written instructions as a means of
obtaining consumer reports for
marketing or advertising purposes,
which could increase paperwork and
processes associated with requesting
consumer information, or to comply
with the FCRA’s prescreening
provisions. The CFPB requests data and
information that can be used to estimate
the potential revenue losses or
additional costs that may be incurred by
companies that would be affected by the
proposals.
Provisions Clarifying the
Responsibilities of Consumer Reporting
Agencies
The proposed rule would clarify
certain responsibilities of consumer
reporting agencies. Proposed § 1022.11
would clarify the conditions that must
be met for a consumer reporting agency
to furnish or a person to obtain a
consumer report in accordance with the
written instructions of the consumer,
including consumer disclosure and
consent requirements, and limitations
on procurement, use, and retention of
consumer reports, including that such
activities must be reasonably necessary
to provide the product or service the
consumer requested or the specific use
identified by the consumer. Proposed
§ 1022.11 would also provide that a
consumer reporting agency furnishes a
consumer report in accordance with the
written instructions of the consumer if
the report is furnished to a person that
292 Tim Bajarin, Apple’s Do Not Track Me Rules
Are Having Significant Impact On Digital
Advertising, Forbes (July 26, 2022), https://
www.forbes.com/sites/timbajarin/2022/07/26/
apples-do-not-track-me-rules-are-having-significant-impact-on-digital-advertising/.
is an authorized third party under
subpart D of the PFDR Rule.
Proposed § 1022.12(b)(2) would
provide examples of the types of
transactions that would and would not
establish a consumer-initiated
transaction for purposes of the
legitimate business need permissible
purpose in FCRA section 604(a)(3)(F).
For instance, the proposal clarifies that
a consumer does not initiate a business
transaction for purposes of the
legitimate business need permissible
purpose by inquiring about the
availability or pricing of products or
services.
Potential Benefits to Consumers of
Provisions Clarifying the
Responsibilities of Consumer Reporting
Agencies
Proposed §§ 1022.11 and 1022.12(b)
would enhance consumer protections by
limiting the risk of unauthorized use
and sharing of consumer report
information. The written instructions
permissible purpose in proposed
§ 1022.11 provides this benefit in
several ways. First, by limiting the
permissible purpose to users who will
obtain, use, and retain a consumer
report only as reasonably necessary to
provide a product or service or use
requested by a consumer, consumers are
protected from unknowingly agreeing to
uses of their consumer report that they
do not want. Indeed, by providing that
users may only share a consumer report
as reasonably necessary for these
purposes, the proposal would decrease
the chance that the information would
be obtained by unauthorized or
unanticipated users, including through
data leaks.293 Next, by requiring
consumer reporting agencies or
consumer report users to disclose key
information to consumers concerning
the requested written instructions, the
proposal would enable consumers to
make informed decisions as to how their
consumer report information is used. In
addition, by limiting the duration for
which a consumer’s written instructions
provide a permissible purpose to up to
one year, the proposed rule would allow
consumers to provide standing
instructions to furnish consumer reports
where required to provide the requested
product or service but would provide a
check against consumer reports being
furnished for longer periods of time
than the consumer needs or wants. The
CFPB does not have data that would
allow it to quantify how much
consumers would benefit from these
additional protections.
293 See supra note 85.
Similarly, proposed § 1022.12(b)(2),
which clarifies the legitimate business
need permissible purpose, could benefit
consumers by minimizing the risk of
unauthorized information sharing and
reducing market-based harms to
consumers. The CFPB is concerned that
some companies could impermissibly
obtain consumer reports before a
consumer initiates a business
transaction, which could lead to the
consumer report being used to make
decisions about the consumer in ways
not authorized by the FCRA. For
example, in theory, companies might
use consumer report information to
assess consumers and then discriminate
against certain consumers in terms of
attention paid and differential pricing.
These situations could lead to higher
prices for some consumers. The
proposed rule could further deter such
conduct by clarifying that users do not
have a legitimate business need
permissible purpose for this information
before the consumer has initiated a
transaction. To quantify the impact, the
CFPB would need to know how often
and to what extent consumer report
information is currently used in this
manner or in other ways that might
harm certain consumers.
Taken together, proposed §§ 1022.11
and 1022.12(b)(2) would minimize the
unauthorized flow of consumer report
information and provide consumers
with other privacy-related benefits. The
CFPB invites comments and feedback
on the privacy implications of these
proposals for consumers.
Potential Benefits to Covered Persons of
Provisions Clarifying the
Responsibilities of Consumer Reporting
Agencies
The examples provided in proposed
§ 1022.12(b)(2), regarding the legitimate
business need permissible purpose,
could benefit consumer reporting
agencies by providing clarity and thus
reduce legal uncertainty that the
consumer reporting agency
impermissibly furnishes consumer
report information, enabling them to
make more efficient business decisions.
The CFPB does not anticipate that any
covered persons would benefit from the
written instructions provisions in
proposed § 1022.11. The CFPB requests
comment on benefits to covered persons
of these proposed provisions.
Potential Costs to Consumers of
Provisions Clarifying the
Responsibilities of Consumer Reporting
Agencies
Consumers would face additional
burdens and frictions associated with
proposed § 1022.11. Regarding proposed
§ 1022.11, at baseline, consumer written
instructions to furnish consumer reports
often are included as part of larger terms
and conditions language provided to the
consumer. Under the proposed rule, the
consumer’s written instructions would
need to be segregated from other
material. Similarly, since users of
consumer report information would
only be allowed to use a consumer
report obtained pursuant to the written
instructions permissible purpose for a
single product or service per
instruction, consumers may be required
to provide multiple, separate written
instructions in some circumstances. In
addition, consumers would be required
to provide multiple, separate written
instructions if the user seeks to obtain
a consumer report from more than one
consumer reporting agency. Thus, the
proposed rule could result in consumers
reviewing multiple, separate
disclosures. These changes generally
would increase the amount of time
consumers spend to provide written
instructions for a user to obtain their
consumer report when signing up for a
product or service for which this
permissible purpose is necessary.
Under proposed § 1022.11, consumers
may also face frictions associated with
the proposal to limit consumer
instructions to a duration that is
reasonably necessary to provide the
product or service or use but no longer
than one year. For example, if a
consumer is signed up for a credit
monitoring service, consumers may be
required to reauthorize the entity to
access their consumer reports on at least
an annual basis.
The cost of certain products and
services that rely on consumer report
information may increase for consumers
if proposed § 1022.11 were adopted. For
example, today users may obtain a
consumer’s written instructions to
obtain their consumer report without
specifying the consumer reporting
agency from which the user will obtain
it, and afterwards change which
consumer reporting agency they want to
use to acquire the report. Under the
proposed rule, however, entities would
no longer be able to do this (or would
need to obtain a new written
instruction), as they would be required
to include in the disclosure the name of
the consumer reporting agency from
which they intend to obtain the
consumer report. Therefore, the
proposed rule may disincentivize users
from changing which consumer
reporting agency they use, even if a
different consumer reporting agency
offers less expensive reports. To the
extent that users pass through the
increased costs of consumer reports, as
well as other costs associated with
complying with the proposed rule,
consumers would face increased costs.
The CFPB does not have data to
quantify these costs to consumers and
requests information and comment on
these issues.
Potential Costs to Covered Persons of
Provisions Clarifying the
Responsibilities of Consumer Reporting
Agencies
Covered persons, including consumer
reporting agencies and users of
consumer report information, would
face costs associated with complying
with proposed § 1022.11 regarding the
written instructions permissible
purpose. Specifically, these covered
persons that rely upon the written
instructions permissible purpose to
furnish or obtain consumer report
information would experience legal and
technological costs associated with
updating their processes and procedures
to comply with this proposed rule. All
covered persons’ systems would need to
be updated to present consumers with a
segregated consumer authorization
disclosure. Covered persons’ systems
would also need to identify the
consumer reporting agency from which
the user intends to pull the consumers’
report information, the name of the
person for whom the consumer is
providing consent to obtain their
consumer report, and other information
that would be required to be included
in the disclosure. Moreover, since
consumer authorizations would only be
valid for as long as is reasonably
necessary to provide the requested
product or service or identified use, up
to one year, entities’ systems would
need to be updated to reobtain
consumers’ written instructions after the
initial instructions lapse, should
continued authorization be needed. In
addition, these systems would need to
be updated to allow for consumers to
revoke their written instructions.
Beyond the technical and legal costs,
these added frictions may also result in
decreased revenues for users.
Consumer reporting agencies would
face frictions associated with ensuring
that consumers’ written instructions
comply with the proposed rule.
Likewise, users would face costs
associated with proving to consumer
reporting agencies they have obtained
consumers’ written instructions in a
manner that comports with the
proposed rule.
Today, consumers may not realize
that they are providing written
instructions authorizing access to their
consumer reports, such as when such
authorizations are buried in terms and
conditions. Under this proposed rule,
entities would instead be required to
provide consumers with a ‘‘clear and
conspicuous’’ disclosure. Therefore, in
light of this proposed rule, consumers
may be more likely to decline
authorizing such access when a user or
consumer reporting agency seeks
written instructions as required under
the proposal. To the extent that this
occurs, the user requesting written
permission, as well as the consumer
reporting agency that would have
provided the consumer report, could
have decreased revenue due to the
proposed rule. The CFPB requests
comment on this issue, particularly
information on the extent to which
users and consumer reporting agencies
would experience decreased revenue.
Regarding proposed § 1022.12(b)(2),
consumer reporting agencies that, in
compliance with existing law, are
already operating within the scope of
the legitimate business need permissible
purpose as clarified in the proposed rule
are expected to face relatively few costs
associated with this proposal. However,
consumer reporting agencies that are
currently selling consumer report
information to users for purposes
outside of this scope and realize that
they need to change their practices due
to the clarifications in the proposed rule
would lose revenue from the resulting
decreased sale of consumer reports. The
CFPB does not have data available to
quantify this revenue loss. The CFPB
requests comment on this issue,
particularly information on the extent to
which the sale of consumer report
information would cease under the
proposal.294
F. Potential Reduction of Access by
Consumers to Consumer Financial
Products or Services
The provisions addressing the
definitions of consumer report and
consumer reporting agency that could
affect which entities are consumer
reporting agencies may impose
significant compliance costs on data
brokers and other entities that would
become consumer reporting agencies
under the proposed rule. To the extent
this occurs, data brokers may,
depending on market factors, pass
through some or all of those costs to
creditors and depository institutions
that use their services. Creditors and
depository institutions could then pass
through some or all of that increase to
consumers in the form of higher prices.
This price impact may be mitigated to
the extent that creditors and depository
294 Small Business Review Panel Report, supra
note 40, at 29.
institutions choose to absorb part of the
compliance costs borne by data brokers.
The CFPB does not have information to
quantify these potential impacts and
requests comment on financial access
issues that may arise from the proposed
rule if finalized.
G. Potential Impacts on Depository
Institutions and Credit Unions With $10
Billion or Less in Total Assets, as
Described in Section 1026
The CFPB has preliminarily
concluded that, relative to larger
depository institutions and credit
unions, the proposed rule would not
have significantly different impacts on
depository institutions and credit
unions with $10 billion or less in total
assets. The CFPB requests comment on
its analysis of the potential impacts on
these smaller financial institutions.
H. Potential Impacts on Consumers in
Rural Areas
The potential impacts of the proposed
rule on consumers in rural areas would
likely be the same, on average, as those
impacts on consumers who do not
reside in rural areas. For example, data
brokers that would become consumer
reporting agencies if the proposed rule
was finalized likely operate similarly for
rural and non-rural consumers.
Likewise, the CFPB is not aware of
reasons why, at baseline, marketing
based on consumer report information
currently impacts consumers differently
depending on whether they live in rural
areas or not. The CFPB requests
comment on its analysis of potential
impacts on consumers in rural areas.
VII. Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act (RFA)
requires the CFPB to conduct an initial
regulatory flexibility analysis (IRFA)
and convene a panel to consult with
small entity representatives before
proposing a rule subject to notice-and-comment requirements,295 unless it
certifies that the rule will not have a
significant economic impact on a
substantial number of small entities.296
The CFPB has not certified that the
proposed rule would not have a
significant economic impact on a
substantial number of small entities
within the meaning of the RFA.
Accordingly, the CFPB convened a
Small Business Review Panel under the
Small Business Regulatory Enforcement
Fairness Act (SBREFA) on October 16,
2023, and held two Panel meetings on
October 18 and 19, 2023, to consider the
impacts on small entities that would be
295 5 U.S.C. 603, 609(b), (d)(2).
296 5 U.S.C. 605(b).
subject to the proposals under
consideration and to obtain feedback
from representatives of such small
entities. The Small Business Review
Panel for this proposed rule is discussed
in part VII.A. The CFPB is also
publishing an IRFA. Among other
things, the IRFA contains estimates of
the number of small entities that may be
subject to the proposed rule and
describes the impact on those entities.
The IRFA for this proposed rule is set
forth in part VII.B.
A. Small Business Review Panel
Under section 609(b) of the RFA, as
amended by SBREFA and the CFPA, in
certain circumstances, the CFPB must
seek, prior to conducting the IRFA,
information from representatives of
small entities that may potentially be
affected by a proposed rule to assess the
potential impacts of that rule on such
small entities. The CFPB complied with
this requirement. Details on the Small
Business Review Panel and Panel
Report for this proposed rule are
described in part II.C.
B. Initial Regulatory Flexibility Analysis
1. Description of the Reasons Why
Agency Action Is Being Considered
Developments in the consumer
reporting marketplace have resulted in
vast amounts of sensitive consumer
information being bought and sold,
often without the knowledge or consent
of consumers, involving entities
(commonly known as data brokers)
some of whom do not believe that the
FCRA applies to them or their activities.
Data brokers use consumer information
to engage in or facilitate a variety of
activities, including targeting consumers
for marketing. The CFPB is also aware
that data brokers that are consumer
reporting agencies engage in activities
that may threaten consumer privacy and
potentially disclose consumer
information to third parties who do not
have a permissible purpose to obtain the
information. The proliferation of
consumer information in the market
potentially leads to national security,
consumer privacy, consumer fraud, and
data security risks that data brokers,
including consumer reporting agencies,
might not be fully accounting for. In
addition, technological advancements
have made it increasingly feasible to
identify or re-identify consumers from
aggregated or otherwise de-identified
data using fewer data fields or variables
than before.297
297 Gina Kolata, Your Data Were ‘Anonymized’?
These Scientists Can Still Identify You, N.Y. Times
(July 23, 2019), https://www.nytimes.com/2019/07/
23/health/data-privacy-protection.html.
The activities of data brokers,
including consumer reporting agencies,
pose a range of potential harms to
consumers. For example, lists of
individuals with income information
could potentially be used to facilitate
predatory marketing or financial scams.
Personal identifying information about
consumers could potentially be used to
stalk or harass consumers who do not
wish to be contacted. Consumers might
not be able to monitor or dispute the
accuracy of information that is bought
and sold by data brokers when they do
so outside of the FCRA. The CFPB has
preliminarily determined that clarifying
that certain activities and entities are
covered by the FCRA would mitigate
these harms, as well as improve
consumer privacy. Further details are
discussed in part II.B.
2. Succinct Statement of the Objectives
of, and Legal Basis for, the Proposed
Rule
The objective of the proposed rule is
to ensure that the FCRA’s protections
are applied to sensitive consumer
information that Congress designed the
statute to protect, including information
sold by data brokers, and to the types of
activities Congress designed the statute
to regulate. Specifically, the proposed
rule aims to clarify when entities such
as data brokers are consumer reporting
agencies and to ensure that consumer
reports are furnished for permissible
purposes under the FCRA, and for no
other reasons. The CFPB expects that
the proposed rule, if finalized, would
protect Americans from the harms and
invasions of privacy created by certain
activities that violate the FCRA. These
objectives are described in more detail
in part II.B.
The CFPB proposes this rule pursuant
to its authority under the FCRA and the
CFPA. Section 1022(b)(1) of the CFPA
authorizes the CFPB to prescribe rules
‘‘as may be necessary or appropriate to
enable the [CFPB] to administer and
carry out the purposes and objectives of
the Federal consumer financial laws,
and to prevent evasions thereof.’’ Under
section 621(e) of the FCRA, the CFPB
‘‘may prescribe regulations as may be
necessary or appropriate to administer
and carry out the purposes and
objectives’’ of the FCRA. FCRA section
621(e) further provides that the CFPB
may prescribe regulations as may be
necessary and appropriate to prevent
evasions of the FCRA or to facilitate
compliance therewith. Part III contains
a more detailed discussion of the legal
authority for the proposed rule.
3. Description and, Where Feasible,
Provision of an Estimate of the Number
of Small Entities To Which the
Proposed Rule Will Apply
The proposed rule would primarily
affect three types of small entities: (1)
entities, including data brokers, that
meet or would meet (if the proposals
were finalized) the definition of
consumer reporting agency in FCRA
section 603(f), (2) entities that furnish
information to entities that would meet
(if the proposals were finalized) the
definition of consumer reporting agency
in FCRA section 603(f), and (3) entities
that use consumer reports from
consumer reporting agencies or
consumer information from entities that
would meet the definition of consumer
reporting agency if the proposed rule
were finalized. Collectively, these
entities would include data aggregators
and data brokers, including consumer
reporting agencies, as well as furnishers
and financial institutions or other users.
For purposes of assessing the impacts
of the proposed rule on small entities,
‘‘small entities’’ are defined in the RFA
to include small businesses, small
nonprofit organizations, and small
government jurisdictions. Small
businesses are those that meet standards
set by the Small Business
Administration (SBA) Office of Size
Standards for all industries in the North
American Industry Classification
System (NAICS).298
The first type of small entity that may
be subject to the proposed rule are
entities that meet or would meet (if the
proposed rule is finalized) the definition
of consumer reporting agency in FCRA
section 603(f). The provisions
addressing the definitions of consumer
report and consumer reporting agency
that could affect which entities are
consumer reporting agencies would, if
adopted, broaden or clarify the type of
entities subject to the FCRA as
consumer reporting agencies, including
some small entities. The small entities
that would potentially be most affected
by these provisions include certain
small data brokers and data aggregators.
The provisions would also affect small
consumer reporting agencies that
specialize in providing consumer
reports for purposes such as
employment screening, tenant
screening, checking account screening,
and insurance, sometimes using
consumer information purchased from
the nationwide consumer reporting
298 See U.S. Small Bus. Admin., Table of Small
Business Size Standards (effective Mar. 17, 2023)
https://www.sba.gov/document/support-table-size-standards (last visited Oct. 15, 2024).
agencies.299 Entities that meet the
definition of consumer reporting agency
in FCRA section 603(f) would be subject
to several proposed provisions, such as
those intended to prevent targeted
marketing using consumer report
information.
Furthermore, the provisions that
could affect which entities are consumer
reporting agencies would affect entities
that furnish consumer information to
entities, including data brokers, that
would meet the definition of consumer
reporting agency in the proposed rule if
finalized. Such entities would acquire
new or additional FCRA obligations if
they provide consumer information to
such consumer reporting agencies.
Finally, the proposed rule would
affect users of consumer information.
Entities that currently obtain the four
data types from data brokers who
currently do not consider themselves
consumer reporting agencies would
generally only be able to access such
information for a permissible purpose
under the FCRA going forward if the
proposed rule is finalized. These users
might look to obtain consumers’ written
instructions or rely upon a ‘‘legitimate
business need’’ in order to establish a
permissible purpose to access consumer
reports. Proposals related to these
permissible purposes would clarify the
responsibilities of consumer reporting
agencies and may lead to changes in the
ways that users obtain consumer reports
when relying upon either the ‘‘written
instructions’’ or ‘‘legitimate business
need’’ permissible purposes.
The SBA size standards are based on
assets held, annual revenues, or number
of employees. For example, consumer
reporting agencies, which are primarily
contained in NAICS category ‘‘Credit
Bureaus’’ (561450), are considered small
if they receive less than $41 million in
annual revenues, ‘‘Credit Unions’’
(522130) are considered small if they
have less than $850M in assets and
‘‘Directory and Mailing List Publishers’’
(511140) are considered small if they
have fewer than 1,000 employees.300
Table 1 shows the estimated number
of small data brokers, including
consumer reporting agencies, within
NAICS categories that may be subject to
the proposed rule if finalized. Table 2
299 An overview of many of the types of consumer
reporting agencies is accessible at Consumer Fin.
Prot. Bureau, List of consumer reporting companies,
https://www.consumerfinance.gov/consumer-tools/
credit-reports-and-scores/consumer-reporting-companies/ (last visited Oct. 15, 2024). This list is
not intended to be all-inclusive and does not cover
every company in the industry.
300 The NAICS descriptions and codes used in
the 2017 Economic Census are used throughout this
part, rather than the NAICS descriptions and codes
used in the Table of Small Business Size Standards.
shows the estimated number of small
current furnishers. To estimate the
number of small entities in Tables 1 and
2, the CFPB used data from the
December 2023 NCUA and FFIEC Call
Report data, the 2017 Economic Census
data from the U.S. Census Bureau, the
California and Vermont data broker
registries, and the CFPB’s list of
consumer reporting agencies.301 The
CFPB also used the North American
Product Classification System (NAPCS)
codes in the 2017 Economic Census to
estimate the fraction of small entities
within each NAICS category that sell
products that are likely to be subject to
the proposed rule.
Entities that currently consider
themselves as meeting the definition of
consumer reporting agency in FCRA
section 603(f) are mostly contained in
the NAICS category ‘‘Credit Bureaus’’
(561450), while a very small number
may also be contained in the NAICS
category ‘‘Investigation Services’’
(561611). The proposed rule would also
clarify that some other entities meet the
definition of consumer reporting agency
in FCRA section 603(f). These entities
may be contained in a range of
additional NAICS categories, depending
on what they view their primary
activities to be.
The types of entities listed in Table 1
include entities that meet or would meet
the definition of consumer reporting
agency in FCRA section 603(f) under the
proposed rule. While a particular entity
can only be of one type (i.e., a particular
entity can be either an existing
consumer reporting agency or new
consumer reporting agency), an industry
NAICS code may contain both new and
existing consumer reporting agencies.
301 Because size standards are adjusted each year
in part for inflation, the entity counts based on
reported revenues in the 2017 Economic Census
represent a potential overestimate of the number
and fraction of small entities. Calculations for
NAICS 522110, 522130, and 522180 are based on
credit union and Call Report data from December
2023 using current SBA size standards. See Table
of Small Business Size Standards, supra note 298.
Calculations for all other NAICS codes are based on
revenue or employee size from the latest 2017
Economic Census data by the U.S. Census Bureau.
See U.S. Census Bureau, The Number of Firms and
Establishments, Employment, Annual Payroll, and
Receipts by Industry and Enterprise Receipts Size:
2017 (May 28, 2021), https://www2.census.gov/
programs-surveys/susb/tables/2017/us_6digitnaics_
rcptsize_2017.xlsx; U.S. Census Bureau, The
Number of Firms and Establishments, Employment,
Annual Payroll, and Receipts by State, Industry,
and Enterprise Employment Size: 2017 (May 28,
2021), https://www2.census.gov/programs-surveys/
susb/tables/2017/us_state_naics_detailedsizes_
2017.xlsx. Calculations based on NAPCS codes are
based on U.S. Census Bureau, 2017: ECN Core
Statistics Economic Census, https://
data.census.gov/table/ECNNAPCSPRD2017.
EC1700NAPCSPRDIND.
On the other hand, while entities that
furnish to or use consumer information
from entities that are or would be
consumer reporting agencies under the
proposed rule if finalized could be
affected by the proposed rule, these
entities are not easily delineated by
NAICS codes and are therefore not
listed in Table 1. Instead, entities that
may furnish consumer information to
consumer reporting agencies (whether at
baseline or as new furnishers after the
proposed rule is finalized) are listed in
Table 2. Similarly, because any entity
that has a permissible purpose to access
consumer reports is potentially a new or
current user under the FCRA, users may
be found in a broad array of industries.
Generally, entities listed in Table 2, and
entities that provide consumer
information to the entities listed in
Table 1 or procure information from the
entities listed in Table 1, could be
affected by the proposed rule.
Not all entities within each NAICS
category would be affected by the
proposed rule. It is possible that some
small entities in these NAICS categories
are already in compliance, in whole or
in part, with the proposed rule at
baseline. Alternatively, some small
entities may not engage in activities that
would be subject to the proposed rule if
finalized.
To provide an estimate of the number
of small entities that would likely be
affected by the proposed rule, the CFPB
identified an initial list of NAICS
categories that may contain affected
entities. The CFPB also compiled a list
of data brokers and other potentially
covered entities from three sources: the
California Data Broker Registry
(including ‘‘incomplete registrations’’),
the Vermont Data Broker Registry, and
the CFPB’s list of consumer reporting
agencies.302 The CFPB purchased from
the NAICS Association a list of NAICS
codes that likely apply to the firms in
the compiled data broker list. To
account for the possibility that not every
firm in each NAICS category would be
affected by the proposed rule, the CFPB
used NAPCS codes to estimate the
fraction of small establishments within
each NAICS category that sell products
that may be subject to the proposed rule
if finalized, whether as small data
brokers, or small entities that furnish or
otherwise provide consumer
information to data brokers.
302 See supra note 238.
303 These NAICS codes are highlighted with an
asterisk in Table 2.
NAPCS are codes used by
establishments to report what products
they sell. Because it is possible for an
entity (referred to as a ‘‘firm’’ in the
data) to have multiple establishments,
the CFPB only uses this approach to
calculate a fraction of likely affected
establishments and assumes that this
fraction would be comparable to the
fraction of likely affected entities or
firms. Moreover, for estimating the
number of furnishers or data providers,
this approach also assumes that there is
no correlation between firm size and the
likelihood that consumer information is
actually provided at baseline to data
brokers, including consumer reporting
agencies. Because companies with a
larger number of consumer accounts
likely have greater incentives to sell or
furnish consumer information, the CFPB
expects that this assumption would
cause the number of furnishers or data
providers to be overestimated.
To account for potential double-counting of establishments that report
multiple product codes, for each NAICS
code the CFPB takes the sum of the
number of establishments that report
selling a product (identified by the
NAPCS code) that are likely to be
subject to the proposed rule. The sum is
then divided by the total number of
establishments that report NAPCS codes
within that NAICS category. The
resulting fraction is then multiplied by
the total number of small entities in a
NAICS category to obtain an estimate of
the number of small entities likely
subject to the proposed rule if finalized.
For some NAICS categories, the CFPB
adapted the estimation approach to data
availability. For NAICS categories
‘‘Commercial Banking’’ (522110) and
‘‘Saving Institutions and Other
Depository Credit Intermediation’’
(522180), the estimate of the number of
small entities likely affected is assumed
to be the estimated number of small
entities from the previous column
because data on NAPCS codes was not
available.303 For NAICS categories
‘‘Lessors of Residential Buildings and
Dwellings’’ (531110), ‘‘Offices of Real
Estate Agents and Brokers’’ (531210)
and ‘‘Residential Property Managers’’
(531311), the CFPB relied on industry
findings and data from the 2021 Rental
Housing Finance Survey of the U.S.
Census Bureau to estimate the number
of current small furnishers or data
providers.304 Finally, as discussed
above, while a particular entity can only
be of one type, an industry may contain
multiple types of entities, making it
possible for the same NAICS code to
appear in both Tables 1 and 2.
Using this approach, the CFPB
estimates that 80,130 small entities,
including small data brokers and other
small consumer reporting agencies,
would be subject to the proposed rule if
finalized, as summarized in Table 1.
Because the CFPB does not have the
information to assess with certainty
which covered entity types are
contained within each NAICS code, the
CFPB is not able to provide a
breakdown of the estimated number of
affected small entities by covered entity
type. As summarized in Table 2, the
CFPB estimates that there are
potentially 34,448 small furnishers to
consumer reporting agencies. Because
the CFPB cannot verify whether these
small entities furnish pursuant to the
FCRA at baseline, the CFPB is unable to
provide a more precise estimate of the
number of small furnishers that would
be affected by the proposed rule or
delineate which NAICS codes may
contain current FCRA furnishers or data
providers that may acquire new
obligations as FCRA furnishers.
While the CFPB lacks the data to more
precisely quantify the number of small
entities that would be affected by the
proposed rule if finalized, comments
received during the SBREFA process
indicate that small entity
representatives expect many small
entities to be impacted by at least one
of the proposed provisions. The CFPB
requests information on small entities
that may be affected by the proposed
rule if finalized and information that
can be used to quantify potential
impacts.
304 The CFPB assumed that property managers of
single-unit dwellings do not report rental payment
information and referred to the TransUnion survey
of property managers for an estimate of the fraction
of multi-unit property managers that report rental
payment information. These NAICS codes are also
highlighted with a ‘‘+’’ in Table 2. See TransUnion,
More Property Managers Embrace Rent Payment
Reporting: Here’s Why, https://
www.transunion.com/content/dam/transunion/us/
business/collateral/sheet/rent_payment_reporting_
insight_guide.pdf (last visited Oct. 15, 2024); U.S.
Census Bureau, Rental Housing Finance Survey
(RHFS), https://www.census.gov/programs-surveys/
rhfs.html (last visited Oct. 15, 2024).
4. Projected Reporting, Recordkeeping,
and Other Compliance Requirements of
the Proposed Rule, Including an
Estimate of the Classes of Small Entities
Which Will Be Subject to the
Requirement and the Type of
Professional Skills Necessary for the
Preparation of the Report
The proposed rule may impose
reporting, recordkeeping, and other
compliance requirements on small
entities subject to the proposal. These
requirements generally differ for small
305 These NAICS codes correspond to the codes
used in the 2017 Economic Census.
306 Table of Small Business Size Standards, supra
note 298.
307 While under the proposed rule, newspaper
entities would not be considered consumer
reporting agencies based on activities that
constitute publishing news concerning local,
national, or international events or other matters of
public interest, some establishments under the
NAICS category ‘‘Newspaper Publishers’’ report the
NAPCS code for internet advertising.
308 These NAICS codes correspond to the codes
used in the 2017 Economic Census.
309 Table of Small Business Size Standards, supra
note 298.
entities in the following three classes:
(1) entities that meet or would meet (if
the proposals were finalized) the
definition of consumer reporting agency
in FCRA section 603(f), (2) entities that
furnish information to entities that
would meet (if the proposals were
finalized) the definition of consumer
reporting agency in FCRA section 603(f),
and (3) entities that use consumer
reports from entities that meet or would
meet (if the proposals were finalized)
the definition of consumer reporting
agency in FCRA section 603(f). Based on
Table 1, these requirements would be
imposed on an estimated 80,130 small
entities that are or would be consumer
reporting agencies under the proposed
rule if finalized, an unknown number of
users, and an unknown number of new
furnishers. Based on Table 2, there are
an estimated 34,448 small entities that
potentially furnish consumer
information to consumer reporting
agencies at baseline or after the
proposed rule is finalized. The CFPB
requests information that can be used to
estimate the number of small entities
that could become new FCRA furnishers
that are in NAICS categories not listed
in Table 2. For the reasons discussed
above, the CFPB views the estimates
presented in Tables 1 and 2 as potential
overestimates, as some small entities
within each NAICS category might not
be subject to the proposed rule.
Moreover, the costs associated with the
reporting, recordkeeping, and other
compliance requirements would depend
on whether affected entities currently
comply with the FCRA. The CFPB
requests information that can be used to
more precisely quantify the number of
small entities that would be affected by
the proposed rule.
Requirements for Consumer Reporting
Agencies
The CFPB expects that entities that
already consider themselves to meet the
definition of consumer reporting agency
in FCRA section 603(f) at baseline
already have FCRA-compliant systems,
processes, and policies and procedures.
Compliance with the proposed rule
would likely require some or all of these
systems, processes, and policies and
procedures to be updated, imposing a
one-time cost on small consumer
reporting agencies. For example,
proposed § 1022.4(d) regarding personal
identifiers would classify
communications by a consumer
reporting agency of personal identifiers
that were collected for the purpose of
preparing consumer reports as
consumer reports. Compliance could
require updates to consumer reporting
agencies’ systems. Further discussion of
these and other impacts to consumer
reporting agencies may be found in part
VI.E Provisions addressing what
constitutes a consumer report,
Provisions to reduce the use of
consumer report information for
marketing and advertising, and
Provisions clarifying the responsibilities
of consumer reporting agencies.
Compliance for affected small consumer
reporting agencies would generally
require professional skills related to
software development, legal expertise,
compliance, and customer support. The
CFPB does not have the data to estimate
the one-time and ongoing costs of
reporting, recordkeeping, dispute
resolution, and other compliance
requirements for small consumer
reporting agencies, and requests
information to quantify these costs.
The proposed rule, if finalized, would
cause some small entities, such as
certain data brokers, to be considered
consumer reporting agencies subject to
the FCRA and may clarify the
application of the statute to some data
aggregators and other entities. The CFPB
expects that many of these small entities
may not currently have FCRA-compliant
systems, processes, and policies and
procedures at baseline, and would need
to incur one-time costs to develop them,
as well as ongoing operational costs to
maintain them. Because such small
entities currently do not operate as
though they are subject to liability
under the FCRA, they would also incur
increased ongoing or operational costs
to manage dispute resolution and other
requirements of the FCRA. One small
entity representative stated that they
have already invested in FCRA-compliant infrastructure, which would
mitigate the additional costs that they
would incur if the proposed rule was
finalized.310 Compliance for small
entities that would be considered
consumer reporting agencies under the
proposed rule if finalized would
generally require professional skills
related to software development, legal
expertise, compliance, and customer
support. Small entities might need to
work with third parties for assistance
310 Small Business Review Panel Report, supra
note 40, at 42.
with building FCRA-compliant systems
or updating existing systems. The CFPB
requests information that can be used to
quantify impacts to small entities that
would be considered consumer
reporting agencies if the proposed rule
is finalized.
Requirements for Furnishers
Some small entities may acquire new
FCRA obligations as furnishers if the
entities they currently furnish consumer
information to are entities that would
become consumer reporting agencies
under the proposed rule if finalized.
Under sections 611 and 623 of the
FCRA, consumers have a right to
dispute incomplete or inaccurate
information on their consumer
reports.311 While consumers typically
initiate disputes with the relevant
consumer reporting agencies, the
consumer reporting agencies (and, if the
proposed rule is finalized, the entities
that would be considered consumer
reporting agencies) must forward
disputes to furnishers, who would then
have the obligation to investigate the
dispute and report the results of their
investigation back to the consumer
reporting agencies.312 Furnishers
generally must also investigate disputes
that consumers directly submit to
them.313 If, upon investigating,
furnishers determine that the disputed
consumer information was inaccurate,
furnishers are subject to obligations to
relay the corrected information to
consumer reporting agencies that
received the inaccurate information.314
Dispute resolution required by the
FCRA may therefore impose costs on
furnishers.
In addition, furnishers could incur
potentially significant costs associated
with accuracy obligations under FCRA
section 623(a) and Regulation V.315 To
comply with FCRA section 623(a) and
Regulation V, furnishers are required to
implement accuracy policies and
procedures and are not permitted to
furnish information to consumer
reporting agencies that do not satisfy
accuracy requirements. Further
discussion of these and other impacts
on new furnishers due to the provisions
clarifying which entities are consumer
reporting agencies may be found in part
VI.E, Provisions that could affect
consumer reporting agency coverage.
Compliance for affected small
furnishers would generally require
311 15 U.S.C. 1681i(a)(1)(A), 1681s–2.
312 15 U.S.C. 1681s–2(b).
313 See 15 U.S.C. 1681s–2(a)(8); 12 CFR 1022.43.
314 15 U.S.C. 1681s–2(b)(1)(D); 12 CFR
1022.43(e)(4).
315 See 15 U.S.C. 1681s–2(a); 12 CFR 1022.42.
professional skills related to software
development and compliance. For
example, a small entity that furnishes
consumer information to an entity that
would be considered a consumer
reporting agency under the CFPB’s
proposal to interpret ‘‘expected to be
used’’ (proposed § 1022.4(c)) would
then acquire new FCRA obligations as a
furnisher, if the proposed rule is
finalized. The furnisher would likely
need to possess detailed and organized
records in their databases in order to
conduct a reasonable investigation of
consumer disputes. Modifying their
systems and databases to meet these
requirements would require
professional skills related to software
development and compliance. Many
small entities might need to hire more
staff to assist with dispute resolution
and work with third parties for
assistance with systems updates. The
CFPB does not have the data to estimate
the one-time and ongoing costs of
reporting, recordkeeping, and other
compliance requirements for small
furnishers, and requests information to
quantify these costs.
Requirements for Users
Small entity users of consumer
reports from consumer reporting
agencies may need to update their
processes and procedures in order to
comply with the proposed rule. For
example, small entities that rely upon
the ‘‘written instructions’’ permissible
purpose to obtain consumer report
information would need to ensure that
consumers are presented with a
segregated consumer authorization
disclosure, which may be provided by
either the consumer reporting agency or
the user. The disclosure would also
need to identify the consumer reporting
agency from which the user intends to
pull the consumer’s consumer report
information and include the name of the
person for whom the consumer is
providing consent to obtain their
consumer report, as well as other
information that would be required to
be in the disclosure. Small entity users’
systems would also need to be updated
to ensure consumers’ written
instructions are reobtained after the
initial instructions lapse should
continued authorization be needed, and
to allow for consumers to revoke their
written instructions.
Some small users may be affected by
proposed provisions that would
increase the number of data brokers and
other entities that meet the definition of
consumer reporting agency under the
FCRA. Specifically, small entities that
currently obtain the four data types from
data brokers that would be considered
consumer reporting agencies under the
FCRA if the proposed rule is finalized
would no longer be able to obtain that
information without a permissible
purpose. Affected small entities that
plan to continue accessing consumer
information under the ‘‘written
instructions’’ permissible purpose
would need to develop the procedures
and processes detailed above.
Compliance for affected small users
would generally require professional
skills related to customer support,
software development, and compliance.
The CFPB does not have the data to
estimate the one-time and ongoing costs
of reporting, recordkeeping, and other
compliance requirements for small
users, and requests information to
quantify these costs.
5. Identification, to the Extent
Practicable, of All Relevant Federal
Rules Which May Duplicate, Overlap, or
Conflict With the Proposed Rule
The CFPB has identified the following
Federal statutes and regulations that
address consumer credit eligibility and
privacy issues as having provisions that
may duplicate, overlap, or conflict with
certain aspects of the proposed rule.
The GLBA and the CFPB’s
implementing regulation, Regulation P,
12 CFR part 1016, require financial
institutions subject to the CFPB’s
jurisdiction to provide their customers
with notices concerning their privacy
policies and practices, among other
things. They also place certain
limitations on the disclosure of
nonpublic personal information to
nonaffiliated third parties, and on the
redisclosure and reuse of such
information. Other parts of the GLBA, as
implemented by regulations and
guidelines of certain other Federal
agencies (e.g., the FTC’s Safeguards Rule
and the prudential regulators’
Safeguards Guidelines), set forth
standards for administrative, technical,
and physical safeguards with respect to
financial institutions’ customer
information.
During the SBREFA process, some
small entity representatives also stated
that the CFPB should consider the
potential implications of the proposals
under consideration for entities’
compliance with the Bank Secrecy Act
and the USA PATRIOT Act. A few small
entity representatives noted that the
CFPB should consider the intersection
between the proposals under
consideration and the CFPB’s PFDR
rulemaking.
The CFPB requests comment on
whether there are other Federal statutes
or regulations that may duplicate,
overlap, or conflict with the proposed
rule and on methods to minimize such
conflicts to the extent they might exist.
6. Description of Any Significant
Alternatives to the Proposed Rule
Which Accomplish the Stated
Objectives of Applicable Statutes and
Minimize Any Significant Economic
Impact of the Proposed Rule on Small
Entities
The CFPB is considering alternatives
to the proposed rule that would possibly
result in lower costs for small entities.
These include: (1) different compliance
timetables, and (2) clarifying
compliance requirements for small
entities. The CFPB has not identified
any legal or policy basis to exempt
certain or all small entities from
coverage of the rule, in whole or in part,
based on their small-entity status.
As discussed in part V, the CFPB is
considering alternative compliance
dates for the proposed rule, which may
mitigate the burden on all entities,
including small entities. For example,
the CFPB is considering whether a final
rule should take effect six months or
one year after publication in the Federal
Register. The CFPB requests comment
on whether this compliance timetable
would provide sufficient time for
entities, including small entities, to
comply with the provisions of the
proposed rule, as well as ways the CFPB
could facilitate implementation for
small entities, such as by providing for
a longer implementation period for
small entities and what that period
should be.
The CFPB is also considering
clarifying compliance requirements for
all entities, including small entities. In
part IX, the CFPB requests comment on
whether the provisions of the proposed
rule are sufficiently clear and whether
clarifying revisions or additional
examples are needed.
7. Discussion of Impact on Cost of
Credit for Small Entities
The CFPB expects that the proposal
may have a limited impact on the cost
of credit for small entities. One small
entity representative stated during the
SBREFA process that the proposed rule
may affect the cost and ease of accessing
credit for small entities. In particular,
the written instructions provision may
slow down the application process for
small business loans because creditors
lending to small businesses check the
personal credit of the small business
owner and may need to rely on the
small business owner’s written
authorization to do so.316 In theory, the
316 Small Business Review Panel Report, supra
note 40, at 43.
proposed rule could increase the cost of
credit for small businesses if the
compliance costs discussed above are
passed on to small businesses in the
form of higher prices on loans from
lenders. Small entity representatives did
not provide further comments on
potential impacts on cost of credit for
small entities. The CFPB requests
comment on this topic, and requests
data or evidence that can be used to
quantify the potential impact of the
proposed rule on the cost of credit to
small entities.
VIII. Paperwork Reduction Act
Under the Paperwork Reduction Act
of 1995 (PRA),317 Federal agencies are
required to seek approval from OMB for
data collection, disclosure, and
recordkeeping requirements
(collectively, information collection
requirements) prior to implementation.
Under the PRA, the CFPB may not
conduct or sponsor, and,
notwithstanding any other provision of
law, a person is not required to respond
to, an information collection unless the
information collection displays a valid
control number assigned by OMB. As
part of its continuing effort to reduce
paperwork and respondent burden, the
CFPB conducts a preclearance
consultation program to provide the
general public and Federal agencies
with an opportunity to comment on the
information collection requirements in
accordance with the PRA. This helps
ensure that the public understands the
CFPB’s requirements or instructions,
respondents can provide the requested
data in the desired format, reporting
burden (time and financial resources) is
minimized, information collection
instruments are clearly understood, and
the CFPB can properly assess the impact
of information collection requirements
on respondents.
This proposed rule would amend 12
CFR part 1022 (Regulation V). The
CFPB’s OMB control number for
Regulation V is 3170–0002, which
currently expires on October 31, 2025.
As described below, the proposed rule
would revise existing information
collections and create the following new
information collection requirements in
Regulation V.
The proposed rule would provide that
entities that sell information about a
consumer’s credit history, credit score,
debt payments, and income or financial
tier generally are consumer reporting
agencies selling consumer reports,
regardless of whether any specific
communication of such information is
used or expected to be used for FCRA
317 44 U.S.C. 3501 et seq.
purposes. If these provisions were
finalized, certain entities that today are
not consumer reporting agencies would
become consumer reporting agencies
and would need to comply with FCRA
requirements applicable to consumer
reporting agencies. Existing information
collection requirements would be
expanded to these newly covered
entities to the extent required to comply
with the FCRA.
The proposed rule also would specify
the conditions that would need to be
satisfied for an entity to establish a
‘‘written instructions’’ permissible
purpose to furnish or obtain a consumer
report, thereby creating several new
information collection requirements.
First, entities would be required to
provide consumers a disclosure
specifying:
• The name of the person to whom
the consumer is providing consent to
obtain the consumer report;
• The name of the consumer
reporting agency that will furnish the
consumer report;
• A brief description of the product or
service that the consumer is requesting,
or, when no product or service is
requested, the specific use the consumer
identified;
• Statements notifying the consumer
about limitations on the procurement,
use, and retention of their consumer
report; and
• A description of an easy to access
and operate method by which a
consumer may revoke their consent and
that the consumer will not incur any
costs or penalties to revoke their
consent.
The disclosure would need to be
clear, conspicuous, and segregated from
other material. After providing the
disclosure, entities would be required to
obtain the consumer’s express, informed
consent for their consumer report to be
furnished, and the consumer’s
signature, either in writing or
electronically, authorizing the consumer
reporting agency to furnish the report.
Currently, entities often obtain
consumers’ written instructions as part
of larger terms and conditions language,
and Regulation V does not currently
require entities to provide consumers
with specific disclosures or specify how
entities must obtain consumers’
consent.
Second, a written instructions
permissible purpose could be
established only with respect to one
consumer reporting agency per
disclosure, and only as reasonably
necessary to provide the product or
service the consumer has requested, or
for the use the consumer has specified.
Currently, consumer reporting agencies
and users often obtain consent to
furnish consumer reports to multiple
users or from multiple consumer
reporting agencies, respectively, in a
single authorization. Therefore, if the
proposal were finalized, the number of
disclosures that consumer reporting
agencies and consumer report users
would need to provide would increase.
Third, users would only be allowed to
continue accessing a consumer report
for up to one year after the date on
which the particular consumer consents
for the report to be furnished. After one
year, users would be required to
reobtain the consumer’s written consent
if they wished to continue obtaining the
consumer report. Currently, there is no
explicit duration limitation in
Regulation V governing consumers’
written instructions.
Fourth, consumers must be provided
a method by which to revoke consent
for their consumer report to be
furnished that is as easy to access and
operate as the method by which the
consumer provided consent to the
furnishing of their consumer report, and
consumers could not be charged any
costs or penalties to revoke their
consent. Currently, there are no explicit
requirements or prohibitions in
Regulation V related to revocation of
consumers’ consent.
There are estimated to be 81,922
additional respondents to the
information collections contained in
Regulation V (FCRA) as a result of the
new requirements that would be
imposed if this proposal were finalized.
There are estimated to be 37,296
existing respondents (furnishers and
consumer reporting agencies currently
subject to Regulation V) who would
have new obligations if this proposal
were finalized. The CFPB estimates that
there would be 7.1 million additional
annual burden hours stemming from
new information collections if the
proposal were finalized. The collections
of information contained in this
proposed rule, and identified as such,
have been submitted to OMB for review
under section 3507(d) of the PRA. A
complete description of the information
collection requirements (including the
burden estimate methods) is provided in
the supporting statement accompanying
the information collection request (ICR)
that the CFPB has submitted to OMB
under the requirements of the PRA.
Please send your comments to the Office
of Information and Regulatory Affairs,
OMB, Attention: Desk Officer for the
Bureau of Consumer Financial
Protection. Send these comments by
email to oira_submission@omb.eop.gov
or by fax to 202–395–6974. If you wish
to share your comments with the CFPB,
please send a copy of these comments
as described in the ADDRESSES section
above. The ICR submitted to OMB
requesting approval under the PRA for
the information collection requirements
contained herein is available at
www.regulations.gov as well as on
OMB’s public-facing docket at
www.reginfo.gov.
Title of Collection: Protecting
Americans from Harmful Data Broker
Practices (Regulation V).
OMB Control Number: 3170–0002.
Type of Review: Revision of a
currently approved collection.
Affected Public: Private sector.
Estimated Number of Respondents:
81,922.
Estimated Total Annual Burden
Hours: 7,127,600.
Comments are invited on:
1. Whether the collection of
information is necessary for the proper
performance of the functions of the
CFPB, including on whether the
information will have practical utility;
2. The accuracy of the CFPB’s
estimate of the burden of the collection
of information, including the validity of
the methods and the assumptions used;
3. Ways to enhance the quality,
utility, and clarity of the information to
be collected; and
4. Ways to minimize the burden of the
collection of information on
respondents, including through the use
of automated collection techniques or
other forms of information technology.
Comments submitted in response to
this notification will be included or
summarized in the request for OMB
approval. All comments will become a
matter of public record.
If applicable, the final rule will
inform the public of OMB’s approval of
the new information collection
requirements proposed herein and
adopted in the final rule. If OMB has not
approved the new information
collection requirements prior to
publication of the final rule in the
Federal Register, the CFPB will publish
a separate notification in the Federal
Register announcing OMB’s approval
prior to the effective date of the final
rule.
IX. Request for Comments
The CFPB requests comment on all
aspects of this proposed rule. In
addition to the requests regarding
specific topics in parts III through VIII,
the CFPB generally requests comment
on:
1. Whether each proposed provision
is sufficiently clear so that entities that
would be covered under a final rule
could comply, or whether clarifying
revisions are needed and, if so, what
they are;
2. Whether additional examples
regarding any of the proposed
provisions would be helpful and, if so,
what those examples should be;
3. Any anticipated drawbacks of any
of the proposed provisions, such as any
unintended negative consequences for
consumers or covered entities or
potential conflicts with other laws, and
any alternatives that would achieve the
goals of the proposed rule while
reducing or avoiding such consequences
or conflicts;
4. The anticipated benefits and costs
of each proposed provision to
consumers and to entities that would be
covered if the proposed rule were
adopted as proposed, and any
alternatives that would reduce costs;
and
5. With respect to questions 1 through
4, any considerations particular to small
entities that the CFPB should consider.
X. Severability
The CFPB preliminarily intends that,
if the proposed rule is finalized, and if
any provision of the final rule, or any
application of a provision, is stayed or
determined to be invalid, the remaining
provisions or applications are severable
and shall continue to be in effect.
List of Subjects in 12 CFR Part 1022
Banks, Banking, Consumer protection,
Credit unions, Holding companies,
National banks, Privacy, Reporting and
recordkeeping requirements, Savings
associations.
Authority and Issuance
For the reasons set forth in the
preamble, the CFPB proposes to amend
Regulation V, 12 CFR part 1022, as set
forth below:
PART 1022—FAIR CREDIT
REPORTING (REGULATION V)
■ 1. The authority citation for part 1022
continues to read as follows:
Authority: 12 U.S.C. 5512, 5581; 15 U.S.C.
1681a, 1681b, 1681c, 1681c–1, 1681c–3,
1681e, 1681g, 1681i, 1681j, 1681m, 1681s,
1681s–2, 1681s–3, and 1681t; Sec. 214, Pub.
L. 108–159, 117 Stat. 1952.
Subpart A—General Provisions
■ 2. Section 1022.1 is amended by
revising the section heading and adding
paragraph (b)(1) to read as follows:
§ 1022.1 Purpose, scope, model forms and
disclosures, and organization.
* * * * *
(b) * * *
(1) FCRA provisions implemented.
This part implements only certain
provisions of the FCRA. Other Federal
agencies’ regulations also implement
only certain provisions of the FCRA. See
12 CFR part 41 (Office of the
Comptroller of the Currency), 12 CFR
part 222 (Board of Governors of the
Federal Reserve System), 12 CFR part
334 (Federal Deposit Insurance
Corporation), 12 CFR part 717 (National
Credit Union Administration), and
subchapter F of chapter I of title 16
(Federal Trade Commission). Statutory
text contains additional requirements.
* * * * *
■ 3. Section 1022.3 is amended by
revising the section heading to read as
follows:
§ 1022.3 Definitions; in general.
* * * * *
■ 4. Sections 1022.4 and 1022.5 are
added to read as follows:
§ 1022.4 Definition; consumer report.
(a) In general. For purposes of this
part, unless explicitly stated otherwise,
the term consumer report means any
written, oral, or other communication of
any information by a consumer
reporting agency that:
(1) Bears on a consumer’s
creditworthiness, credit standing, credit
capacity, character, general reputation,
personal characteristics, or mode of
living; and
(2) Is used or expected to be used or
collected in whole or in part for the
purpose of serving as a factor in
establishing the consumer’s eligibility
for:
(i) Credit or insurance to be used
primarily for personal, family, or
household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized
under section 604 of the FCRA, 15
U.S.C. 1681b.
(b) Is used. Information in a
communication is used for a purpose
described in paragraph (a)(2) of this
section if a recipient of the information
uses it for such purpose.
(c) Is expected to be used. Information
in a communication is expected to be
used for a purpose described in
paragraph (a)(2) of this section if:
(1) The person making the
communication expects or should
expect that a recipient of the
information in the communication will
use the information for such a purpose;
or
(2) The information is about a
consumer’s:
(i) Credit history;
(ii) Credit score;
(iii) Debt payments; or
(iv) Income or financial tier.
(d) Personal identifier for a consumer.
(1) A communication by a consumer
reporting agency of a personal identifier
for a consumer that was collected by the
consumer reporting agency in whole or
in part for the purpose of preparing a
consumer report about the consumer is
a consumer report as defined in
paragraph (a) of this section, regardless
of whether the communication contains
any information other than the personal
identifier.
(2) For purposes of this paragraph (d),
a personal identifier for a consumer
means:
(i) The consumer’s:
(A) Current or former name or names,
including any aliases;
(B) Age or date of birth;
(C) Current or former address or
addresses;
(D) Current or former telephone
number or numbers;
(E) Current or former email address or
addresses; or
(F) Social Security number (SSN) or
Individual Taxpayer Identification
Number (ITIN); or
(ii) Any other personal identifier for
the consumer similar to those listed in
paragraph (d)(2)(i) of this section.
Alternative 1—Paragraph 4(e)
(e) De-identification of information.
De-identification of information is not
relevant to a determination of whether
the definition of consumer report in
paragraph (a) of this section is met.
Alternative 2—Paragraph 4(e)
(e) De-identification of information.
De-identification of information is not
relevant to a determination of whether
the definition of consumer report in
paragraph (a) of this section is met if the
information is still linked or linkable to
a consumer.
Alternative 3—Paragraph 4(e)
(e) De-identification of information.
(1) In general. De-identification of
information is not relevant to a
determination of whether the definition
of consumer report in paragraph (a) of
this section is met if:
(i) The information is still linked or
reasonably linkable to a consumer;
(ii) The information is used to inform
a business decision about a particular
consumer, such as a decision whether to
target marketing to that consumer; or
(iii) A person that directly or
indirectly receives the communication,
or any information from the
communication, identifies the consumer
to whom information from the
communication pertains.
(2) Examples. The following are
examples of information that is linked
or reasonably linkable to a consumer for
purposes of paragraph (e)(1)(i) of this
section:
(i) Information that identifies a
specific household;
(ii) Information that identifies a
specific ZIP+4 Code in which a
consumer resides; or
(iii) Information that includes a
persistent identifier (such as a cookie
identifier, an internet Protocol (IP)
address, a processor or device serial
number, or a unique device identifier)
that can be used to recognize the
consumer over time and across different
websites or online services.
(f) Exclusions. Except as provided in
paragraph (g) of this section, the term
consumer report does not include:
(1) Subject to section 624 of the
FCRA, 15 U.S.C. 1681s–3, any:
(i) Report containing information
solely as to transactions or experiences
between the consumer and the person
making the report;
(ii) Communication of information
described in paragraph (f)(1)(i) of this
section among persons related by
common ownership or affiliated by
corporate control; or
(iii) Communication of information
other than information described in
paragraph (f)(1)(i) of this section among
persons related by common ownership
or affiliated by corporate control, if:
(A) It is clearly and conspicuously
disclosed to the consumer that the
information may be communicated
among such persons; and
(B) The consumer is given the
opportunity, before the information is
initially communicated, to direct that
the information not be communicated
among such persons;
(2) Any authorization or approval of
a specific extension of credit directly or
indirectly by the issuer of a credit card
or similar device;
(3) In circumstances in which a third
party has requested that a person make
a specific extension of credit directly or
indirectly to a consumer, any report in
which such person conveys his or her
decision with respect to such request, if:
(i) The third party advises the
consumer of the name and address of
the person to whom the request was
made; and
(ii) Such person makes the disclosures
to the consumer required under section
615 of the FCRA, 15 U.S.C. 1681m; or
(4) A communication described in
section 603(o) or (y) of the FCRA, 15
U.S.C. 1681a(o) or (y).
(g) Restriction on sharing of medical
information. Except for information or
any communication of information
disclosed as provided in section
604(g)(3) of the FCRA, 15 U.S.C.
1681b(g)(3), the exclusions in paragraph
(f) of this section do not apply with
respect to information disclosed to any
person related by common ownership or
affiliated by corporate control, if the
information is:
(1) Medical information, as that term
is defined in § 1022.3(k);
(2) An individualized list or
description based on the payment
transactions of the consumer for
medical products or services; or
(3) An aggregate list of identified
consumers based on payment
transactions for medical products or
services.
§ 1022.5 Definition; consumer reporting agency.
(a) In general. For purposes of this
part, unless explicitly stated otherwise,
the term consumer reporting agency
means any person that:
(1) For monetary fees, dues, or on a
cooperative nonprofit basis, regularly
engages in whole or in part in the
practice of assembling or evaluating
consumer credit information or other
information about consumers for the
purpose of furnishing consumer reports
to third parties; and
(2) Uses any means or facility of
interstate commerce for the purpose of
preparing or furnishing consumer
reports.
(b) Assembling or evaluating. (1) In
general. For purposes of paragraph (a)(1)
of this section, a person assembles or
evaluates consumer credit information
or other information about consumers if
the person:
(i) Collects, brings together, gathers, or
retains such information;
(ii) Appraises, assesses, makes a
judgment regarding, determines or fixes
the value of, verifies, or validates such
information; or
(iii) Contributes to or alters the
content of such information.
(2) Examples. A person assembles or
evaluates consumer credit information
or other information about consumers
for purposes of paragraph (a)(1) of this
section if, for example, the person:
(i) Collects such information from a
consumer’s bank account and assesses
it, such as by grouping or categorizing
it based on transaction type;
(ii) Alters the content of information
the person has received about a
consumer, such as by modifying the
year date fields to all reflect four, rather
than two, digits to ensure consistency;
(iii) Determines the value of such
information, such as when a company
that hosts an online database regarding
consumers’ criminal histories arranges
or orders search results in order of
perceived relevance to users, or
provides scores, color coding, or other
indicia of weight or import to users;
(iv) Retains information about
consumers, such as by retaining data
files containing consumers’ payment
histories in a database or electronic file
system; or
(v) Verifies or validates information
the person has received about a
consumer, such as by checking whether
a consumer’s date of birth received from
a third-party data provider matches the
consumer’s date of birth as listed in an
external database or is properly
formatted regardless of whether the
person takes any action to correct any
errors found.
■ 5. Subpart B is added to read as
follows:
Subpart B—Permissible Purposes of
Consumer Reports
Sec.
1022.10 Permissible purposes of consumer
reports; in general.
1022.11 Permissible purpose based on a
consumer’s written instructions.
1022.12 Permissible purposes based on a
consumer reporting agency’s reasonable
belief about a person’s intended use.
1022.13 Permissible purposes based on
certain agency or other official requests.
Subpart B—Permissible Purposes of
Consumer Reports
§ 1022.10 Permissible purposes of
consumer reports; in general.
(a) In general. Subject to section
604(c) of the FCRA, 15 U.S.C. 1681b(c),
any consumer reporting agency may
furnish a consumer report under the
circumstances described in §§ 1022.11
through 1022.13 and no other.
(b) Furnish a consumer report. For
purposes of paragraph (a) of this section,
a consumer reporting agency furnishes a
consumer report if the consumer
reporting agency:
(1) Provides the consumer report to a
person; or
(2) Facilitates a person’s use of the
consumer report for that person’s
financial gain.
§ 1022.11 Permissible purpose based on a
consumer’s written instructions.
(a) In general. A consumer reporting
agency may furnish a consumer report
in accordance with the written
instructions of the consumer to whom
the report relates.
(b) Conditions for permissible purpose
based on consumer’s written
instructions. A consumer reporting
agency furnishes a consumer report in
accordance with the written instructions
of the consumer only if the conditions
in this paragraph (b) are satisfied.
(1) Consumer disclosure and consent.
(i) The consumer reporting agency or
the person to whom the consumer
reporting agency will furnish the
consumer report:
(A) Provides the consumer, either in
writing or electronically, a disclosure
that satisfies the requirements of
paragraph (c) of this section;
(B) Obtains the consumer’s express,
informed consent to the furnishing of a
consumer report in accordance with the
limitation described in paragraph (b)(2)
of this section; and
(C) Obtains the consumer’s signature,
either in writing or electronically,
authorizing the consumer reporting
agency to furnish the consumer report.
(ii) The consumer has not revoked
consent to such furnishing.
(2) Limitation on furnishing. The
consumer reporting agency furnishes
the consumer report to a person only in
connection with the person’s provision
to the consumer of a specific product or
service the consumer has requested, or,
if the consumer has not requested a
product or service, in connection with
a specific use the consumer has
identified.
(3) Procurement, use, and retention.
The person to whom the consumer
reporting agency furnishes the
consumer report:
(i) Procures, uses, or retains the
consumer report, or provides the report
to a third party, only as reasonably
necessary to provide the product or
service the consumer has requested or,
if the consumer has not requested a
product or service, for the specific use
the consumer has identified;
(ii) Procures the consumer report no
more than one year after the date on
which the consumer consents to the
furnishing of the report as described in
paragraph (b)(1)(i)(B) of this section; and
(iii) Provides the consumer report to
a third party only if the third party
agrees by contract to comply with the
limitations described in this paragraph
(b)(3).
(4) Revocation of consent. (i) The
consumer reporting agency or the
person to whom the consumer reporting
agency will furnish the consumer report
provides the consumer a method by
which to revoke consent for their report
to be furnished that is as easy to access
and operate as the method by which the
consumer provided consent for their
report to be furnished.
(ii) No person charges the consumer
any costs or penalties to revoke their
consent.
(c) Disclosure format and content. The
disclosure required by paragraph (b)(1)
of this section must be clear,
conspicuous, and segregated from other
material and must include:
(1) The name of the person for whom
the consumer is providing consent to
obtain their consumer report, which
name must be readily understandable to
the consumer;
(2) The name of the consumer
reporting agency that will furnish the
consumer report to the person identified
in paragraph (c)(1) of this section, which
name must be readily understandable to
the consumer;
(3) A brief description of the specific
product or service that the consumer is
requesting from the person identified in
paragraph (c)(1) of this section and in
connection with which that person will
use the consumer report, or, if the
consumer is not requesting a product or
service, the specific use for which the
report will be furnished;
(4) Statements notifying the consumer
of the procurement, use, and retention
limitations described in paragraph (b)(3)
of this section, and a statement that the
person identified in paragraph (c)(1) of
this section, and any third party to
whom the consumer report is provided,
will comply, or will be required to
comply, with those limitations; and
(5) A description of the method by
which the consumer may revoke
consent for their consumer report to be
furnished that is as easy to access and
operate as the method by which the
consumer provided consent for their
report to be furnished, and a statement
that the consumer will not incur any
costs or penalties to revoke their
consent.
(d) Reasonably necessary; examples.
For purposes of paragraph (b)(3)(i) of
this section, examples of uses of
consumer reports that are not part of, or
reasonably necessary to provide, any
other product or service include:
(1) Targeted advertising;
(2) Cross-selling of other products or
services; and
(3) The sale of information in the
consumer report.
§ 1022.12 Permissible purposes based on
a consumer reporting agency’s reasonable
belief about a person’s intended use.
(a) In general. A consumer reporting
agency may furnish a consumer report
to a person that the consumer reporting
agency has reason to believe intends to
use the information as follows:
(1) Credit transaction involving a
consumer. In connection with a credit
transaction involving the consumer on
whom the information is to be furnished
and involving the extension of credit to,
or review or collection of an account of,
that consumer.
(2) Employment purposes. For
employment purposes.
(3) Insurance underwriting. In
connection with the underwriting of
insurance involving the consumer.
(4) Eligibility for governmental license
or other benefit. In connection with a
determination of the consumer’s
eligibility for a license or other benefit
granted by a governmental
instrumentality required by law to
consider an applicant’s financial
responsibility or status.
(5) Assessment of an existing credit
obligation. As a potential investor or
servicer, or current insurer, in
connection with a valuation of, or an
assessment of the credit or prepayment
risks associated with, an existing credit
obligation.
(b) Legitimate business need. (1) In
general. In addition to furnishing a
consumer report to a person for any
purpose described in paragraph (a) of
this section, a consumer reporting
agency may furnish a consumer report
to a person that the consumer reporting
agency has reason to believe otherwise
has a legitimate business need for the
information:
(i) In connection with a business
transaction that is initiated by the
consumer; or
(ii) To review an account to determine
whether the consumer continues to
meet the terms of the account.
(2) Initiated by the consumer. (i) In
general. Paragraph (b)(1)(i) of this
section authorizes a consumer reporting
agency to furnish a consumer report to
a person only if the consumer reporting
agency has reason to believe that the
consumer has initiated a business
transaction.
(ii) Examples. (A) Business
transactions initiated by a consumer. A
consumer initiates a business
transaction for purposes of paragraph
(b)(1)(i) of this section if, for example,
the consumer:
(1) Applies to rent an apartment;
(2) Applies to open a brokerage
account or checking account; or
(3) Offers to pay for merchandise by
personal check.
(B) Interactions that are not business
transactions initiated by a consumer. A
consumer does not initiate a business
transaction for purposes of paragraph
(b)(1)(i) of this section by, for example,
asking about the availability or pricing
of products or services.
(3) Solicitation or marketing. (i) In
general. Paragraphs (b)(1)(i) and (ii) of
this section do not authorize a consumer
reporting agency to furnish a consumer
report to a person if the consumer
reporting agency has reason to believe
the person is seeking information from
the report to solicit the consumer for a
transaction the consumer did not
initiate or to otherwise market products
or services to the consumer. For
requirements related to furnishing
consumer reports in connection with
prescreened offers for credit or
insurance transactions that are not
initiated by a consumer, see section
604(c) of the FCRA, 15 U.S.C. 1681b(c).
(ii) Example; account review. Assume
a consumer has a checking account with
a bank. Paragraph (b)(1)(ii) of this
section authorizes a consumer reporting
agency to furnish a consumer report to
the bank if the consumer reporting
agency has reason to believe the bank
needs the report to determine, as part of
an account review, whether to modify
the terms of the consumer’s existing
checking account based on whether
there are credible and meaningful
indicia that the consumer used the
account to defraud others. However,
paragraph (b)(1)(ii) of this section does
not authorize the consumer reporting
agency to furnish a consumer report to
the bank if the consumer reporting
agency has reason to believe the bank is
seeking the information from the report
to market other products or services to
the consumer.
§ 1022.13 Permissible purposes based on
certain agency or other official requests.
(a) In general. A consumer reporting
agency may furnish a consumer report
as follows:
(1) Court order or subpoena. In
response to:
(i) The order of a court having
jurisdiction to issue such an order;
(ii) A subpoena issued in connection
with proceedings before a Federal grand
jury; or
(iii) A subpoena issued in accordance
with 31 U.S.C. 5318 or 18 U.S.C. 3486.
(2) Request by child support
enforcement agency. In response to a
request by the head of a State or local
child support enforcement agency (or a
State or local government official
authorized by the head of such an
agency), if the person making the
request certifies to the consumer
reporting agency that:
(i) The consumer report is needed for
the purpose of establishing an
individual’s capacity to make child
support payments, determining the
appropriate level of such payments, or
enforcing a child support order, award,
agreement, or judgment;
(ii) The parentage of the consumer for
the child to which the obligation relates
has been established or acknowledged
by the consumer in accordance with
State laws under which the obligation
arises (if required by those laws); and
(iii) The consumer report will be kept
confidential, will be used solely for a
purpose described in paragraph (a)(2)(i)
of this section, and will not be used in
connection with any other civil,
administrative, or criminal proceeding,
or for any other purpose.
(3) Request related to State plans for
child support. To an agency
administering a State plan under 42
U.S.C. 654 for use to set an initial or
modified child support award.
(4) Request related to insured
depository institutions or insured credit
unions. To the Federal Deposit
Insurance Corporation or the National
Credit Union Administration:
(i) As part of its preparation for its
appointment as, or as part of its exercise
of powers as, conservator, receiver, or
liquidating agent for an insured
depository institution or insured credit
union under the Federal Deposit
Insurance Act, 12 U.S.C. 1811 et seq.,
the Federal Credit Union Act, 12 U.S.C.
1751 et seq., or other applicable Federal
or State law; or
(ii) In connection with the resolution
or liquidation of a failed or failing
insured depository institution or
insured credit union, as applicable.
(5) Request related to government-sponsored, individually billed travel
charge cards. To executive departments
and agencies in connection with the
issuance of government-sponsored,
individually billed travel charge cards.
(b) [Reserved]
Subpart C—Affiliate Marketing
■ 6. In § 1022.20, introductory text of
paragraph (b) is republished and
paragraph (b)(3) is revised to read as
follows:
§ 1022.20 Coverage and definitions.
* * * * *
(b) Definitions. For purposes of this
subpart:
* * * * *
(3) Eligibility information. The term
‘‘eligibility information’’ means any
information the communication of
which would be a consumer report if
the exclusions from the definition of
consumer report in § 1022.4(f)(1) did not
apply. Eligibility information does not
include aggregate or blind data that does
not contain personal identifiers such as
account numbers, names, or addresses.
* * * * *
Subpart D—Medical Information
■ 7. Section 1022.32 is amended by
revising paragraphs (b) and (c) to read
as follows:
§ 1022.32 Sharing medical information
with affiliates.
* * * * *
(b) In general. The exclusions from
the term consumer report in § 1022.4(f)
that allow the sharing of information
with affiliates do not apply to a person
described in paragraph (a) of this
section if that person communicates to
an affiliate:
(1) Medical information;
(2) An individualized list or
description based on the payment
transactions of the consumer for
medical products or services; or
(3) An aggregate list of identified
consumers based on payment
transactions for medical products or
services.
(c) Exceptions. A person described in
paragraph (a) of this section may rely on
the exclusions from the term consumer
report in § 1022.4(f) to communicate the
information in paragraph (b) of this
section to an affiliate:
(1) In connection with the business of
insurance or annuities (including the
activities described in section 18B of the
model Privacy of Consumer Financial
and Health Information Regulation
issued by the National Association of
Insurance Commissioners, as in effect
on January 1, 2003);
(2) For any purpose permitted without
authorization under the regulations
promulgated by the Department of
Health and Human Services pursuant to
the Health Insurance Portability and
Accountability Act of 1996 (HIPAA);
(3) For any purpose referred to in
section 1179 of HIPAA;
(4) For any purpose described in
section 502(e) of the Gramm-Leach-Bliley Act;
(5) In connection with a
determination of the consumer’s
eligibility, or continued eligibility, for
credit consistent with § 1022.30; or
(6) As otherwise permitted by order of
the Bureau.
Subpart E—Duties of Furnishers of
Information
■ 8. In § 1022.41, introductory text is
republished and paragraph (c) is revised
to read as follows:
§ 1022.41 Definitions.
For purposes of this subpart and
appendix E of this part, the following
definitions apply:
* * * * *
(c) Furnisher means an entity that
furnishes information relating to
consumers to one or more consumer
reporting agencies for inclusion in a
consumer report. An entity is not a
furnisher when it:
(1) Provides information to a
consumer reporting agency solely to
obtain a consumer report in accordance
with §§ 1022.10 through 1022.13 and
section 604(f) of the FCRA;
(2) Is acting as a consumer reporting
agency as defined in § 1022.5;
(3) Is a consumer to whom the
furnished information pertains; or
(4) Is a neighbor, friend, or associate
of the consumer, or another individual
with whom the consumer is acquainted
or who may have knowledge about the
consumer, and who provides
information about the consumer’s
character, general reputation, personal
characteristics, or mode of living in
response to a specific request from a
consumer reporting agency.
* * * * *
Subpart H—Duties of Users Regarding
Risk-Based Pricing
9. Section 1022.71 is amended by
revising paragraphs (f) and (g) to read as
follows:
§ 1022.71 Definitions.
* * * * *
(f) Consumer report has the same
meaning as in § 1022.4.
(g) Consumer reporting agency has the
same meaning as in § 1022.5.
* * * * *
Subpart N—Duties of Consumer
Reporting Agencies Regarding
Disclosures to Consumers
10. In § 1022.130, introductory text is
republished and paragraphs (c) and (d)
are revised to read as follows:
§ 1022.130 Definitions.
For purposes of this subpart, the
following definitions apply:
* * * * *
(c) Consumer report has the meaning
provided in § 1022.4.
(d) Consumer reporting agency has
the meaning provided in § 1022.5.
* * * * *
Subpart O—Miscellaneous Duties of
Consumer Reporting Agencies
11. Section 1022.142 is amended by
revising paragraphs (a) and (b)(2) and (3)
to read as follows:
§ 1022.142 Prohibition on inclusion of adverse information in consumer
reporting in cases of human trafficking.
(a) Scope. This section applies to any
consumer reporting agency as defined in
§ 1022.5.
(b) * * *
(2) Consumer report has the meaning
provided in § 1022.4.
(3) Consumer reporting agency has the
meaning provided in § 1022.5.
* * * * *
Rohit Chopra,
Director, Consumer Financial Protection
Bureau.
[FR Doc. 2024–28690 Filed 12–12–24; 8:45 am]
BILLING CODE 4810–AM–P
[Federal Register Volume 89, Number 240 (Friday, December 13, 2024)]
[Proposed Rules]
[Pages 101402-101462]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-28690]
[[Page 101401]]
Vol. 89, No. 240
Friday, December 13, 2024
Part VII
Consumer Financial Protection Bureau
-----------------------------------------------------------------------
12 CFR Part 1022
Protecting Americans From Harmful Data Broker Practices (Regulation V);
Proposed Rule
[[Page 101402]]
-----------------------------------------------------------------------
CONSUMER FINANCIAL PROTECTION BUREAU
12 CFR Part 1022
[Docket No. CFPB-2024-0044]
RIN 3170-AB27
Protecting Americans From Harmful Data Broker Practices
(Regulation V)
AGENCY: Consumer Financial Protection Bureau.
ACTION: Proposed rule; request for public comment.
-----------------------------------------------------------------------
SUMMARY: The Consumer Financial Protection Bureau (CFPB) is issuing a
proposed rule for public comment to amend Regulation V, which
implements the Fair Credit Reporting Act (FCRA). The proposed rule
would implement the FCRA's definitions of consumer report and consumer
reporting agency as well as certain of the FCRA's provisions governing
when consumer reporting agencies may furnish, and users may obtain,
consumer reports. The proposed rule is designed to, among other things,
ensure that the FCRA's protections are applied to sensitive consumer
information that the statute was enacted to protect, including
information sold by data brokers.
DATES: Comments must be received on or before March 3, 2025.
ADDRESSES: You may submit comments, identified by Docket No. CFPB-2024-
0044 or RIN 3170-AB27, by any of the following methods:
• Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments. A brief summary of
this document will be available at https://www.regulations.gov/docket/CFPB-2024-0044.
• Email: 2024-NPRM-CONSUMERREPORTING@cfpb.gov. Include
Docket No. CFPB-2024-0044 or RIN 3170-AB27 in the subject line of the
message.
• Mail/Hand Delivery/Courier: Comment Intake--Protecting
Americans from Harmful Data Broker Practices (Regulation V), c/o Legal
Division Docket Manager, Consumer Financial Protection Bureau, 1700 G
Street NW, Washington, DC 20552.
Instructions: The CFPB encourages the early submission of comments.
All submissions should include the agency name and docket number or
Regulatory Information Number (RIN) for this rulemaking. Because paper
mail is subject to delay, commenters are encouraged to submit comments
electronically. In general, all comments received will be posted
without change to https://www.regulations.gov.
All submissions, including attachments and other supporting
materials, will become part of the public record and subject to public
disclosure. Proprietary information or sensitive personal information,
such as account numbers or Social Security numbers, or names of other
individuals, should not be included. Submissions will not be edited to
remove any identifying or contact information.
FOR FURTHER INFORMATION CONTACT: George Karithanom, Regulatory
Implementation and Guidance Program Analyst, Office of Regulations, at
202-435-7700 or https://reginquiries.consumerfinance.gov/. If you
require this document in an alternative electronic format, please
contact [email protected].
SUPPLEMENTARY INFORMATION: Data brokers, including consumer reporting
agencies, collect information about, among other things, the credit,
criminal, employment, and rental histories of hundreds of millions of
Americans. They analyze and package this information into reports used
by creditors, insurers, landlords, employers, and others to make
decisions about consumers. This collection, assembly, evaluation,
dissemination, and use of vast quantities of often highly sensitive
personal and financial data about consumers poses a significant threat
to consumer privacy. It can also threaten national security and
facilitate numerous tangible consumer harms, such as financial scams
and the identification of victims for stalking and harassment.
Congress enacted the Fair Credit Reporting Act (FCRA) \1\ in part
to protect consumer privacy by regulating the communication of consumer
information by consumer reporting agencies. The statute subjects such
communications, which are referred to as consumer reports, to certain
requirements and limitations, and it affords certain protections to
consumers. For example, the FCRA imposes clear bright-line rules
permitting people to obtain consumer reports from consumer reporting
agencies only for certain specified purposes, known as permissible
purposes, and forbidding consumer reporting agencies from furnishing
consumer reports to users who lack a permissible purpose. In addition,
consumers have various rights under the FCRA, such as the right to
dispute the accuracy of information in their file and to be notified
when, for example, a creditor, landlord, or employer relies on consumer
report information to make a negative decision about the consumer's
application for credit, housing, or employment.
---------------------------------------------------------------------------
\1\ 15 U.S.C. 1681 et seq.
---------------------------------------------------------------------------
In recent years, the consumer reporting marketplace has evolved in
ways that imperil Americans' privacy. There is an emerging consensus
that intrusive surveillance and aggregation of sensitive data about
consumers can create conditions for harming national security by
exposing information that could be exploited by countries of
concern.\2\ Stalkers and domestic abusers can also obtain sensitive
contact information from data brokers to contact or locate people who
do not wish to be contacted or located, such as domestic violence
survivors. In addition, vast troves of sensitive data, including, for
example, individualized data about a consumer's finances, are bought
and sold, without consumers' knowledge or consent, by data brokers who
believe that the FCRA does not apply to them or to some of their
activities. This data can be leveraged to scam or defraud people. Data
brokers evading coverage under the FCRA include traditional consumer
reporting agencies and recent market entrants using new business models
and technologies to collect and analyze consumer information on an
unprecedented scale. The CFPB is proposing this rule to address when a
data broker is covered by the FCRA, and to protect Americans from the
harms and invasions of privacy created by certain data broker
activities that violate the FCRA.
---------------------------------------------------------------------------
\2\ See, e.g., E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024);
Justin Sherman et al., Data Brokers and the Sale of Data on U.S.
Military Personnel: Risks to Privacy, Safety, and National Security
(Nov. 2023) (hereinafter Duke Report on Data Brokers and Military
Personnel Data), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/11/Sherman-et-al-2023-Data-Brokers-and-the-Sale-of-Data-on-US-Military-Personnel.pdf.
---------------------------------------------------------------------------
I. Summary of the Proposed Rule
The CFPB proposes to implement the FCRA's definitions of consumer
report and consumer reporting agency in several respects to ensure that
the FCRA's protections apply to all data brokers that transmit the
types of consumer information that Congress designed the statute to
protect, and to the types of activities that Congress designed the
statute to regulate. For example, the proposed rule:
• Provides that data brokers that sell information about a
consumer's credit history, credit score, debt payments (including on
non-credit obligations), or income or financial tier generally are
consumer reporting agencies selling consumer reports, regardless of the
[[Page 101403]]
purpose for which any specific communication of such information is
used or expected to be used;
• Provides that a communication by a consumer reporting
agency of a portion of the consumer report that consists of personal
identifiers such as the consumer's name, address, or age, is a consumer
report if the information was collected for the purpose of preparing a
consumer report about the consumer;
• Includes provisions intended to prevent privacy harms
associated with the re-identification of de-identified consumer report
information;
• Provides that a communication by a consumer reporting
agency of information about a consumer is a consumer report if the
information is used for an FCRA-covered purpose, regardless of whether
there is evidence that the consumer reporting agency knew or expected
that the information would be used for such a purpose;
• Provides that an entity that otherwise meets the
definition of consumer reporting agency is a consumer reporting agency
if it assembles or evaluates information about consumers, including by
collecting, gathering, or retaining; assessing, verifying, or
validating; or contributing to or altering the content of such
information.
The CFPB also proposes to address certain aspects of FCRA section
604(a) regarding permissible purposes to furnish and obtain consumer
reports. These proposals are designed to ensure that consumer reports
are furnished for permissible purposes under the FCRA, and for no other
reasons. For example, the proposed rule:
• Provides that a consumer reporting agency furnishes a
consumer report to a person when the consumer reporting agency
facilitates the person's use of the consumer report for the person's
financial gain, even if the consumer reporting agency does not
technically transfer the consumer report to the person;
• Provides that the FCRA provision that authorizes a
consumer reporting agency to furnish a consumer report in accordance
with the written instructions of the consumer can be used to obtain a
consumer report for any reason specified by a consumer, but only if the
consumer signs a separate authorization that is not hidden in fine
print and that discloses certain information to the consumer, including
the reason for obtaining the report; and
• Provides that the FCRA's permissible purpose relating to
legitimate business needs for consumer reports does not authorize
furnishing of consumer reports for marketing.
The proposal would not interfere with consumer reporting agencies'
ability to furnish consumer reports to either prevent fraud or verify
the identity of a consumer when done in connection with a permissible
purpose, like credit applications, government benefits, bank account
opening, and rental applications, and in compliance with the FCRA's
other requirements.
II. Background
A. History and Purposes of the FCRA
Congress enacted the FCRA, one of the first data privacy laws in
the world, in 1970. The FCRA's enactment was the culmination of
multiple Congressional investigations into the growing data
surveillance industry.\3\ By the late 1960s, the industry was already
of ``vast size and scope.'' \4\ It involved: (1) the collection by
private entities, known as consumer reporting agencies, of information
about tens of millions of American consumers, including information
about ``their employment, income, billpaying record, marital status,
habits, character and morals''; \5\ (2) the assembly and evaluation of
this information by consumer reporting agencies in order to create
elaborate dossiers about individual consumers; and (3) the sale of
those dossiers to a range of entities, including to potential creditors
and employers, who used them to make eligibility determinations about
consumers.\6\
---------------------------------------------------------------------------
\3\ See generally Robert M. McNamara Jr., The Fair Credit
Reporting Act: A Legislative Overview, 22 J. Public Law 67, 77-88
(1973) (hereinafter Fair Credit Reporting Act: A Legislative
Overview).
\4\ 115 Cong. Rec. S2410 (daily ed. Jan. 31, 1969) (statement of
Sen. William Proxmire) (``For example, the Associated Credit Bureaus
of America have over 2,200 members serving 400,000 creditors in
36,000 communities. These credit bureaus maintain credit files on
more than 110 million individuals and in 1967 they issued over 97
million credit reports.'').
\5\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement of
Sen. William Proxmire).
\6\ See generally 115 Cong. Rec. S2410-11 (daily ed. Jan. 31,
1969) (statement of Sen. William Proxmire).
---------------------------------------------------------------------------
Before the FCRA's passage, the consumer reporting industry was
subject to ``an almost complete lack of regulation,'' \7\ leaving
consumers largely powerless to protect themselves from a wide range of
serious harms.\8\ Congressional hearings revealed an industry shrouded
in secrecy. Many consumer reporting agencies prohibited consumer report
users from disclosing to consumers that information in a consumer
report was the reason for an adverse decision, such as the denial of
credit, or the name of the consumer reporting agency that prepared the
report on which the user relied.\9\ According to one contemporary
commentator, ``[w]hether the consumer ever discovered the cause of his
being rejected was largely a matter of an educated guess or
clairvoyance bordering on blind luck.'' \10\ But even if a consumer
knew the reason for an adverse decision and the name of the consumer
reporting agency, this often was not enough: consumers were not always
permitted to access their files or dispute inaccurate information.\11\
And even if a consumer overcame these obstacles and managed to file a
dispute, the investigations conducted by consumer reporting agencies
were often standardless and shoddy, in part because many consumer
reporting agencies deemed investigations too costly to conduct.\12\
---------------------------------------------------------------------------
\7\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969).
\8\ See generally Fair Credit Reporting Act: A Legislative
Overview, supra note 3, at 77-88; S. Rep. No. 517, 91st Cong., 1st
Sess. 3-4 (1969); 115 Cong. Rec. S2410-14 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
\9\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong.
Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\10\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 79.
\11\ S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969); 115 Cong.
Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\12\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 81-82; S. Rep. No. 517, 91st Cong., 1st Sess. 3 (1969);
115 Cong. Rec. S2412 (daily ed. Jan. 31, 1969) (statement of Sen.
William Proxmire).
---------------------------------------------------------------------------
Congressional hearings further revealed that many consumer
reporting agencies at that time exhibited only a marginal commitment to
accuracy. Consumer reports sometimes included information that was
false or incomplete or that pertained to the wrong consumer
altogether.\13\ Indeed, consumer reporting agencies often disclaimed
the accuracy of their reports, portraying themselves as mere
transmitters of information without responsibility for ensuring that
the information was correct.\14\ Because consumers generally were
unable to see the information for themselves and have it corrected, the
harms that flowed from the communication of inaccurate, incomplete,
irrelevant, and outdated information could be intractable.
---------------------------------------------------------------------------
\13\ 115 Cong. Rec. S2411-12 (daily ed. Jan. 31, 1969)
(statement of Sen. William Proxmire).
\14\ Fair Credit Reporting Act: A Legislative Overview, supra
note 3, at 80.
---------------------------------------------------------------------------
Congressional hearings also revealed that the consumer reporting
industry posed significant privacy risks to consumers, and the
legislative history suggests that Congress was concerned about the
invasion of consumer privacy generally, as well as the specific harms
[[Page 101404]]
that flow from such invasions.\15\ Consumer reporting agencies
possessed huge quantities of sensitive information about tens of
millions of Americans, but there were no ``public standards to [e]nsure
that the information [was] kept confidential and used only for its
intended purpose''--a fact that the primary sponsor of the FCRA,
Senator William Proxmire, described as ``disturbing.'' \16\ As a
result, it was relatively easy for one person to obtain confidential
information about another person. In one example, a reporter was able
to obtain 10 out of 20 reports requested at random from 20 consumer
reporting agencies by using the name of a fictitious company under the
guise of offering credit.\17\ As Senator Proxmire noted in introducing
the bill that would become the FCRA, these threats to consumer privacy
were only likely to increase with ``[t]he growing accessibility of this
information through computer- and data-transmission techniques.'' \18\
---------------------------------------------------------------------------
\15\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement
of Sen. William Proxmire).
\16\ Id.
\17\ S. Rep. No. 517, 91st Cong., 1st Sess. 4 (1969); 115 Cong.
Rec. S2413 (daily ed. Jan. 31, 1969) (statement of Sen. William
Proxmire).
\18\ 115 Cong. Rec. S2413 (daily ed. Jan. 31, 1969) (statement
of Sen. William Proxmire).
---------------------------------------------------------------------------
Congress sought to address these and other consumer harms in the
FCRA. In enacting the statute, it found that consumer reporting
agencies played a ``vital role'' in assembling and evaluating consumer
information to meet the needs of commerce, but that rules were
necessary to ensure that consumer reporting agencies conduct their
activities in a manner that is ``fair and equitable to the consumer,
with regard to the confidentiality, accuracy, relevancy, and proper
utilization'' of that information.\19\ Accordingly, the FCRA
established a framework with four principal pillars: (1) a bright-line
prohibition on using or disseminating consumer reports unless for one
of the limited permissible purposes identified by Congress; (2) a
requirement that consumer reporting agencies follow reasonable
procedures to assure the maximum possible accuracy of consumer reports;
(3) a consumer right to dispute inaccurate or incomplete information
and have it corrected; and (4) a consumer right to see the information
that a consumer reporting agency possesses about the consumer. In the
years since its passage in 1970, the FCRA has been amended many times,
including to expand the statute's reach so that it now imposes
obligations not just on consumer reporting agencies and consumer report
users, but also on the entities that furnish information to consumer
reporting agencies.\20\
---------------------------------------------------------------------------
\19\ FCRA section 602, 15 U.S.C. 1681 (Congressional findings
and statement of purpose).
\20\ See, e.g., Fair & Accurate Credit Transactions Act of 2003,
Public Law 108-159 (2003); Consumer Credit Reporting Reform Act of
1996, Public Law 104-208 (1996).
---------------------------------------------------------------------------
The CFPB's Regulation V, 12 CFR part 1022, generally implements the
FCRA. In 2003, Congress granted the Federal Trade Commission (FTC) and
several other Federal agencies rulemaking authority for certain FCRA
provisions.\21\ For some provisions the authority was joint; for others
it was exclusive to a particular agency. Over the next several years,
the FTC and those agencies issued multiple rules implementing various
provisions of the statute.\22\ With the passage of the Consumer
Financial Protection Act of 2010 (CFPA), Congress transferred
rulemaking authority for most provisions of the FCRA to the CFPB.\23\
---------------------------------------------------------------------------
\21\ See Fed. Trade Comm'n, 40 Years of Experience with the Fair
Credit Reporting Act: An FTC Staff Report with Summary of
Interpretations, at 5-6 (July 2011) (hereinafter FTC 40 Years Staff
Report), https://www.ftc.gov/sites/default/files/documents/reports/40-years-experience-fair-credit-reporting-act-ftc-staff-report-summary-interpretations/110720fcrareport.pdf.
\22\ See, e.g., 74 FR 31484 (July 1, 2009); 69 FR 63922 (Nov. 3,
2004); 69 FR 35467 (June 24, 2004).
\23\ See Dodd-Frank Wall Street Reform and Consumer Protection
Act (Dodd-Frank Act), Public Law 111-203, section 1088, 124 Stat.
1376, 2086 (2010); see also Dodd-Frank Act sections 1024, 1025, and
1061, 124 Stat. 1987 (codified at 12 U.S.C. 5514, 5515, and 5581).
Authority over FCRA sections 615(e) and 628, 15 U.S.C. 1681m(e) and
1681w, is limited to the Federal banking agencies and the National
Credit Union Administration, the FTC, the Commodity Futures Trading
Commission, and the U.S. Securities and Exchange Commission. In
addition, section 1029 of the Dodd-Frank Act generally excludes from
the transfer of authority to the CFPB rulemaking authority over a
motor vehicle dealer that is predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of motor
vehicles, or both. 12 U.S.C. 5519(a) and (c).
---------------------------------------------------------------------------
B. Goals of the Rulemaking
Protecting Consumer Information in the Data Broker Market
Today, Americans regularly engage in activities that reveal
personal information about themselves, often without realizing it. They
may, for example, visit a website, download an app, charge an item to a
credit card, use a loyalty card at a grocery store or pharmacy, order
goods online, subscribe to a newspaper or magazine, or make a donation.
In each instance, the entity with whom the consumer interacts might
collect information about the consumer. These entities might sell the
consumer's information to other entities with whom the consumer does
not have a relationship, or they might keep or reuse the information
for themselves. Entities that collect, aggregate, sell, resell,
license, enable the use of, or otherwise share consumer information
with other parties are commonly known as data brokers.\24\
---------------------------------------------------------------------------
\24\ See 88 FR 16951, 16952-53 (Mar. 21, 2023).
---------------------------------------------------------------------------
Different data brokers compile and sell different types of consumer
information.\25\ Much of the information is private and highly
sensitive, such as information about a consumer's finances, income,
physical and mental health, sexual orientation, religious affiliation,
and political preferences, as well as information about the websites
and apps the consumer visits or uses, the stores the consumer
frequents, the products the consumer buys, and the consumer's location
throughout the day.\26\ Data brokers obtain this information from a
variety of sources, including retailers, websites and apps, newspaper
and magazine publishers, and financial service providers, as well as
cookies and similar technologies that gather information about
consumers' online activities.\27\ Other information is publicly
available, such as criminal and civil record information maintained by
Federal, State, and local courts and governments, and information
available on the internet, including information posted by consumers on
social media.\28\ The volume of data collected, bought,
[[Page 101405]]
and sold by data brokers is enormous. Some of the nation's largest data
brokers boast that they possess information about hundreds of millions
of American consumers consisting of billions of data points, with some
data updated instantaneously.\29\
---------------------------------------------------------------------------
\25\ See generally Urbano Reviglio, The Untamed and Discreet
Role of Data Brokers in Surveillance Capitalism: A Transnational and
Interdisciplinary Overview, 11 Internet Policy Review 3 (Aug. 4,
2022), https://policyreview.info/articles/analysis/untamed-and-discreet-role-data-brokers-surveillance-capitalism-transnational-and; Fed. Trade Comm'n, Data Brokers: A Call for Transparency and
Accountability, at 11-18, 24, B3-B6 (May 2014) (hereinafter FTC Data
Broker Report), https://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf.
\26\ See Am. Compl. For Permanent Inj. and Other Relief ¶¶ 72-76,
97-106, FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW (D. Idaho
June 5, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf; Joanne Kim, Duke Sanford Cyber
Policy Program, Data Brokers & the Sale of Americans' Mental Health
Data (Feb. 2023) (hereinafter Duke Report on Data Brokers and Mental
Health Data), https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2023/02/Kim-2023-Data-Brokers-and-the-Sale-of-Americans-Mental-Health-Data.pdf; FTC Data Broker Report, supra note
25; Staff of S. Comm. on Com., Sci., & Transp., A Review of the Data
Broker Industry: Collection, Use, and Sale of Consumer Data for
Marketing Purposes, at ii, 13-21 (Dec. 18, 2013), https://www.commerce.senate.gov/services/files/0D2B3642-6221-4888-A631-08F2F255B577.
\27\ See, e.g., Alfred Ng & Jon Keegan, Who is Policing the
Location Data Industry?, The Markup (Feb. 24, 2022), https://themarkup.org/the-breakdown/2022/02/24/who-is-policing-the-location-data-industry; FTC Data Broker Report, supra note 25, at 11-14.
\28\ See FTC Data Broker Report, supra note 25, at 11-13.
\29\ Justin Sherman, Duke Sanford Cyber Policy Program, Data
Brokers and Sensitive Data on U.S. Individuals: Threats to American
Civil Rights, National Security, and Democracy, at 4-8 (2021)
(hereinafter Duke Report on Data Brokers and Sensitive Data),
https://techpolicy.sanford.duke.edu/wp-content/uploads/sites/4/2021/08/Data-Brokers-and-Sensitive-Data-on-US-Individuals-Sherman-2021.pdf.
---------------------------------------------------------------------------
Certain data brokers compile the information they collect into
reports about individual consumers, which they sell to third parties
for use in assessing a consumer's eligibility for credit, employment,
or insurance. Data brokers may also use the information, or the
inferences they have drawn from that information, to create elaborate
dossiers about consumers for targeted marketing purposes. For example,
a data broker may use information about a consumer's income, location,
purchases, or health condition to classify the consumer--including, for
instance, as ``Financially Challenged,'' ``Modest Wages,'' ``Working-
class Mom,'' ``Senior Products Buyer,'' or ``Consumer[ ] with Clinical
Depression''--and then sell lists of such consumers to advertisers.\30\
In addition, data brokers may use the information they collect to
develop and maintain their own products, such as ``people search''
engines and other online lookup tools, to build proprietary algorithms,
to test and run advertising campaigns, and to train machine learning
systems.\31\ Some data brokers simply sell the consumer information
they collect to individual purchasers, including to other data brokers
and members of the general public.
---------------------------------------------------------------------------
\30\ See Duke Report on Data Brokers and Mental Health Data,
supra note 26, at 14; FTC Data Broker Report, supra note 25, at 20-
21.
\31\ See, e.g., Will Knight, Generative AI Is Making Companies
Even More Thirsty for Your Data, Wired (Aug. 10, 2023), https://www.wired.com/story/fast-forward-generative-ai-companies-thirsty-for-your-data/.
---------------------------------------------------------------------------
Government agencies, technology and privacy experts, consumer
advocates, and others have identified a range of consumer harms posed
by data brokers that treat consumer information as though it is not
subject to the FCRA.\32\ As discussed further in part IV, the data
broker industry can threaten national security. For example, countries
of concern can obtain from data brokers the financial information of
active military members, such as income and level of indebtedness, to
compromise or blackmail them in an effort to obtain sensitive national
security information. The data broker industry also is used to
facilitate a range of financial scams. For example, fraudsters can
obtain from data brokers lists of people with income below a certain
threshold, which can be used to pitch predatory and unlawful products
to families in financial distress. The highly sensitive information
collected and sold by data brokers also is an attractive target for
other bad actors. For example, thieves can obtain information from data
brokers that enables them to steal people's identities and open new
accounts or drain existing ones. And stalkers, harassers, and other
criminals can use sensitive information obtained from data brokers to
contact people who do not wish to be contacted, such as domestic
violence survivors.
---------------------------------------------------------------------------
\32\ See, e.g., Elec. Privacy Info. Ctr., Disrupting Data Abuse:
Protecting Consumers from Commercial Surveillance in the Online
Ecosystem (Nov. 2022), https://epic.org/wp-content/uploads/2022/12/EPIC-FTC-commercial-surveillance-ANPRM-comments-Nov2022.pdf; Duke
Report on Data Brokers and Sensitive Data, supra note 29; FTC Data
Broker Report, supra note 25.
---------------------------------------------------------------------------
To date, however, many data brokers have attempted to avoid
liability under the FCRA by arguing that they are not consumer
reporting agencies selling consumer reports, as those terms are defined
in the statute. Many data brokers have made these arguments even though
they collect, assemble, evaluate, or sell the same information as other
consumer reporting agencies--and even though their activities pose the
same risks to consumers that motivated the FCRA's passage. As explained
further below, the proposed rule provides that the FCRA's definitions
of consumer reporting agency and consumer report cover a wide range of
data brokers and data broker activities under the FCRA. If the proposed
rule is finalized, one practical effect would be that additional data
brokers would be prohibited from selling information for non-FCRA
purposes, thus limiting the transmission of information that is used to
market products to consumers--and to scam, defraud, stalk, or harass
them.
Protecting Consumer Information From Unauthorized Disclosure by
Consumer Reporting Agencies
The CFPB also has observed that consumer reporting agencies
continue to engage in practices that may be harmful to consumers. The
consumer credit reporting industry has consistently been a major source
of consumer complaints to the CFPB. Complaints about credit or consumer
reporting represented roughly 80 percent of consumer complaints
submitted to the CFPB during 2023, far more than any other category of
consumer product or service.\33\ Indeed, credit or consumer reporting
has been the most-complained-about category of consumer financial
product or service to the CFPB every year since 2017.\34\ One ongoing
area of concern for the CFPB is consumer reporting agencies engaging in
practices that may threaten consumer privacy.
---------------------------------------------------------------------------
\33\ Consumer Fin. Prot. Bureau, Consumer Response Annual
Report, at 11 (Mar. 2024), https://files.consumerfinance.gov/f/documents/cfpb_cr-annual-report_2023-03.pdf (noting that the CFPB
received approximately 1.3 million credit or consumer reporting
complaints in 2023, a 34 percent increase compared to 2022).
\34\ Consumer Fin. Prot. Bureau, Consumer Response Annual
Report, at 11 (Mar. 2023), https://files.consumerfinance.gov/f/documents/cfpb_2022-consumer-response-annual-report_2023-03.pdf;
Consumer Fin. Prot. Bureau, Consumer Response Annual Report, at 3
(Mar. 2022), https://files.consumerfinance.gov/f/documents/cfpb_2021-consumer-response-annual-report_2022-03.pdf; Consumer Fin.
Prot. Bureau, Consumer Response Annual Report, at 9 (Mar. 2021),
https://files.consumerfinance.gov/f/documents/cfpb_2020-consumer-response-annual-report_03-2021.pdf; Consumer Fin. Prot. Bureau,
Consumer Response Annual Report, at 9 (Mar. 2020), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2019.pdf; Consumer Fin. Prot. Bureau, Consumer Response
Annual Report, at 9 (Mar. 2019), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2018.pdf; Consumer
Fin. Prot. Bureau, Consumer Response Annual Report, at 9 (Mar.
2018), https://files.consumerfinance.gov/f/documents/cfpb_consumer-response-annual-report_2017.pdf.
---------------------------------------------------------------------------
As discussed above, privacy was a key motivating factor for passage
of the FCRA, and the FCRA protects consumer privacy in multiple ways,
including by strictly limiting the circumstances under which consumer
reporting agencies may disclose consumer information. For example, FCRA
section 604, entitled ``Permissible purposes of consumer reports,''
identifies an exclusive list of permissible purposes for which consumer
reporting agencies may furnish consumer reports, including in
accordance with the written instructions of the consumer to whom the
report relates and for purposes relating to credit, employment, and
insurance.\35\ The FCRA's
[[Page 101406]]
permissible purpose provisions are central to the statute's protection
of consumer privacy. The CFPB is concerned that sensitive consumer
information that the statute was designed to protect is being furnished
by consumer reporting agencies to users that do not have a permissible
purpose under the FCRA to obtain the information, thereby threatening
consumers' privacy, and causing reputational, emotional, economic, and
physical harm to consumers. These threats have grown more acute as
advances in technology have facilitated the easy sharing of such
consumer information online.
---------------------------------------------------------------------------
\35\ 15 U.S.C. 1681b(a). Other sections of the FCRA identify
additional limited circumstances under which consumer reporting
agencies are permitted or required to disclose certain information
to government agencies. See FCRA sections 608, 626, and 627, 15
U.S.C. 1681f, 1681u, 1681v; see also, e.g., FTC v. Manager, Retail
Credit Co., Miami Beach Branch Off., 515 F.2d 988, 994-95 (D.C. Cir.
1975) (holding that 15 U.S.C. 1681s(a) authorizes the FTC to obtain
consumer reports in FCRA enforcement investigations). Further, the
Debt Collection Improvement Act of 1996, Public Law 104-134, 110
Stat. 1321, section 31001(m)(1), allows the head of an executive,
judicial, or legislative agency to obtain a consumer report under
certain circumstances relating to debt collection. See 31 U.S.C.
3711(h). The proposed rule is not intended to alter the additional
circumstances in which government agencies may obtain consumer
report information.
---------------------------------------------------------------------------
For example, consumer reporting agencies sell personal identifiers
collected for the purpose of preparing consumer reports--often known as
``credit header'' information--to third parties who may not have an
FCRA-permissible purpose to obtain the information. The sale by
consumer reporting agencies of personal identifiers, which may include
sensitive information such as a consumer's Social Security number,
contributes to the availability of such information for purchase
online, potentially by fraudsters and other persons seeking to dox and
expose consumers' personal information or otherwise exploit or harm
consumers. The proposed rule would take steps to address this problem
by providing that the term ``consumer report'' includes communications
by a consumer reporting agency of personal identifiers that were
collected for the purpose of preparing consumer reports and that such
information therefore can be sold by consumer reporting agencies only
to users who have a permissible purpose to obtain it.
The CFPB is also aware that consumer reporting agencies offer and
sell to users who do not have an FCRA permissible purpose a variety of
products that include information that has been drawn from consumer
reporting databases and that has been aggregated or otherwise
purportedly de-identified to try to mask the identities of the
individual consumers to whom the information relates. This information
may be sold or made available, for example, for use in marketing
campaigns, even though advertising and marketing generally are not
permissible purposes under the FCRA.\36\ As with the sale of personal
identifiers, the sale of purportedly de-identified information about
consumers to users who do not have an FCRA permissible purpose to
obtain it contributes to the proliferation of sensitive consumer
information available for purchase online. The CFPB is concerned that
advances in technology have made, and will continue to make, it easier
for users to combine data and identify consumers within purportedly de-
identified data sets, and that the sale of such information by consumer
reporting agencies thus threatens the privacy of consumer information
in the very ways Congress designed the FCRA to prevent. The CFPB
proposes three possible alternatives to address this problem and
clarify when a communication by a consumer reporting agency of
information about a consumer is a consumer report.
---------------------------------------------------------------------------
\36\ An exception exists for the purpose of making firm offers
of credit or insurance. FCRA section 604(c)(1)(B), 15 U.S.C.
1681b(c)(1)(B). In addition, a consumer reporting agency may provide
a consumer report to a user ``in accordance with the written
instructions of the consumer'' to whom the report relates. FCRA
section 604(a)(2), 15 U.S.C. 1681b(a)(2).
---------------------------------------------------------------------------
In addition to general concerns regarding the privacy of consumers'
sensitive information, the CFPB is concerned that consumer reporting
agencies are monetizing consumer report information for use in
marketing in ways that the FCRA prohibits. As noted, marketing and
advertising generally are not permissible purposes for furnishing or
obtaining consumer reports. Nevertheless, as technology has advanced,
consumer reporting agencies have begun to employ techniques and
business models designed to evade this restriction. The proposed rule
would address these developments and would emphasize that the FCRA's
legitimate business need permissible purpose does not authorize
consumer reporting agencies to furnish consumer reports to users for
solicitation or marketing purposes.
The CFPB additionally proposes to specify what is needed to
establish a permissible purpose based on the written instructions of a
consumer. This proposed provision is intended to ensure that consumer
reporting agencies and consumer report users do not abuse the written
instructions permissible purpose by purportedly obtaining consumer
consent to furnish or obtain a consumer report pursuant to disclosures
buried within lengthy terms and conditions or otherwise presented to
the consumer in a manner that interferes with the consumer's ability to
make informed decisions.
C. Outreach and Engagement
Request for Information
On March 15, 2023, the CFPB issued a Request for Information (RFI)
regarding the data broker industry and business practices involving the
collection and sale of consumer information.\37\ The RFI sought
information about new business models that sell consumer data and about
consumer harm that could result from such business models. The CFPB
received over 7,000 comments in response to the RFI. The comments
helped to inform the CFPB's approach to the proposed rule.
---------------------------------------------------------------------------
\37\ 88 FR 16951 (Mar. 21, 2023) (hereinafter CFPB Data Broker
RFI).
---------------------------------------------------------------------------
Small Business Review Panel
Pursuant to the Small Business Regulatory Enforcement Fairness Act
of 1996 (SBREFA),\38\ the CFPB issued an Outline of Proposals and
Alternatives under Consideration in connection with this proposal in
September 2023.\39\ The CFPB convened a Small Business Review Panel
(Panel) on October 16, 2023, and held Panel meetings on October 18 and
19, 2023. Representatives from 16 small businesses were selected as
small entity representatives for the SBREFA process. These entities
represented small businesses that the CFPB determined would likely be
directly affected by one or more of the proposals under consideration.
On December 15, 2023, the Panel completed the Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Consumer Reporting Rulemaking.\40\ The CFPB also
invited and received feedback on the proposals under consideration from
others, including stakeholders other than small entity representatives,
although this feedback was not included in the Small Business Review
Panel Report.\41\ The CFPB has considered the
[[Page 101407]]
feedback from small entity representatives and other stakeholders, as
well as the findings and recommendations of the Small Business Review
Panel, in preparing this proposed rule. Panel recommendations regarding
specific proposals under consideration are addressed in part IV.
---------------------------------------------------------------------------
\38\ Public Law 104-121, 110 Stat. 857 (1996).
\39\ Consumer Fin. Prot. Bureau, Small Business Advisory Review
Panel For Consumer Reporting Rulemaking--Outline of Proposals and
Alternatives Under Consideration (Sept. 15, 2023) (hereinafter Small
Business Review Panel Outline or Outline), https://files.consumerfinance.gov/f/documents/cfpb_consumer-reporting-rule-sbrefa_outline-of-proposals.pdf.
\40\ Consumer Fin. Prot. Bureau, Final Report of the Small
Business Review Panel on the CFPB's Proposals and Alternatives Under
Consideration for the Consumer Reporting Rulemaking (Dec. 15, 2023)
(hereinafter Small Business Review Panel Report or Panel Report),
https://files.consumerfinance.gov/f/documents/cfpb_sbrefa-final-report_consumer-reporting-rulemaking_2024-01.pdf.
\41\ Feedback received on the Small Business Review Panel
Outline will be placed on the public docket for this rulemaking.
---------------------------------------------------------------------------
This proposed rule does not address feedback received as part of
the SBREFA process about proposals that were under consideration
regarding medical debt collection information. Those proposals under
consideration were addressed in the CFPB's proposed rule regarding
consumer reporting of medical information.\42\ This proposed rule also
does not address feedback received as part of the SBREFA process about
proposals that were under consideration regarding data security and
data breaches, disputes involving legal matters, and disputes involving
systemic issues. Those topics are not included in this proposed rule.
---------------------------------------------------------------------------
\42\ 89 FR 51692 (June 18, 2024) (hereinafter CFPB Medical Debt
Proposed Rule).
---------------------------------------------------------------------------
Interagency and Stakeholder Consultations
Consistent with section 1022(b)(2)(B) of the CFPA, the CFPB has
consulted with the appropriate prudential regulators and other Federal
agencies, including regarding consistency with any prudential, market,
or systemic objectives administered by these agencies. The CFPB has
also consulted with officials from certain State agencies. In addition,
the CFPB has discussed the proposed rule with, and considered written
feedback submitted by, a range of interested stakeholders. The CFPB
discusses throughout this document feedback received through these
various channels that is relevant to the proposed rule.
III. Legal Authority
The CFPB is proposing to amend Regulation V pursuant to its
authority under the FCRA and the CFPA. Section 1022(b)(1) of the CFPA
authorizes the CFPB to prescribe rules ``as may be necessary or
appropriate to enable the [CFPB] to administer and carry out the
purposes and objectives of the Federal consumer financial laws, and to
prevent evasions thereof.'' \43\ The FCRA is a Federal consumer
financial law, except with respect to sections 615(e) and 628.\44\
Accordingly, the CFPB has authority under CFPA section 1022(b)(1) to
issue regulations to administer and carry out the purposes and
objectives of the FCRA and to prevent evasion thereof, except with
respect to sections 615(e) and 628.
---------------------------------------------------------------------------
\43\ 12 U.S.C. 5512(b)(1).
\44\ CFPA section 1002(14), 12 U.S.C. 5481(14) (defining
``Federal consumer financial law'' to include the ``enumerated
consumer laws'' and the provisions of the CFPA); CFPA section
1002(12), 12 U.S.C. 5481(12) (defining ``enumerated consumer laws''
to include the FCRA, except with respect to sections 615(e) and
628).
---------------------------------------------------------------------------
FCRA section 621(e) provides that, except with respect to sections
615(e) and 628, the CFPB ``shall prescribe such regulations as are
necessary to carry out the purposes of [the FCRA].'' \45\ Specifically,
FCRA section 621(e) provides that the CFPB ``may prescribe regulations
as may be necessary or appropriate to administer and carry out the
purposes and objectives'' of the FCRA.\46\ The stated purpose of the
FCRA is to ensure that ``consumer reporting agencies adopt reasonable
procedures for meeting the needs of commerce for consumer credit,
personnel, insurance, and other information in a manner which is fair
and equitable to the consumer, with regard to the confidentiality,
accuracy, relevancy, and proper utilization of such information.'' \47\
Except with respect to sections 615(e) and 628, the CFPB accordingly
has authority to issue regulations ``necessary or appropriate to
administer and carry out'' the provisions of the FCRA consistent with
this purpose.\48\ FCRA section 621(e) further provides that the CFPB
may prescribe regulations as may be necessary and appropriate to
prevent evasions of the FCRA or to facilitate compliance therewith.\49\
---------------------------------------------------------------------------
\45\ 15 U.S.C. 1681s(e).
\46\ Id.
\47\ FCRA section 602(b), 15 U.S.C. 1681(b).
\48\ See Loper Bright Enters. v. Raimondo, 144 S. Ct. 2244, 2263
(2024) (explaining that Congress's use of the term ``appropriate''
``leaves agencies with flexibility'' in regulating (citation
omitted)).
\49\ Cf. Consumer Fin. Prot. Bureau v. Townstone Fin., Inc., 107
F.4th 768, 776 (7th Cir. 2024) (``In endowing the Board with
authority to prevent `circumvention or evasion,' Congress indicated
that the [Equal Credit Opportunity Act] must be construed broadly to
effectuate its purpose of ending discrimination in credit
applications.'').
---------------------------------------------------------------------------
The CFPB has considered this proposed rule in the context of its
legal authority under the FCRA and the CFPA and has developed the
proposed provisions by relying on its expertise in understanding and
developing policy regarding the consumer reporting market. The CFPB has
preliminarily determined that each of the proposed provisions is
consistent with the purpose of the FCRA and is authorized under FCRA
section 621(e) and CFPA section 1022(b)(1). Pursuant to FCRA section
621(e), any final rule prescribed by the CFPB would apply to all
persons subject to the FCRA, except as described in section 1029(a) of
the CFPA.\50\
---------------------------------------------------------------------------
\50\ The CFPB also notes that, subject to certain exceptions,
the FCRA states that it ``does not annul, alter, affect, or exempt
any person subject to [the FCRA] from complying with the laws of any
State with respect to the collection, distribution, or use of any
information on consumers, or for the prevention or mitigation of
identity theft, except to the extent that those laws are
inconsistent with any provision of this subchapter, and then only to
the extent of the inconsistency.'' 15 U.S.C. 1681t(a); see also
Davenport v. Farmers Ins. Grp., 378 F.3d 839, 842 (8th Cir. 2004)
(``The FCRA makes clear that it is not intended to occupy the entire
regulatory field with regard to consumer reports''). Therefore,
State laws that are not inconsistent with the FCRA--including State
laws that are more protective of consumers than the FCRA--are
generally not preempted. See 87 FR 41042 (July 11, 2022).
---------------------------------------------------------------------------
As noted in proposed Sec. 1022.1(b)(1) regarding the scope of
Regulation V, the regulation implements only certain provisions of the
FCRA. In this rulemaking, the CFPB proposes to implement for the first
time in Regulation V the definitions of consumer report and consumer
reporting agency in FCRA section 603(d) and (f) and the permissible
purposes of consumer reports as set forth in FCRA section 604(a).\51\
Unless specifically noted otherwise, the CFPB's mere restatement of
statutory language is not intended to affect the status quo regarding
caselaw or judicial or other interpretations that exist with respect to
such restated language. Explaining the scope of Regulation V in
proposed Sec. 1022.1(b)(1) and restating certain statutory text should
facilitate compliance with the statute, but the CFPB requests comment
on the proposed approach.
---------------------------------------------------------------------------
\51\ The proposed rule does not restate all of FCRA sections 603
and 604. Among other provisions in those sections, the proposed rule
does not restate FCRA section 604(c) regarding credit or insurance
transactions that are not initiated by the consumer.
---------------------------------------------------------------------------
IV. Discussion of the Proposed Rule
Subpart A--General Provisions
Section 1022.4 Definition; Consumer Report
In general, a consumer report under the FCRA is a written, oral, or
other communication by a consumer reporting agency of any information
that: (1) bears on at least one of seven specified factors relating to
a consumer; and (2) is used or expected to be used or collected in
whole or in part for the purpose of serving as a factor in establishing
the consumer's eligibility for credit or insurance, for employment
purposes, or for any other purpose authorized under FCRA section 604
(i.e., the section that establishes permissible purposes of consumer
reports). The seven factors relating to a consumer specified in the
definition of consumer report are a
[[Page 101408]]
consumer's creditworthiness, credit standing, credit capacity,
character, general reputation, personal characteristics, or mode of
living.\52\ The CFPB proposes Sec. 1022.4 to implement and interpret
the FCRA definition of consumer report.
---------------------------------------------------------------------------
\52\ FCRA section 603(d), 15 U.S.C. 1681a(d).
---------------------------------------------------------------------------
Proposed Sec. 1022.4(a), (f), and (g) restate the FCRA definition
with minor wording and organizational changes for clarity.\53\ Proposed
Sec. 1022.4(a)(1) restates the ``bears on'' prong of the definition,
proposed Sec. 1022.4(a)(2) restates the purposes listed in the
definition, and proposed Sec. 1022.4(f) and (g) restate provisions
addressing exclusions from the definition. The CFPB proposes Sec.
1022.4(b) through (e) to address whether and when the communication of
certain consumer information constitutes a consumer report, with the
goal of ensuring the FCRA's protections are applied to such
information. The CFPB also proposes to revise several provisions in
existing Regulation V that cross-reference the definition of consumer
report in FCRA section 603(d) to instead cross-reference the definition
in proposed Sec. 1022.4.\54\
---------------------------------------------------------------------------
\53\ In restating FCRA section 603(d)(2)(D), proposed Sec.
1022.4(f) cross-references FCRA section 603(y) rather than FCRA
section 603(x) because the CFPA re-designated FCRA section 603(x) as
FCRA section 603(y). See 15 U.S.C. 1681a, n.1; Fed. Trade Comm'n,
Fair Credit Reporting Act, 15 U.S.C. 1681, at 2 n.1 (Sept. 2018),
https://www.ftc.gov/system/files/documents/statutes/fair-credit-reporting-act/545a_fair-credit-reporting-act-0918.pdf (noting that
``(o) or (x)'' in FCRA section 603(d)(2)(D) ``[s]hould be read as
`(o) or (y)' '').
\54\ These provisions are Sec. Sec. 1022.20(b)(3), 1022.32(b),
1022.71(f), 1022.130(c), and 1022.142(b)(2). If this proposal and
the CFPB's Medical Debt Proposed Rule, supra note 42, are both
finalized, the CFPB intends to revise in the same way cross-
references to the terms ``consumer report'' and ``consumer reporting
agency'' in Sec. 1022.38, as proposed to be added to Regulation V
by the Medical Debt Proposed Rule.
---------------------------------------------------------------------------
Is Used or Expected To Be Used
Proposed Sec. 1022.4(b) and (c) address the phrase ``is used or
expected to be used'' and surrounding elements of the statutory
definition of consumer report. The proposed provisions address whether
and when the applicable information is used (proposed Sec. 1022.4(b))
or is expected to be used (proposed Sec. 1022.4(c)) for one of the
purposes specified in the definition--that is, for the purpose of
serving as a factor in establishing a consumer's eligibility for
consumer credit or insurance, for employment purposes, or for any other
purpose authorized under FCRA section 604. The CFPB proposes these
provisions to ensure that the FCRA's protections apply to certain
communications of consumer information, including by incentivizing
entities that sell consumer information to monitor the uses to which
such information is put and by ensuring that certain types of consumer
information are within the scope of the FCRA regardless of how any
particular communication of that information is used.
As explained further below, the FCRA's definition of the term
``consumer report'' presents several interpretive questions relevant to
this proposed rule. First, what is the item that might be ``used or
expected to be used'' for the relevant purpose--the specific
``communication'' (i.e., the actual transmittal of data) or the
``information'' contained within that communication (i.e., the facts
that the communication describes)? Courts have tended to focus their
analysis on the specific communication, although it is unclear how many
courts have been presented with the alternative.\55\ Second, given that
the phrase is in the passive voice, by whom might a communication or
information be ``used or expected to be used'' to qualify as a consumer
report--the specific recipient of the communication or a broader
population of parties? Again, courts have tended to consider the
activities of the specific user in the case at issue, but it is unclear
whether courts have been presented with the alternative.\56\ Third,
whose expectations are relevant in determining whether a communication
of information is ``expected to be used'' for a particular purpose--the
person making the communication or someone else? And fourth, are that
person's subjective expectations all that matter, or, as courts have
held, does the analysis also consider what the person objectively
should expect?
---------------------------------------------------------------------------
\55\ See, e.g., Comeaux v. Brown & Williamson Tobacco Co., 915
F.2d 1264, 1273-74 (9th Cir. 1990) (``The plain language of section
1681a(d) reveals that a credit report will be construed as a
`consumer report' under the FCRA if the credit bureau providing the
information expects the user to use the report for a purpose
permissible under the FCRA . . . .'' (second emphasis added)); cf.
Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d 988, 994 (D.
Nev. 2021) (applying the series-qualifier and nearest-reasonable-
referent canons to conclude that, under the definition of consumer
report, ``it is the information in the communication, not the
communication itself, that must be of the kind that is used or
expected to be used or collected in whole or in part for the
purposes of serving as a favor [sic] in credit, employment, or
insurance decisions or other reasons allowed under the FCRA'').
\56\ See, e.g., Comeaux, 915 F.2d at 1273-74.
---------------------------------------------------------------------------
With these interpretive questions in mind, the CFPB is proposing
provisions to administer and carry out the statutory scheme, prevent
evasion of the FCRA's requirements, and ensure that the statute's
protections apply to communications of consumer information that raise
concerns the FCRA was designed to address. In doing so, the CFPB is
also proposing particular approaches to resolving the interpretive
questions set forth above. First, the CFPB proposes to treat ``used or
expected to be used'' as modifying ``information'' rather than
``communication.'' Grammatically, the term to which ``used or expected
to be used'' refers should also be the term to which ``collected''
refers, and a consumer reporting agency does not ``collect''
communications. Second, the CFPB proposes to interpret ``used'' to
include use by persons other than the direct recipient of a
communication. If ``used or expected to be used'' referred only to how
the direct recipient used or was expected to use the information in a
communication, then the recipient's use or expected use for a non-
permissible purpose would not violate the statute because, by virtue of
that use or expected use, the communication would not be a consumer
report.\57\ Moreover, if the analysis focused only on the initial
recipient, the statute would be easy to evade by passing information
through intermediaries before it reached the ultimate user. Third, the
CFPB proposes to interpret ``expected to be used'' to refer to the
expectations of the person communicating the information, which is
consistent with longstanding case law and is a natural reading of the
statutory language. Fourth, the CFPB proposes to interpret ``expected
to be used'' to consider both what that person subjectively expected
and what that person objectively should have expected about the use of
the transmitted information. This interpretation is consistent with
past agency and judicial interpretations and would emphasize that
persons cannot sell consumer information and attempt to avoid coverage
by willfully ignoring the purposes for which the information will be
used.
---------------------------------------------------------------------------
\57\ The communication of the information could still be a
consumer report if the information was collected for a purpose
described in FCRA section 603(d)(1), in which case it could be
furnished only to a recipient with a permissible purpose.
---------------------------------------------------------------------------
Since the FCRA's enactment in 1970, applications of the law have
often undermined one of the statute's core commitments: protecting
consumer privacy. The CFPB proposes to implement the statute in a
manner that respects Congress's concern with limiting the purchase and
sale of sensitive consumer information and restores the full meaning of
the statute's permissible purpose provisions.
[[Page 101409]]
The CFPB uses these threshold principles, described in more detail
below, to guide the following proposals.
4(b) Is Used
Proposed Sec. 1022.4(b) interprets the phrase ``is used'' in the
definition of consumer report. It provides that information in a
communication is used for a purpose described in proposed Sec.
1022.4(a)(2) if a recipient of the information uses the information for
such purpose. The proposal would clarify that the purpose for which
information in a communication is used can cause the communication to
be a consumer report, regardless of whether the person communicating
the information collected it or expected it to be used for that
purpose.
This interpretation derives from a straightforward reading of the
statute. As summarized above, section 603(d)(1) of the FCRA defines a
consumer report as a communication of information by a consumer
reporting agency bearing on any of seven, specified consumer factors
that is ``[1] used or [2] expected to be used or [3] collected'' in
whole or in part for a purpose described in proposed Sec.
1022.4(a)(2). The principle that a statute must be construed to ``give
effect, if possible, to every clause and word'' \58\ requires that the
phrase ``is used'' be given a meaning independent of ``expected to be
used'' and ``collected.'' \59\ The CFPB's proposed interpretation does
so.
---------------------------------------------------------------------------
\58\ Williams v. Taylor, 529 U.S. 362, 404 (2000) (quoting
United States v. Menasche, 348 U.S. 528, 538-39 (1955)); see also
Duncan v. Walker, 533 U.S. 167, 174 (2001) (discussing rule against
surplusage).
\59\ Similarly, the series-qualifier canon requires reading the
phrase ``in whole or in part'' as modifying each word or phrase in
the series (i.e., ``is used,'' ``expected to be used,'' and
``collected'') rather than just the final one (i.e., ``collected'').
See Facebook, Inc. v. Duguid, 592 U.S. 395, 402 (2021) (describing
the series-qualifier canon); United States v. MyLife.com, Inc., 499
F. Supp. 3d 757, 764 (C.D. Cal. 2020) (finding that the complaint
adequately pled that the defendant's reports ``were used or expected
to be used in whole or in part for a FCRA purpose'').
---------------------------------------------------------------------------
The proposed interpretation is consistent with guidance previously
issued by FTC staff explaining that a report that is not otherwise a
consumer report may become a consumer report if it is subsequently used
by the recipient for an FCRA-covered purpose.\60\ That guidance also
suggests that a communication of consumer information that is actually
used for an FCRA-covered purpose might not be a consumer report if the
person making the communication could not have reasonably expected the
information to be used in such a way.\61\ Under the CFPB's proposed
interpretation, however, a report including information that ``is
used'' for a purpose described in proposed Sec. 1022.4(a)(2) (and that
satisfies the other elements of the definition of consumer report) is a
consumer report, irrespective of whether the person furnishing the
report could have reasonably expected that use or took steps to prevent
it.
---------------------------------------------------------------------------
\60\ FTC 40 Years Staff Report, supra note 21, at 22.
\61\ See id. (``If the entity supplying the report has taken
reasonable steps to [e]nsure that the report is not used for such a
purpose, and if it neither knows of, nor can reasonably anticipate
such use, the report should not be deemed a consumer report by
virtue of uses beyond the entity's control.'').
---------------------------------------------------------------------------
Proposed Sec. 1022.4(b) also would clarify another aspect of the
phrase ``is used'' in the FCRA's definition of consumer report. In the
definition, the phrase ``for the purpose of serving as a factor in
establishing the consumer's eligibility,'' which follows the phrase
``is used,'' lacks a subject, making it unclear whose use of the
information matters in determining whether information is used for a
purpose described in proposed Sec. 1022.4(a)(2). Proposed Sec.
1022.4(b) would clarify that information is used for a purpose
described in proposed Sec. 1022.4(a)(2) if anyone, not merely the
direct recipient of the communication, uses the information for such a
purpose.
Interpreting the phrase ``is used'' to encompass not just the
immediate recipient of the information but also downstream users is
necessary to carry out the purposes of the statute and prevent evasion.
If all that mattered was what the immediate recipient would do with the
information, a person could potentially avoid FCRA coverage even if the
person had actual knowledge that the entity to which it communicated
the information was selling the information to a downstream recipient
who planned to use it for a purpose described in proposed Sec.
1022.4(a)(2). Indeed, under such an interpretation, a person could
potentially use intermediaries to ensure that they never sold
information directly to a recipient who would use it for such a
purpose, even if the person knew that was how the information would
eventually be used. The CFPB's proposed interpretation is consistent
with case law holding that the ``is used'' element of the definition of
consumer report is satisfied if anyone--not just the initial recipient
of the communication--uses the information for a purpose described in
proposed Sec. 1022.4(a)(2).\62\
---------------------------------------------------------------------------
\62\ Ernst v. Dish Network, LLC, 49 F. Supp. 3d 377, 383
(S.D.N.Y. 2014) (``This means that if anyone uses, expects to use or
collects the information for [a permissible purpose], the statutory
definition of `consumer report' is satisfied.'') (emphasis added);
see also Henderson v. Corelogic Nat'l Background Data, LLC, 161 F.
Supp. 3d 389, 397-98 (E.D. Va. 2016).
---------------------------------------------------------------------------
As a practical matter, this would mean that a person that sells
information that is used for a purpose described in proposed Sec.
1022.4(a)(2) would become a consumer reporting agency, regardless of
whether the person knows or believes that the communication of that
information is legally considered a consumer report, assuming the other
elements of the definition of consumer reporting agency are satisfied.
In other words, so long as a person acts for the purpose of furnishing
a report that is or becomes a consumer report as that term is defined
in proposed Sec. 1022.4, that person is a consumer reporting agency; a
person need not know or believe it is furnishing a consumer report as
that term is defined under the FCRA. For example, consider an entity
that collects information about individual consumers' travel
preferences for use in marketing and sells that information to a third
party for marketing purposes with the belief that the communication of
that information is not a consumer report. If the third party actually
uses the information to establish a consumer's eligibility for credit,
the report would be a consumer report (assuming the other elements of
that definition were satisfied). The entity that sold the information
would then be a consumer reporting agency (assuming the other elements
of that definition were satisfied) because it intended to communicate
to the third party the information that was in fact used for an
FCRA-covered purpose, even if it did not believe that it was furnishing
consumer reports. The CFPB proposes that this conclusion flows from the
definition of consumer reporting agency in FCRA section 603(f).
In addition to being consistent with the regulatory text, this
reading of the statute better prevents entities from evading FCRA
coverage by disclaiming intent to furnish consumer reports. A
requirement that a person selling consumer information is a consumer
reporting agency only if it believes that its communications meet the
FCRA's definition of consumer report would incentivize willful
ignorance and undermine the purpose of the statute. The CFPB's
interpretation, by contrast, provides a clear, bright-line rule that
should be more difficult for entities, particularly data brokers, to
evade. For that reason, it is more consistent with
the broad remedial purpose of the FCRA.\63\
---------------------------------------------------------------------------
\63\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
---------------------------------------------------------------------------
The CFPB proposes Sec. 1022.4(b) as an interpretation of the
phrase ``is used.'' The CFPB also preliminarily concludes that proposed
Sec. 1022.4(b) is necessary to prevent evasion of the FCRA by entities
that sell consumer information and ignore the uses to which that
information is put by initial and downstream recipients.\64\ The CFPB
requests comment on whether the proposed interpretation is likely to
incentivize entities to monitor more carefully how a communication of
consumer information ultimately is used, any potential alternatives to
prevent entities from evading coverage under the FCRA, and any
compliance challenges associated with the proposed interpretation.
---------------------------------------------------------------------------
\64\ See supra part II.B, Goals of the Rulemaking, Protecting
Consumer Information in the Data Broker Market.
---------------------------------------------------------------------------
4(c) Is Expected To Be Used
Proposed Sec. 1022.4(c) would establish two tests for determining
whether information is expected to be used for a purpose described in
proposed Sec. 1022.4(a)(2). Under these tests, information in a
communication is expected to be used for such a purpose if: (1) the
person making the communication expects or should expect that a
recipient of the information will use it for such a purpose; or (2) it
is information about a consumer's credit history, credit score, debt
payments, or income or financial tier. Information would need to
satisfy only one of the tests for the ``expected to be used'' element
of the definition of consumer report to be met. If either test were
satisfied, the communication of the information would be a consumer
report and the person communicating the information would be a consumer
reporting agency, assuming the other elements of those definitions were
met. As a result, the person's sale of the information would be subject
to the FCRA.
4(c)(1)
Under the first test, described in proposed Sec. 1022.4(c)(1),
information in a communication is expected to be used for a purpose
described in proposed Sec. 1022.4(a)(2) if the person making the
communication expects or should expect that a recipient of the
information in the communication will use the information for such a
purpose.\65\ Proposed Sec. 1022.4(c)(1) would clarify four aspects of
the meaning of the phrase ``expected to be used.''
---------------------------------------------------------------------------
\65\ Regulation V, 12 CFR 1022.3(l) defines person to mean ``any
individual, partnership, corporation, trust, estate, cooperative,
association, government or governmental subdivision or agency, or
other entity.''
---------------------------------------------------------------------------
Information Is Expected To Be Used
The ``expected to be used'' element of the definition of consumer
report does not identify what item must be ``expected to be used'' for
a purpose described in proposed Sec. 1022.4(a)(2). A consumer report
is a ``communication'' of certain ``information'' about a consumer, so
the phrase could reasonably refer to the communication itself (i.e.,
the actual transmittal of data), or the information contained within
the communication (i.e., the facts that the communication describes).
Proposed Sec. 1022.4(c) clarifies that, under the first test, the
relevant inquiry is whether the information in a communication is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2). This proposed interpretation follows directly from the
statutory language. As relevant here, the FCRA defines a consumer
report as a communication of information by a consumer reporting agency
``which is used or expected to be used or collected in whole or in
part'' for a purpose described in proposed Sec. 1022.4(a)(2).
Grammatically, the term to which ``expected to be used'' refers should
also be the term to which ``collected in whole or in part'' refers.
Consumer reporting agencies collect information, not communications.
Accordingly, under the CFPB's proposed interpretation, the term
``expected to be used'' refers to information.\66\
---------------------------------------------------------------------------
\66\ See Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d
988, 994 (D. Nev. 2021) (applying the series-qualifier and
nearest-reasonable-referent canons to conclude that, under the definition
of consumer report, ``it is the information in the communication,
not the communication itself, that must be of the kind that is used
or expected to be used or collected in whole or in part for the
purposes of serving as a favor [sic] in credit, employment, or
insurance decisions or other reasons allowed under the FCRA'').
---------------------------------------------------------------------------
Person Communicating the Information
The ``expected to be used'' element of the FCRA's definition of
consumer report is phrased in the passive voice; it does not identify
the subject whose expectations are relevant in determining whether a
communication of information is a consumer report. Proposed Sec.
1022.4(c)(1) rephrases this element of the definition in the active
voice to clarify that, under the first test, the expectations of the
person communicating the information determine whether the information
is expected to be used for a particular purpose. In other words, the
proposal clarifies that a communication of information is a consumer
report if the person communicating the information expects the
information to be used for a purpose described in proposed Sec.
1022.4(a)(2) and the other elements of that definition are met. This
proposed interpretation, which is consistent with longstanding case
law, is a natural reading of the statutory language and makes sense in
the context of the statute.\67\ It is also necessary to prevent evasion
by entities, such as data brokers, that have sufficient information to
know that the consumer data they sell is likely being used for
eligibility determinations.
---------------------------------------------------------------------------
\67\ See, e.g., Fralish v. Transunion, LLC, No. 3:20-CV-969 JD,
2021 WL 4990003, at *3 (N.D. Ind. Oct. 26, 2021) (``Information
constitutes a `consumer report' if the consumer reporting agency
which prepares and sends the report `expects' the report to be used
for one of the `consumer purposes' set forth by the FCRA.'');
Ippolito v. WNS, Inc., 864 F.2d 440, 449 (7th Cir. 1988) (``[A]
consumer may establish that a particular credit report is a
`consumer report' falling within the coverage of the FCRA if . . .
the consumer reporting agency which prepares the report `expects'
the report to be used for one of the `consumer purposes' set forth
in the FCRA.''); Heath v. Credit Bureau of Sheridan, Inc., 618 F.2d
693, 696 (10th Cir. 1980) (explaining that `` `expected to be used'
would seem to refer to what the reporting agency believed'').
---------------------------------------------------------------------------
Knowledge Standard
The FCRA does not define the term ``expected.'' Proposed Sec.
1022.4(c)(1) would clarify that, under the first test, information is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2) if the person communicating the information subjectively
expects that it will be used for such a purpose, or if the person
objectively should expect that it will be used for such a purpose.
Interpreting the phrase ``expected to be used'' to encompass a
person's subjective and objective expectations is consistent with FTC
staff's longstanding view that the definition of consumer report covers
uses of information that the person can reasonably anticipate.\68\ And
it is consistent with case law holding that a person's reasonable
expectations about how information
will be used can establish whether the person is providing consumer
reports.\69\
---------------------------------------------------------------------------
\68\ FTC 40 Years Staff Report, supra note 21, at 22 (``If the
entity supplying the report has taken reasonable steps to [e]nsure
that the report is not used for such a purpose, and if it neither
knows of, nor can reasonably anticipate such use, the report should
not be deemed a consumer report . . . .'' (emphasis added)).
\69\ See, e.g., Harrington v. ChoicePoint Inc., No. CV 05-1294
MRP JWJX, 2005 WL 7979032, at *5 (C.D. Cal. Sept. 15, 2005) (holding
that consumer reporting agency ``should have expected the
information it disclosed would be used for FCRA purposes'' despite
the entity's contractual language with users barring such uses);
Mem. & Order at *6, Roybal v. Equifax, No. 2:05-CV-01207-MCE-KJM,
2008 WL 4532447 (E.D. Cal. Oct. 9, 2008) (allowing an FCRA claim
based on inaccuracies in the reporting of a joint account because
that information ``could reasonably have been expected to be used''
in establishing consumer's eligibility for credit); cf. Intel Corp.
Inv. Pol'y Comm. v. Sulyma, 589 U.S. 178 (2020) (``[T]he law will
sometimes impute knowledge--often called `constructive' knowledge--
to a person who fails to learn something that a reasonably diligent
person would have learned.'').
---------------------------------------------------------------------------
Interpreting ``expected to be used'' in this way also is necessary
to carry out the purposes of the FCRA and prevent evasion. If all that
mattered was how a person subjectively expected the information to be
used, the statute would reward willful ignorance: a person could
potentially avoid FCRA coverage by, for example, choosing not to ask or
deciding not to monitor how recipients of the information intended to
use it. The proposed interpretation is therefore consistent with the
statute's purpose.\70\
---------------------------------------------------------------------------
\70\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
---------------------------------------------------------------------------
The proposed interpretation also makes sense in the context of the
statute as a whole. Elsewhere in the FCRA, Congress imposed
requirements that refer only to a person's actual knowledge. For
example, FCRA section 605 requires the exclusion of certain information
from a consumer report if, among other things, the consumer reporting
agency ``has actual knowledge that the information is related to a
veteran's medical debt.'' \71\ If Congress had intended the meaning of
``expected to be used'' to turn only on the person's actual, subjective
expectations in the same way, it would have said so.\72\
---------------------------------------------------------------------------
\71\ 15 U.S.C. 1681c(a)(7), (8) (emphasis added).
\72\ See DHS v. MacLean, 574 U.S. 383, 392 (2015) (``Congress
generally acts intentionally when it uses particular language in one
section of a statute but omits it in another.'').
---------------------------------------------------------------------------
In enforcement actions and guidance documents, other regulators
have identified a non-exhaustive list of factors that may be relevant
to determining whether a person should expect that information will be
used for an FCRA-covered purpose. These factors include, for example,
whether the person screens potential users before allowing them to
access information, whether the person advertises its information for
non-FCRA-covered uses only, and whether the person maintains procedures
to monitor and audit how its information is used.\73\ The CFPB requests
comment on whether it would be helpful to identify in Regulation V
factors that are or may be relevant to determining whether a person
should expect that information will be used for an FCRA-covered
purpose, and, if so, what those factors might be. The CFPB also
requests comment on whether it would be helpful to identify the steps a
person must or should take to ensure that the consumer information it
sells is not used for an FCRA-covered purpose, absent which the person
would be deemed to expect that the consumer information will be used
for such a purpose.
---------------------------------------------------------------------------
\73\ See, e.g., Compl. ¶ 9, United States v. Instant Checkmate,
Inc., No. 3:14-CV-00675-H-JMA (S.D. Cal. Mar. 24, 2014), https://www.ftc.gov/system/files/documents/cases/140409instantcheckmatecmpt.pdf (alleging that Instant Checkmate, in
its marketing and advertising, including through its Google Ad Words
campaign, ``promoted the use of its reports as a factor in
establishing a person's eligibility for employment or housing'');
Compl. for Civil Penalties, Permanent Inj. & Other Equitable Relief
¶ 13, United States v. ChoicePoint (N.D. Ga. Jan. 30, 2006), https://www.ftc.gov/sites/default/files/documents/cases/2006/01/0523069complaint.pdf (alleging that ChoicePoint failed to adequately
verify or authenticate the identities and qualifications of
prospective users of its database).
---------------------------------------------------------------------------
Downstream Recipients
The phrase ``for the purpose of serving as a factor in establishing
the consumer's eligibility,'' which follows the phrase ``expected to be
used'' in the definition, lacks a subject, making it unclear whose use
of the information matters in determining whether information is
expected to be used for a purpose described in proposed Sec.
1022.4(a)(2). For the same reasons described in the discussion of
proposed Sec. 1022.4(b), proposed Sec. 1022.4(c)(1) would clarify
that, under the first test, information is expected to be used for a
purpose described in proposed Sec. 1022.4(a)(2) if the person
communicating the information expects or should expect that any
recipient of the information will use it for such a purpose.
As discussed above, the CFPB proposes Sec. 1022.4(c)(1) as an
interpretation of the phrase ``expected to be used.'' The CFPB also
proposes Sec. 1022.4(c)(1) pursuant to its authority to prevent
evasions of the FCRA. The CFPB preliminarily concludes that proposed
Sec. 1022.4(c)(1) is necessary to prevent evasion of the FCRA by
entities that sell consumer information and ignore the uses to which
that information is put by initial and downstream recipients.\74\
---------------------------------------------------------------------------
\74\ See supra part II.B, Goals of the Rulemaking, Protecting
Consumer Information in the Data Broker Market.
---------------------------------------------------------------------------
4(c)(2)
Under the second test, described in proposed Sec. 1022.4(c)(2),
the CFPB preliminarily concludes that entities that sell consumer
information generally expect certain types of that information to be
used in the market at large for a purpose described in proposed Sec.
1022.4(a)(2), because those types of information are typically used for
such a purpose. Specifically, under proposed Sec. 1022.4(c)(2), a
person selling any of four types of information about a consumer--
credit history, credit score, debt payments, and income or financial
tier--for any purpose generally would qualify as a consumer reporting
agency selling consumer reports because those information types are
typically used to underwrite loans. Accordingly, the person's conduct
would be governed by the FCRA's restrictions and requirements,
including provisions that protect the privacy and promote the accuracy
of consumer data.
As discussed in part II, the data broker industry poses a range of
significant harms to consumers and the nation. These include national
security harms.\75\ As the U.S. Department of Justice (DOJ) has
observed, countries of concern can use Americans' sensitive personal
data ``to engage in malicious cyber-enabled activities and malign
foreign influence, and to track and build profiles on U.S. individuals,
including members of the military and Federal employees and
contractors, for illicit purposes such as blackmail and espionage.''
\76\ They can also use that data ``to collect information on activists,
academics, journalists, dissidents, political figures, or members of
non-governmental organizations or marginalized communities in order to
intimidate such persons; curb political opposition; limit freedoms of
expression, peaceful assembly, or association; or enable other forms of
suppression of civil liberties.'' \77\
---------------------------------------------------------------------------
\75\ See, e.g., The White House, Fact Sheet: President Biden
Issues Executive Order to Protect Americans' Sensitive Personal Data
(Feb. 28, 2024), https://www.whitehouse.gov/briefing-room/statements-releases/2024/02/28/fact-sheet-president-biden-issues-sweeping-executive-order-to-protect-americans-sensitive-personal-data/.
\76\ 89 FR 15780, 15781 (Mar. 5, 2024) (U.S. Dep't of Just.
Advance Notice of Proposed Rulemaking seeking comment on topics
related to the implementation of E.O. 14117).
\77\ Id.
---------------------------------------------------------------------------
Recent research funded by the U.S. Military Academy at West Point
has highlighted the gravity of the threat posed by data brokers who
sell information about the activities and private lives of United
States military personnel, veterans, government employees, and their
families.\78\ With virtually no vetting, researchers were able to
purchase individually identified information about active-duty military
members' income, net worth, and credit rating--information that could
be used by foreign adversaries to identify individuals for purposes of
coercion, blackmail, or espionage.\79\ Data brokers also facilitate the
targeting of military members and government employees by allowing
buyers to purchase lists that match multiple categories, such as lists
that include individuals who fall into the ``Intelligence and
Counterterrorism'' category and the ``Behind on Bills'' category.\80\
As President Biden noted in a February 2024 executive order addressing
foreign access to Americans' data, ``[t]he continuing effort of certain
countries of concern to access Americans' sensitive personal data and
United States Government-related data constitutes an unusual and
extraordinary threat . . . to the national security and foreign policy
of the United States.'' \81\
---------------------------------------------------------------------------
\78\ See Duke Report on Data Brokers and Military Personnel
Data, supra note 2.
\79\ Id. at 5.
\80\ Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB
Director Rohit Chopra at the White House on Data Protection and
National Security (Apr. 2, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/.
\81\ E.O. No. 14117, 89 FR 15421 (Feb. 28, 2024).
---------------------------------------------------------------------------
The data broker industry also poses unique harms to individuals in
financially precarious situations. Fraudsters can use information from
data brokers to target individuals likely to purchase predatory
financial products. For example, some data brokers sell consumer lists
with titles such as ``Rural and Barely Making It,'' ``Retiring on
Empty: Single,'' and ``Credit Crunched: City Families.'' \82\ As the
Senate Committee on Commerce, Science, and Transportation observed over
a decade ago, these lists ``appeal to companies that sell high-cost
loans and other financially risky products to populations more likely
to need quick cash.'' \83\ The purchase and sale of consumers'
financial information can also be used to perpetrate outright scams
against low-income individuals and individuals in financially
precarious situations. In 2015, for example, the FTC brought suit
against a data broker operation that sold payday loan applicants'
financial information to phony internet merchants and fraudsters who
used the information to debit consumers' bank accounts for financial
products that the consumers never actually purchased.\84\
---------------------------------------------------------------------------
\82\ S. Comm. on Com., Sci., & Transp., Off. of Oversight &
Investigations Majority Staff, A Review of the Data Broker Industry:
Collection, Use, and Sale of Consumer Data for Marketing Purposes,
at 5 (Dec. 18, 2013), https://www.commerce.senate.gov/services/files/0d2b3642-6221-4888-a631-08f2f255b577.
\83\ Id.
\84\ Compl. for Permanent Inj. and Other Equitable Relief, Fed.
Trade Comm'n v. Sequoia One, LLC, No. 2:15-cv-01512-JCM-CWH (D. Nev.
Aug. 7, 2015), https://www.ftc.gov/system/files/documents/cases/150812sequoiaonecmpt.pdf; Fed. Trade Comm'n, FTC Charges Data
Brokers with Helping Scammer Take More Than $7 Million from
Consumers' Accounts (Aug. 12, 2015), https://www.ftc.gov/news-events/news/press-releases/2015/08/ftc-charges-data-brokers-helping-scammer-take-more-7-million-consumers-accounts.
---------------------------------------------------------------------------
The data broker industry also poses data security risks. The highly
sensitive consumer information collected and sold by data brokers is an
attractive target for hackers and identity thieves. In recent years,
cyber criminals have stolen from data brokers information about
hundreds of millions of Americans,\85\ some of which has been made
available for sale.\86\ Purchasers can use this information to open new
financial accounts in consumers' names, drain existing accounts, obtain
loans, seek employment, apply for government benefits, and send
``phishing'' communications to family and friends. According to the
DOJ, in 2021 nearly 24 million U.S. residents over 16 had experienced
identity theft in the past 12 months, with financial losses of over $16
billion.\87\
---------------------------------------------------------------------------
\85\ See, e.g., Brian Krebs, NationalPublicData.com Hack Exposes
a Nation's Data, Krebs on Security (Aug. 15, 2024), https://krebsonsecurity.com/2024/08/nationalpublicdata-com-hack-exposes-a-nations-data/; Justin Sherman, Duke Sanford School of Public Policy,
Data Brokers and Data Breaches (Sept. 27, 2022), https://techpolicy.sanford.duke.edu/blogroll/data-brokers-and-data-breaches;
Brian Krebs, Hacked Data Broker Accounts Fueled Phony COVID Loans,
Unemployment Claims, Krebs on Security (Aug. 6, 2020), https://krebsonsecurity.com/2020/08/hacked-data-broker-accounts-fueled-phony-covid-loans-unemployment-claims/; Lily Hay Newman, 1.2 Billion
Records Found Exposed Online in a Single Server, Wired (Nov. 22,
2019), https://www.wired.com/story/billion-records-exposed-online;
Stacy Cowley, Equifax to Pay at Least $650 Million in Largest-Ever
Data Breach Settlement, N.Y. Times (July 22, 2019), https://www.nytimes.com/2019/07/22/business/equifax-settlement.html.
\86\ See, e.g., Brian Krebs, National Public Data Published Its
Own Passwords, Krebs on Security (Aug. 19, 2024), https://krebsonsecurity.com/2024/08/national-public-data-published-its-own-passwords/; Brian Krebs, Data Broker Giants Hacked by ID Theft
Service, Krebs on Security (Sept. 25, 2013), https://krebsonsecurity.com/2013/09/data-broker-giants-hacked-by-id-theft-service/.
\87\ Erika Harrell & Alexandra Thompson, Bureau of Just. Stat.,
U.S. Dep't of Just., NCJ 306474, Victims of Identity Theft, 2021, at
1 (Oct. 2023), https://bjs.ojp.gov/document/vit21.pdf.
---------------------------------------------------------------------------
In addition, the data broker industry poses risks to the personal
safety of American consumers. For example, domestic abusers and others
can use data from data brokers to stalk, harass, and commit
violence.\88\ Other bad actors can use data broker information to dox
consumers, expose their personal information, and subject them to
distress, embarrassment, shame, and stigma.\89\ Moreover, the data
broker industry threatens consumers' right to privacy--the right to be
left alone, free from wrongful intrusions into private activities.\90\
Surveys suggest that many consumers would be concerned to know that
information about their personal lives was being bought and sold
without their consent and outside their control by entities with whom
they have no
relationship and whose actions they cannot trace.\91\ And the data
broker industry raises questions of fundamental fairness to consumers.
The consumer profiles that data brokers compile and sell can determine
what offers, benefits, and opportunities consumers receive.\92\ Yet
those profiles, often based on data of dubious veracity and sometimes
merely on inferences drawn from that data, are typically constructed
without consumers' knowledge, input, or permission, creating a
significant risk that they contain inaccurate, incomplete, or outdated
information that consumers are often powerless to correct.
---------------------------------------------------------------------------
\88\ See, e.g., Letter from Amy Klobuchar & Lisa Murkowski,
Sens., U.S. Senate, to Hon. Rebecca K. Slaughter, Acting Chair, Fed.
Trade Comm'n (Mar. 4, 2021), https://www.klobuchar.senate.gov/public/_cache/files/5/e/5e1e58a4-4b38-49e8-9a8b-37ea1604d9b9/A6F005737B2A977445475E4E0C2E3685.ftc-privacy-and-domestic-violence-letter-final_-signed.pdf (expressing ``serious concerns regarding
recent reports that data brokers are publicizing the location and
contact information of victims of domestic violence, sexual
violence, and stalking''); Esther Salas, My Son Was Killed Because
I'm a Federal Judge, N.Y. Times (Dec. 8, 2020), https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html (recounting instance in which aggrieved litigant
obtained Federal judge's address from data broker); Mara
Hvistendahl, I Tried to Get My Name Off People-Search Sites. It Was
Nearly Impossible., Consumer Reports (Aug. 20, 2020), https://www.consumerreports.org/personal-information/i-tried-to-get-my-name-off-peoplesearch-sites-it-was-nearly--a0741114794/ (recounting
domestic abuse victim's effort to delete her information from data
broker databases so that her abuser could not obtain it); Remsburg
v. Docusearch, Inc., No. Civ. 00-211-B, 2002 WL 844403, at *2-3
(D.N.H. Apr. 25, 2002) (describing stalker's use of data broker
information to locate victim).
\89\ See, e.g., Joseph Cox & Emanuel Maiberg, Fiverr Freelancers
Offer to Dox Anyone With Powerful U.S. Data Tool, 404 Media (July 2,
2024), https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/; Joseph Cox, The Secret
Weapon Hackers Can Use to Dox Nearly Anyone in America for $15, 404
Media (Aug. 22, 2023), https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF.
\90\ Cf. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d
589, 603-04 (9th Cir. 2020) (observing that ``[t]echnological
advances . . . provide access to a category of information otherwise
unknowable and implicate privacy concerns in a manner different from
traditional intrusions as a ride on horseback is different from a
flight to the moon'' (internal quotation marks and citations
omitted)); FTC v. Kochava, Inc., 715 F. Supp. 3d 1319, 1324 (D.
Idaho 2024) (noting that the Supreme Court has recognized ``the
unique threat that modern technology can pose to privacy rights''
(citing Carpenter v. United States, 585 U.S. 296 (2018))).
\91\ See, e.g., Brooke Auxier et al., Americans and Privacy:
Concerned, Confused and Feeling Lack of Control Over Their Personal
Information, Pew Rsch. Ctr. (Nov. 15, 2019), https://www.pewresearch.org/internet/2019/11/15/americans-and-privacy-concerned-confused-and-feeling-lack-of-control-over-their-personal-information/; cf. Tiffany Johnson et al., It's All Personal: A Study
on Consumer Attitudes Towards Data Collection & Usage, PCH Consumer
Insights, at 3 (Nov. 15, 2023), https://insights.pch.com/img/data-ethics-design.pdf (identifying data types that consumers regard as
``personal'').
\92\ See FTC Data Broker Report, supra note 25, at 31 (noting
that score produced by data brokers ``could be used to determine the
types of offers consumers may receive, the number of offers, or even
the level of customer service provided to specific individuals'').
---------------------------------------------------------------------------
Notwithstanding these harms, for years many data brokers have
attempted to avoid liability under the FCRA by arguing that the
``expected to be used'' portion of the statute's definition of consumer
report is satisfied only if the person selling the communication
expects that the buyer will use the communication for a purpose
described in FCRA section 603(d)(1), such as to assess the consumer's
eligibility for credit. According to this argument, if the seller
expects that the buyer will use the communication for another purpose,
such as to market products, the ``expected to be used'' portion of the
definition is not satisfied. And as long as the communication was not
actually used, and the information in the communication was not
collected, for a purpose described in FCRA section 603(d)(1), this
argument provides that there is no consumer report and the FCRA does
not apply. Where courts have been presented with certain fact patterns,
such as where the data broker took steps to monitor and prohibit the
sale of data for FCRA uses, this has sometimes served as an adequate
defense. However, it is unclear whether courts have been squarely
presented with an alternative approach to the issue.\93\
---------------------------------------------------------------------------
\93\ See, e.g., Ippolito v. WNS, Inc., 864 F.2d 440, 450-51 (7th
Cir. 1988) (focusing on the purchaser's conduct in determining
whether the entity that sold a report expected that it would be used
for an FCRA-covered purpose).
---------------------------------------------------------------------------
Construing the phrase ``expected to be used'' in this way leads to
a result contrary to the FCRA's stated objective in section 602(a)(4)
of ``respect[ing] . . . the consumer's right to privacy.'' Section
604's prohibition on furnishing consumer reports for non-permissible
purposes, such as marketing outside of the prescreening context, is
evaded by the very acts that section 604 purportedly prohibits. This is
because, as the FCRA defines the term ``consumer report'' in section
603(d)(1)(C), a communication of information is not a consumer report
unless it is used or expected to be used for a permissible purpose in
the first place--i.e., for a purpose ``authorized under section
[604].'' This reading of ``expected to be used'' would render section
604's prohibitions a nullity with respect to the furnishing of consumer
reports for non-permissible purposes, except for the fact that a
communication of information could still be a consumer report if the
information was ``collected in whole or in part'' for a permissible
purpose. Under this reading, if an entity collects information for a
permissible purpose, it cannot provide that same information for an
impermissible purpose.
But it would shortchange the FCRA's privacy-protecting objectives
to conclude that consumer information collected by a consumer reporting
agency for a purpose authorized under section 604 is subject to all of
the FCRA's restrictions, including prohibitions on uses outside of what
section 604 authorizes, while identical consumer information collected
by a data broker solely for a purpose not authorized under section 604
is subject to none of the FCRA's restrictions. Under such an
interpretation, for example, Congress would have prohibited a consumer
reporting agency that collects consumers' income information for use by
banks in making credit eligibility decisions from selling that
information for marketing purposes (or any other non-permissible
purpose), but it would have permitted a data broker that collects the
exact same income information solely for purposes Congress did not
authorize in the FCRA to sell the information for those purposes. This
has led to the unregulated proliferation of the very types of consumer
information that the FCRA's framers intended to protect.\94\
---------------------------------------------------------------------------
\94\ See 115 Cong. Rec. S2413 (Jan. 31, 1969) (statement of
FCRA's primary sponsor expressing concern about companies that
maintain ``files on millions of Americans, including their
employment, income, billpaying record, marital status, habits,
character and morals'' without adequate regulations restricting the
files' use).
---------------------------------------------------------------------------
Proposed Sec. 1022.4(c)(2) would avoid this result and conform
with Congress's intent to protect consumers' right to privacy by
providing that certain types of information about consumers--namely,
credit history, credit score, debt payments, and income or financial
tier--are expected to be used for a purpose described in proposed Sec.
1022.4(a)(2) even if the specific communication in which the
information is conveyed is not itself used or expected to be used for
such a purpose.
The CFPB proposes that the text of FCRA section 603(d)(1) alone may
support proposed Sec. 1022.4(c)(2). In contrast to prior case law that
did not consider this approach, the CFPB preliminarily determines that
the part of the definition of consumer report referring to what the
sender ``expects'' could be construed as referring not to how the
sender expects the ``communication'' or report will be used, but rather
to how the sender expects the ``information'' within the report will be
used.\95\ ``Information'' is defined as ``knowledge obtained from
investigation, study, or instruction; intelligence, news; facts,
data.'' \96\ Accordingly, whether information ``is expected to be
used'' for a particular purpose may depend, in part, on how the facts
in a communication might be used in the future, even if they are
provided by other entities in different ``communications'' or reports.
---------------------------------------------------------------------------
\95\ Cf. Mintun v. Equifax Info. Servs., LLC, 535 F. Supp. 3d
988, 994 (D. Nev. 2021).
\96\ See Information, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/information (last visited Oct.
15, 2024).
---------------------------------------------------------------------------
The CFPB preliminarily concludes that a data broker selling
information about a consumer's credit history, credit score, debt
payments (including on non-credit obligations), or income or financial
tier should know that such information is typically used in determining
a consumer's eligibility for credit, and therefore should expect that
such information will be used for an FCRA purpose. According to FICO,
for example, its credit scores are used in 90 percent of all lending
decisions.\97\ Moreover, in assessing a consumer's eligibility for a
mortgage loan, the nation's largest lenders consider, among other
things, a prospective borrower's income (often by reviewing a
consumer's W-2 statements, tax returns, and pay stubs), as well as the
borrower's credit history and level of indebtedness
[[Page 101414]]
(often by reviewing multiple or merged consumer reports).\98\ Indeed,
the government-sponsored entities that purchase a substantial portion
of residential mortgage loans \99\ require lenders to obtain a
consumer's credit report and score, and consider a consumer's income
and recurring debt payments, before making a loan.\100\ And the CFPB's
ability-to-repay rules require lenders to consider similar
information.\101\
---------------------------------------------------------------------------
\97\ Basic Facts About FICO Scores, FICO, https://www.fico.com/en/latest-thinking/fact-sheet/basic-facts-about-fico-scores (last
visited Oct. 30, 2024).
\98\ See, e.g., What Documents Are Needed to Apply for a
Mortgage?, Chase, https://www.chase.com/personal/mortgage/education/financing-a-home/mortgage-application (last visited Oct. 30, 2024);
How to Apply for a Mortgage, Bank of America, https://www.bankofamerica.com/mortgage/learn/how-to-apply-for-a-mortgage/
(last visited Oct. 30, 2024); Home-Buying & Mortgage Process, US
Bank, https://www.usbank.com/home-loans/mortgage/first-time-home-buyers/mortgage-process.html (last visited Oct. 30, 2024);
Importance of Credit, Debt, and Savings When Buying a House, Wells
Fargo, https://www.wellsfargo.com/mortgage/learning/getting-started/importance-of-credit-debt-savings-in-homebuying/ (last visited Oct.
15, 2024); Hanna Kielar, Qualifying For A Mortgage: The Basics,
Rocket Mortgage (Apr. 10, 2024), https://www.rocketmortgage.com/learn/mortgage-qualification.
\99\ See Fed. Hous. Fin. Agency, FHFA Statistics, What Types of
Mortgages Do Fannie Mae and Freddie Mac Acquire? (Apr. 14, 2021),
https://www.fhfa.gov/blog/statistics/what-types-of-mortgages-do-fannie-mae-and-freddie-mac-acquire (listing enterprise share of
mortgage originations by year).
\100\ See, e.g., Fannie Mae, Selling Guide: Fannie Mae Single
Family, at B3 (June 5, 2024), https://singlefamily.fanniemae.com/media/39241/display; Freddie Mac, Seller/Servicer Guide, at Series
5000, https://guide.freddiemac.com/app/guide/series/5000 (last
visited Oct. 30, 2024).
\101\ Regulation Z, 12 CFR 1026.43(c).
---------------------------------------------------------------------------
As a practical matter, if proposed Sec. 1022.4(c)(2) were
finalized, then, under FCRA section 604, data brokers and similar
entities that otherwise met the definition of a consumer reporting
agency could not sell reports containing a consumer's credit history,
credit score, debt payments, or income or financial tier to anyone who
lacked a permissible purpose to obtain them, such as a company that
intended to use the reports for marketing purposes outside of the
statute's pre-screening provisions.\102\ Such entities also would need
to comply with the FCRA's other prohibitions and requirements for
consumer reporting agencies, such as the requirement in FCRA section
607 to follow reasonable procedures to assure maximum possible accuracy
of the information in their reports, and the requirements in FCRA
sections 609 and 611 to disclose certain information to consumers and
to investigate consumers' disputes.\103\
---------------------------------------------------------------------------
\102\ 15 U.S.C. 1681b.
\103\ 15 U.S.C. 1681e, 1681g, 1681i.
---------------------------------------------------------------------------
If proposed Sec. 1022.4(c)(2) is finalized, a substantial number
of additional data brokers operating today likely will qualify as
consumer reporting agencies selling consumer reports under the FCRA,
resulting in improved consumer protections and a substantial reduction
in the volume of consumer information being bought and sold for
non-permissible purposes, such as marketing. In addition, proposed Sec.
1022.4(c)(2), if finalized, should make it more difficult for bad
actors to purchase consumer information from data brokers and threaten
national security or facilitate financial scams and fraud. In these
ways, proposed Sec. 1022.4(c)(2) would further the FCRA's broad
remedial purpose \104\ and Congress's intent to protect consumers'
right to privacy and to provide greater protections for particularly
sensitive consumer information.\105\
---------------------------------------------------------------------------
\104\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
\105\ See 15 U.S.C. 1681(a).
---------------------------------------------------------------------------
In the Small Business Review Panel Outline, the CFPB described a
proposal under consideration that would have provided that information
in a communication is expected to be used for an FCRA purpose if the
information is the type of information typically used for such a
purpose. The Small Business Review Panel recommended that the CFPB
consider how best to provide guidance on the types of information about
consumers that are typically used for an FCRA purpose. Proposed Sec.
1022.4(c)(2) is limited to the four types of information listed in that
section: a consumer's credit history, credit score, debt payments, and
income or financial tier. This limitation creates a bright-line rule
that is responsive to the Small Business Review Panel's feedback, and
that should simplify compliance and enforcement and reduce market
uncertainty. The CFPB requests comment on whether it would be helpful
to provide further guidance defining the four types of information
listed in proposed Sec. 1022.4(c)(2).
The CFPB notes that proposed Sec. 1022.4(c)(2) would cover, for
example, a list of people with income or credit scores above or below a
certain number or within a certain range, even if a consumer's precise
income or credit score is not specified. If all other elements of the
definitions of consumer report and consumer reporting agency were
satisfied, the list would be a series of consumer reports and the
entity communicating the list would be a consumer reporting agency. In
addition, the CFPB reiterates that information would need to satisfy
only one of the tests in proposed Sec. 1022.4(c) for the ``expected to
be used'' element of the definition of consumer report to be met. In
other words, the communication of information that is not specifically
listed in proposed Sec. 1022.4(c)(2)--including, for example, criminal
records, employment information, eviction history, and alternative data
\106\--could still be a consumer report if the person communicating the
information expects or should expect that a recipient of the
information in the communication will use the information for an FCRA
purpose.
---------------------------------------------------------------------------
\106\ See generally 82 FR 11183 (Feb. 21, 2017) (request for
information about the use or potential use of alternative data in
the credit process).
---------------------------------------------------------------------------
The CFPB proposes Sec. 1022.4(c)(2) as an administrable,
bright-line rule for certain categories of information to implement the phrase
``expected to be used'' in the FCRA's definition of consumer report.
The CFPB also proposes Sec. 1022.4(c)(2) pursuant to its authority to
prescribe regulations necessary to carry out the purposes of the FCRA
and prevent evasion. It is likely that a substantial number of data
brokers sell the types of information listed in proposed Sec.
1022.4(c)(2), and that a substantial number of the entities that buy
such information from data brokers in fact use it for FCRA purposes--
including to make credit eligibility determinations. Nevertheless, many
data brokers attempt to avoid the legal obligations of the FCRA by
remaining ignorant of how their data ultimately is used, in some
instances by selling data without inquiring into the buyer's identity
or intended use of the data, in other instances by ignoring certain
uses or disclaiming liability for them, and in other instances by
selling data to intermediary entities that sell it further
downstream.\107\ These practices--data brokers' sale of information
that is typically used for credit eligibility determinations and data
brokers' minimal oversight of the uses to which that information is
[[Page 101415]]
put \108\--have created a unique likelihood that the information sold
by data brokers will be used by downstream buyers to evaluate a
consumer's eligibility for credit.\109\ Data brokers collect, buy, and
sell the same types of data that consumer reporting agencies assemble
and disseminate, and the data broker industry poses many of the same
risks that the FCRA was designed to address.\110\ Yet many data brokers
have attempted to evade coverage under the statute. One purpose of
proposed Sec. 1022.4(c)(2) is to prevent further evasion.
---------------------------------------------------------------------------
\107\ See, e.g., Duke Report on Data Brokers and Military
Personnel Data, supra note 2, at 25-29; Compl. For Permanent Inj.,
Monetary Relief, Other Equitable Relief, and Civil Penalties, FTC v.
Instant Checkmate, LLC, No. 3:23-cv-01674 TWR (MSB) (S.D. Cal. Sept.
11, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/truthfinder_complaint.pdf; Press Release, Fed. Trade Comm'n, FTC
Warns Data Broker Operations of Possible Privacy Violations (May 7,
2013), https://www.ftc.gov/news-events/news/press-releases/2013/05/ftc-warns-data-broker-operations-possible-privacy-violations.
\108\ See, e.g., Duke Report on Data Brokers and Sensitive Data,
supra note 29, at 4-8; FTC Data Broker Report, supra note 25, at
B1-B5.
\109\ See 15 U.S.C. 1681a(d)(1)(A) through (C) and 1681b(a)(3).
\110\ See 115 Cong. Rec. S2413 (Jan. 31, 1969).
---------------------------------------------------------------------------
The CFPB requests comment on proposed Sec. 1022.4(c)(2) and other
possible approaches to implementing the definition of consumer report,
as well as on the potential impacts of each approach, including on
whether they would advance the privacy interests of consumers and
protect consumers from data misuses and abuses. In addition, the CFPB
requests comment on the possible effects, if proposed Sec.
1022.4(c)(2) is finalized, on entities that furnish data to, purchase
data from, or rely on the services of entities that would qualify as
consumer reporting agencies selling consumer reports.
4(d) Personal Identifiers for a Consumer
Proposed Sec. 1022.4(d) relates to certain personal identifiers
for a consumer that are often referred to as ``credit header''
information. Personal identifiers typically appear at the top of
consumer reports and include, for example, names, date of birth,
addresses, Social Security number (SSN), and telephone number. In Sec.
1022.4(d)(1), the CFPB proposes to provide that the term ``consumer
report'' includes a communication by a consumer reporting agency of a
personal identifier for a consumer that was collected by the consumer
reporting agency in whole or in part for the purpose of preparing a
consumer report about the consumer. This would mean that a consumer
reporting agency could only make such a communication if the user had a
permissible purpose under the FCRA to obtain it. Proposed Sec.
1022.4(d)(2) sets forth an enumerated list of information that would
constitute personal identifiers for a consumer. The CFPB proposes Sec.
1022.4(d) to prevent the misuse of personal identifiers collected by
consumer reporting agencies to prepare consumer reports and to prevent
evasions of the FCRA.
How Personal Identifiers Are Treated Today
The FTC has addressed personal identifiers collected by consumer
reporting agencies in various contexts over the last few decades and
has generally taken a fact-specific approach in determining whether
communications of identifying information by consumer reporting
agencies are consumer reports. For example, in 2000, the FTC determined
in an administrative opinion that age was consumer report information
when communicated by a consumer reporting agency,\111\ but that various
other types of personal identifiers were not, based on evidence in a
proceeding regarding whether the different types of information bore on
the seven factors specified in the definition of consumer report and
how they were used or expected to be used.\112\ In its 2011 staff
report, the FTC indicated that demographic and identifying information
about consumers such as name and address generally is not considered
consumer report information under the FCRA, unless it is used for
eligibility determinations.\113\ The FTC stated that a report limited
to identifying information does not constitute a consumer report if it
does not bear on any of the seven factors specified in the definition
and is not used to determine eligibility.\114\
---------------------------------------------------------------------------
\111\ In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb.
10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (``[T]he record shows
that an individual's age does bear on their credit capacity and is
used in credit granting decisions. . . . The record . . .
demonstrates that lenders use age information as a factor in credit
granting decisions. Further, age clearly bears on credit capacity
where state laws restrict contracting with minors. Therefore, age
information falls within the definition of a consumer report and its
disclosure by a CRA to target marketers violates the FCRA.'')
(citations omitted); see also 65 FR 33645, 33668 n.35 (May 24, 2000)
(noting that age is consumer report information).
\112\ In re Trans Union Corp., FTC Docket No. 9255, at 30-31
(Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (concluding that
(1) name, mother's maiden name, generational designator, telephone
number, and SSN were not consumer report information because the
evidence presented in the proceeding did not show that they bore on
any of the seven factors specified in the definition of consumer
report, and (2) address was not consumer report information because,
while it might bear on creditworthiness, the evidence presented in
the proceeding did not show that address was used or expected to be
used as a credit eligibility factor in scoring or as a credit
criterion in prescreening).
\113\ FTC 40 Years Staff Report, supra note 21, at 1 n.4.
\114\ Id. at 21. The 2011 staff report indicated, for example,
that ``[t]elephone and other directories that only provide names,
addresses, and phone numbers, are not `consumer reports,' because
the information is not collected to be used or expected to be used
in evaluating consumers for credit, insurance, employment, or other
purposes.'' The FTC recognized, however, that a list of consumers'
names and addresses is a series of consumer reports if the list is
assembled or defined by reference to characteristics or other
information that is also used (even in part) in eligibility
decisions. For example, the FTC noted that ``a list comprised solely
of consumer names and addresses, but compiled based on the criterion
that every name on the list has at least one active trade line,
updated within six months, is a series of consumer reports.'' Id.
---------------------------------------------------------------------------
In finalizing its initial privacy regulation under the
Gramm-Leach-Bliley Act (GLBA), the FTC explained that, to the extent that a
consumer reporting agency's communication of ``credit header''
information is not a consumer report, GLBA and its implementing
regulation limit consumer reporting agencies' redisclosure of
information furnished by financial institutions pursuant to the GLBA's
consumer reporting exception, which allows financial institutions to
share nonpublic personal information with a consumer reporting agency
in accordance with the FCRA without providing consumers notice and an
opportunity to opt out of such sharing.\115\ Specifically, the FTC
explained that GLBA and its implementing regulation do not allow a
consumer reporting agency that receives information pursuant to this
exception to redisclose the information to ``individual reference
services, direct marketers, or any other party that does not have a
permissible purpose to obtain that information as part of a consumer
report.'' \116\ The FTC noted, however, that consumer reporting
agencies may be able to sell consumer identifying information if they
receive the information from financial institutions outside of a GLBA
exception.\117\
---------------------------------------------------------------------------
\115\ 65 FR 33646, 33668 (May 24, 2000) (citing 15 CFR
313.15(a)(5), which the CFPB later restated in Regulation P as 12
CFR 1016.15(a)(5)).
\116\ 65 FR 33646, 33668 (May 24, 2000) (declining requests that
the FTC create a new exception to the reuse and redisclosure
limitations that would allow consumer reporting agencies to sell
``credit header'' information); see also Trans Union LLC v. FTC, 295
F.3d 42 (D.C. Cir. 2002) (rejecting challenges to FTC privacy rule,
including to its handling of header information).
\117\ 65 FR 33646, 33668-69 (May 24, 2000).
---------------------------------------------------------------------------
Courts considering communications of personal identifiers by
consumer reporting agencies have generally concluded that such
communications are not consumer reports, largely on the ground that the
information does not bear on the factors specified in the
definition.\118\ However, similar to the
[[Page 101416]]
FTC's guidance, some decisions have recognized that communications of
identifying information may meet the FCRA definition of consumer report
in specific circumstances.\119\
---------------------------------------------------------------------------
\118\ See, e.g., Gray v. Experian Info. Sols. Inc., No.
8:23-CV-981-WFJ-AEP, 2023 WL 6895993, at *3-4 (M.D. Fla. Oct. 19, 2023);
Bickley v. Dish Network, LLC, 751 F.3d 724, 729 (6th Cir. 2014); Ali
v. Vikar Mgmt. Ltd., 994 F. Supp. 492, 497, 499 (S.D.N.Y. 1998);
Dotzler v. Perot, 914 F. Supp. 328, 330-31 (E.D. Mo. 1996), aff'd,
124 F.3d 207 (8th Cir. 1997).
\119\ Steinmetz v. LexisNexis, No. 2:19-CV-00070-RFB-DJA, 2020
WL 2198974, at *3 (D. Nev. May 5, 2020) (noting that ``it is not
inconceivable that information like one's birthdate could be
relevant for determining eligibility for certain consumer credit
products'').
---------------------------------------------------------------------------
Consumer reporting agencies and other industry stakeholders have
generally taken the position that personal identifiers are not subject
to the FCRA at all.\120\ Consumer reporting agencies thus currently
sell ``credit header'' information for purposes that are not
permissible purposes under the FCRA.\121\ For example, such information
appears to be offered for sale for purposes not authorized under
section 604, such as marketing \122\ that is not done in accordance
with the statute's prescreening or written instructions
provisions.\123\
---------------------------------------------------------------------------
\120\ See, e.g., Comment from stakeholder Equifax, Re: CFPB's
Small Business Advisory Review Panel for Consumer Reporting
Rulemaking--Outline of Proposals and Alternatives Under
Consideration, at 2 (Nov. 6, 2023) (``Credit header information,
such as name, current and former addresses, Social Security number,
date of birth, and phone number, does not meet the current,
definitional standard for a consumer report.''). Indeed, an industry
trade association has erroneously suggested that the FTC has
categorically excluded identifying information from the definition
of consumer report. Comment from stakeholder CDIA, Re: CFPB's Small
Business Advisory Review Panel for Consumer Reporting Rulemaking--
Outline of Proposals and Alternatives Under Consideration, at 13
(Nov. 6, 2023) (``The FTC's long-standing and unambiguous
interpretation of the FCRA is that identifying information (i.e.,
credit header information) does not constitute a consumer
report.'').
\121\ See, e.g., What Is Credit Header?, Tracers (Oct. 22,
2020), https://www.tracers.com/blog/what-is-credit-header/ (``You
can see how beneficial all of this information can be if you're a
business trying to reach out to brand new or existing customers.
This type of data isn't regulated under the Fair Credit Reporting
Act because it's not part of a customer's credit history, which
means you can use it in a variety of ways for your business's
benefit.'').
\122\ See, e.g., Introducing Acxiom Auto 360: Data Solution for
OEMs and Car Dealerships, Acxiom, https://www.acxiom.com/auto-360/
(last visited Oct. 30, 2024) (``What if you needed only one,
incredibly powerful data-marketing tool? One solution using
best-in-industry capabilities combining household data sets with credit
header data and adding insights to influence a customer's next
buying decision.'').
\123\ FCRA section 604(c)(1)(B) permits consumer reporting
agencies to furnish consumer reports in connection with credit or
insurance transactions not initiated by the consumer under certain
conditions, including that the consumer reporting agency must allow
consumers to opt out of the prescreening process, the user must
provide a firm offer of credit or insurance to consumers whose
information they receive, and both the consumer reporting agency and
the user must comply with notice requirements. FCRA section
604(a)(2) permits consumer reporting agencies to furnish a consumer
report in accordance ``with the written instructions of the consumer
to whom it relates.''
---------------------------------------------------------------------------
Implementing the FCRA's Definition of the Term ``Consumer Report''
The CFPB proposes Sec. 1022.4(d) pursuant to its authority under
FCRA section 621(e)(1) to ``prescribe regulations as may be necessary
or appropriate to administer and carry out the purposes and
objectives'' of the FCRA, including the definition of consumer report
in FCRA section 603(d). As noted above, a consumer report under the
FCRA is, in general, a communication by a consumer reporting agency of
any information that: (1) bears on at least one of seven specified
factors; and (2) is used or expected to be used or collected in whole
or in part for the purpose of serving as a factor in establishing a
consumer's eligibility for credit, insurance, or employment purposes or
for any other purpose authorized under FCRA section 604. The CFPB
preliminarily concludes that a consumer reporting agency's
communication of a personal identifier for a consumer that the consumer
reporting agency collected for the purpose of preparing a consumer
report about the consumer meets both prongs of the definition and,
therefore, that a communication of such information by a consumer
reporting agency is a consumer report.
The CFPB preliminarily concludes that personal identifiers for a
consumer bear on one or more of the seven factors specified in the
definition of consumer report. Those factors are a consumer's
creditworthiness, credit standing, credit capacity, character, general
reputation, personal characteristics, or mode of living.
Webster's dictionary defines ``characteristic'' as ``a
distinguishing trait, quality, or property.'' \124\ A consumer's names
(including aliases), age or date of birth, addresses, telephone
numbers, email addresses, and SSN or Individual Taxpayer Identification
Number (ITIN) are all themselves personal characteristics of the
consumer because they are personal traits, qualities, or properties
that serve to distinguish the consumer.\125\
---------------------------------------------------------------------------
\124\ See Characteristic, Merriam-Webster.com Dictionary,
https://www.merriam-webster.com/dictionary/characteristic (last
visited Oct. 30, 2024).
\125\ See, e.g., Moreland v. CoreLogic SafeRent LLC, No. SACV
13-470 AG ANX, 2013 WL 5811357, at *4 (C.D. Cal. Oct. 25, 2013)
(``Where a person lives is a fundamental `personal characteristic [
].' '').
---------------------------------------------------------------------------
Personal identifiers for a consumer also can bear on the specified
factors in other ways. For example, a consumer's current and former
names and aliases may bear on the consumer's mode of living by
revealing family associations, marital history, and the names the
consumer has chosen to use. Similarly, email addresses that the
consumer uses or has used may, for example, provide information about
the consumer's educational or employment associations. Addresses and
telephone numbers provide information about where a consumer has lived,
how often they have moved, and whether they receive mail at a post
office box, which are part of the consumer's mode of living. The fact
that no SSN is provided for a consumer or that another identification
number (such as an ITIN or a matricula consular number) is provided can
reveal information about the consumer's immigration status, which is a
personal characteristic and bears on the consumer's mode of living.
Additionally, the mere fact that a particular consumer reporting
agency or type of consumer reporting agency has personal identifiers
for a consumer can itself bear on one or more of the factors specified
in the definition of consumer report. For example, the fact that a
nationwide consumer reporting agency has personal identifiers for a
consumer suggests that it has credit records about the consumer and the
consumer is not ``credit invisible,'' which goes to the consumer's
credit capacity or credit standing. Similarly, the fact that a
particular type of specialty consumer reporting agency has personal
identifiers for a consumer might suggest that the consumer rents rather
than owns their home; has applied for individually underwritten life or
health insurance; has had claims filed against their homeowner's or
automobile insurance policies; or has a telecommunication, pay TV, or
utility account.\126\
---------------------------------------------------------------------------
\126\ See, e.g., Consumer Fin. Prot. Bureau, List of Consumer
Reporting Companies (2024), https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/companies-list/ (last visited Oct. 15, 2024) (``Most
tenant screening companies won't have information on you unless you
apply for rental housing or otherwise authorize a landlord or
property manager to obtain a report from them.''); Request Your MIB
Underwriting Services Consumer File, MIB Group, https://www.mib.com/request_your_record.html (last visited Oct. 15, 2024) (``You will
not have an MIB Underwriting Services Consumer File unless you have
applied for individually underwritten life or health insurance in
the last seven years.''); Natalie Todoroff & Jessa Claeys, What are
CLUE reports in insurance? Bankrate (Sept. 3, 2024), https://www.bankrate.com/insurance/homeowners-insurance/clue-report/
(describing information included in CLUE reports); NCTUE empowers
you to take control of your credit, NCTUE Consumers, https://nctue.com/consumers/ (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
The CFPB also preliminarily determines that personal identifiers
collected by consumer reporting agencies to prepare consumer reports
meet the second prong of the definition
[[Page 101417]]
of consumer report because they are used or expected to be used or
collected in whole or in part for the purpose of serving as a factor in
establishing the consumer's eligibility for consumer credit or
insurance, employment purposes, or other purposes authorized under FCRA
section 604. The personal identifiers at issue in this proposal are
only information that comes from entities that are already consumer
reporting agencies that furnish consumer reports, and the question is
whether such entities can take the sensitive contact information that
they collect to prepare consumer reports and sell it for purposes not
authorized under the FCRA. In that fact pattern, the CFPB preliminarily
determines that the sensitive contact information was ``collected in
whole or in part'' to populate consumer reports to furnish to clients
that use it for a permissible purpose. Proposed Sec. 1022.4(d) does
not address data brokers that sell contact information that was not
collected for the purpose of preparing consumer reports.
Moreover, every time any information from a consumer report, such
as income or employment history, is used as a factor in determining
eligibility for an FCRA purpose, a personal identifier for the consumer
must also be used. Otherwise, it would be impossible for users to be
sure that the information used from the consumer report relates to the
correct consumer.
Indeed, personal identifiers provided by consumer reporting
agencies can be critical in assessing whether applicable requirements
are met. For example, employers may be required for certain positions
to ensure that prospective employees do not appear on a sex offender
registry and may use names and other personal identifiers from consumer
reporting agencies to do so. Similarly, financial institutions and
others may use names and other personal identifiers in determining
whether an applicant for credit or other products or services is on the
list of Specially Designated Nationals maintained by the Office of
Foreign Assets Control (OFAC) or one of OFAC's other sanctions lists,
to ensure that OFAC's regulations do not prohibit them from approving
the transaction.\127\
---------------------------------------------------------------------------
\127\ See generally Off. of Foreign Assets Control, U.S. Dep't
of Treas., FFIEC, BSA/AML Manual: Office of Foreign Assets Control--
Overview, https://bsaaml.ffiec.gov/manual/OfficeOfForeignAssetsControl/01 (last visited Oct. 15, 2024); Cortez
v. Trans Union, LLC, 617 F.3d 688, 707-08 (3rd Cir. 2010) (``Trans
Union invites us to conclude that information that goes to the very
legality of a credit transaction is somehow not `a factor in
establishing the consumer's eligibility . . . for credit.'. . . . It
is difficult to imagine an inquiry more central to a consumer's
`eligibility' for credit than whether federal law prohibits
extending credit to that consumer in the first instance. The
applicability of the FCRA is not negated merely because the
creditor/dealership could have used the OFAC Screen to comply with
the USA PATRIOT Act, as well as deciding whether it was legal to
extend credit to the consumer.''); Off. of Foreign Assets Control,
U.S. Dep't of Treas., Frequently Asked Question #46 (Sept. 10,
2002), https://ofac.treasury.gov/faqs/46 (last visited Oct. 15,
2024) (discussing what to provide as a denial reason on an adverse
action notice if a loan meets an institution's underwriting
standards but is a true ``hit'' on the Specially Designated
Nationals list).
---------------------------------------------------------------------------
Personal identifiers provided by consumer reporting agencies can
also serve as a factor in eligibility determinations in other ways. For
example, age may be specifically considered in determining whether a
consumer meets requirements for credit and insurance products and
services. Minors, for example, may be ineligible to even enter into
contracts under State law, and some products such as reverse mortgages
are only offered to seniors.\128\ Age also can determine whether an
applicant is eligible for a particular employment position or for
benefits such as Social Security retirement benefits and Supplemental
Security Income.\129\ Similarly, whether a consumer has an SSN can
affect eligibility for employment, Social Security benefits, and
certain other government benefits.\130\
---------------------------------------------------------------------------
\128\ Fed. Trade Comm'n, Reverse Mortgages (Aug. 2022), https://consumer.ftc.gov/articles/reverse-mortgages (noting that you cannot
legally commit to a regular mortgage until you are 18, unless you
have a co-signer, and that you must be 62 or older to get a reverse
mortgage); cf. In re Trans Union Corp., FTC Docket No. 9255, at 31
(Feb. 10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (explaining
various ways in which age had been used in credit granting
decisions).
\129\ See, e.g., Soc. Sec. Admin., Retirement Benefits, at 2-4
(2024), https://www.ssa.gov/pubs/EN-05-10035.pdf (explaining age
restrictions for Social Security retirement benefits); Soc. Sec.
Admin., Supplemental Security Income (SSI) Eligibility Requirements
(2024), Understanding SSI--SSI Eligibility (ssa.gov).
\130\ Soc. Sec. Admin., Social Security Numbers for Noncitizens
(Apr. 2023), https://www.ssa.gov/pubs/EN-05-10096.pdf (``You need an
SSN to work, collect Social Security benefits, and receive other
government services.'').
---------------------------------------------------------------------------
Address information provided by consumer reporting agencies can
also play a role in eligibility determinations. For example, many
financial service providers and insurance companies are only licensed
to operate in particular States and therefore can only offer their
products or services to consumers residing in those jurisdictions.
Federally regulated lenders are also prohibited from making a mortgage
loan to a consumer if a property is not covered by flood insurance and
is located in a Special Flood Hazard area where flood insurance is
available.\131\ Employment positions may be limited to residents of
certain localities.
---------------------------------------------------------------------------
\131\ 42 U.S.C. 4012a(b).
---------------------------------------------------------------------------
In light of all of these considerations, the CFPB preliminarily
concludes that communications by consumer reporting agencies of
personal identifiers for a consumer that are collected by a consumer
reporting agency for the purpose of preparing consumer reports about
the consumer are consumer reports. FCRA section 608 further supports
this interpretation by specifically permitting consumer reporting
agencies to share ``identifying information respecting any consumer,
limited to his name, address, former addresses, places of employment,
or former places of employment'' with a governmental agency
notwithstanding the permissible purpose requirements for consumer
reports.\132\ If identifying information were entirely excluded from
the definition of consumer report as industry has suggested, there
would have been no need for Congress to craft FCRA section 608 to
expressly allow sharing of certain identifying information with
government agencies.
---------------------------------------------------------------------------
\132\ 15 U.S.C. 1681f.
---------------------------------------------------------------------------
Proposed Sec. 1022.4(d) Would Promote the FCRA's Goals and Prevent
Misuse of Personal Identifiers
Proposed Sec. 1022.4(d) would promote the FCRA's goals of ensuring
accuracy and fairness in consumer reporting by ensuring that personal
identifiers collected by consumer reporting agencies for the purpose of
preparing consumer reports are subject to all of the FCRA's protections
that apply to consumer reports. A primary purpose of the FCRA is ``to
protect consumers from the transmission of inaccurate information about
them, and to establish credit reporting practices that utilize
accurate, relevant, and current information in a confidential and
responsible manner.'' \133\ The CFPB has long recognized how important
personal identifiers are in ensuring the accuracy of consumer
reports.\134\ Specifying that such information is a consumer report
when it is communicated on its own by a consumer reporting agency would
ensure that consumers receive notice when adverse actions are taken
based on the information, thereby alerting
[[Page 101418]]
consumers to inaccuracies in their personal identifiers as well as
increasing visibility for consumers into users' decision-making. It
would also help confirm that consumers have a right to dispute
incorrect personal identifiers maintained by consumer reporting
agencies and have their information corrected.\135\ For example, there
may be consumers who are being denied credit, insurance, employment, or
benefits due to an address or SSN discrepancy resulting from erroneous
information and who would benefit from an adverse action notice so they
can identify and clear up the error.
---------------------------------------------------------------------------
\133\ Guimond v. Trans Union Credit Info. Co., 45 F.3d 1329,
1333 (9th Cir. 1995) (citations omitted).
\134\ For example, the CFPB highlighted in an advisory opinion
regarding name-only matching the importance of consumer reporting
agencies' matching procedures in ensuring accuracy. 86 FR 62468
(Nov. 10, 2021). However, even the best matching procedures cannot
prevent mistakes if the identifying information maintained by
consumer reporting agencies is itself wrong.
\135\ In the absence of a bright-line rule regarding personal
identifiers, at least one consumer reporting agency has taken the
position that consumer reporting agencies have no obligation to
investigate consumer disputes about inaccurate identifying
information that they use in generating consumer reports,
notwithstanding the fact that the FCRA clearly requires them to do
so. See Brief of Amici Curiae, Consumer Fin. Prot. Bureau and Fed.
Trade Comm'n in Supp. of Plaintiff-Appellant, Nelson v. Experian
Info. Sols., Inc., No. 4:21-cv-00894-CLM (11th Cir. filed Mar. 29,
2024), https://files.consumerfinance.gov/f/documents/cfpb_amicus-brief-nelson-v-experian_2024-03.pdf.
---------------------------------------------------------------------------
Providing that the term ``consumer report'' includes personal
identifiers collected by consumer reporting agencies to prepare
consumer reports would also protect consumers' privacy by limiting
access to such information to entities that have one of the purposes
recognized by Congress in the FCRA. As discussed elsewhere in this
document, recent studies by Duke University have found that data
brokers are openly and explicitly advertising for sale sensitive
demographic and other information about U.S. individuals, including
active-duty members of the military, their families, and veterans,
which can be used to identify and compromise or blackmail them in order
to obtain sensitive military information, threatening national
security.\136\ Personal identifiers may include sensitive information,
including SSNs and driver's license numbers, as well as addresses and
telephone numbers for people who do not wish to be located, such as
domestic violence survivors seeking to stay safe from their abusers.
Consumer groups have noted that, because consumer reporting agencies
sell ``credit header'' information, this information has become readily
available for purchase online. They have expressed concern that this
online marketplace for ``credit header'' information is used for
doxing, identity theft, harassment, and physical violence.\137\
Investigative reporting by 404 Media indicates that criminals have
obtained access to ``credit header'' information and are selling
unfettered access to such data to other criminals.\138\
---------------------------------------------------------------------------
\136\ Duke Report on Data Brokers and Military Personnel Data,
supra note 2; Duke Report on Data Brokers and Sensitive Data, supra
note 29.
\137\ See, e.g., Comment from stakeholders Just Futures Law,
Consumer Action, and six other nonprofits, Re: CFPB's Small Business
Advisory Review Panel for Consumer Reporting Rulemaking--Outline of
Proposals and Alternatives Under Consideration, at 2 (Nov. 6, 2023).
\138\ Joseph Cox, The Secret Weapon Hackers Can Use to Dox
Nearly Anyone in America for $15, 404 Media (Aug. 22, 2023), https://www.404media.co/the-secret-weapon-hackers-can-use-to-dox-nearly-anyone-in-america-for-15-tlo-usinfosearch-transunion/?curator=TechREDEF (``This is the result of a secret weapon
criminals are selling access to online that appears to tap into an
especially powerful set of data: the target's credit header. . . .
Through a complex web of agreements and purchases, that data
trickles down from the credit bureaus to other companies who offer
it to debt collectors, insurance companies, and law enforcement. A
404 Media investigation has found that criminals have managed to tap
into that data supply chain, in some cases by stealing former law
enforcement officer's identities, and are selling unfettered access
to their criminal cohorts online.''); see also Joseph Cox & Emanuel
Maiberg, Fiverr Freelancers Offer to Dox Anyone With Powerful U.S.
Data Tool, 404 Media (July 2, 2024), https://www.404media.co/fiverr-freelancers-offer-to-dox-anyone-with-powerful-u-s-data-tool-tloxp/
(``Dozens of sellers on the freelancing platforming Fiverr claim to
have access to a powerful data tool used by private investigators,
law enforcement, and insurance firms which contains personal data on
much of the U.S. population. The sellers are then advertising the
ability to dig through that data for prospective buyers, including
uncovering peoples' Social Security numbers for as little as $30,
according to listings viewed by 404 Media. . . . The advertised tool
is TLOxp, maintained by the credit bureau TransUnion, and can also
provide a target's unlisted phone numbers, utilities, physical
addresses, and more.'').
---------------------------------------------------------------------------
Except for certain information that may be released to government
agencies under specific FCRA provisions, the proposal would curtail
consumer reporting agencies' ability to furnish without a permissible
purpose personal identifiers that had been collected for the purpose of
preparing consumer reports. The proposal would thus reduce the ability
of consumer reporting agencies to disclose sensitive contact
information that ultimately could be accessed and used by stalkers,
doxxers, domestic abusers, and other lawbreakers, as discussed above.
While the storage of Americans' sensitive data may be necessary to
facilitate lending, employment background checks, and other beneficial
uses prescribed under the FCRA, it cannot be used to facilitate crimes.
Impacts on Other Current Uses of Personal Identifiers
The Small Business Review Panel recommended that the CFPB consider
the impacts on current uses of ``credit header'' information
(including, e.g., for identity verification, fraud prevention and
detection, employment background checks, other investigations, and
digital advertising) and ways to mitigate any negative effects if
communications of ``credit header'' information are consumer
reports.\139\ Small entity representatives and others have noted that
``credit header'' information has numerous beneficial uses. For
example, it is often used currently to comply with legal obligations
related to identity verification. These obligations include customer
identification programs and anti-money laundering compliance
obligations pursuant to the USA PATRIOT Act and the Bank Secrecy Act,
which are designed to prevent and detect money laundering and the
financing of terrorism.\140\ According to industry trade associations,
``credit header'' information is also used for other purposes, such as
identifying and locating people in a range of contexts, including
missing children, victims of natural disasters, and responsible parties
and witnesses in insurance claims investigations and civil and criminal
matters.\141\ Other uses cited include investigating human trafficking,
ensuring that packages are sent to the correct address, preventing
online purchase fraud, and ensuring age-restricted content and
merchandise is not available to minors.
---------------------------------------------------------------------------
\139\ Small Business Review Panel Report, supra note 40, at 47-
48 & section 9.3.3.
\140\ For example, section 326 of the USA PATRIOT Act requires
the U.S. Department of Treasury's Financial Crimes Enforcement
Network (FinCEN) to prescribe regulations that require financial
institutions to establish programs for account opening that include:
(1) verifying the identity of any person seeking to open an account,
to the extent reasonable and practicable; (2) maintaining records of
the information used to verify the person's identity, including
name, address, and other identifying information; and (3)
determining whether the person appears on any lists of known or
suspected terrorists or terrorist organizations provided to the
financial institution by any government agency. 31 U.S.C. 5318(l).
\141\ Other examples cited include identifying and locating
owners of lost or stolen property, heirs, pension beneficiaries,
organ and tissue donors, suspects, terrorists, fugitives, tax
evaders, and parents and ex-spouses with delinquent child or spousal
support obligations.
---------------------------------------------------------------------------
Industry stakeholders have expressed concern that treating ``credit
header'' information as consumer report information may increase costs,
result in delays where time is of the essence, and cause consumer
frustration, while undermining efforts to combat money laundering,
terrorism, and other crimes. However, it appears that many of these
predictions overstate the consequences of reading the FCRA's definition
of consumer report to include communications of personal identifiers
collected by consumer reporting
[[Page 101419]]
agencies to prepare consumer reports. If the proposal is finalized,
identifying information would still be available in various ways. Many
current uses of such information, such as confirming an applicant meets
the minimum age requirement for a job or a loan, fall within specific
permissible purposes. If an entity has a permissible purpose under FCRA
section 604(a)(3) to obtain a consumer report, the entity can also use
the consumer report for identity verification and fraud prevention
activities conducted in connection with that permissible purpose. For
example, a creditor has a permissible purpose to use consumer report
information for identity verification and fraud prevention if such
activities are conducted in connection with a credit transaction that
involves an extension of credit to the consumer or review or collection
of a credit account of the consumer.\142\ A court order or a subpoena
can also provide an FCRA permissible purpose.\143\ Additionally, a
consumer's written instructions can provide a permissible purpose, such
as for any identity verification or fraud prevention activities that
are not conducted in connection with another permissible purpose.\144\
---------------------------------------------------------------------------
\142\ FCRA section 604(a)(3)(A), 15 U.S.C. 1681b(a)(3)(A).
\143\ FCRA section 604(a)(1), 15 U.S.C. 1681b(a)(1).
\144\ See infra discussion of proposed Sec. 1022.11.
---------------------------------------------------------------------------
Furthermore, proposed Sec. 1022.4(d) would not affect access to
identifying information from any sources that are not subject to the
FCRA. Proposed Sec. 1022.4(d) would not, for example, affect the
status or availability of an ordinary telephone directory or of any
other repository of identifying information that is not collected for
the purpose of preparing consumer reports. Other data sources could
include, for example, public records directly from a government entity,
such as property records, voter registrations, and professional license
filings.\145\
---------------------------------------------------------------------------
\145\ See discussion of government-run databases in the
discussion of proposed Sec. 1022.5 below.
---------------------------------------------------------------------------
Proposed Sec. 1022.4(d) also would not affect the status or
availability of identifying information obtained from financial
institutions for purposes other than to prepare consumer reports.\146\
The GLBA and Regulation P generally require financial institutions to
provide consumers with notice and a right to opt out of the sharing of
their nonpublic personal information with non-affiliated third parties,
but an exception to these requirements provides that financial
institutions can share such information ``to protect against or prevent
actual or potential fraud, unauthorized transactions, claims, or other
liability.'' \147\
---------------------------------------------------------------------------
\146\ To the extent any repository included identifying
information obtained from financial institutions, it would need to
comply with the restrictions and requirements of the GLBA and its
implementing regulations, including the limitations on reuse and
redisclosure. See, e.g., 15 U.S.C. 6802(c); 12 CFR 1016.11.
\147\ 15 U.S.C. 6802(e)(3)(B); 12 CFR 1016.15(a)(2)(ii). A
financial institution may provide identifying information to a non-
affiliated third party for purposes of identity verification and
fraud prevention pursuant to this exception, and Regulation P's
reuse and redisclosure provisions would allow the recipient of such
information to redisclose the information to other non-affiliated
third parties for the same purposes. 15 U.S.C. 6802(c); 12 CFR
1016.11(a)(1)(iii), (c)(3) (providing that information received
pursuant to an exception, such as the fraud exception, may generally
only be used or disclosed in the ordinary course of business to
carry out the activity covered by the exception under which the
recipient received the information). As long as the information was
not received under Regulation P's exception to the notice and opt
out requirements to allow disclosure of nonpublic personal
information for consumer reporting purposes (see 12 CFR
1016.15(a)(5)(i), allowing financial institutions to provide
consumers' nonpublic information to consumer reporting agencies in
accordance with the FCRA), or otherwise collected, expected to be
used, or used for the purpose of serving as a factor in establishing
the consumer's eligibility for an FCRA permissible purpose, the
communication of such data would not be a consumer report under
proposed Sec. 1022.4(d).
---------------------------------------------------------------------------
Some stakeholders have raised questions about the impact that this
proposed intervention might have on government agencies' access to
identifying information originating from consumer reporting agencies
for law enforcement and other purposes. Government agencies, including
local, Tribal, State, and Federal law enforcement, access personal
identifiers for numerous beneficial uses. These include facilitating
access to and administering government benefits,
identifying and ruling out suspects for criminal investigations,
identifying witnesses, and other uses that may serve the public
interest.
Law enforcement and other government agencies currently obtain data
from a broad range of sources, and proposed Sec. 1022.4(d) would not
affect many of these sources, such as government-run databases
addressed below in the discussion of proposed Sec. 1022.5. To the
extent that government agencies currently use information that would be
affected by proposed Sec. 1022.4(d), they would continue to be able to
access such information in a variety of ways if the proposed rule were
finalized. For example, FCRA section 608 provides that a consumer
reporting agency may furnish to a governmental agency the name,
address, former addresses, places of employment, or former places of
employment of any consumer even if no permissible purpose exists. FCRA
sections 626 and 627 also provide that, under specified circumstances,
consumer reporting agencies must provide certain consumer reporting
information to the FBI and a consumer report and all other information
in a consumer's file to certain government agencies for
counterintelligence or counterterrorism purposes.\148\ If government
agencies required additional information beyond what is available
pursuant to FCRA sections 608, 626, and 627, access could be obtained
through a court order, a subpoena, a consumer's written instructions,
or any other permissible purpose.
---------------------------------------------------------------------------
\148\ 15 U.S.C. 1681u, 1681v.
---------------------------------------------------------------------------
While personal identifiers would remain available to law
enforcement and other government agencies through these various
channels, the CFPB recognizes the value of government agencies' access
to personal identifiers in efficient, consolidated, and timely ways.
The CFPB therefore requests comment on proposed Sec. 1022.4(d) and how
best to maintain government agencies' access to personal identifiers in
order to ensure that the beneficial uses described above can continue
as usual. In particular, the CFPB requests comment on a potential
exemption from Sec. 1022.4(d) for communications consisting
exclusively of personal identifiers that are solely furnished to, or
solely used to furnish to, local, Tribal, State, and Federal
governments.
The CFPB is also continuing to consider the potential impacts of
proposed Sec. 1022.4(d) on the other areas identified by the Small
Business Review Panel. The CFPB requests comment on those impacts and
on ways to mitigate any potentially negative impacts.
Preventing Evasions of the FCRA
In addition to proposing Sec. 1022.4(d) pursuant to the CFPB's
authority to ``prescribe regulations as may be necessary or appropriate
to administer and carry out the purposes and objectives'' of the FCRA,
the CFPB also proposes Sec. 1022.4(d) pursuant to its rulemaking
authority under FCRA section 621(e) to prevent evasions of, and to
facilitate compliance with, the FCRA. Proposed Sec. 1022.4(d) would
facilitate compliance with the FCRA by establishing a clear, bright-
line rule on how the FCRA applies to personal identifiers. It also
would help to prevent evasions of the FCRA where consumer reporting
agencies willfully or otherwise ignore how the personal identifiers
they sell are used or expected to be used or
[[Page 101420]]
wrongly assume such information cannot bear on the specified factors.
The absence of a bright-line rule regarding personal identifiers
could raise more compliance concerns and make the rule more susceptible
to evasions than proposed Sec. 1022.4(d)'s categorical approach. As
noted above, the FTC's staff guidance in the 40 Years Staff Report
indicated that identifying information can be consumer report
information if it bears on any of the seven factors identified in the
FCRA and is used to determine eligibility.\149\ Rather than engaging in
the communication-by-communication analysis required under the FTC's
approach, many consumer reporting agencies and trade associations have
instead taken the position that communication of personal identifiers
is never a consumer report. Indeed, although the FTC recognized decades
ago that communications of age information drawn from consumer
reporting databases fall within the definition of a consumer
report,\150\ consumer reporting agencies have continued to include age
information, such as full or partial dates of birth, in the ``credit
header'' information they sell to entities that have no permissible
purpose under the FCRA, incorrectly claiming that such information is
not covered by the FCRA.\151\ As technology advances, uses of
identifying information in eligibility determinations are likely to
expand and develop in ways that may not be visible to regulators and
consumers, amplifying the concern that consumer reporting agencies may
violate the FCRA in the absence of a bright-line rule regarding
personal identifiers. The CFPB preliminarily determines that proposed
Sec. 1022.4(d)'s categorical approach with respect to personal
identifiers is necessary to facilitate compliance with the FCRA and to
prevent evasion of the FCRA by consumer reporting agencies that sell
personal identifiers without adequately considering whether the
information they are selling constitutes a consumer report.
---------------------------------------------------------------------------
\149\ FTC 40 Years Staff Report, supra note 21, at 21.
\150\ In re Trans Union Corp., FTC Docket No. 9255, at 31 (Feb.
10, 2000), https://www.ftc.gov/sites/default/files/documents/cases/2000/03/transunionopinionofthecommission.pdf (concluding based on
the evidence presented that ``age information falls within the
definition of a consumer report''); see also 65 FR 33645, 33668 n.35
(May 24, 2000) (noting that the FTC's 2000 decision determined that
age is consumer report information).
\151\ See, e.g., Matt Wiley, What Is Header Data?, Equifax (Feb.
22, 2021), https://www.equifax.com/business/blog/-/insight/article/what-is-header-data/; CLEAR Enhancements Overview, Thomson Reuters,
https://legal.thomsonreuters.com/content/dam/ewp-m/documents/legal/en/pdf/fact-sheets/clear-enhancements-2021.pdf (announcing inclusion
of full Equifax ``credit header'' information regarding date of
birth in CLEAR database) (last visited Oct. 15, 2024); Letter from
Ron Wyden, Sen., U.S. Senate, to Rohit Chopra, Director, CFPB (Dec.
8, 2021), https://www.wyden.senate.gov/imo/media/doc/CFPB%20Letter%20120821.pdf (describing sale of ``credit header''
information from the National Consumer Telecom and Utilities
Exchange including date of birth).
---------------------------------------------------------------------------
The CFPB requests comment on whether, in lieu of adopting the
approach of proposed Sec. 1022.4(d), a final rule should provide that
a communication by a consumer reporting agency of personal identifiers
can be a consumer report if the information meets the two-prong test in
proposed Sec. 1022.4(a)'s definition of consumer report. If the CFPB
adopted this alternative approach in a final rule, the final rule could
provide illustrative examples of communications by consumer reporting
agencies of personal identifiers that are consumer reports, such as
communications of age or address information. The CFPB requests comment
on examples that might be helpful to include if it were to adopt this
alternative approach in a final rule.
4(e) De-Identification of Information
Proposed Sec. 1022.4(e) addresses when a consumer reporting
agency's communication of de-identified information should be
considered a consumer report. Industry participants often assume that
information drawn from a consumer reporting database is not a consumer
report if the information has been aggregated or otherwise stripped of
identifying information. However, information that has been aggregated
or otherwise purportedly de-identified can often be used to re-identify
individuals and to target individuals to receive or not receive
marketing or used in other ways that may violate consumer privacy. The
CFPB is considering a range of options to address the risk of re-
identification of consumer report information that has been de-
identified.\152\ The CFPB therefore proposes three alternative versions
of Sec. 1022.4(e). The proposed alternatives are all designed to
further the FCRA's goal of ensuring the privacy of consumer
information, including by preventing targeted marketing using
purportedly de-identified consumer reporting information that could be
re-identified. Each alternative would have varying effects on the use
of de-identified information as discussed below.
---------------------------------------------------------------------------
\152\ In the Small Business Review Panel Outline, the CFPB
indicated that it was considering proposals to clarify whether and
when ``aggregated or anonymized'' consumer report information
constitutes or does not constitute a consumer report. Small Business
Review Panel Outline, supra note 39, at 11. The CFPB is using the
terms ``de-identified information'' and ``de-identification'' in
this proposal because it believes these terms capture information
that has been stripped of identifiers, through aggregation or other
means, and therefore can encompass information that has been
aggregated or anonymized or both. The term ``de-identified'' is
similar to the term ``anonymized'' that was used in the Outline but
more aptly conveys that there is a possibility that data may be re-
identified.
---------------------------------------------------------------------------
FCRA section 603(d)(1) defines consumer report, in part, as a
``communication of . . . information by a consumer reporting agency
bearing on a consumer's credit worthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or
mode of living.'' \153\ FCRA section 603(c) defines a consumer as ``an
individual.'' \154\ Interpreting these terms, the FTC 40 Years Staff
Report states that ``information may constitute a consumer report even
if it does not identify the consumer by name if it could `otherwise
reasonably be linked to the consumer.' '' \155\ Extrapolating from that
statement, many stakeholders today believe that a communication of
information by a consumer reporting agency is not a consumer report if
the information is not linked or reasonably linkable to a specific
individual. Many stakeholders also often seem to assume that
information is not reasonably linkable when in fact it is.
---------------------------------------------------------------------------
\153\ 15 U.S.C. 1681a(d)(1).
\154\ 15 U.S.C. 1681a(c).
\155\ FTC 40 Years Staff Report, supra note 21, at 21.
---------------------------------------------------------------------------
In light of advances in technology and current industry practices,
the CFPB is concerned that the reasonably linkable standard articulated
in the FTC 40 Years Staff Report alone may not be sufficiently
protective of consumer reporting information that, while nominally de-
identified, may in fact be re-identifiable. The CFPB is aware that, in
many cases, consumers may be re-identified with relative ease from
purportedly de-identified datasets.\156\ Indeed, there have been
numerous reports over the years of supposedly de-identified data being
re-identified and revealing potentially sensitive personal information
such as web browsing
[[Page 101421]]
activity,\157\ medical information,\158\ and sexual orientation.\159\
For example, in one well-publicized case, researchers were able to
identify individuals from anonymized Netflix data with the help of
publicly available information.\160\ More recently, scientists reported
developing an algorithm capable of identifying ``99.98 percent of
Americans from almost any available data set with as few as 15
attributes, such as gender, ZIP code or marital status.'' \161\
Presumably, the potential to re-identify data that has been de-
identified will only increase as artificial intelligence and data
analytics technologies continue to improve.\162\ In the FCRA context,
concerns about potential re-identification of data that have been de-
identified are particularly pronounced due to the sensitivity of
consumer report information and the privacy goals that prompted
Congress to enact the statute.
---------------------------------------------------------------------------
\156\ See Kristen Cohen, Fed. Trade Comm'n, Location, Health,
and Other Sensitive Information: FTC Committed to Fully Enforcing
the Law Against Illegal Use and Sharing of Highly Sensitive Data
(July 11, 2022), https://www.ftc.gov/business-guidance/blog/2022/07/location-health-and-other-sensitive-information-ftc-committed-fully-enforcing-law-against-illegal; The White House, Exec. Off. of the
President, Big Data: Seizing Opportunities, Preserving Values, at 8
(May 2014), https://obamawhitehouse.archives.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf; Fed. Trade
Comm'n, Protecting Consumer Privacy in an Era of Rapid Change:
Recommendations for Businesses and Policymakers, at iv, 18-22 (Mar.
2012) (hereinafter 2012 FTC Privacy Report), https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers; see also Fed. Trade Comm'n,
FTC Staff Report: Self-Regulatory Principles for Online Behavioral
Advertising: Tracking, Targeting, and Technology, at 20-21 (Feb.
2009), https://www.ftc.gov/reports/federal-trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising.
\157\ See Press Release, Fed. Trade Comm'n, FTC Order Will Ban
Avast from Selling Browsing Data for Advertising Purposes, Require
It to Pay $16.5 Million Over Charges the Firm Sold Browsing Data
After Claiming Its Products Would Block Online Tracking (Feb. 22,
2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/ftc-order-will-ban-avast-selling-browsing-data-advertising-purposes-require-it-pay-165-million-over (browsing history combined with
persistent identifiers could be re-identified and connected to
individual consumers).
\158\ Chris Culnane et al., Health Data in an Open World: A
Report on Re-Identifying Patients in the MBS/PBS Dataset and the
Implications for Future Releases of Australian Government Data (Dec.
18, 2017), https://arxiv.org/pdf/1712.05627.
\159\ Marisa Iati & Michelle Boorstein, Case of High-Ranking
Cleric Allegedly Tracked on Grindr App Poses Rorschach Test for
Catholics, Wash. Post (July 21, 2021), https://www.washingtonpost.com/religion/2021/07/21/catholic-official-grindr-reaction/.
\160\ Letter from Maneesha Mithal, Assoc. Dir., Div. of Privacy
& Identity Prot., Fed. Trade Comm'n, to Reed Freeman, Counsel for
Netflix, Morrison & Foerster LLP, at 2 (Mar. 12, 2010), https://www.ftc.gov/legal-library/browse/cases-proceedings/closing-letters/netflix-inc.
\161\ Gina Kolata, Your Data Were `Anonymized'? These Scientists
Can Still Identify You, N.Y. Times (July 23, 2019), https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html; see
generally Paige Collings, Debunking the Myth of `Anonymous' Data,
Elec. Frontier Found. (Nov. 10, 2023), https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymous-data.
\162\ See 2012 FTC Privacy Report, supra note 156, at 20.
---------------------------------------------------------------------------
The CFPB is aware that consumer reporting agencies offer and sell a
variety of products that include information that has been drawn from
consumer reporting databases and that has been aggregated or otherwise
purportedly de-identified.\163\ Some of these products include
information that has been aggregated at a household or neighborhood
level (e.g., a ZIP Code or ZIP-plus-four Code segmentation); others may
include information aggregated according to specific behavioral
characteristics (e.g., consumers who shop at high-end retailers). Given
the potential ease with which household and other data can be re-
identified, the sale of these types of data raises concerns that
sensitive consumer reporting information may be disclosed in
circumstances where no FCRA permissible purpose exists, such as for
marketing. In light of these concerns, the CFPB is proposing three
alternative versions of Sec. 1022.4(e) and, as noted below, requests
comment on how each alternative, or combinations thereof, would affect
current uses of de-identified information drawn from consumer reporting
databases.
---------------------------------------------------------------------------
\163\ See, e.g., Robinson + Yu, Knowing the Score: New Data,
Underwriting, and Marketing in the Consumer Credit Marketplace, A
Guide for Financial Inclusion Stakeholders, at 2, 17-19 & tbl. 10
(Oct. 2014), https://www.upturn.org/static/files/Knowing_the_Score_Oct_2014_v1_1.pdf (providing examples of
aggregated marketing scores and noting that such scores ``have
become a primary way for credit bureaus to sell, and for creditors
and other actors to use, consumers' credit histories to market to
them with greater precision''); FTC Data Broker Report, supra note
25, at 19-21 (describing the creation of lists of consumers who
share similar characteristics, including lists that segment
consumers based on their financial status, e.g., underbanked, credit
worthiness, and upscale retail card holder); In re Trans Union, 129
FTC 417, 493-94 (2000), https://www.ftc.gov/system/files/documents/commission_decision_volumes/volume-129/vol129complete_0.pdf
(discussing a ZIP-plus-four aggregation, i.e., an average of the
credit data of a geographical area covering 5 to 15 households
divided by the number of people in the area who have credit
reports).
---------------------------------------------------------------------------
Proposed Alternative One
The first proposed version of Sec. 1022.4(e) is a bright-line
approach under which de-identification of information would not be
relevant to a determination of whether the definition of consumer
report is met. Under this alternative, a consumer reporting agency's
communication of de-identified information that would constitute a
consumer report if the information were not de-identified would be a
consumer report, regardless of the measures taken to de-identify the
information. While different methods of de-identification, including
different methods of aggregation, may present varying levels of re-
identification risk, this alternative would set a bright-line rule that
de-identification of information in a communication does not affect
whether the communication is a consumer report. Of the three proposed
alternatives, this would be the most protective of consumer privacy and
would place the greatest restriction on information sharing. This
alternative could address concerns about consumer reporting information
being used for differentiated marketing and pricing, such as sending or
not sending advertisements to certain consumers based on aggregated
indicators of the financial well-being of their neighborhood. This
approach would also provide a bright line for supervisory and
enforcement purposes that would make it easier to identify and prove
violations. However, it would also constrict or eliminate the
availability of de-identified information from consumer reporting
databases for policy analysis and development, research, advocacy work,
model and risk score development, and market monitoring. For example,
the National Mortgage Database (NMDB), which the CFPB and the Federal
Housing Finance Agency (FHFA) jointly established, uses de-identified
information from a nationwide consumer reporting agency to facilitate
Federal agencies' monitoring of the U.S. mortgage markets. Such
information would no longer be available to assist with such monitoring
if the first alternative version of proposed Sec. 1022.4(e) were
finalized. Under this alternative, a consumer reporting agency could
generally only disclose information drawn from a consumer reporting
database for a purpose that is permissible under the FCRA, regardless
of the extent to which the information is de-identified.
Proposed Alternative Two
The second proposed version of Sec. 1022.4(e) would provide that
de-identification of information is not relevant to a determination of
whether the definition of consumer report in Sec. 1022.4(a) is met if
the information is still linked or linkable to a consumer. Under this
alternative, a consumer reporting agency's communication of de-
identified information that would constitute a consumer report if the
information were not de-identified is a consumer report if the
information is still linked or linkable to a consumer. The Office of
Management and Budget (OMB), the National Institute of Standards and
Technology, and various other Federal agencies have used similar
``linked or linkable'' standards in defining ``personally identifiable
[[Page 101422]]
information.'' \164\ For example, the U.S. Securities and Exchange
Commission's crowdfunding regulation defines ``personally identifiable
information'' as ``information that can be used to distinguish or trace
an individual's identity, either alone or when combined with other
personal or identifying information that is linked or linkable to a
specific individual.'' \165\ The ``linked or linkable'' test in the
second proposed version of Sec. 1022.4(e) would be similar to the
``linked or reasonably linkable'' standard in the third proposed
version of Sec. 1022.4(e) (discussed below) but omits the word
``reasonably'' and therefore would be more protective of consumer
privacy and more restrictive of information flows.
---------------------------------------------------------------------------
\164\ E.g., 6 CFR 37.3 (defining personally identifiable
information in Department of Homeland Security's regulation on Real
ID Driver's Licenses and Identification Cards); 45 CFR 75.2
(defining personally identifiable information for purposes of
uniform administrative requirements, cost principles, and audit
requirements for Department of Health and Human Services awards); M-
17-12, Memorandum for Heads of Exec. Dep'ts & Agencies from Shaun
Donovan, Off. of Mgmt. & Budget, at 8 (Jan. 3, 2017), https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf (defining personally identifiable
information for purposes of Federal agency data breaches); U.S. Gen.
Servs. Admin., Order CIO 2180.2, GSA Rules of Behavior for Handling
Personally Identifiable Information (PII) (Oct. 8, 2019), https://www.gsa.gov/directives-library/gsa-rules-of-behavior-for-handling-personally-identifiable-information-pii-2; Erika McCallister et al.,
Nat'l Inst. of Standards and Tech., U.S. Dep't of Com., Special
Publ'n 800-122, Guide to Protecting the Confidentiality of
Personally Identifiable Information (PII) at ES-1 (Apr. 2010),
https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=904990; U.S.
Dep't of Def., DoD 5400.11-R, Dep't of Def. Privacy Program, at 9
(May 14, 2007), https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodm/540011r.pdf.
\165\ 17 CFR 227.305.
---------------------------------------------------------------------------
Proposed Alternative Three
The third proposed version of Sec. 1022.4(e) would provide that
de-identification of information is not relevant to a determination of
whether the definition of consumer report is met if at least one of the
conditions set forth in proposed Sec. 1022.4(e)(1)(i) through (iii) is
met. The CFPB designed this proposed alternative to allow uses of de-
identified data that present less risk for consumers, such as research
conducted by academic institutions and government agencies, to
continue, while nonetheless ensuring the FCRA's protections apply where
appropriate (for example, to sales of de-identified consumer report
information when such information is re-identified). Under this
alternative, a consumer reporting agency's communication of de-
identified information that would constitute a consumer report if the
information were not de-identified is a consumer report if at least one
of the conditions set forth in proposed Sec. 1022.4(e)(1)(i) through
(iii) is met. The CFPB could finalize any of the conditions alone or in
combination. The conditions in a final rule thus could include one or
more of the following: (i) the information is still linked or
reasonably linkable to a consumer; (ii) the information is used to
inform a business decision about a particular consumer, such as a
decision whether to target marketing to that consumer; or (iii) a
person that directly or indirectly receives the communication, or any
information from the communication, identifies the consumer to whom
information from the communication pertains.
Using the ``linked or reasonably linkable'' standard set forth in
proposed Sec. 1022.4(e)(1)(i) as a condition in the third proposed
version would be the most consistent with how the FTC has approached
the issue of de-identified information under the FCRA.\166\ A
reasonableness test also is embedded in various other Federal
provisions that address personally identifiable information or other
types of information in identifiable form, such as the Family
Educational Rights and Privacy Act (FERPA) and the Health Insurance
Portability and Accountability Act (HIPAA).\167\ Additionally, the
comprehensive privacy laws that various States have enacted incorporate
a ``linked or reasonably linkable'' approach in defining ``personal
data'' or similar concepts.\168\ While almost any piece of data
theoretically could be linked to a consumer, a reasonableness standard
would consider whether such a link is practical or likely in light of
current technology and context, and could evolve over time as
technology advances. Including ``reasonably'' in the condition might
help to ensure that the rule does not unnecessarily limit the use of
data that does not pose a meaningful risk to consumers, such as
research conducted by government and academic institutions. On the
other hand, it might make Sec. 1022.4(e) more difficult to enforce
than the first and second proposed alternatives, particularly if the
examples and other conditions in the third proposed alternative are not
finalized.
---------------------------------------------------------------------------
\166\ FTC 40 Years Staff Report, supra note 21, at 21.
\167\ See 34 CFR 99.3 (defining personally identifiable
information for purposes of FERPA to include ``information that,
alone or in combination, is linked or linkable to a specific student
that would allow a reasonable person in the school community, who
does not have personal knowledge of the relevant circumstances, to
identify the student with reasonable certainty''); 45 CFR 160.103
(defining individually identifiable health information for purposes
of HIPAA as ``information that is a subset of health
information, including demographic information collected from an
individual . . . [t]hat identifies the individual; or [w]ith respect
to which there is a reasonable basis to believe the information can
be used to identify the individual'').
\168\ See, e.g., Cal. Civ. Code section 1798.140(v)(1) (defining
personal information as ``information that identifies, relates to,
describes, is reasonably capable of being associated with, or could
reasonably be linked, directly or indirectly, with a particular
consumer or household''); Colo. Rev. Stat. section 6-1-1303(17)
(defining personal data as ``information that is linked or
reasonably linkable to an identified or identifiable individual''
and providing that the term ``[d]oes not include de-identified data
or publicly available information''); Va. Code section 59.1-575
(similar).
---------------------------------------------------------------------------
The third proposed version includes in Sec. 1022.4(e)(2) three
examples of information that would be considered linked or reasonably
linkable to a consumer. The three examples are intended to clarify the
``linked or reasonably linkable'' condition in proposed Sec.
1022.4(e)(1)(i) and to ensure the condition is read in a way that is
protective of consumer privacy. The examples could help to clarify when
information that has nominally been aggregated or otherwise stripped of
identifiers is reasonably linkable to a consumer. The first two
examples, in proposed Sec. 1022.4(e)(2)(i) and (ii), are information
that identifies a specific household or that identifies a specific
ZIP+4 Code in which a consumer resides. The risk of re-identification
of information is extremely high when data is provided at the household
level, as households may contain a small number of occupants, and
household data may be merged with other available sources of
information to tease out information about specific occupants.
Similarly, the ZIP+4 Code denotes a highly specific delivery segment
for U.S. mail and can identify a small population, such as the people
who live on one side of a block or in a specific building or house or
who use a specific Post Office box.\169\ Data provided about consumers
in a specific ZIP+4 Code thus raise similar concerns about potential
re-identification as data identifying a specific household.
---------------------------------------------------------------------------
\169\ U.S. Postal Serv., Postal Facts: 41,704 ZIP Codes, https://facts.usps.com/42000-zip-codes/; U.S. Postal Serv., The United
States Postal Service: An American History, at 68 (2022), https://about.usps.com/publications/pub100.pdf?_gl=1*2lqbsa*_gcl_au*Njg4MjQ2MzU4LjE3MTU4OTA3MDM.*_ga*MTkzNTkxMDUwNy4xNzE1ODkwNzAz*_ga_3NXP3C8S9V*MTcxNTg5MDcwMy4xLjAuMTcxNTg5MDcwMy4wLjAuMA.
---------------------------------------------------------------------------
The third example, in proposed Sec. 1022.4(e)(2)(iii), relates to
persistent identifiers, such as a cookie identifier, an Internet
Protocol (IP) address, a
[[Page 101423]]
processor or device serial number, or a unique device identifier.\170\
Improper collection or misuse of persistent identifiers can raise
substantial privacy concerns.\171\ Persistent identifiers that can be
used to recognize the consumer over time and across different websites
or online services would be considered ``reasonably linkable'' to a
consumer under the third proposed version because of the risk that they
could be used to identify a specific consumer.
---------------------------------------------------------------------------
\170\ Proposed Sec. 1022.4(e)(2)(iii) is similar to part of the
definition of personal information in the FTC's regulation
implementing the Children's Online Privacy Protection Act. See 16
CFR 312.2 (defining personal information to include ``[a] persistent
identifier that can be used to recognize a user over time and across
different websites or online services'' and noting that ``[s]uch
persistent identifier includes, but is not limited to, a customer
number held in a cookie, an Internet Protocol (IP) address, a
processor or device serial number, or unique device identifier'').
\171\ See, e.g., Press Release, Fed. Trade Comm'n, Developer of
Apps Popular with Children Agrees to Settle FTC Allegations It
Illegally Collected Kids' Data without Parental Consent (June 4,
2020), https://www.ftc.gov/news-events/news/press-releases/2020/06/developer-apps-popular-children-agrees-settle-ftc-allegations-it-illegally-collected-kids-data (collection of persistent identifiers
to track users to deliver targeted advertising in violation of
Children's Online Privacy Protection Act); Press Release, Fed. Trade
Comm'n, Google and YouTube Will Pay Record $170 Million for Alleged
Violations of Children's Privacy Law (Sept. 4, 2019), https://www.ftc.gov/news-events/news/press-releases/2019/09/google-youtube-will-pay-record-170-million-alleged-violations-childrens-privacy-law
(same); Press Release, Fed. Trade Comm'n, Online Advertiser Settles
FTC Charges ScanScout Deceptively Used Flash Cookies to Track
Consumers Online (Nov. 8, 2011), https://www.ftc.gov/news-events/news/press-releases/2011/11/online-advertiser-settles-ftc-charges-scanscout-deceptively-used-flash-cookies-track-consumers
(misrepresentations of consumers' ability to control online tracking
through persistent identifiers); Press Release, Fed. Trade Comm'n,
FTC Puts an End to Tactics of Online Advertising Company That
Deceived Consumers Who Wanted to ``Opt Out'' from Targeted Ads (Mar.
14, 2011), https://www.ftc.gov/news-events/news/press-releases/2011/03/ftc-puts-end-tactics-online-advertising-company-deceived-consumers-who-wanted-opt-out-targeted-ads (same).
---------------------------------------------------------------------------
The second condition in the third proposed alternative, as set
forth in proposed Sec. 1022.4(e)(1)(ii), is if the information is used
to inform a business decision about a particular consumer. Including
this condition would mean, for example, that a consumer reporting
agency's communication of income information from a consumer reporting
database that is aggregated at the ZIP Code level would be a consumer
report if the aggregated information was used to target marketing to a
particular consumer who lives in that ZIP Code (such as by sending a
mailing to an address). The proposal also would help to prevent the use
of consumer report information to facilitate targeted advertising, such
as in generating ``look-alike'' audiences, where an entity might use
information--such as consumer characteristics, behaviors, and credit
history--from an existing audience to determine the types of offers to
present to a different audience bearing the same or similar identified
characteristics. The CFPB preliminarily determines that such use of
consumer reporting information to facilitate targeted marketing is
counter to the FCRA's purpose to limit the ways in which such sensitive
data can be used. The CFPB is concerned that such marketing techniques
might be used to unfairly exclude certain types of consumers from
particular offers or to single them out for less favorable offers or
terms. The business decision condition would not affect the use of de-
identified consumer reporting information to develop scoring or other
models, since model development does not involve a business decision
about a particular consumer for purposes of proposed Sec.
1022.4(e)(1)(ii). As noted below, the CFPB requests comment on whether
the business decision condition would prevent the use of de-identified
consumer reporting information for any potentially beneficial uses and,
if so, whether the CFPB should take any steps to address that.
The final condition included in the third proposed version, as set
forth in proposed Sec. 1022.4(e)(1)(iii), is if a person that directly
or indirectly receives the communication, or any information from it,
identifies the consumer to whom information pertains. This condition
would address the concern that subsequent users may be able to re-
identify data that has been nominally de-identified. Finalizing this
condition would give consumer reporting agencies a strong incentive to
ensure de-identified consumer report information is not re-identified
through a number of tactics, including contractual limitations,
stronger due diligence on the recipients of de-identified consumer
report information, or technological means to prevent re-identification
because, if either the initial recipient or a downstream recipient of
such information identifies the consumer to whom the information
pertains, the communication would be deemed a consumer report subject
to all of the FCRA's protections.
The Small Business Review Panel recommended that, in evaluating
whether and when the communication of aggregated consumer report
information constitutes a consumer report, the CFPB should continue to
consider both the consumer harms it is seeking to prevent and whether
the CFPB's definition might preclude the continued use of aggregated
consumer reporting data for purposes like internal account reviews by
financial institutions and economic research by government agencies and
others. Some small entity representatives noted that such data
currently are used for many reasons other than marketing, such as by
financial institutions to refine their credit and pricing policies to
avoid losses and offer consumers the most competitive pricing possible.
As discussed above, the CFPB has proposed a range of alternatives. The
CFPB recognizes that the proposed alternatives that are likely to more
fully address consumer harms related to privacy, including targeted
marketing, are also likely to have impacts on other uses of aggregated
or otherwise de-identified information. In contrast, the CFPB
preliminarily determines that proposed alternative three would not
impact the uses of aggregated consumer reporting data that the Small
Business Review Panel raised but requests comment on whether that is
the case. As noted below, the CFPB also requests comment on the extent
to which each alternative would protect consumer privacy and preclude
use of aggregated or otherwise de-identified information for beneficial
purposes.
The CFPB proposes the alternative versions of Sec. 1022.4(e)
pursuant to its authority under FCRA section 621(e) to ``prescribe
regulations as may be necessary or appropriate to administer and carry
out the purposes and objectives'' of the FCRA because information that
purportedly has been de-identified through aggregation or other means
nevertheless can bear on a consumer where it is derived from identified
information and can be re-identifiable. The CFPB also proposes Sec.
1022.4(e) pursuant to its authority under FCRA section 621(e) to
prevent evasions of, and to facilitate compliance with, the FCRA.
Permitting the sale of purportedly de-identified consumer reporting
information to entities that lack a permissible purpose may allow
market participants to evade the FCRA's permissible purpose
restrictions where the information can be re-identified. Because it is
not possible to know ex ante with certainty whether a particular item
of de-identified information will be re-identified, it may be necessary
to include within the consumer report definition some communications of
de-identified consumer reporting information that never will be re-
identified in practice in order to ensure that the definition covers
all such communications that will be re-identified.
[[Page 101424]]
The CFPB requests comment on the likelihood that de-identified
information drawn from consumer reporting databases will be re-
identified and on the extent to which such information is currently
used for marketing purposes. The CFPB also requests comment on the
extent to which such information is used for purposes that may be
beneficial for consumers, such as research or policy analysis and
development, and whether other data sources exist that could be used
for any or all of those purposes if a final rule were to constrict the
availability of de-identified information drawn from consumer reporting
databases.
The CFPB also requests comment on the three alternative versions of
proposed Sec. 1022.4(e), and on which of the three, if any (or
combinations thereof), it should adopt in a final rule and, if it
adopts the third alternative version, on what condition(s) it should
adopt. If the CFPB adopts the third alternative version with the linked
or reasonably linkable condition, the CFPB also requests comment on
whether it should finalize the examples of information that is
reasonably linkable in proposed Sec. 1022.4(e)(2) and on whether, as
part of the ``reasonably linkable'' condition, it should consider any
other additional, more specific, or alternative requirements or
examples, such as ones that affirm the ability of government and
academic institutions to conduct research using de-identified
information.\172\ The CFPB also requests comment on whether there are
any other conditions that it should consider as part of the proposed
third alternative for when de-identified information is or is not a
consumer report. The CFPB also requests comment on the extent to which
each of the three proposed alternatives would (1) protect consumer
privacy and curtail targeted marketing using information drawn from
consumer reporting databases and (2) preclude use of aggregated or
otherwise de-identified information for any purposes that are
beneficial. In addition, the CFPB requests comment on whether there are
other approaches, in addition to the three alternative versions of
proposed Sec. 1022.4(e), that it should consider for addressing when a
consumer reporting agency's communication of de-identified information
is a consumer report.
---------------------------------------------------------------------------
\172\ The CFPB seeks comment on whether it should consider
adding any portions of the three-prong test for a reasonably
linkable standard that the FTC articulated in a 2012 privacy report
or any other additional or more specific requirements to the
reasonably linkable standard. See 2012 FTC Privacy Report, supra
note 156, at 18-21. Although the FTC did not develop its three-prong
standard specifically to apply in the FCRA context, the CFPB seeks
comment on whether some or all of the test's elements could be
relevant to the reasonably linkable standard in this rulemaking. If
applied in the FCRA context, such a test could, for example, provide
that the following three conditions would need to be met for data
not to be reasonably linkable: (1) the consumer reporting agency
must take reasonable measures to ensure that the data are de-
identified; (2) the initial recipient must publicly commit not to
try to re-identify the data; and (3) any downstream recipients must
be contractually prohibited from trying to re-identify the data.
Similar three-prong tests appear in some State laws defining the
term ``de-identified'' and in proposed Federal legislation on data
privacy. See, e.g., Cal. Civ. Code section 1798.140(m); Utah Code
Ann. section 13-61-101(14); Press Release, Energy & Com. Chair
Rodgers, Committee Chairs Rodgers, Cantwell Unveil Historic Draft
Comprehensive Data Privacy Legislation (Apr. 7, 2024), https://energycommerce.house.gov/posts/committee-chairs-rodgers-cantwell-unveil-historic-draft-comprehensive-data-privacy-legislation.
---------------------------------------------------------------------------
Section 1022.5 Definition; Consumer Reporting Agency
In general, a consumer reporting agency under FCRA section 603(f)
is a person that regularly engages in assembling or evaluating consumer
credit or other information about consumers for the purpose of
furnishing consumer reports to third parties. To be a consumer
reporting agency, the person must undertake these activities for
monetary fees, dues, or on a cooperative nonprofit basis and must use a
means of interstate commerce to prepare or furnish the reports. The
CFPB proposes Sec. 1022.5 to implement and interpret this definition.
Proposed Sec. 1022.5(a) restates the FCRA definition with minor
wording and organizational changes for clarity. Proposed Sec.
1022.5(b) interprets the phrase ``assembling or evaluating.'' The CFPB
also proposes to revise several provisions in existing Regulation V
that currently cross-reference the definition of consumer reporting
agency in FCRA section 603(f) to instead cross-reference the definition
in proposed Sec. 1022.5.\173\
---------------------------------------------------------------------------
\173\ These provisions are 12 CFR 1022.41(c)(2); 1022.71(g);
1022.130(d); and 1022.142(a), (b)(3). If this proposal and the
Medical Debt Proposed Rule, supra note 42, are both finalized, the
CFPB intends to revise in the same way cross-references to the terms
``consumer report'' and ``consumer reporting agency'' in Sec.
1022.38, as proposed to be added to Regulation V by the Medical Debt
Proposed Rule.
---------------------------------------------------------------------------
As discussed in the analysis of proposed Sec. 1022.4(b) and (c),
if certain other provisions of the CFPB's proposed rule are finalized,
many additional data broker products will qualify as consumer reports,
and the data brokers who sell those products will qualify as consumer
reporting agencies (assuming they satisfy the other elements of that
definition). For example, if proposed Sec. 1022.4(c)(2) is finalized,
all data brokers that sell information about a consumer's credit
history, credit score, debt payments, or income or financial tier
generally will qualify as consumer reporting agencies selling consumer
reports.\174\
---------------------------------------------------------------------------
\174\ This would include, for example, enrollment management
companies that sell or use financial data, including information
about income and creditworthiness, to help educational institutions
set tuition prices and scholarship award amounts. See, e.g., Lilah
Burke, Why colleges are using algorithms to determine financial aid
levels, Higher Ed Dive (Sept. 5, 2023), https://www.highereddive.com/news/colleges-enrollment-algorithms-aid-students/692601/. An enrollment management company could also
qualify as a consumer reporting agency if a recipient of the
information uses it for an FCRA purpose (such as credit
underwriting), see proposed Sec. 1022.4(b), or if the company
expects or should expect that a recipient of the information will
use it for such a purpose, see proposed Sec. 1022.4(c)(1).
---------------------------------------------------------------------------
However, the proposed rule would not turn into consumer reporting
agencies a range of non-data broker entities that have long been
outside the FCRA's scope. For example, newspapers and similar entities
that publish news or information that concerns local, national, or
international events or other matters of public interest would not be
consumer reporting agencies based on those activities--even if their
reporting includes information about a consumer's credit history,
credit score, debt payments, or income or financial tier--because they
do not assemble or evaluate information about consumers for the purpose
of furnishing consumer reports to third parties.\175\ Rather, these
entities assemble or evaluate information on consumers for the purpose
of reporting news to the public. Their incidental reporting of an
information type listed in proposed Sec. 1022.4(c)(2) does not change
that their purpose is to report news to the public. The same analysis
would apply when such information appears in a book, blog post, motion
picture, or podcast episode: the presence of that information would not
turn the publisher of the book, post, movie, or podcast into a consumer
reporting agency because the publisher is not acting for the purpose of
furnishing consumer reports.\176\ This interpretation
[[Page 101425]]
is logical given the protections accorded to the press by the First
Amendment.
---------------------------------------------------------------------------
\175\ See Barge v. Apple Computer, Inc., 164 F.3d 617 (2d Cir.
1998) (unpublished table decision) (holding that a newspaper article
was not a consumer report provided by a consumer reporting agency).
\176\ Additionally, a person that does not engage in the
practice of assembling or evaluating consumer information ``for
monetary fees, dues, or on a cooperative nonprofit basis'' is not a
consumer reporting agency under FCRA section 603(f) and proposed
Sec. 1022.5(a). Thus, even if a person produces what would
otherwise appear to be a consumer report, the person is not a
consumer reporting agency if it does not charge for the report. This
requirement provides an additional reason why news organizations,
website operators, and other sources that make information available
to the public for free are not consumer reporting agencies under the
proposed interpretation.
---------------------------------------------------------------------------
Likewise, this proposal is not intended to alter the longstanding
interpretation of the FCRA that a government agency or government-run
database that provides information only to other branches of the
government is not a consumer reporting agency--regardless of the
purposes for which it provides information or the types of information
it provides--because no information is provided to third parties. For
example, as FTC staff have stated, although the Office of Personnel
Management collects data on current and potential Federal employees and
transmits it to other government agencies, the Office of Personnel
Management ``is not a CRA . . . because the recipient is another
governmental branch and not a `third party.' '' \177\
---------------------------------------------------------------------------
\177\ FTC 40 Years Staff Report, supra note 21, at 31. It is
also the case that many of these databases do not charge a fee to
users. See supra note 176.
---------------------------------------------------------------------------
Nor is this proposal intended to alter the longstanding
interpretation that the FCRA's consumer reporting agency requirements
generally do not apply to government agencies or government-run
databases that provide information to the public, such as the Federal
Public Access to Court Electronic Records (PACER) website. These
entities are required by statute to carry out certain information-
sharing purposes, and treating them as consumer reporting agencies
would run counter to those statutes and the FCRA itself.\178\ Further,
the FCRA imposes obligations on consumer reporting agencies--such as
FCRA section 609(a)'s requirement to disclose information in consumers'
files at their request and section 605(a)'s requirement to exclude most
information more than seven years old--that may be incompatible with
the operations of these entities.\179\ Treating these entities as
consumer reporting agencies also could lead to absurd results, such as
potentially turning the entities or individuals who provide information
to them into furnishers under the FCRA.\180\
---------------------------------------------------------------------------
\178\ Ollestad v. Kelley, 573 F.2d 1109, 1111 (9th Cir. 1978);
see also FTC 40 Years Staff Report, supra note 21, at 31; FTC
Informal Staff Opinion Letter to Copple (June 10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-copple-06-10-98; FTC Informal Staff Opinion Letter to Pickett (July
10, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-pickett-07-10-98; FTC Informal Staff
Opinion Letter to Goeke (June 9, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-goeke-06-09-98.
\179\ 15 U.S.C. 1681g(a) and 1681c(a).
\180\ See FTC 40 Years Staff Report, supra note 21, at 8-10.
---------------------------------------------------------------------------
5(b) Assembling or Evaluating
In General
Proposed Sec. 1022.5(b) interprets the phrase ``assembling or
evaluating'' in the definition of consumer reporting agency. Proposed
Sec. 1022.5(b)(1) would clarify that a person assembles or evaluates
consumer credit information or other information about consumers if the
person: (1) collects, brings together, gathers, or retains such
information; (2) appraises, assesses, makes a judgment regarding,
determines or fixes the value of, verifies, or validates such
information; or (3) contributes to or alters the content of such
information. Proposed Sec. 1022.5(b)(2) provides examples of conduct
that would constitute assembling or evaluating under the interpretation
in proposed Sec. 1022.5(b)(1). The CFPB proposes Sec. 1022.5(b) as an
interpretation of the FCRA's definition of consumer reporting agency
and to facilitate compliance with the statute.
The FCRA does not define the terms ``assembling'' and
``evaluating.'' But the FCRA is a remedial statute \181\ with a focus
on ensuring the accuracy of information in consumer reports. FCRA
section 602(b) provides that the purpose of the FCRA is to require
consumer reporting agencies to adopt reasonable procedures to meet the
needs of commerce for information about consumers in a manner that is
fair and equitable to the consumer with regard to accuracy and other
factors.\182\ In light of this purpose, the CFPB preliminarily
determines that Congress intended for the terms ``assembling'' and
``evaluating'' to be interpreted broadly \183\ to protect consumers.
Whenever an entity assembles or evaluates consumer information, the
entity may introduce inaccuracies into consumer reports that can harm
consumers. Consumer reports play an important role in key aspects of
consumers' lives such as credit, housing, and employment. Accuracy in
consumer reports therefore is of vital importance to consumers and the
consumer reporting system. Consistent with these FCRA purposes, the
CFPB proposes Sec. 1022.5(b) to clarify that assembling or evaluating
encompasses the activities described in the proposed regulatory text.
Proposed Sec. 1022.5(b) should also facilitate compliance by
interpreting key terms that are undefined in the FCRA.
---------------------------------------------------------------------------
\181\ See, e.g., Cortez v. Trans Union, LLC, 617 F.3d 688, 722
(3d Cir. 2010) (describing the FCRA as ``undeniably a remedial
statute that must be read in a liberal manner in order to effectuate
the congressional intent underlying it''); Guimond v. Trans Union
Credit Info. Co., 45 F.3d 1329, 1333 (9th Cir. 1995) (observing that
the FCRA's ``consumer oriented objectives support a liberal
construction'' of the statute).
\182\ See, e.g., 115 Cong. Rec. 2410, 2411 (1969) (The FCRA's
principal Congressional sponsor described ``inaccurate or misleading
information'' as ``perhaps the most serious problem in the credit
reporting industry.''); 15 U.S.C. 1681(a)(1) (``The banking system
is dependent upon fair and accurate credit reporting. Inaccurate
credit reports directly impair the efficiency of the banking system,
and unfair credit reporting methods undermine the public confidence
which is essential to the continued functioning of the banking
system.'').
\183\ Interpreting assembling or evaluating broadly is
consistent with FTC staff opinion letters and legislative history.
See, e.g., FTC Informal Staff Opinion Letter to LeBlanc (June 9,
1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-leblanc-06-09-98 (``[I]t is clear from a review of
the legislative history that Congress intended for the FCRA to cover
a very broad range of `assembling' or `evaluating' activities.'').
---------------------------------------------------------------------------
The activities identified in proposed Sec. 1022.5(b) are
consistent with dictionary definitions of assemble or evaluate, which
plainly encompass a wide range of activity. Dictionary definitions of
assemble include ``to bring together'' \184\ and ``to gather, collect,
convene.'' \185\ Dictionary definitions of evaluate include ``to
determine or fix the value of'' \186\ and ``[t]o determine the
importance, effectiveness, or worth of; assess.'' \187\
---------------------------------------------------------------------------
\184\ See Assemble, Merriam-Webster.com Dictionary Online,
https://www.merriam-webster.com/dictionary/assemble#:~:text=1,fit%20together%20the%20parts%20of (last visited
Oct. 15, 2024).
\185\ See Assemble, Oxford English Dictionary Online, https://www.oed.com/dictionary/assemble_v1 (last visited Oct. 15, 2024).
\186\ See Evaluate, Merriam-Webster.com Dictionary Online,
https://www.merriam-webster.com/dictionary/evaluate (last visited
Oct. 15, 2024).
\187\ See Evaluate, Am. Heritage Dictionary of the English
Language Online (2022), https://www.ahdictionary.com/word/search.html?q=evaluate (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
The activities identified in proposed Sec. 1022.5(b)(1) are also
consistent with longstanding FTC staff guidance regarding the meaning
of the terms ``assemble'' and ``evaluate.'' FTC staff have opined that
assembling as used in the definition of consumer reporting agency
means, for example, ``gathering, collecting, or bringing together
consumer information such as data obtained from [consumer reporting
agencies] or other third parties, or items provided by the consumer in
an application.'' \188\ And FTC staff have opined that evaluating
encompasses a broad range of activities, including ``appraising,
assessing, determining or
[[Page 101426]]
making a judgment on . . . information.'' \189\ For example, FTC staff
noted that, ``[i]f an intermediary contributes to (or takes an action
that determines) the content of the information conveyed to'' a third
party, the intermediary is ``assembling or evaluating'' the
information.\190\
---------------------------------------------------------------------------
\188\ FTC 40 Years Staff Report, supra note 21, at 29.
\189\ Id.
\190\ FTC Informal Staff Opinion Letter to Islinger (June 9,
1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-islinger-06-09-98.
---------------------------------------------------------------------------
Proposed Sec. 1022.5(b)(1) is also consistent with how courts have
interpreted assembling and evaluating. For example, one court opined
that assembling requires only ``that the assembler gather or group the
information''; it does not require the entity assembling the
information to change the information's contents.\191\ Thus, for
example, when an entity gathered arrest data from sheriff's offices and
``grouped [the arrest data] together into a database,'' the court
deemed that ``action sufficient to satisfy the `assemble' requirement
of FCRA.'' \192\ Another court found that the terms ``assembling'' and
``evaluating'' applied to the activities of a background screening
agency that combined a criminal history report that the agency had not
created with the results of a personal interview.\193\ Similarly, a
court found that an entity assembled consumer information when it
combined a list of open judgments and other public records information
pertaining to consumers.\194\
---------------------------------------------------------------------------
\191\ Lewis v. Ohio Pro. Elec. Network LLC, 190 F. Supp. 2d
1049, 1057-58 (S.D. Ohio 2002) (noting that ``one who assembles
information does not necessarily change its contents'').
\192\ Id.
\193\ Poore v. Sterling Testing Sys., Inc., 410 F. Supp. 2d 557,
569 (E.D. Ky. 2006); see also Adams v. Nat'l Eng'g Serv. Corp., 620
F. Supp. 2d 319, 324-28 (D. Conn. 2009).
\194\ McGrath v. Credit Lenders Serv. Agency, Inc., No. CV 20-
2042, 2022 WL 580566, at *6 & n.9 (E.D. Pa. Feb. 25, 2022).
---------------------------------------------------------------------------
Proposed Examples of Assembling or Evaluating
Proposed Sec. 1022.5(b)(2) provides five non-exhaustive examples
of when a person assembles or evaluates consumer credit information or
other information about consumers for purposes of the proposed
interpretation of assembling or evaluating in Sec. 1022.5(b)(1). These
examples only illustrate when a person assembles or evaluates for
purposes of the definition of consumer reporting agency and do not
address the other elements of that definition. In order to be a
consumer reporting agency, a person would need to meet every element of
that definition.
The first example, in proposed Sec. 1022.5(b)(2)(i), illustrates
that a person assembles or evaluates when the person collects
information from a data source and then groups or categorizes it,
regardless of whether the person alters or changes the information.
When a person groups or categorizes information, the person necessarily
assesses or makes a judgment regarding the information to determine in
which group or category the information belongs. The example thus
provides that a person assembles or evaluates when the person collects
information from a consumer's bank account and assesses it, such as by
grouping or categorizing it based on transaction type. The CFPB
understands that data aggregators often engage in such activities. The
CFPB understands, for instance, that, when a data aggregator collects
information from a consumer's bank account, the data aggregator may
apply its own taxonomy to group or categorize the collected
information. To take just one factual scenario, a data aggregator that
collects bank account information pursuant to consumer authorization in
connection with a loan application may group or categorize deposits or
withdrawals by type of income or expense, such as ``rent'' and ``loan
repayment,'' prior to sharing it with the lender. In doing so, the data
aggregator assembles or evaluates the information.
The second example, in proposed Sec. 1022.5(b)(2)(ii), illustrates
that a person assembles or evaluates when the person alters or modifies
the content of consumer information, including for formatting purposes.
For example, when a person collects consumer information from multiple
sources, the formats in which the information is received may not be
uniform, e.g., the person may receive date fields with four digits for
the year from one data source and receive date fields with two digits
for the year from a different data source. The proposed example
provides that a person assembles or evaluates when the person modifies
date fields in this circumstance to ensure consistency.
The third example, in proposed Sec. 1022.5(b)(2)(iii), illustrates
that a person assembles or evaluates consumer information when the
person determines the value of such information, such as by arranging
or ordering it based on perceived relevance to the user. For example,
when entities bring together online search results related to consumer
information, they may need to determine the value of the information to
make decisions about how the results will be ordered. Entities can use
a variety of methods, such as algorithms or an individual's judgment,
to make such decisions. Regardless of the method, under proposed Sec.
1022.5(b)(1), a person that makes a judgment about the order in which
to display search results has assembled or evaluated the information.
The proposed example thus provides that a person assembles or evaluates
when the person hosts a searchable online database regarding consumers'
criminal histories and orders search results in order of perceived
relevance to the user.
The fourth example, in proposed Sec. 1022.5(b)(2)(iv), illustrates
that a person assembles or evaluates consumer information when the
person retains information about consumers. Given that retention of
consumer information typically involves gathering information, it is
consistent with the plain meaning of the statutory term ``assemble.''
Similarly, retention of information typically involves a periodic
evaluation of which data to retain, in what manner, and for how long.
The proposed example thus provides that a person assembles or evaluates
when it retains information about a consumer, such as by retaining data
files containing consumers' payment histories in a database or
electronic file system.
The fifth example, in proposed Sec. 1022.5(b)(2)(v), illustrates
that a person assembles or evaluates consumer information when the
person verifies or validates information received about a consumer.
Verification and validation of information involve assessing
information for errors to ensure accuracy and determining the
trustworthiness of the information. For example, when a person verifies
or validates that a consumer's date of birth received from a third
party matches the consumer's date of birth as listed in an external
database or is properly formatted, the person assesses the data for any
errors or incompleteness. A person verifying or validating data would
be assembling or evaluating the data regardless of whether the person
takes action to correct any errors it finds.
The Small Business Review Panel recommended that, given the CFPB's
intent to define the phrase assembling or evaluating, the CFPB should
further clarify the activities that fall within that phrase.\195\ The
details in proposed Sec. 1022.5(b), including the examples in proposed
Sec. 1022.5(b)(2), are responsive to the Panel's recommendation to
provide a more bright-line definition for when entities, such as data
brokers that facilitate consumer-authorized data
[[Page 101427]]
sharing, are assembling or evaluating for purposes of the definition of
consumer reporting agency. The Panel also recommended that the CFPB
should, in developing its proposal regarding assembling or evaluating,
take into consideration its Personal Financial Data Rights rulemaking.
The CFPB has considered its proposed interpretation of assembling or
evaluating in light of that rulemaking and acknowledges concerns
expressed by small entity representatives that an expansive
interpretation of assembling or evaluating may cause some entities,
like data aggregators, to stop transmitting consumer data to avoid
becoming consumer reporting agencies. The CFPB requests comment on this
issue.
---------------------------------------------------------------------------
\195\ Small Business Review Panel Report, supra note 40, at 47.
---------------------------------------------------------------------------
Pursuant to a Panel recommendation, the CFPB also requests comment
on the implications of its proposed interpretation of assembling or
evaluating for technology providers and platforms used by consumer
reporting agencies and others in mortgage lending and other industries.
Noting that assembling or evaluating is just one component of the
definition of consumer reporting agency, the CFPB generally requests
comment on the kinds of entities that could be covered as consumer
reporting agencies if the proposed definition of assembling or
evaluating were finalized.
Subpart B--Permissible Purposes of Consumer Reports
The CFPB proposes Sec. Sec. 1022.10 through 1022.13 to implement
FCRA section 604(a), which describes circumstances under which a
consumer reporting agency may furnish a report, referred to as
permissible purposes of consumer reports. Except as specifically
discussed in the analysis of subpart B below, the CFPB proposes to
restate the statutory provisions with only minor wording or
organizational changes for clarity. Relatedly, the CFPB proposes to
revise the cross-reference to FCRA section 604(a) in Sec.
1022.41(c)(1) in existing Regulation V to instead cross-reference the
permissible purposes of consumer reports as set forth in proposed Sec.
1022.10 through Sec. 1022.13.
Section 1022.10 Permissible Purposes of Consumer Reports; In General
10(a) In General
FCRA section 604(a) provides that, subject to FCRA section 604(c), a
consumer reporting agency may furnish a consumer report only under
specific enumerated circumstances, i.e., permissible purposes. The CFPB
proposes to implement this general provision in Sec. 1022.10(a) with
only minor wording or organizational changes for clarity.
10(b) Furnish a Consumer Report
Proposed Sec. 1022.10(b) would address what it means for a
consumer reporting agency to ``furnish'' a consumer report, as that
term is used in FCRA section 604(a) and proposed Sec. 1022.10(a).
10(b)(1)
Proposed Sec. 1022.10(b)(1) states that a consumer reporting
agency furnishes a consumer report if it provides the consumer report
to a person. The FCRA does not define either the term ``furnish'' or
the phrase ``furnish a consumer report.'' However, the ordinary meaning
of the term ``furnish'' is ``to provide'' or ``supply.'' \196\ The CFPB
proposes Sec. 1022.10(b)(1) to implement the term consistent with
these definitions and the FCRA's purposes.
---------------------------------------------------------------------------
\196\ See Furnish, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/furnish (last visited Oct. 15,
2024).
---------------------------------------------------------------------------
10(b)(2)
A core pillar of the FCRA is the limitation in section 604(a) on
the dissemination of consumer reports except for one of the permissible
purposes identified by Congress. For instance, except in narrowly
defined circumstances, consumer reporting agencies generally are
prohibited from furnishing a consumer report to a third party for
marketing or advertising purposes. Consistent with the FCRA's
prohibition on the use of consumer report information for non-
permissible purposes, proposed Sec. 1022.10(b)(2) provides that the
term ``furnish'' includes instances where a consumer reporting agency
does not technically transfer a consumer report but facilitates a
person's use of any information in the consumer report for that
person's financial gain. The proposed provision would thus further the
FCRA's general prohibition on the use of consumer report information
for marketing and advertising purposes without a permissible purpose
and prevent evasion thereof, regardless of whether the report is
provided to the user.
The CFPB understands that, despite the general prohibition in the
FCRA, some consumer reporting agencies use information from consumer
reports to present advertisements to consumers from third parties. For
example, a merchant might want to advertise to an audience of consumers
based on income, credit score, education, and credit usage ratio. The
merchant might provide the relevant attributes of the target audience
to a consumer reporting agency, which might use its consumer report
data to identify that audience. Then, the consumer reporting agency or
its service provider might deliver the merchant's advertisement to
consumers in the target audience. The consumer reporting agency might
believe that, because it is not technically transferring the consumer
report to the merchant in this scenario but rather is using a
workaround to allow the merchant to still obtain the financial benefit
of the consumer report information, no consumer report has been
furnished and, therefore, that the activity is permissible under the
FCRA.
However, this business model is incompatible with the goals of the
FCRA's general prohibition on the use of consumer reports for marketing
or advertising purposes. The FCRA's prescreening provision strictly
limits the use of consumer reports for marketing or advertising
purposes unless the consumer authorizes such use. Congress provided
that, absent such authorization, consumer reporting agencies must allow
consumers to opt out of the prescreening process, third parties must
provide firm offers of credit or insurance to consumers whose
information they receive, and both consumer reporting agencies and
third parties must comply with notice requirements.\197\ However, some
entities have used the business model described above to deliver
advertisements to consumers without these statutory protections. This
business model allows third parties to advance their private financial
interests as if they had delivered advertising in compliance with the
prescreening provision. The proposed provision would make clear that
consumer reporting agencies cannot use technological and contractual
workarounds to profit off consumers' sensitive consumer report
information in circumstances that fall outside the FCRA's permissible
purposes, and that run counter to the protections Congress intended to
provide under the FCRA.
---------------------------------------------------------------------------
\197\ 15 U.S.C. 1681b(c), (e), 1681m(d).
---------------------------------------------------------------------------
Not only can the business model described above run counter to the
FCRA's statutory limitations on when consumer reporting agencies may
furnish a consumer report, but it also undermines the FCRA's core
interest in protecting consumer privacy against certain types of
marketing.\198\ If the advertisement is unwanted, then its delivery
alone is an intrusion on the
consumer's right to be left alone. And modern advertising poses
additional privacy harms. Most advertising is delivered online,\199\
and online advertisement business models may reveal personal
information to a third party. For example, online advertisements could
allow a third party to determine if a consumer visiting the third
party's website has navigated there through an advertisement delivered
by a consumer reporting agency or its service provider.\200\ This could
enable the third party to connect the consumer's identifying
information, such as their IP address or browser fingerprint, to the
consumer report criteria used to target the advertisement, thereby
revealing sensitive consumer reporting information about particular
consumers.\201\ Indeed, this information is similar to what a third
party would gain through prescreening under FCRA section 604(c)(2)--
where the third party knows the consumer report criteria of the
advertisement's audience and receives the consumer's identifying
information from the consumer reporting agency--but without any of the
protections or restrictions that Congress intended to afford under that
provision.\202\ In contrast, using consumer report information for
other purposes, such as academic research, may pose less risk of re-
identification because it involves third parties that are generally
interested in researching broader economic trends in order to try to
advance public welfare rather than initiating a business relationship
with an individual consumer. More broadly, the use of consumers'
sensitive financial information in an advertising system, often
involving many intermediaries with limited accountability, contributes
to a commercial surveillance apparatus that harms people by invading
their privacy.\203\
---------------------------------------------------------------------------
\198\ 115 Cong. Rec. 2415 (Jan. 31, 1969) (Senator Proxmire, who
introduced the FCRA, believed it would ``preclude the furnishing of
information . . . to market research firms or to other business
firms who are simply on fishing expeditions.'').
\199\ Digital advertising in the United States--statistics &
facts, Statista (June 18, 2024), https://www.statista.com/topics/1176/online-advertising/#topicOverview.
\200\ See, e.g., Learn about final URLs and tracking templates,
Google, https://support.google.com/google-ads/answer/6273460?hl=en
(last visited Oct. 15, 2024); URL Tracking with Upgraded URLs,
Microsoft (Mar. 19, 2023), https://learn.microsoft.com/en-us/advertising/guides/url-tracking-upgraded-urls?view=bingads-13.
\201\ A similar possibility for linking a consumer to the
consumer report criteria used to target the advertisement exists for
marketing and advertising delivered by mail, if for example the
mailed advertisement contains a QR code or other method for the
consumer to navigate to a specific page on the third party's website
created for a particular advertising campaign.
\202\ 15 U.S.C. 1681b(c)(2).
\203\ See Michelle Faverio, Key Findings About Americans and
Data Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/short-reads/2023/10/18/key-findings-about-americans-and-data-privacy/ (finding that 61 percent of respondents
feel skeptical that anything they do to manage their privacy online
will make much difference).
---------------------------------------------------------------------------
Proposed Sec. 1022.10(b)(2) would provide that, consistent with
the FCRA's purposes and Congress' intent to strictly limit use of
consumer reports for marketing or advertising purposes, the phrase
``furnish a consumer report'' includes facilitating a third party's use
of any information from the consumer report for the third party's
financial gain. Under proposed Sec. 1022.10(b)(2), if a consumer
reporting agency engages in the business model described above by
allowing a third party to seek financial gain from consumer report
information, regardless of whether such information is transmitted to
the third party, the information is a consumer report, and the consumer
reporting agency would have furnished it to a third party. Proposed
Sec. 1022.10(b)(2) would thus help ensure that consumer reporting
agencies do not use technological or contractual maneuvers to enable
third parties to use consumer report information for marketing or
advertising in a manner not permitted under the FCRA.
The CFPB proposes Sec. 1022.10(b)(2) to implement FCRA section
604(a). Proposed Sec. 1022.10(b)(2) provides that a consumer reporting
agency furnishes a consumer report if it facilitates a person's use of
the consumer report for the person's financial gain. The CFPB
preliminarily determines that this approach is necessary or appropriate
to carry out the protections afforded under the statute. The CFPB also
preliminarily determines that proposed Sec. 1022.10(b)(2) is necessary
or appropriate to prevent evasion. In allowing prescreening (subject to
the consumer's opt-out rights), Congress endeavored to balance the
privacy invasion created by the use of sensitive consumer report
information for marketing and advertising without the consumer's
consent with the potential benefit to consumers of a firm offer of
credit or insurance.\204\ The CFPB preliminarily determines that
proposed Sec. 1022.10(b)(2) reflects the balance Congress intended to
strike. Proposed Sec. 1022.10(b)(2) specifically addresses uses of
consumer report information that further a third party's profit-seeking
activity because the CFPB has preliminarily determined that those uses
present the greatest risk of evasion at this time. Specifically,
facilitating a person's use of a consumer report for that person's
financial gain presents a significant risk of evasion of the FCRA's
limitations on the use of consumer reports for marketing or
advertising.
---------------------------------------------------------------------------
\204\ See S. Rep. No. 103-209, at 13-14 (1993); Trans Union
Corp. v. FTC, 267 F.3d 1138, 1143 (D.C. Cir. 2001) (``Congress
apparently believe[d] that people are more willing to reveal
personal information in return for guaranteed offers of credit than
for catalogs and sales pitches.'').
---------------------------------------------------------------------------
The Small Business Review Panel recommended that the CFPB consider
whether the proposal could permit targeted marketing in situations
where there might be low risk of consumer harm. The CFPB notes that the
proposal would not limit either the use of non-consumer reports for
advertising purposes or the use of consumer reports pursuant to written
instructions or for prescreening purposes in compliance with FCRA
section 604(c). But the CFPB preliminarily determines that using
consumer reports for general advertising purposes is a harmful practice
that the statute prohibits.
The CFPB requests comment on proposed Sec. 1022.10(b)(2),
including on the proposal's impact on purposes other than marketing and
advertising where consumer reporting agencies might facilitate the use
of consumer reports for a third party's financial gain without directly
transferring the reports to the third party. The CFPB also requests
comment on examples a final rule could provide to further clarify when
a consumer reporting agency ``facilitates the use'' of a consumer
report and when such use would be for a person's ``financial gain.''
Proposed Sec. 1022.10(b)(2) would not prohibit academics, nonprofit
organizations, and government agencies from seeking the assistance of
consumer reporting agencies in analyzing consumer report information or
delivering surveys to consumers based on consumer report information.
Such entities generally do not use consumer reports for financial gain.
However, the CFPB requests comment on whether other beneficial uses of
consumer reports might be prohibited by proposed Sec. 1022.10(b)(2),
and on alternatives that would accomplish the goals of proposed Sec.
1022.10(b) while preserving those uses.
Section 1022.11 Permissible Purpose Based on a Consumer's Written
Instructions
Proposed Sec. 1022.11 would implement the written instructions
permissible purpose in FCRA section 604(a)(2). FCRA section 604(a)(2)
provides that a consumer reporting agency may furnish a consumer report
in accordance with the written instructions of the consumer to whom it
relates. Proposed Sec. 1022.11 implements FCRA section 604(a)(2) by
specifying the conditions that would need to be satisfied for a
consumer
reporting agency to furnish a consumer report under this permissible
purpose. The CFPB also proposes Sec. 1022.11 to prevent evasion of
FCRA section 604's restrictions and to further the consumer privacy
purposes of the permissible purpose provisions in FCRA section 604.
The conditions, which are set forth in proposed Sec. 1022.11(b),
include, among other provisions, a disclosure requirement; limitations
on the procurement, use, and retention of consumer reports obtained
pursuant to a consumer's written instructions; and a requirement
regarding revocation. While either the consumer reporting agency or the
person to whom the consumer report will be furnished would be
authorized to obtain the consumer's express consent to the furnishing
of the consumer report and to provide the required disclosure, the
consumer reporting agency ultimately would be responsible for ensuring
that it furnishes a consumer report in accordance with FCRA section
604(a)(2) and proposed Sec. 1022.11.\205\ Proposed Sec. 1022.11(b)
and (c) align closely with the requirements for third-party
authorization in subpart D of the CFPB's Personal Financial Data Rights
final rule.\206\
---------------------------------------------------------------------------
\205\ To use or obtain a consumer report, a user is
independently responsible for ensuring it has one of the permissible
purposes in FCRA section 604. See FCRA section 604(f), 15 U.S.C.
1681b(f).
\206\ 89 FR 90838 (Nov. 18, 2024) (hereinafter PFDR Rule).
---------------------------------------------------------------------------
Meaning of ``In Accordance With the Written Instructions of the
Consumer''
The CFPB preliminarily determines that proposed Sec. 1022.11 is
``necessary or appropriate to administer and carry out the purposes and
objectives'' of the FCRA as stated in FCRA section 621(e)(1). The CFPB
proposes that the phrase ``in accordance with the written instructions
of the consumer'' requires, at a minimum, that the consumer
affirmatively directs a consumer reporting agency to furnish their
consumer report to a third party, that the consumer is informed of and
reasonably expects the scope of the use of their consumer report, and
that the consumer retains control over such access and use. The term
``instruction'' means ``a direction,'' an ``authoritative order,'' or a
``command.'' \207\ The phrase ``in accordance with'' means to ``agree
with'' or ``follow.'' \208\ Taken together, Congress's use of the term
``written instructions'' suggests that, for the written instructions
permissible purpose to apply, the consumer must provide affirmative,
written direction for a consumer reporting agency to furnish a consumer
report to a third party, and the consumer report must be furnished and
used in accordance with those instructions.
---------------------------------------------------------------------------
\207\ See Instructions, Merriam-Webster.com Dictionary, https://www.merriam-webster.com/dictionary/instructions (last visited Oct.
15, 2024) (defining ``instructions'' to mean ``a direction calling
for compliance: order''). See also Instruction, Oxford English
Dictionary Online, https://www.oed.com/dictionary/instruction_n?tab=meaning_and_use#387233 (last visited Oct. 15,
2024) (``An authoritative order to be obeyed; an oral or written
command. Frequently in plural or as a mass noun: orders,
directives'').
\208\ See In accordance with, Merriam-Webster.com Dictionary,
https://www.merriam-webster.com/dictionary/in%20accordance%20with
(last visited Oct. 15, 2024) (defining ``in accordance with'' to
mean ``in a way that agrees with or follows (something, such as a
rule or request)'').
---------------------------------------------------------------------------
Similarly, the CFPB preliminarily determines that FCRA section
604(a)(2) also requires that the consumer is informed of and can
reasonably anticipate at the very least how their consumer report will
be used, including by whom, for how long, and for what purposes. It
stands to reason that a consumer report cannot meaningfully be provided
``in accordance with the consumer's written instructions'' if the
consumer does not understand or cannot reasonably anticipate how their
consumer report will be used. Such an interpretation of the written
instructions permissible purpose is also in accordance with FTC staff
guidance, which has previously cautioned against purported
``instructions'' that are based on language that is ``not a
sufficiently specific instruction from the consumer to authorize a
[consumer reporting agency] to provide a consumer report.'' \209\
Broad, lengthy, or otherwise confusing consent forms are inadequate to
meet the statute's requirement that the consumer be informed and able
to reasonably anticipate how their consumer report will be used.
---------------------------------------------------------------------------
\209\ FTC 40 Years Staff Report, supra note 21, at 43 n.1.
---------------------------------------------------------------------------
Finally, a consumer's ability to direct the furnishing and use of
their consumer report suggests that the consumer must have the power to
revoke such consent. Accordingly, the CFPB proposes that the written
instructions permissible purpose requires that a consumer may revoke
any prior consent without interference.
The CFPB also preliminarily determines that interpreting the
written instructions permissible purpose to require the consumer's
affirmative, knowing, and revocable consent is consistent with the
overall structure and purpose of the FCRA's permissible purpose
provisions. As stated in FCRA section 602(a)(4), Congress enacted the
FCRA to, among other things, ``[e]nsure that consumer reporting
agencies exercise their grave responsibilities with . . . respect for
the consumer's right to privacy.'' \210\ As courts have also
recognized, ``[a] major purpose of the [FCRA] is the privacy'' of
consumer data.\211\ A central component of how the FCRA protects
consumer privacy is by limiting the circumstances under which consumer
reporting agencies may disclose consumer information. Specifically,
FCRA section 604 identifies an exclusive list of permissible purposes
for which consumer reporting agencies may furnish consumer reports,
including, in section 604(a)(2), in accordance with the written
instructions of the consumer to whom the report relates. Section 604(a)
states that a consumer reporting agency may furnish consumer reports
under these circumstances ``and no other.'' \212\
---------------------------------------------------------------------------
\210\ See S. Rep. No. 91-517, at 1 (1969) (The statute was
enacted to ``prevent an undue invasion of the individual's right of
privacy in the collection and dissemination of credit
information.'').
\211\ Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir.
1996).
\212\ See also supra note 35 (discussing other provisions
establishing additional limited circumstances under which consumer
reporting agencies are permitted or required to disclose certain
information to government agencies).
---------------------------------------------------------------------------
The phrase ``[i]n accordance with the written instructions of the
consumer'' should be construed in a manner that is consistent with the
central role FCRA section 604 plays in protecting consumer privacy. The
CFPB preliminarily determines that, if the written instructions
permissible purpose is construed to allow consumer reporting agencies
to furnish, or third parties to obtain, a consumer report in
circumstances in which the consumer does not understand that their
consumer report will be furnished, to whom, or for what purposes, it
would undermine the core consumer privacy purposes of the permissible
purpose provisions.\213\ Therefore, the CFPB preliminarily determines
that, consistent with the purposes of the FCRA, FCRA section 604(a)(2)
requires a demanding standard of consent that does not subvert a
consumer's intent.
---------------------------------------------------------------------------
\213\ The CFPB notes that, in addition to section 604(a)(2), the
FCRA includes other permissible purpose provisions requiring
consumer authorization or consent in various circumstances. See,
e.g., FCRA section 604(b)(2)(A), 15 U.S.C. 1681b(b)(2)(A), and FCRA
section 604(c)(1)(A), 15 U.S.C. 1681b(c)(1)(A). The CFPB is not
addressing the scope or meaning of those provisions in this
document.
---------------------------------------------------------------------------
Finally, the conditions set forth in proposed Sec. 1022.11 are
also necessary to prevent evasion of the written instructions
permissible purpose. The CFPB is concerned that companies are evading
the written instructions permissible purpose by purportedly
obtaining consumer consent to furnish or procure consumer reports
through vague authorizations buried in lengthy terms and conditions, as
a result of which consumers likely do not understand that they are
providing consent or understand the scope of such consent. For example,
the CFPB understands that many credit card issuers include, as part of
lengthy account agreements, language granting themselves the ongoing
authority to obtain and use consumer reports for reasons unrelated to
underwriting and servicing the account, such as sending the consumer
new marketing offers. Similarly, the CFPB understands that some
entities that provide credit monitoring services include language in
customer service agreements that consumers must sign prior to receiving
the services that grants the credit monitoring service provider the
authority to use the consumer report to provide unsolicited
advertisements to the consumer for other financial products or services
on behalf of a third party.
The CFPB preliminarily concludes that such agreements are not in
accordance with the written instructions of the consumer because the
consumer likely is not informed or able to reasonably anticipate such
uses of their consumer reports when signing up for such products. For
example, research suggests consumers often do not understand how
companies will use their behavioral or transactional data, even when
such use is purportedly obtained pursuant to consumer consent.\214\
Moreover, research also indicates that, as a general matter, consumers
often affirmatively do not want their personal or financial data to be
accessed or used,\215\ providing further evidence that consumers are
not affirmatively and knowingly directing that such information be
shared. Often, when companies include terms and conditions that grant
themselves access to consumer reports, the terms set few or no limits
on the duration of the access and with whom or for what purposes the
company can further share a consumer report with third parties.\216\ As
a result, consumers are not informed about the scope of the consent
they are purportedly providing.
---------------------------------------------------------------------------
\214\ See Ramy El-Dardiry et al., Brave New Data: Policy
Pathways for the Data Economy in an Imperfect World, CPB Netherlands
Bureau for Econ. Policy Analysis, at 10 (July 2021), https://www.cpb.nl/sites/default/files/omnidownload/CPB-uk-Policy-Brief-Brave-new-datah.pdf (``Consumers cannot see what companies are doing
with their data, nor can they read all of the data terms of use or
oversee the consequences.'').
\215\ See, e.g., Colleen McClain et al., How Americans View Data
Privacy: The Role of Technology Companies, AI and Regulation--Plus
Personal experiences with Data Breaches, Passwords, Cybersecurity
and Privacy Policies, Pew Rsch. Ctr., at 15 (Oct. 18, 2023), https://www.pewresearch.org/internet/wp-content/uploads/sites/9/2023/10/PI_2023.10.18_Data-Privacy_FINAL.pdf (stating that ``81 [percent of
consumers] say they feel very or somewhat concerned with how
companies use the data they collect about them'').
\216\ See, e.g., Krystal Scanlon, Even financial services
businesses want a piece of the ad pie now, Digiday (June 3, 2024),
https://digiday.com/marketing/even-financial-services-businesses-want-a-piece-of-the-ad-pie-now/ (describing increasing push for
financial services companies to include advertising and data mining
in standard contracts); Brogan v. Fred Beans Chevrolet, Inc., 855 F.
App'x 825, 827 (3d Cir. 2021) (consumer alleged that he did not
understand at the time he signed a contract that his consumer report
would be furnished to multiple banks over a longer period of time).
See also Malbrough v. State Farm Fire & Cas. Co., No. Civ. A. 96-
1540, 1997 WL 159511, at *4-5 (E.D. La. Mar. 31, 1997) (noting that
misrepresentations or misunderstanding could cause a consumer's
written instructions to be invalid).
---------------------------------------------------------------------------
Proposed Conditions Implementing Written Instructions Permissible
Purpose
As discussed above, the CFPB preliminarily determines that the
written instructions permissible purpose should be interpreted to mean
that a consumer is informed of and reasonably expects the scope of a
given use, and the consumer retains control over such use. Proposed
Sec. 1022.11 sets forth conditions intended to ensure that these core
components of FCRA section 604(a)(2) are satisfied and to prevent
evasion thereof.
In proposing Sec. 1022.11, the CFPB has considered its PFDR
rulemaking, and particularly the authorized third-party provisions in
that rulemaking. Similar to the aims of the written instructions
permissible purpose in the FCRA, the PFDR Rule seeks to ensure that the
consumer understands and clearly directs how and for what purpose their
data will be used by a third party.\217\ In addition, the CFPB
recognizes that certain entities that are subject to the PFDR Rule may
also have obligations under the FCRA. For example, certain companies
seeking to become authorized third parties under the PFDR Rule may also
be required to comply with the FCRA as users of consumer reports from
consumer reporting agencies because they are using the services of
aggregators that are consumer reporting agencies to obtain consumer-
permissioned data. Certain of these companies may be obtaining consumer
reports pursuant to the FCRA written instructions permissible purpose.
In light of these interactions and the similarities between the FCRA
written instructions permissible purpose and the requirements for
authorized third parties under the PFDR Rule, the CFPB has carefully
considered as part of this proposal the legal, research, and policy
considerations described in the PFDR rulemaking and proposes to align
the requirements of Sec. 1022.11 with the PFDR Rule requirements for
authorized third parties.
---------------------------------------------------------------------------
\217\ See PFDR Rule, supra note 206 (describing limits on third-
party collection, use, and retention of covered data).
---------------------------------------------------------------------------
Consumer Disclosure and Consent
Proposed Sec. 1022.11(b)(1) would require, among other things,
that the consumer provide express, informed consent to the furnishing
of their report. The proposed provision would require the consumer
reporting agency or person to whom the consumer report will be provided
to give the consumer a disclosure setting forth the key terms and scope
of how their report will be used. As set forth in proposed Sec.
1022.11(c), the disclosure must be clear, conspicuous, and segregated
from other material, and include the name of the person the report will
be obtained from; who the report will be provided to; the product or
service, or specific use, for which the consumer report will be
furnished or obtained; limitations on the scope of such use; and how a
consumer may revoke consent. Together, these proposed provisions are
designed to ensure that the consumer has provided affirmative
``instructions'' regarding the furnishing and use of their consumer
report and to provide the consumer with information necessary to be
informed and form reasonable expectations about how their report will
be used in the future.
Reasonably Necessary to a Consumer's Requested Product, Service, or Use
The CFPB is proposing several conditions intended to ensure that
consumer reports furnished pursuant to written instructions are
furnished in connection with a specific product, service, or use the
consumer has actually requested (proposed Sec. 1022.11(b)(2)), and
that once consent is obtained, the user of the report procures, uses,
retains, or shares the report with a third party only as reasonably
necessary to provide the product or service requested by the consumer,
or the specific use \218\ the
consumer has identified (proposed Sec. 1022.11(b)(3)).
---------------------------------------------------------------------------
\218\ An example of a specific use requested by the consumer
that is not a product or service is when a consumer requests the
furnishing of a consumer report to a potential business partner.
---------------------------------------------------------------------------
When obtaining a product or service, consumers might provide
written instructions to furnish their consumer report if doing so is
necessary to obtain the benefits of the sought-after product or
service. For example, a consumer could provide written instructions to
an entity that provides credit monitoring to obtain their consumer
report so that the entity could provide the consumer with the credit
monitoring service they desire. In such cases, the consumer's reason
for allowing the consumer report to be furnished is that they want to
receive the credit monitoring service. However, in such circumstances,
the consumer likely does not expect (much less affirmatively intend to
authorize) that their consumer report will be used for purposes other
than credit monitoring--such as to provide targeted marketing to the
consumer.\219\ Consistent with the CFPB's proposed interpretation of
the written instructions permissible purpose, proposed Sec.
1022.11(b)(2) and (3) are intended to ensure that the furnishing of the
consumer report is in accordance with the consumer's affirmative
instructions and intent, that the consumer is informed about the scope
of such use, and that such use aligns with the consumer's reasonable
expectations. The proposed provisions are also designed to prevent
evasion of the written instructions permissible purpose by ensuring
that each product or service (or use, if not in connection with a
product or service) is authorized by one, separate written instruction.
For example, a company could otherwise evade the written instructions
permissible purpose when it obtains written instructions in connection
with one product or service, but then exploits such consent through
obscure and lengthy terms and conditions language to use consumer
reports for purposes other than as reasonably necessary to provide the
product or service the consumer requested.
---------------------------------------------------------------------------
\219\ See generally Yosuke Uno et al., The Economics of Privacy:
A Primer Especially for Policymakers, at 8-9, Bank of Japan, Working
Paper Series No.21-E-11 (Aug. 6, 2021), https://www.boj.or.jp/en/research/wps_rev/wps_2021/data/wp21e11.pdf (surveying research
demonstrating that consumers generally do not understand the scope
or risks of sharing private data even after having agreed to do so).
---------------------------------------------------------------------------
Proposed Sec. 1022.11(d) provides examples of uses of consumer
reports that would not be reasonably necessary to provide a product or
service. For example, proposed Sec. 1022.11(d) provides that certain
activities--such as targeted advertising, cross-selling of other
products or services, or the sale of information in the consumer
report--are not part of, or reasonably necessary to provide, any other
product or service.\220\ When a consumer seeks a particular product or
service--such as signing up for a credit monitoring service--the use of
a consumer report for the types of purposes described in proposed Sec.
1022.11(d) is generally not contemplated or reasonably expected by the
consumer, and is instead a tactic used by companies to evade the
permissible purpose limitations, including the strict limitations on
use of consumer reports for marketing purposes.\221\ In such
circumstances, any ``consent'' to such purposes would be unknowingly or
reluctantly provided and accordingly not sufficient to meet the
requirement that the consumer report be shared at the affirmative
direction of the consumer. Having said that, companies are free to
procure separate written instructions for different products or
services, which the CFPB preliminarily concludes would ensure consumers
are truly providing informed consent.
---------------------------------------------------------------------------
\220\ The proposed rule would not prevent a user from engaging
in an activity described in proposed Sec. 1022.11(d) as a stand-
alone product or service. To the extent that the consumer seeks such
a product or service and the consumer's consumer report is
reasonably necessary to provide that product or service, the
consumer report could be furnished or obtained pursuant to the
consumer's written instructions consistent with, and subject to,
proposed Sec. 1022.11.
\221\ See supra notes 36 and 197 and accompanying text.
---------------------------------------------------------------------------
Duration Limitations
Proposed Sec. 1022.11(b)(3)(ii) would prevent a user from
procuring a consumer report more than one year after the date on which
the consumer provides consent for the consumer reporting agency to
furnish the report. The CFPB recognizes that some products or services,
such as credit monitoring, require consumer reporting agencies to
repeatedly furnish consumer reports over time, and, if separate written
instructions were required each time the consumer report were
furnished, consumers as well as persons offering these services could
be frustrated or burdened. On the other hand, for products and services
that rely on standing instructions to furnish consumer reports, such as
credit monitoring, instructions with no or lengthy duration limits may,
over time, result in the consumer report being used outside the
consumer's knowledge and reasonable expectations. The CFPB
preliminarily determines that the proposed limitation of one year
reasonably balances these concerns and serves as an effective check
against consumer reports being furnished for longer periods than the
consumer needs or wants.\222\ After the one-year period has elapsed, if
the consumer wishes to continue to receive the requested product or
service, the consumer would be able to provide new consent to the
furnishing of the report as described in proposed Sec.
1022.11(b)(1)(i).
---------------------------------------------------------------------------
\222\ Pursuant to proposed Sec. 1022.11(b)(3)(i), a user would
be limited to procuring, using, or retaining a consumer report for
less than a year if these activities were not reasonably necessary
to provide the product or service the consumer requested or for the
specific use the consumer identified. For example, a product or
service or specific use the consumer identified that requires only
one instance of access to a consumer report, such as furnishing a
consumer report to a potential business partner, would not authorize
the consumer reporting agency to continue to furnish, or the
potential business partner to obtain, more than one consumer report.
---------------------------------------------------------------------------
Revocation
A final condition included in proposed Sec. 1022.11 is a
consumer's right to revoke consent previously granted. Specifically,
proposed Sec. 1022.11(b)(4) would require that the consumer is
provided a method to revoke consent that is as easy to access and
operate as the method by which the consumer initially provided consent
to the furnishing of their consumer report. The proposal would also
provide that a consumer could not be charged any costs or penalties to
revoke consent.
As discussed above, the CFPB preliminarily determines that the text
of FCRA section 604(a)(2) supports this proposed provision. The notion
of a consumer providing ``instructions'' suggests that the consumer is
able to revoke such instructions. For the right to revocation to be
meaningful, the method of revocation should be familiar and easily
accessible to the consumer and should not involve additional costs or
penalties to the consumer.
Facilitation of Compliance for Authorized Third Parties Under the PFDR
Rule
As described above, the CFPB has carefully considered the PFDR
rulemaking in developing this proposal. To facilitate compliance for
entities that would seek to comply with both proposed Sec. 1022.11 and
the PFDR Rule, the CFPB is proposing to expressly provide that a
consumer reporting agency furnishes a consumer report in accordance
with the written instructions of the consumer for purposes of the FCRA
and Regulation V if the person to whom the report is furnished is an
authorized third party under subpart D of the PFDR Rule. The CFPB
anticipates that this proposal, if finalized, would be
reflected in the regulatory text of the FCRA final rule.\223\
---------------------------------------------------------------------------
\223\ See PFDR Rule, supra note 206. The PFDR Rule is not yet in
effect. As a result, this proposed method of compliance with Sec.
1002.11 has not been included in the proposed regulatory text here.
---------------------------------------------------------------------------
Small Business Review Panel Recommendations
The conditions set forth in proposed Sec. 1022.11 are responsive
to the Small Business Review Panel's recommendations related to the
written instructions permissible purpose.\224\ For example, proposed
Sec. 1022.11(b) and (c), which would require that consumers be
presented with a clear and conspicuous description of who may obtain
their consumer report and how it will be used, is responsive to the
Panel's recommendation that the proposal maximize consumer
understanding. Similarly, proposed Sec. 1022.11(b)(1)(i)(B), which
would require a consumer reporting agency or the person to whom the
consumer report will be furnished to obtain the consumer's signature,
either in writing or electronically, is responsive to the Panel's
recommendation that the CFPB permit consumers' written instructions to
be obtained electronically or through more traditional methods.
Finally, as discussed above, the CFPB's proposal is responsive to the
Panel's recommendation to ensure that the written instructions
permissible purpose proposal does not conflict with other regulatory
frameworks for consumer authorization of data sharing.
---------------------------------------------------------------------------
\224\ Small Business Review Panel Report, supra note 40, at 48.
---------------------------------------------------------------------------
The Panel also recommended that the CFPB consider an alternative
approach of requiring that, upon a consumer's request, users delete
consumer reports previously obtained, rather than obtain one-time-use
consumer authorizations.\225\ The CFPB considered this approach but has
preliminarily determined that it would be insufficient to establish a
written instructions permissible purpose under the statute. As
discussed above, the CFPB preliminarily determines that, under FCRA
section 604(a)(2), the consumer must provide affirmative, knowing, and
revocable consent for a consumer reporting agency to furnish their
consumer report to a third party. Requiring entities that have obtained
consumer reports to delete them upon the consumer's request would not
achieve this result. Putting the burden on consumers to affirmatively
take steps to request deletion of their sensitive data, rather than
putting the responsibility on the consumer reporting agency and user to
limit their provision and use of such reports as originally
``instructed'' by the consumer, would be inconsistent with the FCRA's
statutory language and purposes. The CFPB also notes that proposed
Sec. 1022.11(b)(3)(ii) does not contemplate a one-time-use consumer
authorization but allows a consumer's written instructions to permit
access for up to one year so long as access to a consumer's consumer
report remains reasonably necessary to provide the consumer's requested
product or service or use.
---------------------------------------------------------------------------
\225\ Id.
---------------------------------------------------------------------------
Finally, consistent with the Panel's recommendation, the CFPB
requests public comment on the appropriate scope and duration of a
consumer's written instructions, as well as whether the consumer
reporting agency or the person to whom the consumer report will be
furnished should be required to memorialize or confirm consumers'
written instructions.
Section 1022.12 Permissible Purposes Based on a Consumer Reporting
Agency's Reasonable Belief About a Person's Intended Use
The CFPB proposes Sec. 1022.12 to incorporate into Regulation V
the permissible purposes listed in FCRA section 604(a)(3)(A) through
(F).\226\ As noted above, FCRA section 604(a) permits a consumer
reporting agency to furnish a consumer report under specific enumerated
circumstances and no other. The permissible purposes in FCRA section
604(a)(3)(A) through (E) cover circumstances in which a consumer
reporting agency has reason to believe that a person intends to use the
information in the consumer report for certain purposes related to
credit, employment, insurance, license or benefit eligibility, and
valuing or assessing credit or prepayment risks associated with
existing credit obligations. These permissible purposes are restated in
proposed Sec. 1022.12(a)(1) through (5) without interpretation. The
permissible purpose in FCRA section 604(a)(3)(F) is implemented in
proposed Sec. 1022.12(b), as discussed below.
---------------------------------------------------------------------------
\226\ 15 U.S.C. 1681b(a)(3)(A) through (F).
---------------------------------------------------------------------------
12(b) Permissible Purpose Based on Legitimate Business Need
Proposed Sec. 1022.12(b) would implement and interpret the
legitimate business need permissible purpose in FCRA section
604(a)(3)(F). FCRA section 604(a)(3)(F) provides that a consumer
reporting agency may furnish a consumer report to a person which it has
reason to believe has a legitimate business need for the information in
two scenarios: (1) in connection with a business transaction that is
initiated by the consumer (the consumer-initiated transaction prong)
and (2) to review an account to determine whether the consumer
continues to meet the terms of the account (the account review prong).
The CFPB proposes to restate both prongs in Sec. 1022.12(b)(1) and to
provide clarifications and examples in Sec. 1022.12(b)(2) and (3).
Among other things, proposed Sec. 1022.12(b) would highlight that the
legitimate business need permissible purpose does not authorize use of
consumer report information for marketing.
Consumer-Initiated Transactions
Proposed Sec. 1022.12(b)(2) would clarify that the consumer-
initiated transaction prong of the legitimate business need permissible
purpose authorizes a consumer reporting agency to furnish a consumer
report to a person only if the consumer reporting agency has reason to
believe that the consumer has initiated a business transaction.
Proposed Sec. 1022.12(b)(2) sets forth examples to illustrate the
types of interactions between a consumer and a prospective user that
would and would not establish a consumer-initiated transaction. Among
other things, the examples clarify that a consumer may interact with a
business without initiating a transaction, such as by asking about the
availability or pricing of products or services. The CFPB preliminarily
determines that the examples in proposed Sec. 1022.12(b)(2) would
facilitate compliance with the FCRA for consumer reporting agencies
furnishing consumer reports to users pursuant to the consumer-initiated
transaction prong of the legitimate business need permissible purpose
and prevent evasion of the FCRA. The proposed examples are consistent
with prior interpretations by FTC staff.\227\
---------------------------------------------------------------------------
\227\ See, e.g., FTC 40 Years Staff Report, supra note 21, at
14, 48 (citing 1990 comment 604(3)(E)-3); FTC Informal Staff Opinion
Letter to Greenblatt (Oct. 27, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-greenblatt-10-27-98; FTC Informal Staff Opinion Letter to Kaiser (July 16, 1998),
https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-kaiser-07-16-98; FTC Informal Staff Opinion Letter to Coffey
(Feb. 11, 1998), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-coffey-02-11-98.
---------------------------------------------------------------------------
Solicitation or Marketing
As discussed elsewhere in this document, the CFPB is concerned
about reports of unauthorized use of consumer report information for
marketing purposes. Proposed Sec. 1022.12(b)(3) would emphasize that
neither prong of the legitimate business need permissible
purpose authorizes a consumer reporting agency to furnish a consumer
report to a person if the consumer reporting agency has reason to
believe the person is seeking information from the report to solicit
the consumer for a transaction the consumer did not initiate or to
otherwise market products or services to the consumer. Proposed Sec.
1022.12(b)(3) also includes an example to illustrate this point, as
well as a cross-reference to FCRA section 604(c) related to prescreened
offers for credit or insurance transactions, which permits the release
of consumer report information for marketing. The plain language of the
FCRA, legislative history, and prior agency guidance and caselaw make
clear that Congress did not intend for the legitimate business need
permissible purpose to be exploited for marketing purposes.
The proposal is supported by the plain language of the FCRA. With
respect to the consumer-initiated transaction prong of the legitimate
business need permissible purpose, FCRA section 604(a)(3)(F)(i)
provides that a consumer reporting agency may furnish a consumer report
to a person that the consumer reporting agency has reason to believe
has a legitimate business need for the information in connection with a
business transaction that is initiated by the consumer. FCRA section
604(a)(3)(F)(i) does not, by its plain language, authorize a consumer
reporting agency to furnish a consumer report to a person that the
consumer reporting agency has reason to believe is seeking the
information from the report to solicit a consumer for a transaction
that the consumer did not initiate or to otherwise market products or
services to the consumer. Similarly, FCRA section 604(a)(3)(F)(ii) does
not authorize account reviews for marketing purposes; instead, by its
plain language, it merely authorizes reviews to determine whether the
consumer continues to meet the terms of the account.
Under the FCRA, a person is prohibited from using a consumer report
for a purpose that is not authorized under FCRA section 604, and the
permissible purposes authorized by FCRA section 604 do not include
solicitation or marketing (except as permitted under the statute's
prescreening and written instructions provisions). FCRA section 604(f)
provides that a person shall not use or obtain a consumer report unless
the report is obtained for a permissible purpose and that purpose is
certified by the prospective user. FCRA section 607(a) requires
prospective users to certify the purposes for which the information is
sought and that ``the information will be used for no other purpose.''
\228\ The legitimate business need permissible purpose thus does not
authorize a consumer reporting agency to furnish a consumer report to a
person if the consumer reporting agency has reason to believe the
person is seeking information from the report for solicitation and
marketing purposes. Moreover, a person that obtains a consumer report
under either prong of the legitimate business need permissible purpose
may not then use the consumer report for solicitation or marketing.
---------------------------------------------------------------------------
\228\ 15 U.S.C. 1681e(a).
---------------------------------------------------------------------------
Where Congress did permit consumer reporting agencies to disclose
certain consumer report information for marketing, it did so explicitly
and mandated specific guardrails to protect consumers. The FCRA's
prescreening provisions authorize consumer reporting agencies to
furnish a consumer report in connection with credit or insurance
transactions not initiated by the consumer but provide specific
limitations in these circumstances, as discussed above.\229\ Congress
would have imposed similar safeguards for the legitimate business need
permissible purpose if Congress had intended for the legitimate
business need permissible purpose to authorize solicitation and
marketing.
---------------------------------------------------------------------------
\229\ See supra note 197 and accompanying text.
---------------------------------------------------------------------------
The legislative history is also instructive. Senate Report 103-209
explains that ``[t]he permissible purpose created by this provision . .
. is limited to an account review for the purpose of deciding whether
to retain or modify current account terms. It does not permit access to
consumer report information for the purpose of offering unrelated
products or services.'' \230\
---------------------------------------------------------------------------
\230\ S. Rep. No. 103-209, at 11 (1993) (discussing S.783, a
predecessor bill that included language later adopted in the 1996
FCRA amendments).
---------------------------------------------------------------------------
The D.C. Circuit recognized that targeted marketing did not fall
within the legitimate business need permissible purpose, even under the
original version of this permissible purpose that broadly referred to a
``legitimate business need for the information in connection with a
business transaction involving the consumer.'' \231\ In doing so, the
court noted that protecting the privacy of consumer report information
is a major purpose of the FCRA and explained that such information
should be kept private unless a ``consumer could be expected to wish
otherwise or, by entering into some relationship with a business, could
be said to implicitly waive the [FCRA]'s privacy to help further that
relationship.'' \232\
---------------------------------------------------------------------------
\231\ 15 U.S.C. 1681b(3)(E) (1994) (emphasis added); Trans Union
Corp. v. FTC, 81 F.3d 228, 233-34 (D.C. Cir. 1996).
\232\ Trans Union Corp. v. FTC, 81 F.3d 228, 234 (D.C. Cir.
1996).
---------------------------------------------------------------------------
Prior FTC staff interpretations have similarly concluded that
marketing is not authorized by the legitimate business need permissible
purpose. For example, the FTC 40 Years Staff Report explains that the
account review prong provides a permissible purpose to banks that have
a legitimate need to consult a current customer's consumer report in
order to determine whether the terms of a consumer's current non-credit
(savings or checking) accounts should be modified, but it does not
allow consumer reporting agencies to provide businesses with consumer
reports to market other products or services.\233\
---------------------------------------------------------------------------
\233\ FTC 40 Years Staff Report, supra note 21, at 42, 48-49
(citing FTC Informal Staff Opinion Letter to Gowen (Apr. 29, 1999),
https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-gowen-04-29-99).
---------------------------------------------------------------------------
With respect to the proposal related to the legitimate business
need permissible purpose discussed during the Small Business Review
Panel meeting, the Panel recommended that the CFPB consider clarifying
in general how the proposal under consideration would relate to or
impact other FCRA permissible purposes.\234\ To clarify, the proposed
legitimate business need provisions interpret solely the FCRA section
604(a)(3)(F) legitimate business need permissible purpose.
---------------------------------------------------------------------------
\234\ Small Business Review Panel Report, supra note 40, at 48 &
section 9.3.6.
---------------------------------------------------------------------------
Section 1022.13 Permissible Purposes Based on Certain Agency or Other
Official Requests
The CFPB proposes Sec. 1022.13 to incorporate into Regulation V
the permissible purposes listed in FCRA section 604(a)(1),
604(a)(3)(G), and 604(a)(4) through (6).\235\ As noted above, FCRA
section 604(a) permits a consumer reporting agency to furnish a
consumer report under specific enumerated circumstances and no other.
The permissible purposes in the FCRA sections incorporated in proposed
Sec. 1022.13 cover circumstances under which a consumer reporting
agency may furnish a consumer report in connection with certain agency
or other official requests. These permissible purposes are restated in
proposed Sec. 1022.13(a)(1) through (5).
---------------------------------------------------------------------------
\235\ 15 U.S.C. 1681b(a)(1), 1681b(a)(3)(G), 1681b(a)(4) through
(6).
---------------------------------------------------------------------------
FCRA section 604(a)(3)(G) sets forth a permissible purpose related
to government-sponsored individually billed travel charge cards. In the
statute, this permissible purpose is grouped with the permissible
purposes based on
a consumer reporting agency's reasonable belief about a person's
intended use, which the CFPB otherwise proposes to incorporate into
Regulation V in proposed Sec. 1022.12. The CFPB proposes to
incorporate FCRA section 604(a)(3)(G) into Regulation V in proposed
Sec. 1022.13 because the permissible purpose appears most similar in
kind to those that appear in FCRA section 604(a)(5) and (6) and does
not fit grammatically within the structure of FCRA section 604(a)(3).
Proposed Sec. 1022.13(a)(5) provides that a permissible purpose exists
for a consumer reporting agency to furnish a consumer report to an
executive department or agency in connection with the issuance of a
government-sponsored, individually billed travel charge card.\236\ The
CFPB requests comment on the proposed approach.
---------------------------------------------------------------------------
\236\ Consistent with proposed Sec. 1022.13(a)(5), the FTC 40
Years Staff Report notes that ``[s]ection 604(a)(3)(G) allows CRAs
to provide consumer reports to `executive departments and agencies
in connection with the issuance of government sponsored
individually-billed travel charge cards.' '' FTC 40 Years Staff
Report, supra note 21, at 49.
---------------------------------------------------------------------------
V. Proposed Effective Date
The CFPB requests comment on an effective date for the proposed
rule. For example, the CFPB is considering whether a final rule should
take effect six months or one year after publication in the Federal
Register. Consistent with recommendations of the Small Business Review
Panel, the CFPB specifically requests comment on whether either a six-
month or one-year implementation period would provide sufficient time
for entities, including small entities, that are not currently
complying with the FCRA to begin to do so. The CFPB also requests
comment on whether either a six-month or one-year implementation period
would provide sufficient time for vendors to complete the work
necessary to assist small entities in coming into compliance with any
final rule. The CFPB further requests comment on ways that it might
facilitate implementation for small entities, such as by providing for
a longer implementation period for small entities and what that period
should be.
VI. CFPA Section 1022(b) Analysis
The CFPB is considering the potential benefits, costs, and impacts
of the proposed rule in accordance with section 1022(b)(2)(A) of the
Consumer Financial Protection Act of 2010 (CFPA).\237\ The CFPB
requests comment on the analysis presented below, as well as
submissions of information and data that could inform its consideration
of the impacts of the proposed rule. This section contains an analysis
of the benefits and costs of the proposed rule for consumers, consumer
reporting agencies, and other covered persons.
---------------------------------------------------------------------------
\237\ 12 U.S.C. 5512(b)(2)(A).
---------------------------------------------------------------------------
A. Statement of Need
By enacting the FCRA in 1970, Congress sought to ensure the
accuracy, fairness, and privacy of consumer information collected,
maintained, and furnished by consumer reporting agencies. In recent
years, the consumer reporting marketplace has evolved in ways that
imperil Americans' privacy. Today, Americans regularly engage in
activities that reveal personal information about themselves, often
without realizing it. Entities with whom the consumer interacts might
collect, aggregate, and sell information about the consumer to other
entities with whom the consumer does not have a relationship, such as
data brokers. Technological advancements have also made it increasingly
feasible to re-identify consumers in datasets that have otherwise been
de-identified, and at times even identify consumers from aggregated
data. In the FCRA context, these concerns about re-identification of
data are particularly pronounced due to the sensitivity of consumer
report information and the privacy goals that prompted Congress to
enact the statute. The CFPB is concerned that some of these data are
shared by consumer reporting agencies with users who do not have an
FCRA permissible purpose, or who otherwise use consumer report
information for marketing in ways that the FCRA prohibits. In addition,
many data brokers attempt to avoid liability under the FCRA by arguing
that they are not consumer reporting agencies selling consumer reports.
Consequently, they do not treat the consumer information they sell as
subject to the requirements of the FCRA, even though they collect,
assemble, evaluate, and sell the same information as other consumer
reporting agencies--and even though their activities pose the same
risks to consumers that motivated the FCRA's passage.
Under this current state of the world, the activities of data
brokers, including consumer reporting agencies, potentially harm
consumers. Inaccurate information can cause consumers to be denied
access to products, services, or opportunities that they would have
qualified for had the information been accurate; often, consumers are
unaware of these inaccuracies and, even if they are aware, may lack
recourse to dispute such inaccuracies. The proliferation of sensitive
information being exchanged in the data broker marketplace, often
without consumers' knowledge or consent, harms consumer privacy. While
consumers theoretically may be willing to part with their private
information for a price, this choice is not typically provided in the
activities that would be subject to the proposed rule. Moreover,
sensitive consumer information can be used to target certain consumers
for identity theft, fraud, or predatory scams, potentially causing
consumers significant monetary losses.
The proposed rule would mitigate these consumer harms by addressing
the definitions of consumer reporting agency and consumer report and
certain responsibilities of consumer reporting agencies. This would
help safeguard consumer information and help ensure it is only used as
permitted by the FCRA. The provisions in the proposed rule would cause
many additional data brokers to be subject to the FCRA and necessitate
that they and other consumer reporting agencies modify their operations
and activities to be in compliance with the FCRA.
B. Baseline
In evaluating the proposed rule's impacts, the CFPB considers the
impacts against a baseline in which the CFPB takes no action. This
baseline includes existing regulations, State and Federal laws, and the
current state of the marketplace. In particular, the baseline includes
current industry practices and current applications of the law.
C. Data and Evidence
The CFPB's analysis of costs, benefits, and impact is informed by
information and data from a range of sources. As discussed in part
II.C, the CFPB convened a Small Business Review Panel on October 16,
2023, and held Panel meetings on October 18 and 19, 2023, to gather
input from small businesses. The discussions at the Panel meetings and
the comment letters submitted by small entity representatives during
this process were presented in the Small Business Review Panel Report
completed in December 2023. The CFPB also invited and received feedback
on the proposals under consideration from other stakeholders, including
stakeholders who were not small entity representatives. To estimate the
number of entities that may be subject to the proposed rule, the CFPB
used the December 2022 National Credit Union Administration (NCUA) and
Federal Financial Institutions Examination Council (FFIEC) Call Report
data, the 2017 Economic Census data from the U.S. Census Bureau, the
California and
Vermont data broker registries, and the CFPB's list of consumer
reporting agencies.\238\ The impact analysis is further informed by
academic research, reports on research by industry and trade groups,
practitioner studies, comments received in response to the CFPB's Data
Broker RFI, and letters received by the CFPB. Where used, these
specific sources are cited in this analysis.
---------------------------------------------------------------------------
\238\ See Off. of the Att'y Gen., State of Cal. Dep't of Just.,
Data Broker Registry, https://oag.ca.gov/data-brokers (list of data
brokers registered in California) (last visited Oct. 15, 2024); Vt.
Sec'y of State, Data Broker Search, https://bizfilings.vermont.gov/online/DatabrokerInquire/ (list of data brokers registered in
Vermont) (last visited Oct. 15, 2024). See Consumer Fin. Prot.
Bureau, List of consumer reporting companies, https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/ (last visited Oct. 15, 2024). The
CFPB's list of consumer reporting agencies is not intended to be
all-inclusive and does not cover every company in the industry.
---------------------------------------------------------------------------
D. Coverage of the Proposed Rule
Part VII.B.3 provides a discussion of the estimated number and
types of entities potentially affected by the proposed rule.
E. Potential Benefits and Costs of the Proposed Rule to Consumers and
Covered Persons
The CFPB discusses the potential benefits and costs to consumers
and covered persons of each of the main provisions of the proposed rule
below. For purposes of this discussion, the CFPB has grouped proposed
provisions that the CFPB expects would have similar benefits and costs,
though it notes that some provisions could be grouped in multiple
categories due to their potential effects. The discussion will note
where the CFPB expects provisions would have both distinct and
overlapping impacts. Provisions have been grouped as follows:
• Provisions addressing the definitions of consumer report
and consumer reporting agency that could affect which entities are
consumer reporting agencies (``consumer reporting agency coverage'').
These are:
  ○ Proposed Sec. 1022.4(b), addressing the phrase ``is used''
  in the definition of consumer report;
  ○ Proposed Sec. 1022.4(c), addressing the phrase ``expected to
  be used'' in the definition of consumer report; and
  ○ Proposed Sec. 1022.5(b), addressing the phrase ``assembling
  or evaluating'' in the definition of consumer reporting agency.
• Provisions addressing the definition of consumer report
that could affect what constitutes a consumer report (``consumer report
coverage''). These are:
  ○ Proposed Sec. 1022.4(d), addressing certain personal
  identifiers for a consumer that are often referred to as ``credit
  header'' information; and
  ○ Proposed Sec. 1022.4(e), addressing when a consumer
  reporting agency's communication of de-identified information is a
  consumer report.
• Provisions clarifying the FCRA's general prohibition on
using consumer report information for marketing and advertising. These
are:
  ○ Proposed Sec. 1022.10(b)(1) and (2), addressing what it
  means for a consumer reporting agency to furnish a consumer report; and
  ○ Proposed Sec. 1022.12(b)(3), highlighting that the
  legitimate business need permissible purpose does not authorize use of
  consumer report information for marketing.
• Provisions clarifying certain responsibilities of consumer
reporting agencies. These are:
  ○ Proposed Sec. 1022.11, clarifying the written instructions
  permissible purpose; and
  ○ Proposed Sec. 1022.12(b)(2), clarifying the
  consumer-initiated transaction prong of the legitimate business need
  permissible purpose.
In this discussion, the CFPB focuses on direct costs and benefits.
However, the CFPB acknowledges that the covered persons that would be
affected by the proposed rule operate in interconnected industries, and
that costs may be passed through beyond the entity initially impacted.
For instance, to the extent that the proposed rule would increase costs
to consumer reporting agencies, those consumer reporting agencies may
respond by increasing the cost of consumer reports. The CFPB estimates
that the cost of a single credit report for an individual is between
$18 and $30.\239\ A data broker in the baseline that does not consider
itself to be a consumer reporting agency but may indeed be covered by
the FCRA could also experience cost increases that it would pass along to
users. Some data brokers currently charge less than a dollar per
record, several dollars for a search, or under $30 for monthly access
to an unlimited number of reports.\240\ The costs each of these
entities incur as a result of the rule would likely differ in
magnitude, leading to differences in the change in future pricing for
their products if the rule is finalized. Covered persons with consumer-
facing businesses may pass these costs on to consumers in the form of
higher prices as well. The CFPB does not separately discuss each
instance but acknowledges the possibility of pass through. Because this
is speculative and the CFPB does not have data that would allow it to
estimate the likelihood and amount of any industry-to-industry or
industry-to-consumer pass through in the consumer reporting industry
and related industries, the CFPB requests comment on this issue.
---------------------------------------------------------------------------
\239\ See Press Release, Rohit Chopra, Consumer Fin. Prot.
Bureau, Prepared Remarks of CFPB Director Rohit Chopra at the
Mortgage Bankers Association (May 20, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-mortgage-bankers-association.
\240\ An online search of people-search sites in August 2024
revealed at least one data broker that was selling unlimited person
and location reports for $28.33 per month. Separately, some
researchers have reported prices of information from data brokers
for less than a dollar. See Justin Sherman, People Search Data
Brokers, Stalking, and `Publicly Available Information' Carve-Outs,
The Lawfare Inst. (Oct. 30, 2023), https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
---------------------------------------------------------------------------
In addition, the CFPB acknowledges that it does not possess data to
quantify the magnitude of many of the potential effects of the proposed
rule. The CFPB requests information and comment that would enable it to
quantify such impacts.
Provisions That Could Affect Consumer Reporting Agency Coverage
The proposed rule would clarify that certain entities, such as many
additional data brokers, are covered by the FCRA. The effect of
proposed Sec. 1022.4(b) would be that a person that sells information
that is used for a purpose described in proposed Sec. 1022.4(a)(2)
would become a consumer reporting agency, regardless of whether the
person knows or believes that the communication of that information is
legally considered a consumer report, assuming the other elements of
the definition of consumer reporting agency are satisfied. In addition,
the effect of proposed Sec. 1022.4(c) addressing the phrase ``expected
to be used'' in the definition of consumer report would be to require
many companies, such as additional data brokers, that currently sell
information about consumers' credit history, credit score, debt
payments (including on non-credit obligations), or income or financial
tier to comply with the FCRA. The CFPB proposes that an entity selling
any of these four data types--credit history, credit score, debt
payments, and income or financial tier--for any purpose generally would
qualify as a consumer reporting agency selling consumer reports,
because these information types are typically used to
underwrite loans.\241\ Proposed Sec. 1022.5(b) addressing the phrase
``assembling or evaluating'' in the definition of consumer reporting
agency would make clear that certain data aggregators that are engaged
in assembling or evaluating consumer information are consumer reporting
agencies (assuming the other elements of that definition are
satisfied).
---------------------------------------------------------------------------
\241\ For brevity, information about a consumer's credit
history, credit score, debt payments, and income or financial tier
is referred to throughout this discussion as the ``four data
types.''
---------------------------------------------------------------------------
Since marketing is not a permissible purpose, other than in the
limited circumstances expressly provided for in the FCRA, data brokers
would generally be unable to sell the four data types to target
marketing to consumers. As described in more detail in Provisions to
reduce the use of consumer report information for marketing and
advertising, data brokers sometimes employ the four data types to place
consumers into categories. Many of these categories reflect sensitive
information and potentially inaccurate inferences about consumers, such
as that the consumer is ``financially challenged,'' is ``behind on
bills,'' or is an ``upscale retail card holder.'' \242\ Data brokers
then sell lists of these consumers to advertisers who are interested in
targeting certain types of consumers.
---------------------------------------------------------------------------
\242\ See Duke Report on Data Brokers and Mental Health Data,
supra note 26, at 14; FTC Data Broker Report, supra note 25, at 20-
21; Consumer Fin. Prot. Bureau, Prepared Remarks of CFPB Director
Rohit Chopra at the White House on Data Protection and National
Security (Apr. 2, 2024), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-at-the-white-house-on-data-protection-and-national-security/.
---------------------------------------------------------------------------
Potential Benefits to Consumers of Provisions That Could Affect
Consumer Reporting Agency Coverage
The provisions that could impact which entities are consumer
reporting agencies would extend the responsibilities of the FCRA to
additional entities. This would have the net effect of reducing the
overall supply of available consumer information for sale and transfer
for non-permissible purposes. Additional entities would bear the
responsibilities and limitations of consumer reporting agencies under
the FCRA, thus overall reducing the available amount of consumer
information, including particularly sensitive data such as consumers'
credit history and income.
This overall reduction in the supply of available consumer
information could confer privacy benefits on consumers in several ways.
First, consumers might intrinsically value privacy in the sense of
being generally uneasy about their data being shared. The revelation of
personal information about consumers can lead to a variety of non-
monetary costs, such as distress, embarrassment, shame, and
stigma.\243\ The availability of personal information could also lead
to stalking, harassment, and doxing, where a consumer's private
information is publicly published with malicious intent.\244\ There is
existing evidence that consumers feel unaware of how their personal
data is being used and that this could cause concern. On surveys,
consumers report feeling that they are ``concerned, lack control and
have a limited understanding about how the data collected about them is
used.'' \245\ Several empirical studies have documented by revealed
preference the existence and magnitude of such intrinsic
valuations.\246\ Consumers are concerned about financial data and
maintaining the privacy of these data.\247\ For example, a 2021 survey
found that 94 percent of banked consumers preferred that their primary
financial institution not share their financial data with other
companies for marketing purposes.\248\
---------------------------------------------------------------------------
\243\ See, e.g., Am. Compl. For Permanent Inj. & Other Relief ¶¶
97-106, FTC v. Kochava, Inc., No. 2:22-cv-00377-BLW (D. Idaho June
5, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/26AmendedComplaint%28unsealed%29.pdf; Charles Duhigg, How Companies
Learn Your Secrets, N.Y. Times (Feb. 16, 2012), https://www.nytimes.com/2012/02/19/magazine/shopping-habits.html (recounting
instance in which a retailer developed a ``pregnancy predictor
model'' and sent coupons for baby supplies to a consumer, thereby
revealing to members of the consumer's household that she was
pregnant, a fact that she had kept private).
\244\ A 2012 survey conducted by the National Network to End
Domestic Violence found that 54 percent of victim service agencies
surveyed reported that they work with victims whose stalker used
public information gathered online to stalk the victim. At least
half of victim service agencies also reported working with victims
on help with safety and privacy strategies on using their cell phone
and other privacy-related practices. See Safety Net Project, New
Survey: Technology Abuse & Experiences of Survivors and Victim
Service Agencies, Nat'l Network to End Domestic Violence (Apr. 29,
2014), https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
\245\ See, e.g., Colleen McClain et al., How Americans View Data
Privacy, Pew Rsch. Ctr. (Oct. 18, 2023), https://www.pewresearch.org/internet/2023/10/18/views-of-data-privacy-risks-personal-data-and-digital-privacy-laws/.
\246\ See, e.g., Tesary Lin, Valuing Intrinsic and Instrumental
Preferences for Privacy, 41 (4) Mktg. Sci. (May 13, 2022), https://pubsonline.informs.org/doi/epdf/10.1287/mksc.2022.1368; Huan Tang,
The Value of Privacy: Evidence from Online Borrowers (Dec. 2019),
https://wpcarey.asu.edu/sites/default/files/2021-11/huan_tang_seminar_paper.pdf.
\247\ See, e.g., Consumer Reports, American Experiences Survey:
A Nationally Representative Multi-Mode Survey (Dec. 2023), https://article.images.consumerreports.org/image/upload/v1704482298/prod/content/dam/surveys/Consumer_Reports_AES_December-2023.pdf; Michelle
Cao, National Telecomm. and Info. Admin., U.S. Dep't of Com., Nearly
Three-Fourths of Online Households Continue to Have Digital Privacy
and Security Concerns (Dec. 13, 2021), https://www.ntia.gov/blog/2021/nearly-three-fourths-online-households-continue-have-digital-privacy-and-security-concerns; Dan Murphy et al., Financial Data:
The Consumer Perspective (June 30, 2021), https://finhealthnetwork.org/research/financial-data-the-consumer-perspective/.
\248\ Dan Murphy et al., Financial Data: The Consumer
Perspective (June 30, 2021), https://finhealthnetwork.org/research/financial-data-the-consumer-perspective/.
---------------------------------------------------------------------------
Consumers' data might be used (or they may fear that it could be
used) by careless or malicious actors to directly harm them. This could
include identity theft, of which many instances occur in the U.S. every
year.\249\ Personal data could also be used to target vulnerable
consumers with pitches for predatory financial products and scams.\250\
Consumers may also fear that their personal data could be used to
discriminate against them according to a personal characteristic. The
proposed rule would mitigate the risk of consumer report information
being used to target consumers, as data brokers would be prohibited
from selling the four data types to those lacking a permissible
purpose.
---------------------------------------------------------------------------
\249\ The DOJ estimates that 23.9 million U.S. residents 16 or
older (9 percent of the population) had experienced identity theft
in the past 12 months in 2021. See Press Release, U.S. Bureau of
Just. Stat., Victims of Identity Theft, 2021 (Oct. 12, 2023),
https://bjs.ojp.gov/press-release/victims-identity-theft-2021#:~:text=As%20of%202021%2C%20about%201,email%20or%20social%20media%20account.
\250\ The FTC reported that consumers lost more than $10 billion
to fraud in 2023. See Press Release, Fed. Trade Comm'n, As
Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up
Efforts to Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
---------------------------------------------------------------------------
Consumers' data, in particular data about income and financial
tier, could also be purchased by entities to engage in more targeted
and precise forms of price discrimination. Price discrimination occurs
when an entity charges differentiated prices to consumers based, at
least in part, on their willingness to pay.\251\ While price
discrimination may lead to higher revenue and profits for firms, it
would come at the expense of consumers who would obtain less surplus in
the market (the difference between the price and the price the consumer
was willing to pay). Firms can currently purchase or use consumers'
financial data to charge them higher prices or present targeted offers
to achieve such an effect. For
example, enrollment management companies use consumer financial
information to predict the probability that students would enroll given
different net tuition prices, which educational institutions could use
for pricing decisions.\252\ The potential for price discrimination
using consumer data is an increasing concern across consumer protection
agencies.\253\ The proposed rule could have the effect of reducing the
likelihood of price discrimination to the extent that consumers' data
are used, or have the potential to be used, for price discrimination at
baseline.
---------------------------------------------------------------------------
\251\ See, e.g., Alessandro Acquisti et al., The Economics of
Privacy, 54(2) J. of Econ. Literature 442 (June 2016), https://www.aeaweb.org/articles?id=10.1257/jel.54.2.442.
\252\ See, e.g., Educ. Advisory Board (EAB) Webinar
Presentation, Optimizing Pricing and Aid Dollars for Graduate and
Adult Students (Sept. 12, 2024), https://pages.eab.com/rs/732-GKV-655/images/ALR-GradFAO092024-update-PDF?version=0?x_id=&utm_source=prospect&utm_medium=presentation&utm_campaign=alr-faowebinar-0924&utm_term=&utm_content=inline; EAB,
Enroll360, Enrollment Management Solution for Higher Education,
https://eab.com/solutions/enroll360/ (last visited Nov. 4, 2024);
Enrollment Management Association, Recruiting Private School
Students With PROSPECT (Oct. 27, 2021), https://www.enrollment.org/articles/recruiting-private-school-students-with-prospect.
\253\ See, e.g., Fed. Trade Comm'n Staff, Behind the FTC's
Inquiry into Surveillance Pricing Practices, FTC Tech. Blog (July
23, 2024), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2024/07/behind-ftcs-inquiry-surveillance-pricing-practices#ftn_3.
---------------------------------------------------------------------------
Valuing the benefits to consumers from increased privacy is
difficult. It is common to find that consumers express a stated
preference for digital privacy. Empirical studies have estimated
consumers' willingness to pay for privacy through methods that elicit
revealed preferences. While many find a positive valuation on privacy,
the empirical estimates are highly varied and range from positive but
quite low, to estimates that are much more significant in
magnitude.\254\ Studies have also found large differences in this
valuation across consumers. This variation in the estimated value of
privacy complicates a quantitative estimate of the proposed rule's
benefits to consumers' privacy.
---------------------------------------------------------------------------
\254\ To illustrate the breadth of estimates, Tesary Lin, for
example, finds that consumers are willing to accept, on average, $10
to share a demographic profile, while Huan Tang finds that consumers
are willing to pay on average $32 to hide a social network ID and
employer contact information on a loan application. See Tang, Lin
supra note 246. In contrast, Athey et al. find that half of their
subjects were willing to disclose contact information of their close
friends in exchange for pizza. See Susan Athey et al., The Digital
Privacy Paradox: Small Money, Small Costs, Small Talk, Stanford
Graduate Sch. of Bus. (Feb. 13, 2017), https://gsb-faculty.stanford.edu/susan-athey/files/2022/04/digital_privacy_paradox_02_13_17.pdf.
---------------------------------------------------------------------------
An additional complication with placing a direct value on privacy
is the observation that, despite stated preferences for privacy,
consumers tend to freely share their data. This can be seen by the
proliferation of online data sharing through social networks. Some
studies have also documented that consumers can be induced to share
data with quite small incentives.\255\ The difference between stated or
realized preferences for privacy and the other evidence of a
willingness to share data has been referred to as the ``privacy
paradox,'' though there are multiple potential explanations, including
consumers' confusion about how their data is used, consumers not having
fixed preferences over privacy, and that systems can be designed to
result in the oversharing of data even if consumers do value privacy
highly.\256\
---------------------------------------------------------------------------
\255\ Athey, supra note 254.
\256\ See, e.g., Daron Acemoglu et al., Too Much Data: Prices
and Inefficiencies in Data Markets, 14(4) Am. Econ. J.
Microeconomics 218 (Nov. 2022), https://www.aeaweb.org/articles?id=10.1257/mic.20200200&&from=f; Alessandro Acquisti et
al., What is Privacy Worth?, 42(2) J. of Legal Studies 249 (June
2013), https://www.cmu.edu/dietrich/sds/docs/loewenstein/WhatPrivacyWorth.pdf.
---------------------------------------------------------------------------
The CFPB does not have data to quantify these privacy benefits to
consumers, which are in some ways unquantifiable. This includes the
benefits from reducing harms that arise from sensitive information
about consumers being sold without a permissible purpose. Examples of
these harms that are expected to be reduced include those related to
financial scams; fraud and identity theft; and stalking, harassment,
and doxing. The CFPB requests information and comment on these issues.
Scammers can use data from data brokers, including the four data
types, to facilitate scams and predatory behavior. For example,
fraudsters can obtain lists of people with income below a certain
threshold and use that information to pitch predatory and unlawful
products to families in financial distress. Data brokers have marketed
financial-related lists including those with names such as ``Bad
Credit--Card Declines,'' ``Paycheck to Paycheck Consumers,''
``Suffering Seniors,'' ``Cash Cows--Underbanked File,'' and
``Bankruptcy Filers,'' among others.\257\ The information in these
lists has included ``both explicit and implied signals about consumer
financial behavior.'' \258\ In helping identify vulnerable targets for
scammers, these lists have helped to facilitate concrete financial
harms. For instance, the DOJ charged one data broker, Macromark, in
relation to its dissemination of such lists of potential victims for
fraudulent mass-mailing schemes.\259\ Macromark admitted that the lists
it provided to clients engaged in fraud resulted in losses to victims
of at least $9.5 million.\260\ The CFPB expects that the reduced
transmission of the four data types would likely benefit consumers by
making it more difficult to target people for such fraudulent schemes.
The CFPB requests comment on the potential benefit to consumers due to
reduced fraud as a result of the proposed rule.
---------------------------------------------------------------------------
\257\ CFPB Data Broker RFI, Comments of U.S. Public Interest
Research Group (PIRG) and Center for Digital Democracy (CDD), at 8,
Docket No. CFPB-2023-0020, Comment ID 2023-0020-3412 (July 2023),
https://www.regulations.gov/comment/CFPB-2023-0020-3412.
\258\ Id. at 9.
\259\ Press Release, Off. of Pub. Affs., U.S. Dep't of Just.,
List Brokerage Firm Pleads Guilty To Facilitating Elder Fraud
Schemes (Sept. 28, 2020), https://www.justice.gov/opa/pr/list-brokerage-firm-pleads-guilty-facilitating-elder-fraud-schemes.
\260\ Id.
---------------------------------------------------------------------------
In addition to these privacy gains, the CFPB expects consumers
would benefit through their ability, under the FCRA, to receive adverse
action notices and address inaccuracies in consumer reports sold by
entities that do not currently operate as consumer reporting agencies.
As a result of their ability to address and correct inaccuracies,
consumers may also benefit through improved outcomes in the decisions
that are made based on this more-accurate information. For example,
many risk mitigation services that are used to detect fraudulent
applications or suspicious activities at financial institutions will be
subject to the provisions in the FCRA designed to promote accuracy. To
the extent these services rely on information in the baseline from data
brokers that do not currently comply with the FCRA's accuracy
requirements, the improved accuracy of information subject to the FCRA
could increase the accuracy of such services. In turn, this could
reduce the number of consumers who are denied accounts or other access
to financial services as a result of decisions based on inaccurate
information used for risk mitigation.
Potential Benefits to Covered Persons of Provisions That Could Affect
Consumer Reporting Agency Coverage
Covered persons would benefit from provisions of the proposed rule
that could affect consumer reporting agency coverage through an
anticipated reduction in fraud and identity theft. For example, by
requiring many companies, such as data brokers, that currently sell one
of the four data types to comply with the FCRA, the CFPB expects the
risk of data being obtained by unauthorized parties and used to commit
fraud and identity theft to decrease. Therefore, covered persons,
such as banks, would benefit, as they typically face costs associated
with fraud and identity theft.
Potential Costs to Consumers of Provisions That Could Affect Consumer
Reporting Agency Coverage
Proposed Sec. 1022.4(c) would restrict the use of the four data
types to permissible purposes. The CFPB is not aware of consumer
products and services facilitated by the four data types for non-
permissible purposes or the extent that consumers may experience
increased costs and/or reductions in service. Similarly, proposed Sec.
1022.5(b) may increase costs for certain data aggregators, online
databases, and other entities that would satisfy the proposed consumer
reporting agency definition but do not currently comply with the FCRA.
Depending on other market factors, companies might pass through the
increase in input costs partially or in full to the price of consumer
products or services. It is also possible that consumers would incur
costs due to changes or reductions in services and products made
available by users of the current data. The CFPB requests comment on
the types of products and services, if any, that would be impacted and
on the expected impact to consumers.
Potential Costs to Covered Persons of Provisions That Could Affect
Consumer Reporting Agency Coverage
This proposed rule would have significant impacts on the business
models of firms that currently use the four data types for activities
not permitted under the FCRA. For instance, with certain exceptions,
entities that sell consumers' income data generally would be consumer
reporting agencies under the proposal, and thus generally would no
longer be permitted to sell such income information for use in
marketing. These users of the four data types would face costs
associated with finding alternative data to substitute into their
business models. To the extent that these alternatives are not as
effective as the four data types, these firms would potentially
experience decreased revenues. Alternatively, if users of the four data
types opt to try to continue using the four data types for non-
permissible purposes, they generally would need to rely upon the
written instructions provision in order to have a permissible purpose.
Thus, they would incur technological and legal costs to create systems
and procedures to obtain consumers' written instructions, as well as
ongoing costs associated with proving that they have obtained
consumers' written instructions in compliance with the proposed rule.
To the extent that consumers would be unwilling to provide their
written instructions to allow use of their consumer report data, these
firms would potentially experience decreased revenues.
One industry that would be particularly impacted by this proposal
is the digital advertising ecosystem. When consumers browse online,
they interface with programmatic advertisements that are bought and
sold individually via an automated, instantaneous auction process that
leverages data from a range of sources, including cookies, device IDs,
browsing history, demographics, and other personal data. There are a
variety of business types that help facilitate this digital ecosystem.
To the extent that any of these entities rely on the four data types,
they would generally qualify as consumer reporting agencies selling
consumer reports. Thus, these entities would generally be unable to
sell services that use this data for non-permissible purposes like
advertising. Given this, these entities could face impacts to their
businesses, such as costs associated with adjustments to targeting
algorithms to avoid using the four data types. To the extent that ad
algorithms not relying on the four data types are less effective at
targeting ads, entities may also experience a loss in revenues. In
particular, firms generally would no longer be able to provide the
service of specifically targeting ads to people based on their income
or financial tier.
Proposed Sec. 1022.5(b) addressing the phrase ``assembling or
evaluating'' could also impact data aggregators that provide
information or products, for non-permissible purposes, that involve
assembling or evaluating consumer information. To the extent data
aggregators engage in these activities, they may face costs associated
with adjusting their business practices to comply with the FCRA. The
CFPB does not have data on the extent to which data aggregators engage
in these practices, and requests comment on this issue.
In addition, entities that the proposed rule would clarify are
consumer reporting agencies under the proposed rule but that do not
currently comply with the FCRA would incur both one-time costs to
develop FCRA-compliant systems, processes, policies, and procedures, as
well as ongoing costs to maintain them. For example, such entities
would be required to comply with the FCRA's dispute resolution and
accuracy requirements. During the SBREFA process, small entity
representatives argued that investigating disputes, if and when they
were to arise, would be very costly due to increased staffing,
technical, and legal costs.\261\ Some data broker small entity
representatives asserted that they would face compliance costs so high
that they might cease operation.\262\ The CFPB does not have data
allowing it to quantify these one-time and ongoing costs and requests
comment on this issue.
---------------------------------------------------------------------------
\261\ Small Business Review Panel Report, supra note 40, at 17.
\262\ Id. at 19.
---------------------------------------------------------------------------
The FCRA includes a private right of action, so entities newly
considered to be consumer reporting agencies could incur costs related
to FCRA litigation. These entities would also face ongoing compliance
costs, for example those associated with ensuring that they are only
furnishing consumer reports for FCRA section 604 permissible purposes.
These entities would also likely need to retain personnel with
professional skills related to software development, general and
operational management, legal expertise, and customer support. The CFPB
does not have data indicating the magnitude of these costs and requests
comment on this issue.
Entities newly considered to be consumer reporting agencies would
face costs associated with credentialing and monitoring recipients'
actual use of the consumer reports that they furnish. The CFPB does not
have data indicating the magnitude of these costs and requests comment
on this issue.
Under the proposed rule, entities that provide data to other
entities that would newly be considered consumer reporting agencies
could, depending on the facts and circumstances, qualify as furnishers
subject to the FCRA. Furnishers would incur one-time costs to develop
FCRA-compliant systems, processes, policies, and procedures, as well as
ongoing costs to maintain them. Entities newly considered to be
furnishers could also experience increased legal expenses, to the
extent that they face litigation associated with disputes. Indeed,
furnishers would likely need to retain personnel with skills related to
software development, general and operational management, legal
expertise, and customer support. If the ongoing cost of furnishing in
compliance with the FCRA exceeds the benefits companies currently
receive from furnishing, those entities may cease furnishing
information to consumer reporting agencies.
Provisions Addressing What Constitutes a Consumer Report
The proposed rule would address when communications by consumer
reporting agencies constitute consumer reports. Proposed Sec.
1022.4(d) would provide that any communication by a consumer reporting
agency of a personal identifier for a consumer that was collected in
whole or in part by a consumer reporting agency for the purpose of
preparing a consumer report about the consumer (also known as ``credit
header'' information) is a consumer report, therefore limiting the sale
of this information to FCRA permissible purposes.
The three alternative versions of proposed Sec. 1022.4(e)
regarding de-identified information would effectively limit the sale of
aggregated or otherwise de-identified data derived from a consumer
reporting database by specifying when this information constitutes a
consumer report, and thus may only be sold for FCRA permissible
purposes.
Proposed Alternative One would provide that de-
identification of information is not relevant to a determination of
whether the definition of consumer report is met. This alternative
would mean that a consumer reporting agency's communication of consumer
report information would still constitute a consumer report even if the
consumer report information was de-identified.
Proposed Alternative Two would instead provide that de-
identification of information is not relevant to a determination of
whether the definition of consumer report is met if the data is
``linked or linkable'' to an individual consumer.
Proposed Alternative Three would provide that de-
identification of information is not relevant to a determination of
whether the definition of consumer report is met if at least one of the
specific conditions listed is met, including that the information is
``still linked or reasonably linkable'' to a consumer, is ``used to
inform a business decision about a particular consumer,'' or ultimately
is used to identify the consumer in practice. This proposed alternative
was designed to permit research using de-identified data so long as it
is not re-identified. The CFPB is requesting comment as to which
condition or combinations of conditions should be included in a final
rule consistent with that goal and whether any additional conditions
should be added if the third alternative approach is finalized.
Although Proposed Alternative One would technically be a more
stringent restriction on the use of de-identified consumer report
information than Proposed Alternative Two, because almost any data from
a consumer report could theoretically be linked to a consumer, the
ultimate impacts appear to be similar. Thus, Proposed Alternatives One
and Two would have qualitatively similar benefits and costs for
consumers and covered persons by eliminating a broad range of current
uses of de-identified consumer report information. For example,
Proposed Alternative One would prohibit researchers from government and
other reputable entities from obtaining de-identified consumer report
data for research on topics including the state of consumer finances,
as research is not an FCRA permissible purpose, and Proposed
Alternative Two would likely have a similar effect. In contrast,
Proposed Alternative Three generally would not prohibit researchers
from obtaining de-identified consumer report data for use in research,
and the CFPB requests comment on which conditions under this
alternative would allow for research to continue.
Potential Benefits to Consumers of Provisions Addressing What
Constitutes a Consumer Report
A consequence of the proposed definition of consumer report is that
additional information would be treated as having FCRA protections and
limitations on sharing as compared to the baseline. This would confer
privacy benefits to consumers similar to those discussed above
regarding clarifying which entities are consumer reporting agencies.
Defining personal identifiers obtained from a consumer reporting agency
as consumer report information, for example, would reduce the ability
of entities to share and sell that information and would likely have
the net effect of reducing the total amount of consumers' private
information available in the marketplace.
Reduction of this sensitive information in the marketplace, such as
contact information, including phone numbers, could have benefits for
consumers by decreasing the risk of these data being obtained by
unauthorized parties for uses that can harm consumers, such as for
fraudulent purposes. Though the CFPB does not have information to
quantify this reduction in risk, the FTC reported that consumers lost
$10 billion to fraud and scams in 2023, and that the second most
commonly reported contact method by scammers was contacting people by
phone, leading to the highest per person reported median loss of
$1,480.\263\ Certain consumer populations may experience distinct
impact from scammers. For example, elder fraud is a significant
subcategory of fraud that can be facilitated by the unauthorized use of
contact information. The FBI's Internet Crime Complaint Center (IC3)
reported that call center schemes overwhelmingly target older adults
and consumers over the age of 60 lost more to these scams than any
other age group.\264\ In 2023, ``total losses reported to the IC3 by
those over the age of 60 topped $3.4 billion, an almost 11% increase in
reported losses from 2022.'' \265\ To the extent that financial fraud
and identity theft are facilitated by such sensitive consumer
information from consumer reporting agencies, the CFPB expects that
limiting transmission of this information to permissible purposes would
reduce unauthorized access by fraudsters, which could reduce incidences
of fraud and the associated losses to consumers. The CFPB requests
information that can be used to quantify the expected changes in fraud
or identity theft related to this information.
---------------------------------------------------------------------------
\263\ See Press Release, Fed. Trade Comm'n, As Nationwide Fraud
Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the
Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public.
\264\ See Press Release, Fed. Bureau of Investigation Los
Angeles, U.S. Dep't of Just., FBI Releases 2023 Elder Fraud Report
with Tech Support Scams Generating the Most Complaints and
Investment Scams Proving the Costliest (May 2, 2024), https://www.fbi.gov/contact-us/field-offices/losangeles/news/fbi-releases-2023-elder-fraud-report-with-tech-support-scams-generating-the-most-complaints-and-investment-scams-proving-the-costliest.
\265\ See Fed. Bureau of Investigation, U.S. Dep't of Just.,
2023 Elder Fraud Report (Dec. 12, 2023), https://www.ic3.gov/AnnualReport/Reports/2023_IC3ElderFraudReport.pdf.
---------------------------------------------------------------------------
Reducing the flow of personal identifiers that are available for
purchase may also benefit consumers who may become targets for doxing,
stalking, harassment, or violence as a result of their contact
information being made available by data brokers. These include
consumers who are targeted for their profession, such as abortion care
providers, military service members, judges, prosecutors, police
officers, and other members of law enforcement.\266\
Additionally, a DOJ report found that about 3.4 million people aged 16
or older were victims of stalking in 2019,\267\ and a study by the
National Network to End Domestic Violence found that over half of
victim service agencies surveyed reported that they work with victims
whose stalker used public information gathered online to stalk
them.\268\ The survey did not specify if the information was obtained
through data brokers but previous court cases have documented how a
stalker can use data broker services to locate and harm their
victims.\269\ While it is difficult to quantify the costs to consumers
who experience these harms, stalking can cause victims to experience
``higher rates of depression, anxiety, insomnia and social dysfunction
than people in the general population.'' \270\ Given that, at baseline,
consumers' personal information is widely proliferated and sold online,
sometimes for as little as $0.95 per record,\271\ the CFPB expects the
use of this data for stalking, harassment, and doxing would be reduced
under the proposed rule to the extent that sensitive personal
identifiers from consumer reports are being used to facilitate these
activities in the baseline. The CFPB requests information that can be
used to quantify the benefits to consumers as it relates to these data
and any reduction in these harms.
---------------------------------------------------------------------------
\266\ See CFPB Data Broker RFI, Comment from Digital Defense
Fund, The National Network of Abortion Funds, and Apiary for
Practical Support (July 17, 2023), CFPB Data Broker RFI, Comment ID
2023-0020-3946, https://www.regulations.gov/comment/CFPB-2023-0020-3946; Herbert B. Dixon & James L. Anderson, The Evolving Nature of
Security Threats to Judges, Am. Bar Ass'n (Aug. 4, 2023), https://www.americanbar.org/groups/judicial/publications/judges_journal/2023/summer/evolving-nature-security-threats-to-judges/; Esther
Salas, My Son Was Killed Because I'm a Federal Judge, N.Y. Times
(Dec. 8, 2020), https://www.nytimes.com/2020/12/08/opinion/esther-salas-murder-federal-judges.html.
\267\ Rachel E. Morgan & Jennifer L. Truman, Bureau of Just.
Stat., U.S. Dep't of Just., Stalking Victimization, 2019 (Feb.
2022), https://www.justice.gov/d9/2023-06/2022%20Report%20to%20Congress%20on%20Stalking.pdf.
\268\ See Safety Net Project, New Survey: Technology Abuse &
Experiences of Survivors and Victim Service Agencies, Nat'l Network
to End Domestic Violence (Apr. 29, 2014), https://www.techsafety.org/blog/2014/4/29/new-survey-technology-abuse-experiences-of-survivors-and-victim-services.
\269\ See, e.g., Remsburg v. Docusearch, Inc., No. Civ. 00-211-
B, 2002 WL 844403, at *2-3 (D.N.H. Apr. 25, 2002).
\270\ Stalking Prevention, Awareness, and Resource Center,
Stalking Fact Sheet (Jan. 2019), https://www.stalkingawareness.org/wp-content/uploads/2019/01/SPARC_StalkngFactSheet_2018_FINAL.pdf.
\271\ See, e.g., Justin Sherman, People Search Data Brokers,
Stalking, and `Publicly Available Information' Carve-Outs, The
Lawfare Inst. (Oct. 30, 2023), https://www.lawfaremedia.org/article/people-search-data-brokers-stalking-and-publicly-available-information-carve-outs.
---------------------------------------------------------------------------
Likewise, clarifying that consumer information that has been de-
identified, whether through aggregation or other means, may constitute
a consumer report additionally could limit the sharing and sale of
consumers' data relative to baseline. Aggregation and other methods
have been longstanding approaches to preventing the disclosure of
information linked to a specific individual that can be used to
identify a consumer, even among government agencies.\272\ However,
recent research has illuminated how even carefully aggregated data may
still present a risk of being identified, depending on the context. For
example, research from the U.S. Census Bureau has shown how information
linked to specific individuals can at times be obtained from publicly
available aggregate-level information.\273\ In many other examples,
researchers have been able to re-identify individuals from seemingly
de-identified data.\274\ To the extent that consumers can be re-
identified from the aggregated or otherwise de-identified data
currently derived from consumer reporting databases at baseline, the
proposed rule may benefit consumers by reducing the amount of personal
information obtained about them. The benefits would be similar to those
discussed above related to the overall reduction in the supply of
consumer information. The CFPB does not have data to quantify these
benefits to consumers and requests information and comment on these
issues.
---------------------------------------------------------------------------
\272\ Report on Statistical Disclosure Limitation Methodology,
Fed. Comm. on Stat. Methodology (Exec. Off. of the President of
U.S., OMB, Working Paper No. 22, Dec. 2005), https://nces.ed.gov/FCSM/pdf/SPWP22_rev.pdf.
\273\ John M. Abowd & Michael B. Hawes, 21st Century Statistical
Disclosure Limitation: Motivations and Challenges, at 8 (U.S. Census
Bureau, Working Paper No. ced-wp-2023-002, Mar. 03, 2023), https://www.census.gov/library/working-papers/2023/adrm/ced-wp-2023-002.html.
\274\ See, e.g., Jane Henriksen-Bulmer & Sheridan Jeary, Re-
identification attacks--A systemic literature review, 36(6)(B) Int'l
J. of Info. Mgmt. (Dec. 2016), https://www.sciencedirect.com/science/article/abs/pii/S0268401215301262.
---------------------------------------------------------------------------
Providing that communications of personal identifiers by consumer
reporting agencies are consumer reports would also benefit consumers by
confirming they have protection under the FCRA when personal
identifiers are used to make certain decisions that bear on them. For
example, personal identifiers are purchased from consumer reporting
agencies by data brokers in order to provide end users with identity
verification services designed to prevent financial fraud. When these
entities rely on outdated personal identifiers or otherwise introduce
inaccuracies into these data, it could result in false positives that
can impact a consumer's access to financial products and services. In
recent years, reports of financial fraud have increased along with
reports of increased account closures (``debanking'') and denial of
services to consumers.\275\ Additionally, consumers who are denied
financial services may turn to other more costly financial
alternatives, such as check cashing, or miss out on the benefits of
building credit.\276\ By providing that communications of personal
identifiers on their own by consumer reporting agencies are consumer
reports, the proposed rule would apply the FCRA's accuracy provisions
to data brokers who receive personal identifiers from consumer
reporting agencies to provide risk mitigation services. While the CFPB
does not have data to quantify the impact that inaccurate information
plays in the decisions resulting from risk mitigation services provided
by such data brokers, the CFPB expects that by improving the accuracy
of such information, the proposed rule could mitigate the associated
harms of such decisions based on inaccurate information. The CFPB
requests comment on the role personal identifiers play in risk
mitigation services and the associated impacts for consumers.
---------------------------------------------------------------------------
\275\ See, e.g., Press Release, Fed. Trade Comm'n, As Nationwide
Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to
Protect the Public (Feb. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/02/nationwide-fraud-losses-top-10-billion-2023-ftc-steps-efforts-protect-public; Tara Siegel Bernard & Ron
Lieber, Banks Are Closing Customer Accounts, With Little
Explanation, N.Y. Times (Apr. 8, 2023), https://www.nytimes.com/2023/04/08/your-money/bank-account-suspicious-activity.html;
Kristine Lazar, On Your Side: Bank customers report unexpected
account closures, CBS News (July 17, 2023), https://www.cbsnews.com/losangeles/news/on-your-side-bank-customers-report-unexpected-account-closures/.
\276\ Tyler Desmond & Charles Sprenger, Estimating the Cost of
Being Unbanked, Fed. Rsrv. Bank of Boston (Spring 2007), https://www.bostonfed.org/-/media/Documents/cb/PDF/article9.pdf.
---------------------------------------------------------------------------
In addition, users of reports consisting solely of personal
identifiers purchased from consumer reporting agencies would be
required to send adverse action notices to consumers in situations
where an adverse action is taken against a consumer based on the
information. Consumers would benefit from receiving such adverse action
notices to the extent that it alerts them to potentially incorrect
information and their right to dispute such information, and prompts
them to address adverse actions that may have resulted, such as denial
of government benefits or bank accounts due to an inability to verify
the identity of the consumer. The CFPB does not have data to quantify
how often users of personal identifiers provide adverse action notices
based on this information at baseline and requests comment on these
issues.
Potential Benefits to Covered Persons of Provisions Addressing What
Constitutes a Consumer Report
Many financial institutions use risk mitigation services provided
by data brokers to detect fraudulent applicants and suspicious activity
to reduce the cost of fraud against the financial institution, or fraud
against consumers that the financial institution must cover pursuant to
the Electronic Fund Transfer Act or payment network rules. The proposed
rule would ensure the FCRA's protections apply to these risk mitigation
services if the data broker purchased personal identifiers from the
consumer reporting agencies. These data brokers would be required to
comply with FCRA provisions applicable to consumer reporting agencies,
including the legal requirement to maintain policies and procedures to
assure maximum possible accuracy.\277\ In addition, consumers would
receive greater notice and ability to dispute inaccurate personal
identifiers used for risk mitigation purposes if proposed Sec.
1022.4(d) is finalized. To the extent that correction of inaccurate
reports increases as a result of the proposed rule, covered persons
that rely on these services would benefit from the improved accuracy of
risk mitigation. For example, financial institutions that use data
brokers that purchase personal identifiers from consumer reporting
agencies for identity verification services would have better
information to detect fraudulent applications. By improving the
accuracy of information used for risk mitigation, the CFPB also expects
the proposed rule to reduce costs to financial institutions, which
currently expend resources, incur fraud losses, or may lose business
due to decisions resulting from inaccurate data used in risk mitigation
in the baseline.\278\ The CFPB does not have data to quantify these
benefits and requests information and comment on these issues.
---------------------------------------------------------------------------
\277\ 15 U.S.C. 1681e.
\278\ David Vergara, The banking industry's multi-billion dollar
fraud problem and how to solve it, Bank Admin. Inst. (Jan. 16,
2019), https://www.bai.org/banking-strategies/the-banking-industrys-multi-billion-dollar-problem/.
---------------------------------------------------------------------------
The CFPB does not anticipate that any covered persons would benefit
from any of the three alternative versions of proposed Sec. 1022.4(e).
Potential Costs to Consumers of Provisions Addressing What Constitutes
a Consumer Report
Regarding proposed Sec. 1022.4(d), at baseline, personal
identifiers from consumer reporting agencies are used in a variety of
activities, some of which involve FCRA permissible purposes and some of
which do not. Personal identifiers from consumer reporting agencies are
used for risk mitigation activities, such as identity verification and
fraud prevention, which overlap but can be distinct from each other.
Generally, entities will have a permissible purpose to purchase
personal identifiers from consumer reporting agencies for risk
mitigation services on current or prospective customers, either because
there is an applicable permissible purpose or the user is able to
obtain the consumer's written instruction. The CFPB requests comment on
the extent to which risk mitigation strategies and services that use
personal identifiers from consumer reporting agencies could be impacted
under the proposal and subsequent impacts on consumers.
In some instances, law enforcement agencies purchase personal
identifiers from consumer reporting agencies via data brokers. However,
law enforcement currently obtains personal identifiers from a broad
range of other sources, and proposed Sec. 1022.4(d) would not affect
many of these sources.\279\ If law enforcement is able to obtain
necessary information pursuant to these other sources, or through other
sources that are not subject to the FCRA, the CFPB expects the impacts
of the proposed rule on law enforcement would be small and seeks
comment on whether there would be any subsequent impacts to consumers.
Furthermore, as noted above, the CFPB is requesting comment on a
potential exemption from proposed Sec. 1022.4(d) for communications
consisting exclusively of personal identifiers that are solely
furnished to, or solely used to furnish to, local, Tribal, State, or
Federal governments, which would likely ameliorate this impact.
---------------------------------------------------------------------------
\279\ See supra pp. 4-6, Part I: Summary of the Proposed Rule.
---------------------------------------------------------------------------
Consumers could also face impacts related to use of de-identified
data by entities that develop and test financial models if the first or
second alternative version of proposed Sec. 1022.4(e) is finalized.
For example, financial institutions and other entities use de-
identified consumer reporting agency data to develop, test, and
validate credit, fraud, and similar risk-management models (such as
VantageScore and FICO scores), develop and test products, manage credit
portfolios, and for other purposes. While existing risk-management
scores that have already been developed could still be used if the
proposed rule were finalized, without access to de-identified consumer
report data, entities would be unable to test and improve such scores
as they currently do. Similarly, entities attempting to develop new
models would not be able to do so using de-identified consumer report
data. To the extent that risk-management scores created without access
to de-identified consumer report data are less accurate in predicting
consumers' ability to repay than existing scores, there could be
downstream effects on processes and products that rely upon such
metrics. While financial institutions would be able to rely on consumer
reporting agencies, particularly nationwide consumer reporting
agencies, to develop risk-management scores, reduced competition in
developing risk-management scores could impose costs on consumers in
the form of higher prices and less accurate scores. Small entity
representatives noted during the Small Business Review Panel that, if
creditors could not use de-identified data for their own models, they
would need to tighten their credit policies or increase pricing, both
of which would harm consumers, particularly those who do not have
access to traditional financial products and services.\280\ The CFPB
requests information on the potential impacts to risk-management models
and the subsequent impacts to consumers.
---------------------------------------------------------------------------
\280\ Small Business Review Panel Report, supra note 40, at 25.
---------------------------------------------------------------------------
Consumers may also lose benefits from research, policymaking, or
market monitoring activities that rely on de-identified information.
Currently, consumer reporting agencies regularly sell de-identified
information from their consumer reporting databases to government
agencies, nonprofits, and academic institutions to facilitate research.
Research using de-identified consumer report information has become
increasingly common, as it allows policymakers to identify current
trends in consumer welfare and identify emerging financial risks to
consumers. For example, the CFPB uses its Consumer Credit Information
Panel (CCIP), a comprehensive, national 1-in-50 longitudinal sample of
de-identified credit records, sourced from one of the three nationwide
consumer reporting agencies, to conduct economic research, monitor
financial markets, and inform rulemakings that support consumers in the
financial marketplace. Similarly, the CFPB and FHFA jointly fund and
manage the National Mortgage Database (NMDB), a de-identified
nationally representative five percent sample of closed-end first-lien
residential
mortgages in the United States.\281\ The FHFA not only relies on the
NMDB to fulfill its mandate to conduct a monthly mortgage market survey
but also uses the database to benefit consumers through activities such
as evaluating impacts of borrower counseling and loan modification
programs.\282\ Many nonprofits (e.g., Eviction Lab, Urban Institute,
FinRegLab) and academic institutions (e.g., University of California,
Indiana University) use similar de-identified data from the nationwide
consumer reporting agencies to conduct research on a wide array of
topics, such as the effect of government policies on consumer access to
credit.\283\
---------------------------------------------------------------------------
\281\ Fed. Hous. Fin. Agency, National Mortgage Database
Program, https://www.fhfa.gov/programs/national-mortgage-database-program (last visited Oct. 15, 2024). The core data in NMDB is de-
identified data drawn from the files of Experian, one of the three
national credit bureaus. Fed. Hous. Fin. Agency, Technical Report 1:
National Mortgage Database Technical Documentation, at 1-2 (Dec. 28,
2022), https://www.fhfa.gov/sites/default/files/documents/NMDB-Technical-Documentation-20221228.pdf.
\282\ 12 U.S.C. 4544(c)(1); see also Fed. Hous. Fin. Agency,
National Mortgage Database Program, https://www.fhfa.gov/programs/national-mortgage-database-program (last visited Oct. 15, 2024).
\283\ Univ. of Cal. Consumer Credit Panel (UC-CCP), California
Policy Lab, https://www.capolicylab.org/data-resources/university-of-california-consumer-credit-panel/ (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
Under the first alternative version of proposed Sec. 1022.4(e),
government agencies, nonprofits, and academic institutions would
generally no longer be able to obtain de-identified data from consumer
reporting databases and numerous other sources, as they do not
generally have an FCRA permissible purpose to do so; the second
alternative would have similar effects where the de-identified data is
linkable back to individual consumers. To the extent that consumers
currently benefit from such research, consumers would face costs
associated with its prohibition under the first and second proposed
alternatives.
Depending on which conditions are finalized and how they are
implemented, the third alternative could also impact government
agencies' and other researchers' ability to engage in research
practices that use de-identified data from consumer reporting agencies
going forward. To the extent that consumers and covered persons receive
value from these research activities that use de-identified information
from consumer reporting databases, a version of the de-identified data
provision that would prohibit these practices would impose costs on
consumers by eliminating the benefits of that research. The CFPB
requests information on the potential impacts to research activities
and the subsequent impacts to consumers.
Potential Costs to Covered Persons of Provisions Addressing What
Constitutes a Consumer Report
The provisions relating to personal identifiers and de-identified
data purchased from consumer reporting agencies could reduce the
ability of consumer reporting agencies to sell current products or
services, potentially reducing their revenues. For example, consumer
reporting agencies sell de-identified consumer report data to
government agencies, nonprofits, and academic institutions for use in
research and policy work, as well as to financial institutions and
other entities for a variety of finance-related modeling purposes.
Revenues from such sales could be reduced or eliminated, depending on
the version of the de-identified data provision that is finalized. The
CFPB is aware that some nationwide consumer reporting agencies sell
personal identifiers and de-identified consumer report information but
does not have information to determine the extent to which other
entities that meet the definition of consumer reporting agency engage
in similar practices.
Additionally, entities that currently use de-identified consumer
report data for credit and other financial models could face impacts
and costs associated with the loss of or change to this data access,
such as those noted in the above discussion on costs to consumers.
Examples of costs include, but are not limited to, operational costs to
adjust their processes and models, costs associated with finding
alternative data, and potential business and revenue impacts to the
extent these changes are not as effective as the current models that
use de-identified consumer report data. The CFPB requests information
from entities on the use cases of de-identified data for these purposes
and the potential impacts on entities of the alternatives under
consideration.
Some data brokers that purchase personal identifiers from consumer
reporting agencies for resale would themselves be considered consumer
reporting agencies. Those firms would have similar additional costs as
described above in the section pertaining to costs to covered persons
of provisions that could affect consumer reporting agency coverage. For
example, these firms would be subject to FCRA compliance requirements
for how consumer report information can be used and distributed. The
CFPB requests information and comment that can be used to quantify
potential revenue losses and compliance costs to these entities.
Some consumer reporting agencies sell personal identifiers to
financial institutions for their in-house risk mitigation activities,
including identity verification or fraud detection, or to users who
provide risk mitigation services to financial institutions. For
example, financial institutions use credit header data for identity
verification when a consumer applies for a loan, opens a checking
account, or applies for a credit limit increase.\284\ Users of personal
identifiers for identity verification services could continue to obtain
identifying information drawn from a consumer reporting database if
they have an FCRA permissible purpose. For example, if an entity has a
permissible purpose under FCRA section 604(a)(3) to obtain a consumer
report, a consumer reporting agency could provide that entity with a
consumer report for identity verification conducted in connection with
that permissible purpose (such as a creditor seeking to confirm the
identity of an applicant in connection with a loan application). In
other cases, users could obtain a consumer's written instructions.
However, the CFPB received feedback from the Small Business Review
Panel that obtaining written instructions might lead to increased
operational costs, slow down consumer-initiated transactions, or cause
confusion among customers.\285\ The CFPB does not have information to
quantify these potential costs but preliminarily determines that some
of the cost to entities that would rely on the written instructions
permissible purpose could be minimized by obtaining a consumer's
written instructions electronically. The CFPB requests comment on this
issue.
---------------------------------------------------------------------------
\284\ Small Business Review Panel Report, supra note 40, at 22.
\285\ Id. at 23.
---------------------------------------------------------------------------
If the proposal is finalized, consumer reporting agencies would
generally not be able to provide personal identifiers that they collect
for the purpose of preparing consumer reports to entities that want to
use the information for identity verification in connection with a
transaction that is not a permissible purpose, absent written
instructions from the consumer. Given that identity verification is
primarily conducted by entities on their customers or prospective
customers who submit an application to the entity, the CFPB expects
that many users of personal identifiers from consumer reports will be
able to obtain written instructions in
the absence of other permissible purposes, thus mitigating impacts on
their use. However, in cases where an entity that would otherwise use
personal identifiers from consumer reporting agencies for risk
mitigation services does not have a permissible purpose and does not
obtain a consumer's written instructions, the user could face costs
such as identifying and integrating alternative sources of personal
identifiers for identity verification if the proposed rule is
finalized. If these users fail to identify suitable alternative data
sources, impacted entities might instead require consumers to take
additional validation steps before they approve an action. These
additional validation steps may impose costs on impacted entities, such
as operational costs to conduct additional checks, the cost of
acquiring additional verification tools, and potential loss of consumer
transactions or relationships related to the increased friction imposed
on a consumer. The CFPB is requesting comment on whether there are
entities that conduct identity verification without a permissible
purpose or the ability to obtain written instructions (such as data
brokers that use personal identifiers purchased from consumer reporting
agencies to perform risk mitigation services on behalf of companies
regarding consumers who are not the companies' customers) and if so,
what impact this rule would have on those services and what obstacles
or costs may be associated with obtaining suitable alternatives from
other sources (such as directly from financial institutions).
Debt collectors may also use data brokers that purchase personal
identifiers from consumer reporting agencies to locate consumers to
collect unpaid debts on credit accounts at baseline. If the personal
identifier proposal is finalized, debt collectors collecting on such
credit accounts could continue to use personal identifiers purchased
from consumer reporting agencies in compliance with the FCRA under FCRA
section 604(a)(3)(A). The CFPB received feedback from the Small
Business Review Panel that some debt collectors would increase reliance
on litigation as a collection tool.\286\ Since collecting on a credit
account is a permissible purpose under the FCRA, the CFPB does not have
information on the likelihood of debt collectors changing collection
approaches or other costs related to the rule and requests comment.
---------------------------------------------------------------------------
\286\ Small Business Review Panel Report, supra note 40, at 24.
---------------------------------------------------------------------------
Provisions To Reduce the Use of Consumer Report Information for
Marketing and Advertising
The proposed rule includes provisions intended to further the
FCRA's general prohibition on the use of consumer report information
for marketing and advertising without a permissible purpose, i.e.,
without compliance with the FCRA's prescreening provisions set out in
FCRA section 604(c) or the consumer's written instructions under FCRA
section 604(a)(2). Under proposed Sec. 1022.10(b)(2), if a consumer
reporting agency facilitates a third party's use of consumer report
information for that person's financial gain, regardless of whether
such information is transmitted to the third party, the consumer
reporting agency has furnished the consumer report to a third party for
purposes of FCRA section 604 and proposed Sec. 1022.10(a). In
addition, proposed Sec. 1022.12(b)(3) would highlight that the
legitimate business need permissible purpose in FCRA section
604(a)(3)(F) does not authorize use of consumer report information for
marketing. Given that proposed Sec. 1022.12(b)(3) does not change the
baseline, the CFPB does not anticipate any significant impacts of this
provision. Additionally, while not the focus of this analysis, proposed
Sec. 1022.4(e) regarding when de-identified consumer information
constitutes a consumer report, discussed above, may also deter the use
of consumer report information for marketing and advertising without a
permissible purpose.
Potential Benefits to Consumers of Provisions To Reduce the Use of
Consumer Report Information for Marketing and Advertising
To the extent that entities rely on consumer reporting agencies to
facilitate their use of consumer report information to target marketing
to consumers without receiving such information and without a
permissible purpose, the proposed rule would prevent such marketing.
Specifically, the proposals would cause consumer reporting agencies to
cease facilitating advertisers' ability to target ads based on consumer
report information, except in limited circumstances (i.e., with
consumer authorization or under the limited circumstances permitted by
the FCRA for firm offers of credit or insurance). While companies may
instead use alternative data that could proxy for consumer report
information so as to avoid FCRA restrictions, alternative data may be
prohibitively expensive or of lower quality.\287\ To the extent that
companies fail to identify suitable proxies for consumer report
information, the proposed rule could reduce the amount of targeted
marketing presented to consumers.
---------------------------------------------------------------------------
\287\ See, e.g., Eric Farkas, How accurate third-party data
leads the way for advertisers, Experian (Jan. 5, 2024), https://www.experian.com/blogs/marketing-forward/how-accurate-third-party-data-leads-the-way-for-advertisers/.
---------------------------------------------------------------------------
Reductions in targeted marketing and advertising based on consumer
report information could result in benefits to consumer privacy. Some
existing research suggests that consumers can find targeted advertising
intrusive and may even respond negatively if the targeting is made more
salient.\288\ Researchers have also found evidence that consumers value
the European Union's General Data Protection Regulation's right to
object to profiling provision, which provides consumers a limited
ability to object to companies using their personal data for marketing
purposes.\289\ To the extent consumers find targeted advertising based
on consumer report information intrusive, then consumers may benefit
from any reduction in this type of targeted marketing stemming from the
proposed rule.
---------------------------------------------------------------------------
\288\ Avi Goldfarb & Catherine Tucker, Online Display
Advertising: Targeting and Obtrusiveness, 30(3) Mktg. Sci. (Feb. 9,
2011), https://pubsonline.informs.org/doi/10.1287/mksc.1100.0583.
\289\ Maciej Sobolewski & Michal Palinski (2017), How much
consumers value on-line privacy? Welfare assessment of new data
protection regulation (GDPR) (Univ. of Warsaw, Faculty of Econ.
Sci., Working Papers No. 17/2017 (246) 2017), https://www.wne.uw.edu.pl/files/7915/1505/9038/WNE_WP246.pdf.
---------------------------------------------------------------------------
It is also possible for marketing based on consumer report
information to negatively impact consumers. For example, targeted
marketing based on financial characteristics, such as income, credit
score, or payment of debts, might enable the targeting of consumers in
financial distress with advertisements for predatory products and
services, which may result in financial or other harms to consumers.
Firms could also use consumer report information, for example, to
target only expected higher-income consumers and prevent lower-income
consumers from seeing advertisements for products that may benefit
them. To the extent the proposed provisions affect targeted advertising
based on these types of characteristics, the proposed rule may benefit
consumers. Consistent with the discussion above about price
discrimination, advertising based on income or financial tier can lead
to consumers being offered products at prices closer to the consumer's
willingness to pay, resulting in higher
revenue for companies but lower consumer surplus. The CFPB requests
information that can be used to quantify these potential benefits to
consumers of reductions in marketing and advertising based on consumer
report information, as well as information that can be used to quantify
the amount of marketing or advertising presented to consumers that
depends on consumer reporting agencies facilitating use of consumer
report information.
Potential Benefits to Covered Persons of Provisions To Reduce the Use
of Consumer Report Information for Marketing and Advertising
The CFPB does not anticipate that any covered persons would benefit
from the provisions in the proposed rule intended to reduce the use of
consumer report information for marketing and advertising.
Potential Costs to Consumers of Provisions To Reduce the Use of
Consumer Report Information for Marketing and Advertising
To the extent that the proposed provisions impact targeted
advertising or marketing by reducing companies' ability to rely on
consumer report information, such as income and financial tier, for
targeted marketing, they may impose some costs on consumers. For
consumers, advertising can serve an informative purpose.\290\ In
targeting consumers based on personalized information (including
consumer report information such as income or financial tier) for
profit-maximizing purposes, companies may be informing certain
consumers of products or discounts that they would be interested in,
and potentially would not have known about otherwise. While the
proposed rule would not prohibit companies from using targeting
algorithms, the reduced ability to rely on consumer report information
for targeted marketing could reduce the amount and usefulness of the
marketing consumers receive. However, these potential costs to
consumers would be small if targeted marketing based on consumer report
information currently has limited value for consumers. The CFPB is not
aware of research that examines whether using consumer report
information specifically in targeting algorithms affects the amount and
degree to which ads meet consumer preferences. Existing empirical
research concerning the value of targeted marketing, in general, to
consumers is mixed.\291\ The CFPB does not have information to quantify
the value to consumers of targeted advertising that uses consumer
report information, or the change in value that could result if this
use were to cease under the proposed rule, and requests information on
the potential impact to consumers.
---------------------------------------------------------------------------
\290\ See, e.g., Yehuda Kotowitz & Frank Mathewson, Informative
Advertising and Welfare, 69(3), The American Econ. Review 284 (June
1979), https://www.jstor.org/stable/1807364.
\291\ See, e.g., Erik Brynjolfsson et al., The Consumer Welfare
Effects of Online Ads: Evidence from a 9-year Experiment (NBER
Working Paper No. 32846, Aug. 2024), https://www.nber.org/papers/w32846; Eduardo Schnadower Mustri et al., Behavioral Advertising and
Consumer Welfare, Soc. Sci. Rsch. Network (Mar. 23, 2023), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4398428; Navdeep S.
Sahni & Charles Zhang, Are Consumers Averse to Sponsored Messages?
The Role of Search Advertising in Information Discovery, Stanford
Univ. Graduate Sch. of Bus. Rsch. Paper No. 3441786 (Mar. 27, 2022),
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3441786.
---------------------------------------------------------------------------
By providing that the FCRA prohibits consumer reporting agencies
from facilitating a third party's use of consumer report information
for financial gain without a permissible purpose, the proposed rule
would also impact some surveys. Since academics, nonprofit
organizations, and government agencies do not conduct or sponsor
surveys for financial gain, their use of consumer reporting agencies to
facilitate surveys would not be prohibited, and consumers would
continue to benefit from research that relies upon these types of
surveys. However, to the extent that consumers benefit from surveys
that rely on or elicit consumer report information and are conducted
for financial gain, consumers would face reduced benefits associated
with their prohibition. While it is likely that entities would simply
cease relying on consumer reporting agencies to facilitate surveys
rather than abandon the surveys entirely, this could reduce the
efficacy of such surveys, and in turn, reduce their value to consumers.
The CFPB requests comment on the extent to which consumers benefit from
surveys facilitated by consumer reporting agencies for a person's
financial gain.
The CFPB requests information that can be used to quantify these
costs to consumers, as well as comment on whether there are additional
use cases outside of targeted marketing and research that one would
expect to be impacted by the proposed rule.
Potential Costs to Covered Persons of Provisions To Reduce the Use of
Consumer Report Information for Marketing and Advertising
There are several ways in which consumer reporting agencies would
lose revenues under the provisions of the proposed rule related to
marketing. If the provision clarifying that furnishing includes
facilitating a person's use of a consumer report for financial gain is
finalized, consumer reporting agencies would forgo revenues that they
previously could have generated from certain activities, such as
facilitating marketing or conducting surveys that rely upon consumer
report information on behalf of other entities for those entities'
financial gain. In addition to lost revenue, consumer reporting
agencies could incur costs of compliance associated with changing
processes, policies, and procedures related to these activities if the
provision is finalized. The proposed provisions are expected to have
fewer impacts on consumer reporting agencies that do not at baseline
engage in these activities. The CFPB requests comment on these issues,
especially data that can be used to quantify these potential losses in
revenue, such as data on the sales of consumer report information that
would be affected by the proposed provisions.
Companies may also incur costs due to the proposed provisions
pertaining to marketing and advertising. Companies target ads for a
variety of purposes, including to build an applicant pool or customer
base meeting certain criteria, or to increase the percentage of ads
that lead to customer acquisition or purchases. Companies generally use
a variety of advertising methods to increase customer volume at the
lowest customer acquisition cost possible. In the modern economy,
targeted digital ads using consumer data are one method for doing so,
along with contextual digital ads, behavioral digital ads, physical
mailings, email, texts, telemarketing, television, billboards, radio,
podcasts, and other ad types. This proposed rule could impact the
efficacy of digital advertising by preventing consumer reporting
agencies from facilitating companies' use of consumer report
information, such as that pertaining to income or financial tier, in
the design and development of targeting algorithms, which is not a
permissible purpose. The CFPB is not aware of research demonstrating
whether, and the degree to which, the inclusion of consumer report data
like income or financial tier in targeting algorithms increases
customer acquisition efficiency. But in theory, the proposed rule may
result in a higher customer acquisition cost for firms with a heavier
reliance on digital advertising (in particular targeted marketing based
on surveillance data, as opposed to contextual or behavioral ads) and
with
a target audience in specific subgroups defined by certain consumer
report information. Having said that, as noted above, targeted
advertising based on consumer data would remain viable with the many
other variables available to advertisers, so the impact on customer
acquisition cost for even those firms would likely be limited.
In recent years, large firms such as Google and Apple,\292\ and
some States (e.g., California, Colorado, Connecticut, Virginia, and
Utah) have considered or have implemented changes to strategies and
policies related to consumer privacy. While the proposed provisions
would specifically affect targeted advertising based on consumer report
information, companies' prior adjustments to industry and State-level
changes could potentially mitigate the additional costs that they may
incur if this proposed rule is finalized. Some companies may choose to
instead rely on written instructions as a means of obtaining consumer
reports for marketing or advertising purposes, which could increase
paperwork and processes associated with requesting consumer
information, or to comply with the FCRA's prescreening provisions. The
CFPB requests data and information that can be used to estimate the
potential revenue losses or additional costs that may be incurred by
companies that would be affected by the proposals.
---------------------------------------------------------------------------
\292\ Tim Bajarin, Apple's Do Not Track Me Rules Are Having
Significant Impact On Digital Advertising, Forbes (July 26, 2022),
https://www.forbes.com/sites/timbajarin/2022/07/26/apples-do-not-track-me-rules-are-having-significant-impact-on-digital-advertising/.
---------------------------------------------------------------------------
Provisions Clarifying the Responsibilities of Consumer Reporting
Agencies
The proposed rule would clarify certain responsibilities of
consumer reporting agencies. Proposed Sec. 1022.11 would clarify the
conditions that must be met for a consumer reporting agency to furnish
or a person to obtain a consumer report in accordance with the written
instructions of the consumer, including consumer disclosure and consent
requirements, and limitations on procurement, use, and retention of
consumer reports, including that such activities must be reasonably
necessary to provide the product or service the consumer requested or
the specific use identified by the consumer. Proposed Sec. 1022.11
would also provide that a consumer reporting agency furnishes a
consumer report in accordance with the written instructions of the
consumer if the report is furnished to a person that is an authorized
third party under subpart D of the PFDR Rule.
Proposed Sec. 1022.12(b)(2) would provide examples of the types of
transactions that would and would not establish a consumer-initiated
transaction for purposes of the legitimate business need permissible
purpose in FCRA section 604(a)(3)(F). For instance, the proposal
clarifies that a consumer does not initiate a business transaction for
purposes of the legitimate business need permissible purpose by
inquiring about the availability or pricing of products or services.
Potential Benefits to Consumers of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
Proposed Sec. Sec. 1022.11 and 1022.12(b) would enhance consumer
protections by limiting the risk of unauthorized use and sharing of
consumer report information. The written instructions permissible
purpose in proposed Sec. 1022.11 provides this benefit in several
ways. First, by limiting the permissible purpose to users who will
obtain, use, and retain a consumer report only as reasonably necessary
to provide a product or service or use requested by a consumer,
consumers are protected from unknowingly agreeing to uses of their
consumer report that they do not want. Indeed, by providing that users
may only share a consumer report as reasonably necessary for these
purposes, the proposal would decrease the chance that the information
would be obtained by unauthorized or unanticipated users, including
through data leaks.\293\ Next, by requiring consumer reporting agencies
or consumer report users to disclose key information to consumers
concerning the requested written instructions, the proposal would
enable consumers to make informed decisions as to how their consumer
report information is used. In addition, by limiting the duration for
which a consumer's written instructions provide a permissible purpose
to up to one year, the proposed rule would allow consumers to provide
standing instructions to furnish consumer reports where required to
provide the requested product or service but would provide a check
against consumer reports being furnished for longer periods of time
than the consumer needs or wants. The CFPB does not have data that
would allow it to quantify how much consumers would benefit from these
additional protections.
---------------------------------------------------------------------------
\293\ See supra note 85.
---------------------------------------------------------------------------
Similarly, proposed Sec. 1022.12(b)(2), which clarifies the
legitimate business need permissible purpose, could benefit consumers
by minimizing the risk of unauthorized information sharing and reducing
market-based harms to consumers. The CFPB is concerned that some
companies could impermissibly obtain consumer reports before a consumer
initiates a business transaction, which could lead to the consumer
report being used to make decisions about the consumer in ways not
authorized by the FCRA. For example, in theory, companies might use
consumer report information to assess consumers and then discriminate
against certain consumers in terms of attention paid and differential
pricing. These situations could lead to higher prices for some
consumers. The proposed rule could further deter such conduct by
clarifying that users do not have a legitimate business need
permissible purpose for this information before the consumer has
initiated a transaction. To quantify the impact, the CFPB would need to
know how often and to what extent consumer report information is
currently used in this manner or in other ways that might harm certain
consumers.
Taken together, proposed Sec. Sec. 1022.11 and 1022.12(b)(2) would
minimize the unauthorized flow of consumer report information and
provide consumers with other privacy-related benefits. The CFPB invites
comments and feedback on the privacy implications of these proposals
for consumers.
Potential Benefits to Covered Persons of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
The examples provided in proposed Sec. 1022.12(b)(2), regarding
the legitimate business need permissible purpose, could benefit
consumer reporting agencies by providing clarity and thus reducing legal
uncertainty about whether the consumer reporting agency impermissibly
furnishes consumer report information, enabling them to make more efficient
business decisions. The CFPB does not anticipate that any covered
persons would benefit from the written instructions provisions in
proposed Sec. 1022.11. The CFPB requests comment on benefits to
covered persons of these proposed provisions.
Potential Costs to Consumers of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
Consumers would face additional burdens and frictions associated
with proposed Sec. 1022.11. Regarding proposed
Sec. 1022.11, at baseline, consumer written instructions to furnish
consumer reports often are included as part of larger terms and
conditions language provided to the consumer. Under the proposed rule,
the consumer's written instructions would need to be segregated from
other material. Similarly, since users of consumer report information
would only be allowed to use a consumer report obtained pursuant to the
written instructions permissible purpose for a single product or
service per instruction, consumers may be required to provide multiple,
separate written instructions in some circumstances. In addition,
consumers would be required to provide multiple, separate written
instructions if the user seeks to obtain a consumer report from more
than one consumer reporting agency. Thus, the proposed rule could
result in consumers reviewing multiple, separate disclosures. These
changes generally would increase the amount of time consumers spend to
provide written instructions for a user to obtain their consumer report
when signing up for a product or service for which this permissible
purpose is necessary.
Under proposed Sec. 1022.11, consumers may also face frictions
associated with the proposal to limit consumer instructions to a
duration that is reasonably necessary to provide the product or service
or use but no longer than one year. For example, if a consumer is
signed up for a credit monitoring service, the consumer may be required to
reauthorize the entity to access their consumer reports on at least an
annual basis.
The cost of certain products and services that rely on consumer
report information may increase for consumers if proposed Sec. 1022.11
were adopted. For example, today users may obtain a consumer's written
instructions to obtain their consumer report without specifying the
consumer reporting agency from which the user will obtain it, and
afterwards change which consumer reporting agency they want to use to
acquire the report. Under the proposed rule, however, entities would no
longer be able to do this (or would need to obtain a new written
instruction), as they would be required to include in the disclosure
the name of the consumer reporting agency from which they intend to
obtain the consumer report. Therefore, the proposed rule may
disincentivize users from changing which consumer reporting agency they
use, even if a different consumer reporting agency offers less
expensive reports. To the extent that users pass through the increased
costs of consumer reports, as well as other costs associated with
complying with the proposed rule, consumers would face increased costs.
The CFPB does not have data to quantify these costs to consumers and
requests information and comment on these issues.
Potential Costs to Covered Persons of Provisions Clarifying the
Responsibilities of Consumer Reporting Agencies
Covered persons, including consumer reporting agencies and users of
consumer report information, would face costs associated with complying
with proposed Sec. 1022.11 regarding the written instructions
permissible purpose. Specifically, these covered persons that rely upon
the written instructions permissible purpose to furnish or obtain
consumer report information would experience legal and technological
costs associated with updating their processes and procedures to comply
with this proposed rule. All covered persons' systems would need to be
updated to present consumers with a segregated consumer authorization
disclosure. Covered persons' systems would also need to identify the
consumer reporting agency from which the user intends to pull the
consumers' report information, the name of the person for whom the
consumer is providing consent to obtain their consumer report, and
other information that would be required to be included in the
disclosure. Moreover, since consumer authorizations would only be valid
for as long as is reasonably necessary to provide the requested product
or service or identified use, up to one year, entities' systems would
need to be updated to reobtain consumers' written instructions after
the initial instructions lapse, should continued authorization be
needed. In addition, these systems would need to be updated to allow
for consumers to revoke their written instructions. Beyond the
technical and legal costs, these added frictions may also result in
decreased revenues for users.
Consumer reporting agencies would face frictions associated with
ensuring that consumers' written instructions comply with the proposed
rule. Likewise, users would face costs associated with proving to
consumer reporting agencies they have obtained consumers' written
instructions in a manner that comports with the proposed rule.
Today, consumers may not realize that they are providing written
instructions authorizing access to their consumer reports, such as when
such authorizations are buried in terms and conditions. Under this
proposed rule, entities would instead be required to provide consumers
with a ``clear and conspicuous'' disclosure. Therefore, in light of
this proposed rule, consumers may be more likely to decline authorizing
such access when a user or consumer reporting agency seeks written
instructions as required under the proposal. To the extent that this
occurs, the user requesting written permission, as well as the consumer
reporting agency that would have provided the consumer report, could
have decreased revenue due to the proposed rule. The CFPB requests
comment on this issue, particularly information on the extent to which
users and consumer reporting agencies would experience decreased
revenue.
Regarding proposed Sec. 1022.12(b)(2), consumer reporting agencies
that, in compliance with existing law, are already operating within the
scope of the legitimate business need permissible purpose as clarified
in the proposed rule are expected to face relatively few costs
associated with this proposal. However, consumer reporting agencies
that are currently selling consumer report information to users for
purposes outside of this scope and realize that they need to change
their practices due to the clarifications in the proposed rule would
lose revenue from the resulting decreased sale of consumer reports. The
CFPB does not have data available to quantify this revenue loss. The
CFPB requests comment on this issue, particularly information on the
extent to which the sale of consumer report information would cease
under the proposal.\294\
---------------------------------------------------------------------------
\294\ Small Business Review Panel Report, supra note 40, at 29.
---------------------------------------------------------------------------
F. Potential Reduction of Access by Consumers to Consumer Financial
Products or Services
The provisions addressing the definitions of consumer report and
consumer reporting agency that could affect which entities are consumer
reporting agencies may impose significant compliance costs on data
brokers and other entities that would become consumer reporting
agencies under the proposed rule. To the extent this occurs, data
brokers may, depending on market factors, pass through some or all of
those costs to creditors and depository institutions that use their
services. Creditors and depository institutions could then pass through
some or all of that increase to consumers in the form of higher prices.
This price impact may be mitigated to the extent that creditors and
depository
institutions choose to absorb part of the compliance costs borne by
data brokers. The CFPB does not have information to quantify these
potential impacts and requests comment on financial access issues that
may arise from the proposed rule if finalized.
G. Potential Impacts on Depository Institutions and Credit Unions With
$10 Billion or Less in Total Assets, as Described in Section 1026
The CFPB has preliminarily concluded that, relative to larger
depository institutions and credit unions, the proposed rule would not
have significantly different impacts on depository institutions and
credit unions with $10 billion or less in total assets. The CFPB
requests comment on its analysis of the potential impacts on these
smaller financial institutions.
H. Potential Impacts on Consumers in Rural Areas
The potential impacts of the proposed rule on consumers in rural
areas would likely be the same, on average, as those impacts on
consumers who do not reside in rural areas. For example, data brokers
that would become consumer reporting agencies if the proposed rule were
finalized likely operate similarly for rural and non-rural consumers.
Likewise, the CFPB is not aware of reasons why, at baseline, marketing
based on consumer report information currently impacts consumers
differently depending on whether they live in rural areas or not. The
CFPB requests comment on its analysis of potential impacts on consumers
in rural areas.
VII. Regulatory Flexibility Act Analysis
The Regulatory Flexibility Act (RFA) requires the CFPB to conduct
an initial regulatory flexibility analysis (IRFA) and convene a panel
to consult with small entity representatives before proposing a rule
subject to notice-and-comment requirements,\295\ unless it certifies
that the rule will not have a significant economic impact on a
substantial number of small entities.\296\ The CFPB has not certified
that the proposed rule would not have a significant economic impact on
a substantial number of small entities within the meaning of the RFA.
Accordingly, the CFPB convened a Small Business Review Panel under the
Small Business Regulatory Enforcement Fairness Act (SBREFA) on October
16, 2023, and held two Panel meetings on October 18 and 19, 2023, to
consider the impacts on small entities that would be subject to the
proposals under consideration and to obtain feedback from
representatives of such small entities. The Small Business Review Panel
for this proposed rule is discussed in part VII.A. The CFPB is also
publishing an IRFA. Among other things, the IRFA contains estimates of
the number of small entities that may be subject to the proposed rule
and describes the impact on those entities. The IRFA for this proposed
rule is set forth in part VII.B.
---------------------------------------------------------------------------
\295\ 5 U.S.C. 603, 609(b), (d)(2).
\296\ 5 U.S.C. 605(b).
---------------------------------------------------------------------------
A. Small Business Review Panel
Under section 609(b) of the RFA, as amended by SBREFA and the CFPA,
in certain circumstances, the CFPB must seek, prior to conducting the
IRFA, information from representatives of small entities that may
potentially be affected by a proposed rule to assess the potential
impacts of that rule on such small entities. The CFPB complied with
this requirement. Details on the Small Business Review Panel and Panel
Report for this proposed rule are described in part II.C.
B. Initial Regulatory Flexibility Analysis
1. Description of the Reasons Why Agency Action Is Being Considered
Developments in the consumer reporting marketplace have resulted in
vast amounts of sensitive consumer information being bought and sold,
often without the knowledge or consent of consumers, involving entities
(commonly known as data brokers) some of whom do not believe that the
FCRA applies to them or their activities. Data brokers use consumer
information to engage in or facilitate a variety of activities,
including targeting consumers for marketing. The CFPB is also aware
that data brokers that are consumer reporting agencies engage in
activities that may threaten consumer privacy and potentially disclose
consumer information to third parties who do not have a permissible
purpose to obtain the information. The proliferation of consumer
information in the market potentially leads to national security,
consumer privacy, consumer fraud, and data security risks that data
brokers, including consumer reporting agencies, might not be fully
accounting for. In addition, technological advancements have made it
increasingly feasible to identify or re-identify consumers from
aggregated or otherwise de-identified data using fewer data fields or
variables than before.\297\
---------------------------------------------------------------------------
\297\ Gina Kolata, Your Data Were `Anonymized'? These Scientists
Can Still Identify You, N.Y. Times (July 23, 2019), https://www.nytimes.com/2019/07/23/health/data-privacy-protection.html.
---------------------------------------------------------------------------
The activities of data brokers, including consumer reporting
agencies, pose a range of potential harms to consumers. For example,
lists of individuals with income information could potentially be used
to facilitate predatory marketing or financial scams. Personal
identifying information about consumers could potentially be used to
stalk or harass consumers who do not wish to be contacted. Consumers
might not be able to monitor or dispute the accuracy of information
that is bought and sold by data brokers when they do so outside of the
FCRA. The CFPB has preliminarily determined that clarifying that
certain activities and entities are covered by the FCRA would mitigate
these harms, as well as improve consumer privacy. Further details are
discussed in part II.B.
2. Succinct Statement of the Objectives of, and Legal Basis for, the
Proposed Rule
The objective of the proposed rule is to ensure that the FCRA's
protections are applied to sensitive consumer information that Congress
designed the statute to protect, including information sold by data
brokers, and to the types of activities Congress designed the statute
to regulate. Specifically, the proposed rule aims to clarify when
entities such as data brokers are consumer reporting agencies and to
ensure that consumer reports are furnished for permissible purposes
under the FCRA, and for no other reasons. The CFPB expects that the
proposed rule, if finalized, would protect Americans from the harms and
invasions of privacy created by certain activities that violate the
FCRA. These objectives are described in more detail in part II.B.
The CFPB proposes this rule pursuant to its authority under the
FCRA and the CFPA. Section 1022(b)(1) of the CFPA authorizes the CFPB
to prescribe rules ``as may be necessary or appropriate to enable the
[CFPB] to administer and carry out the purposes and objectives of the
Federal consumer financial laws, and to prevent evasions thereof.''
Under section 621(e) of the FCRA, the CFPB ``may prescribe regulations
as may be necessary or appropriate to administer and carry out the
purposes and objectives'' of the FCRA. FCRA section 621(e) further
provides that the CFPB may prescribe regulations as may be necessary
and appropriate to prevent evasions of the FCRA or to facilitate
compliance therewith. Part III contains a more detailed discussion of
the legal authority for the proposed rule.
3. Description and, Where Feasible, Provision of an Estimate of the
Number of Small Entities To Which the Proposed Rule Will Apply
The proposed rule would primarily affect three types of small
entities: (1) entities, including data brokers, that meet or would meet
(if the proposals were finalized) the definition of consumer reporting
agency in FCRA section 603(f), (2) entities that furnish information to
entities that would meet (if the proposals were finalized) the
definition of consumer reporting agency in FCRA section 603(f), and (3)
entities that use consumer reports from consumer reporting agencies or
consumer information from entities that would meet the definition of
consumer reporting agency if the proposed rule were finalized.
Collectively, these entities would include data aggregators and data
brokers, including consumer reporting agencies, as well as furnishers
and financial institutions or other users.
For purposes of assessing the impacts of the proposed rule on small
entities, ``small entities'' are defined in the RFA to include small
businesses, small nonprofit organizations, and small government
jurisdictions. Small businesses are those that meet standards set by
the Small Business Administration (SBA) Office of Size Standards for
all industries in the North American Industry Classification System
(NAICS).\298\
---------------------------------------------------------------------------
\298\ See U.S. Small Bus. Admin., Table of Small Business Size
Standards (effective Mar. 17, 2023), https://www.sba.gov/document/support-table-size-standards (last visited Oct. 15, 2024).
---------------------------------------------------------------------------
The first type of small entity that may be subject to the proposed
rule consists of entities that meet or would meet (if the proposed rule is
finalized) the definition of consumer reporting agency in FCRA section
603(f). The provisions addressing the definitions of consumer report
and consumer reporting agency that could affect which entities are
consumer reporting agencies would, if adopted, broaden or clarify the
type of entities subject to the FCRA as consumer reporting agencies,
including some small entities. The small entities that would
potentially be most affected by these provisions include certain small
data brokers and data aggregators. The provisions would also affect
small consumer reporting agencies that specialize in providing consumer
reports for purposes such as employment screening, tenant screening,
checking account screening, and insurance, sometimes using consumer
information purchased from the nationwide consumer reporting
agencies.\299\ Entities that meet the definition of consumer reporting
agency in FCRA section 603(f) would be subject to several proposed
provisions, such as those intended to prevent targeted marketing using
consumer report information.
---------------------------------------------------------------------------
\299\ An overview of many of the types of consumer reporting
agencies is accessible at Consumer Fin. Prot. Bureau, List of
consumer reporting companies, https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/consumer-reporting-companies/ (last visited Oct. 15, 2024). This list is not intended
to be all-inclusive and does not cover every company in the
industry.
---------------------------------------------------------------------------
Furthermore, the provisions that could affect which entities are
consumer reporting agencies would affect entities that furnish consumer
information to entities, including data brokers, that would meet the
definition of consumer reporting agency in the proposed rule if
finalized. Such entities would acquire new or additional FCRA
obligations if they provide consumer information to such consumer
reporting agencies.
Finally, the proposed rule would affect users of consumer
information. Entities that currently obtain the four data types from
data brokers who currently do not consider themselves consumer
reporting agencies would generally only be able to access such
information for a permissible purpose under the FCRA going forward if
the proposed rule is finalized. These users might look to obtain
consumers' written instructions or rely upon a ``legitimate business
need'' in order to establish a permissible purpose to access consumer
reports. Proposals related to these permissible purposes would clarify
the responsibilities of consumer reporting agencies and may lead to
changes in the ways that users obtain consumer reports when relying
upon either the ``written instructions'' or ``legitimate business
need'' permissible purposes.
The SBA size standards are based on assets held, annual revenues,
or number of employees. For example, consumer reporting agencies, which
are primarily contained in NAICS category ``Credit Bureaus'' (561450),
are considered small if they receive less than $41 million in annual
revenues; ``Credit Unions'' (522130) are considered small if they have
less than $850 million in assets; and ``Directory and Mailing List Publishers''
(511140) are considered small if they have fewer than 1,000
employees.\300\
---------------------------------------------------------------------------
\300\ The NAICS descriptions and codes used in the 2017
Economic Census are used throughout this part, rather than the NAICS
descriptions and codes used in the Table of Small Business Size
Standards.
---------------------------------------------------------------------------
Table 1 shows the estimated number of small data brokers, including
consumer reporting agencies, within NAICS categories that may be
subject to the proposed rule if finalized. Table 2 shows the estimated
number of small current furnishers. To estimate the number of small
entities in Tables 1 and 2, the CFPB used data from the December 2023
NCUA and FFIEC Call Report data, the 2017 Economic Census data from the
U.S. Census Bureau, the California and Vermont data broker registries,
and the CFPB's list of consumer reporting agencies.\301\ The CFPB also
used the North American Product Classification System (NAPCS) codes in
the 2017 Economic Census to estimate the fraction of small entities
within each NAICS category that sell products that are likely to be
subject to the proposed rule.
---------------------------------------------------------------------------
\301\ Because size standards are adjusted each year in part for
inflation, the entity counts based on reported revenues in the 2017
Economic Census represent a potential overestimate of the number and
fraction of small entities. Calculations for NAICS 522110, 522130,
and 522180 are based on credit union and Call Report data from
December 2023 using current SBA size standards. See Table of Small
Business Size Standards, supra note 298. Calculations for all other
NAICS codes are based on revenue or employee size from the latest
2017 Economic Census data by the U.S. Census Bureau. See U.S. Census
Bureau, The Number of Firms and Establishments, Employment, Annual
Payroll, and Receipts by Industry and Enterprise Receipts Size: 2017
(May 28, 2021), https://www2.census.gov/programs-surveys/susb/tables/2017/us_6digitnaics_rcptsize_2017.xlsx; U.S. Census Bureau,
The Number of Firms and Establishments, Employment, Annual Payroll,
and Receipts by State, Industry, and Enterprise Employment Size:
2017 (May 28, 2021), https://www2.census.gov/programs-surveys/susb/tables/2017/us_state_naics_detailedsizes_2017.xlsx. Calculations
based on NAPCS codes are based on U.S. Census Bureau, 2017: ECN Core
Statistics Economic Census, https://data.census.gov/table/ECNNAPCSPRD2017.EC1700NAPCSPRDIND.
---------------------------------------------------------------------------
Entities that currently consider themselves as meeting the
definition of consumer reporting agency in FCRA section 603(f) are
mostly contained in the NAICS category ``Credit Bureaus'' (561450),
while a very small number may also be contained in the NAICS category
``Investigation Services'' (561611). The proposed rule would also
clarify that some other entities meet the definition of consumer
reporting agency in FCRA section 603(f). These entities may be
contained in a range of additional NAICS categories, depending on what
they view their primary activities to be.
The types of entities listed in Table 1 include entities that meet
or would meet the definition of consumer reporting agency in FCRA
section 603(f) under the proposed rule. While a particular entity can
only be of one type (i.e., a particular entity can be either an
existing consumer reporting agency or a new consumer reporting agency), an
industry NAICS code may contain both new and existing consumer
reporting agencies.
On the other hand, while entities that furnish to or use consumer
information from entities that are or would be consumer reporting
agencies under the proposed rule if finalized could be affected by the
proposed rule, these entities are not easily delineated by NAICS codes
and are therefore not listed in Table 1. Instead, entities that may
furnish consumer information to consumer reporting agencies (whether at
baseline or as new furnishers after the proposed rule is finalized) are
listed in Table 2. Similarly, because any entity that has a permissible
purpose to access consumer reports is potentially a new or current user
under the FCRA, users may be found in a broad array of industries.
Generally, entities listed in Table 2, and entities that provide
consumer information to the entities listed in Table 1 or procure
information from the entities listed in Table 1, could be affected by
the proposed rule.
Not all entities within each NAICS category would be affected by
the proposed rule. It is possible that some small entities in these
NAICS categories are already in compliance, in whole or in part, with
the proposed rule at baseline. Alternatively, some small entities may
not engage in activities that would be subject to the proposed rule if
finalized.
To provide an estimate of the number of small entities that would
likely be affected by the proposed rule, the CFPB identified an initial
list of NAICS categories that may contain affected entities. The CFPB
also compiled a list of data brokers and other potentially covered
entities from three sources: the California Data Broker Registry
(including ``incomplete registrations''), the Vermont Data Broker
Registry, and the CFPB's list of consumer reporting agencies.\302\ The
CFPB purchased from the NAICS Association a list of NAICS codes that
likely apply to the firms in the compiled data broker list. To account
for the possibility that not every firm in each NAICS category would be
affected by the proposed rule, the CFPB used NAPCS codes to estimate
the fraction of small establishments within each NAICS category that
sell products that may be subject to the proposed rule if finalized,
whether as small data brokers, or small entities that furnish or
otherwise provide consumer information to data brokers.
---------------------------------------------------------------------------
\302\ See supra note 238.
---------------------------------------------------------------------------
NAPCS codes are used by establishments to report what products they
sell. Because it is possible for an entity (referred to as a ``firm''
in the data) to have multiple establishments, the CFPB only uses this
approach to calculate a fraction of likely affected establishments and
assumes that this fraction would be comparable to the fraction of
likely affected entities or firms. Moreover, for estimating the number
of furnishers or data providers, this approach also assumes that there
is no correlation between firm size and the likelihood that consumer
information is actually provided at baseline to data brokers, including
consumer reporting agencies. Because companies with a larger number of
consumer accounts likely have greater incentives to sell or furnish
consumer information, the CFPB expects that this assumption would cause
the number of furnishers or data providers to be overestimated.
To account for potential double-counting of establishments that
report multiple product codes, for each NAICS code the CFPB takes the
sum of the number of establishments that report selling a product
(identified by the NAPCS code) that is likely to be subject to the
proposed rule. The sum is then divided by the total number of
establishments that report NAPCS codes within that NAICS category. The
resulting fraction is then multiplied by the total number of small
entities in a NAICS category to obtain an estimate of the number of
small entities likely subject to the proposed rule if finalized. For
some NAICS categories, the CFPB adapted the estimation approach to data
availability. For NAICS categories ``Commercial Banking'' (522110) and
``Saving Institutions and Other Depository Credit Intermediation''
(522180), the estimate of the number of small entities likely affected
is assumed to be the estimated number of small entities from the
previous column because data on NAPCS codes was not available.\303\ For
NAICS categories ``Lessors of Residential Buildings and Dwellings''
(531110), ``Offices of Real Estate Agents and Brokers'' (531210) and
``Residential Property Managers'' (531311), the CFPB relied on industry
findings and data from the 2021 Rental Housing Finance Survey of the
U.S. Census Bureau to estimate the number of current small furnishers
or data providers.\304\ Finally, as discussed above, while a particular
entity can only be of one type, an industry may contain multiple types
of entities, making it possible for the same NAICS code to appear in
both Tables 1 and 2.
---------------------------------------------------------------------------
\303\ These NAICS codes are highlighted with an asterisk in
Table 2.
\304\ The CFPB assumed that property managers of single-unit
dwellings do not report rental payment information and referred to
the TransUnion survey of property managers for an estimate of the
fraction of multi-unit property managers that report rental payment
information. These NAICS codes are also highlighted with a ``+'' in
Table 2. See TransUnion, More Property Managers Embrace Rent Payment
Reporting: Here's Why, https://www.transunion.com/content/dam/transunion/us/business/collateral/sheet/rent_payment_reporting_insight_guide.pdf (last visited Oct. 15,
2024); U.S. Census Bureau, Rental Housing Finance Survey (RHFS),
https://www.census.gov/programs-surveys/rhfs.html (last visited Oct.
15, 2024).
---------------------------------------------------------------------------
Using this approach, the CFPB estimates that 80,130 small entities,
including small data brokers and other small consumer reporting
agencies, would be subject to the proposed rule if finalized, as
summarized in Table 1. Because the CFPB does not have the information
to assess with certainty which covered entity types are contained
within each NAICS code, the CFPB is not able to provide a breakdown of
the estimated number of affected small entities by covered entity type.
As summarized in Table 2, the CFPB estimates that there are potentially
34,448 small furnishers to consumer reporting agencies. Because the
CFPB cannot verify whether these small entities furnish pursuant to the
FCRA at baseline, the CFPB is unable to provide a more precise estimate
of the number of small furnishers that would be affected by the
proposed rule or delineate which NAICS codes may contain current FCRA
furnishers or data providers that may acquire new obligations as FCRA
furnishers.
While the CFPB lacks the data to more precisely quantify the number
of small entities that would be affected by the proposed rule if
finalized, comments received during the SBREFA process indicate that
small entity representatives expect many small entities to be impacted
by at least one of the proposed provisions. The CFPB requests
information on small entities that may be affected by the proposed rule
if finalized and information that can be used to quantify potential
impacts.
[Tables 1 and 2 appear here as graphics in the original: TP13DE24.080 through TP13DE24.084.]
4. Projected Reporting, Recordkeeping, and Other Compliance
Requirements of the Proposed Rule, Including an Estimate of the Classes
of Small Entities Which Will Be Subject to the Requirement and the Type
of Professional Skills Necessary for the Preparation of the Report
---------------------------------------------------------------------------
\305\ These NAICS codes correspond to the codes used in the 2017
Economic Census.
\306\ Table of Small Business Size Standards, supra note 298.
\307\ While under the proposed rule, newspaper entities would
not be considered consumer reporting agencies based on activities
that constitute publishing news concerning local, national, or
international events or other matters of public interest, some
establishments under the NAICS category ``Newspaper Publishers''
report the NAPCS code for internet advertising.
\308\ These NAICS codes correspond to the codes used in the 2017
Economic Census.
\309\ Table of Small Business Size Standards, supra note 298.
---------------------------------------------------------------------------
The proposed rule may impose reporting, recordkeeping, and other
compliance requirements on small entities subject to the proposal.
These requirements generally differ for small entities in the following
three classes: (1) entities that meet or would meet (if the proposals
were finalized) the definition of consumer reporting agency in FCRA
section 603(f), (2) entities that furnish information to entities that
would meet (if the proposals were finalized) the definition of consumer
reporting agency in FCRA section 603(f), and (3) entities that use
consumer reports from entities that meet or would meet (if the
proposals were finalized) the definition of consumer reporting agency
in FCRA section 603(f). Based on Table 1, these requirements would be
imposed on an estimated 80,130 small entities that are or would be
consumer reporting agencies under the proposed rule if finalized, an
unknown number of users, and an unknown number of new furnishers. Based
on Table 2, there are an estimated 34,448 small entities that
potentially furnish consumer information to consumer reporting agencies
at baseline or after the proposed rule is finalized. The CFPB requests
information that can be used to estimate the number of small entities
that could become new FCRA furnishers that are in NAICS categories not
listed in Table 2. For the reasons discussed above, the CFPB views the
estimates presented in Tables 1 and 2 as potential overestimates, as
some small entities within each NAICS category might not be subject to
the proposed rule. Moreover, the costs associated with the reporting,
recordkeeping, and other compliance requirements would depend on
whether affected entities currently comply with the FCRA. The CFPB
requests information that can be used to more precisely quantify the
number of small entities that would be affected by the proposed rule.
Requirements for Consumer Reporting Agencies
The CFPB expects that entities that already consider themselves to
meet the definition of consumer reporting agency in FCRA section 603(f)
at baseline already have FCRA-compliant systems, processes, and
policies and procedures. Compliance with the proposed rule would likely
require some or all of these systems, processes, and policies and
procedures to be updated, imposing a
one-time cost on small consumer reporting agencies. For example,
proposed Sec. 1022.4(d) regarding personal identifiers would classify
communications by a consumer reporting agency of personal identifiers
that were collected for the purpose of preparing consumer reports as
consumer reports. Compliance could require updates to consumer
reporting agencies' systems. Further discussion of these and other
impacts to consumer reporting agencies may be found in part VI.E,
Provisions addressing what constitutes a consumer report, Provisions to
reduce the use of consumer report information for marketing and
advertising, and Provisions clarifying the responsibilities of consumer
reporting agencies. Compliance for affected small consumer reporting
agencies would generally require professional skills related to
software development, legal expertise, compliance, and customer
support. The CFPB does not have the data to estimate the one-time and
ongoing costs of reporting, recordkeeping, dispute resolution, and
other compliance requirements for small consumer reporting agencies,
and requests information to quantify these costs.
The proposed rule, if finalized, would cause some small entities,
such as certain data brokers, to be considered consumer reporting
agencies subject to the FCRA and may clarify the application of the
statute to some data aggregators and other entities. The CFPB expects
that many of these small entities may not currently have FCRA-compliant
systems, processes, and policies and procedures at baseline, and would
need to incur one-time costs to develop them, as well as ongoing
operational costs to maintain them. Because such small entities
currently do not operate as though they are subject to liability under
the FCRA, they would also incur increased ongoing or operational costs
to manage dispute resolution and other requirements of the FCRA. One
small entity representative stated that they have already invested in
FCRA-compliant infrastructure, which would mitigate the additional
costs that they would incur if the proposed rule were finalized.\310\
Compliance for small entities that would be considered consumer
reporting agencies under the proposed rule if finalized would generally
require professional skills related to software development, legal
expertise, compliance, and customer support. Small entities might need
to work with third parties for assistance with building FCRA-compliant
systems or updating existing systems. The CFPB requests information
that can be used to quantify impacts to small entities that would be
considered consumer reporting agencies if the proposed rule is
finalized.
---------------------------------------------------------------------------
\310\ Small Business Review Panel Report, supra note 40, at 42.
---------------------------------------------------------------------------
Requirements for Furnishers
Some small entities may acquire new FCRA obligations as furnishers
if the entities they currently furnish consumer information to are
entities that would become consumer reporting agencies under the
proposed rule if finalized. Under sections 611 and 623 of the FCRA,
consumers have a right to dispute incomplete or inaccurate information
on their consumer reports.\311\ While consumers typically initiate
disputes with the relevant consumer reporting agencies, the consumer
reporting agencies (and, if the proposed rule is finalized, the
entities that would be considered consumer reporting agencies) must
forward disputes to furnishers, who would then have the obligation to
investigate the dispute and report the results of their investigation
back to the consumer reporting agencies.\312\ Furnishers generally must
also investigate disputes that consumers directly submit to them.\313\
If, upon investigating, furnishers determine that the disputed consumer
information was inaccurate, furnishers are subject to obligations to
relay the corrected information to consumer reporting agencies that
received the inaccurate information.\314\ Dispute resolution required
by the FCRA may therefore impose costs on furnishers.
---------------------------------------------------------------------------
\311\ 15 U.S.C. 1681i(a)(1)(A), 1681s-2.
\312\ 15 U.S.C. 1681s-2(b).
\313\ See 15 U.S.C. 1681s-2(a)(8); 12 CFR 1022.43.
\314\ 15 U.S.C. 1681s-2(b)(1)(D); 12 CFR 1022.43(e)(4).
---------------------------------------------------------------------------
In addition, furnishers could incur potentially significant costs
associated with accuracy obligations under FCRA section 623(a) and
Regulation V.\315\ To comply with FCRA section 623(a) and Regulation V,
furnishers are required to implement accuracy policies and procedures
and are not permitted to furnish information to consumer reporting
agencies that do not satisfy accuracy requirements. Further discussion
of these and other impacts on new furnishers due to the provisions
clarifying which entities are consumer reporting agencies may be found
in part VI.E, Provisions that could affect consumer reporting agency
coverage.
---------------------------------------------------------------------------
\315\ See 15 U.S.C. 1681s-2(a); 12 CFR 1022.42.
---------------------------------------------------------------------------
Compliance for affected small furnishers would generally require
professional skills related to software development and compliance. For
example, a small entity that furnishes consumer information to an
entity that would be considered a consumer reporting agency under the
CFPB's proposal to interpret ``expected to be used'' (proposed Sec.
1022.4(c)) would then acquire new FCRA obligations as a furnisher, if
the proposed rule is finalized. The furnisher would likely need to
possess detailed and organized records in their databases in order to
conduct a reasonable investigation of consumer disputes. Modifying
their systems and databases to meet these requirements would require
professional skills related to software development and compliance.
Many small entities might need to hire more staff to assist with
dispute resolution and work with third parties for assistance with
systems updates. The CFPB does not have the data to estimate the one-
time and ongoing costs of reporting, recordkeeping, and other
compliance requirements for small furnishers, and requests information
to quantify these costs.
Requirements for Users
Small entity users of consumer reports from consumer reporting
agencies may need to update their processes and procedures in order to
comply with the proposed rule. For example, small entities that rely
upon the ``written instructions'' permissible purpose to obtain
consumer report information would need to ensure that consumers are
presented with a segregated consumer authorization disclosure, which
may be provided by either the consumer reporting agency or the user.
The disclosure would also need to identify the consumer reporting
agency from which the user intends to pull the consumer's consumer
report information and include the name of the person for whom the
consumer is providing consent to obtain their consumer report, as well
as other information that would be required to be in the disclosure.
Small entity users' systems would also need to be updated to ensure
consumers' written instructions are reobtained after the initial
instructions lapse should continued authorization be needed, and to
allow for consumers to revoke their written instructions.
Some small users may be affected by proposed provisions that would
increase the number of data brokers and other entities that meet the
definition of consumer reporting agency under the FCRA. Specifically,
small entities that currently obtain the four data types from data
brokers that would be considered
[[Page 101456]]
consumer reporting agencies under the FCRA if the proposed rule is
finalized would no longer be able to obtain that information without a
permissible purpose. Affected small entities that plan to continue
accessing consumer information under the ``written instructions''
permissible purpose would need to develop the procedures and processes
detailed above. Compliance for affected small users would generally
require professional skills related to customer support, software
development, and compliance. The CFPB does not have the data to
estimate the one-time and ongoing costs of reporting, recordkeeping,
and other compliance requirements for small users, and requests
information to quantify these costs.
5. Identification, to the Extent Practicable, of All Relevant Federal
Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule
The CFPB has identified the following Federal statutes and
regulations that address consumer credit eligibility and privacy issues
as having provisions that may duplicate, overlap, or conflict with
certain aspects of the proposed rule.
The GLBA and the CFPB's implementing regulation, Regulation P, 12
CFR part 1016, require financial institutions subject to the CFPB's
jurisdiction to provide their customers with notices concerning their
privacy policies and practices, among other things. They also place
certain limitations on the disclosure of nonpublic personal information
to nonaffiliated third parties, and on the redisclosure and reuse of
such information. Other parts of the GLBA, as implemented by
regulations and guidelines of certain other Federal agencies (e.g., the
FTC's Safeguards Rule and the prudential regulators' Safeguards
Guidelines), set forth standards for administrative, technical, and
physical safeguards with respect to financial institutions' customer
information.
During the SBREFA process, some small entity representatives also
stated that the CFPB should consider the potential implications of the
proposals under consideration for entities' compliance with the Bank
Secrecy Act and the USA PATRIOT Act. A few small entity representatives
noted that the CFPB should consider the intersection between the
proposals under consideration and the CFPB's PFDR rulemaking.
The CFPB requests comment on whether there are other Federal
statutes or regulations that may duplicate, overlap, or conflict with
the proposed rule and on methods to minimize such conflicts to the
extent they might exist.
6. Description of Any Significant Alternatives to the Proposed Rule
Which Accomplish the Stated Objectives of Applicable Statutes and
Minimize Any Significant Economic Impact of the Proposed Rule on Small
Entities
The CFPB is considering alternatives to the proposed rule that
would possibly result in lower costs for small entities. These include:
(1) different compliance timetables, and (2) clarifying compliance
requirements for small entities. The CFPB has not identified any legal
or policy basis to exempt certain or all small entities from coverage
of the rule, in whole or in part, based on their small-entity status.
As discussed in part V, the CFPB is considering alternative
compliance dates for the proposed rule, which may mitigate the burden
on all entities, including small entities. For example, the CFPB is
considering whether a final rule should take effect six months or one
year after publication in the Federal Register. The CFPB requests
comment on whether this compliance timetable would provide sufficient
time for entities, including small entities, to comply with the
provisions of the proposed rule, as well as ways the CFPB could
facilitate implementation for small entities, such as by providing for
a longer implementation period for small entities and what that period
should be.
The CFPB is also considering clarifying compliance requirements for
all entities, including small entities. In part IX, the CFPB requests
comment on whether the provisions of the proposed rule are sufficiently
clear and whether clarifying revisions or additional examples are
needed.
7. Discussion of Impact on Cost of Credit for Small Entities
The CFPB expects that the proposal may have a limited impact on the
cost of credit for small entities. One small entity representative
stated during the SBREFA process that the proposed rule may affect the
cost and ease of accessing credit for small entities. In particular,
the written instructions provision may slow down the application
process for small business loans because creditors lending to small
businesses check the personal credit of the small business owner and
may need to rely on the small business owner's written authorization to
do so.\316\ In theory, the proposed rule could increase the cost of
credit for small businesses if the compliance costs discussed above are
passed on to small businesses in the form of higher prices on loans
from lenders. Small entity representatives did not provide further
comments on potential impacts on cost of credit for small entities. The
CFPB requests comment on this topic, and requests data or evidence that
can be used to quantify the potential impact of the proposed rule on
the cost of credit to small entities.
---------------------------------------------------------------------------
\316\ Small Business Review Panel Report, supra note 40, at 43.
---------------------------------------------------------------------------
VIII. Paperwork Reduction Act
Under the Paperwork Reduction Act of 1995 (PRA),\317\ Federal
agencies are required to seek approval from OMB for data collection,
disclosure, and recordkeeping requirements (collectively, information
collection requirements) prior to implementation. Under the PRA, the
CFPB may not conduct or sponsor, and, notwithstanding any other
provision of law, a person is not required to respond to, an
information collection unless the information collection displays a
valid control number assigned by OMB. As part of its continuing effort
to reduce paperwork and respondent burden, the CFPB conducts a
preclearance consultation program to provide the general public and
Federal agencies with an opportunity to comment on the information
collection requirements in accordance with the PRA. This helps ensure
that the public understands the CFPB's requirements or instructions,
respondents can provide the requested data in the desired format,
reporting burden (time and financial resources) is minimized,
information collection instruments are clearly understood, and the CFPB
can properly assess the impact of information collection requirements
on respondents.
---------------------------------------------------------------------------
\317\ 44 U.S.C. 3501 et seq.
---------------------------------------------------------------------------
This proposed rule would amend 12 CFR part 1022 (Regulation V). The
CFPB's OMB control number for Regulation V is 3170-0002, which
currently expires on October 31, 2025. As described below, the proposed
rule would revise existing information collections and create the
following new information collection requirements in Regulation V.
The proposed rule would provide that entities that sell information
about a consumer's credit history, credit score, debt payments, and
income or financial tier generally are consumer reporting agencies
selling consumer reports, regardless of whether any specific
communication of such information is used or expected to be used for
FCRA
[[Page 101457]]
purposes. If these provisions were finalized, certain entities that
today are not consumer reporting agencies would become consumer
reporting agencies and would need to comply with FCRA requirements
applicable to consumer reporting agencies. Existing information
collection requirements would be expanded to these newly covered
entities to the extent required to comply with the FCRA.
The proposed rule also would specify the conditions that would need
to be satisfied for an entity to establish a ``written instructions''
permissible purpose to furnish or obtain a consumer report, thereby
creating several new information collection requirements.
First, entities would be required to provide consumers a disclosure
specifying:
• The name of the person to whom the consumer is providing
consent to obtain the consumer report;
• The name of the consumer reporting agency that will
furnish the consumer report;
• A brief description of the product or service that the
consumer is requesting, or, when no product or service is requested,
the specific use the consumer identified;
• Statements notifying the consumer about limitations on the
procurement, use, and retention of their consumer report; and
• A description of an easy to access and operate method by
which a consumer may revoke their consent and that the consumer will
not incur any costs or penalties to revoke their consent.
The disclosure would need to be clear, conspicuous, and segregated
from other material. After providing the disclosure, entities would be
required to obtain the consumer's express, informed consent for their
consumer report to be furnished, and the consumer's signature, either
in writing or electronically, authorizing the consumer reporting agency
to furnish the report. Currently, entities often obtain consumers'
written instructions as part of larger terms and conditions language,
and Regulation V does not currently require entities to provide
consumers with specific disclosures or specify how entities must obtain
consumers' consent.
Second, a written instructions permissible purpose could be
established only with respect to one consumer reporting agency per
disclosure, and only as reasonably necessary to provide the product or
service the consumer has requested, or for the use the consumer has
specified. Currently, consumer reporting agencies and users often
obtain consent to furnish consumer reports to multiple users or from
multiple consumer reporting agencies, respectively, in a single
authorization. Therefore, if the proposal were finalized, the number of
disclosures that consumer reporting agencies and consumer report users
would need to provide would increase.
Third, users would only be allowed to continue accessing a consumer
report for up to one year after the date on which the particular
consumer consents for the report to be furnished. After one year, users
would be required to reobtain the consumer's written consent if they
wished to continue obtaining the consumer report. Currently, there is
no explicit duration limitation in Regulation V governing consumers'
written instructions.
Fourth, consumers must be provided a method by which to revoke
consent for their consumer report to be furnished that is as easy to
access and operate as the method by which the consumer provided consent
to the furnishing of their consumer report, and consumers could not be
charged any costs or penalties to revoke their consent. Currently,
there are no explicit requirements or prohibitions in Regulation V
related to revocation of consumers' consent.
There are estimated to be 81,922 additional respondents to the
information collections contained in Regulation V (FCRA) as a result of
the new requirements that would be imposed if this proposal were
finalized. There are estimated to be 37,296 existing respondents
(furnishers and consumer reporting agencies currently subject to
Regulation V) who would have new obligations if this proposal were
finalized. The CFPB estimates that there would be 7.1 million
additional annual burden hours stemming from new information
collections if the proposal were finalized. The collections of
information contained in this proposed rule, and identified as such,
have been submitted to OMB for review under section 3507(d) of the PRA.
A complete description of the information collection requirements
(including the burden estimate methods) is provided in the supporting
statement accompanying the information collection request (ICR) that
the CFPB has submitted to OMB under the requirements of the PRA. Please
send your comments to the Office of Information and Regulatory Affairs,
OMB, Attention: Desk Officer for the Bureau of Consumer Financial
Protection. Send these comments by email to [email protected]
or by fax to 202-395-6974. If you wish to share your comments with the
CFPB, please send a copy of these comments as described in the
ADDRESSES section above. The ICR submitted to OMB requesting approval
under the PRA for the information collection requirements contained
herein is available at www.regulations.gov as well as on OMB's public-
facing docket at www.reginfo.gov.
Title of Collection: Protecting Americans from Harmful Data Broker
Practices (Regulation V).
OMB Control Number: 3170-0002.
Type of Review: Revision of a currently approved collection.
Affected Public: Private sector.
Estimated Number of Respondents: 81,922.
Estimated Total Annual Burden Hours: 7,127,600.
Comments are invited on:
1. Whether the collection of information is necessary for the
proper performance of the functions of the CFPB, including on whether
the information will have practical utility;
2. The accuracy of the CFPB's estimate of the burden of the
collection of information, including the validity of the methods and
the assumptions used;
3. Ways to enhance the quality, utility, and clarity of the
information to be collected; and
4. Ways to minimize the burden of the collection of information on
respondents, including through the use of automated collection
techniques or other forms of information technology.
Comments submitted in response to this notification will be
included or summarized in the request for OMB approval. All comments
will become a matter of public record.
If applicable, the final rule will inform the public of OMB's
approval of the new information collection requirements proposed herein
and adopted in the final rule. If OMB has not approved the new
information collection requirements prior to publication of the final
rule in the Federal Register, the CFPB will publish a separate
notification in the Federal Register announcing OMB's approval prior to
the effective date of the final rule.
IX. Request for Comments
The CFPB requests comment on all aspects of this proposed rule. In
addition to the requests regarding specific topics in parts III through
VIII, the CFPB generally requests comment on:
1. Whether each proposed provision is sufficiently clear so that
entities that would be covered under a final rule could comply, or
whether clarifying revisions are needed and, if so, what they are;
[[Page 101458]]
2. Whether additional examples regarding any of the proposed
provisions would be helpful and, if so, what those examples should be;
3. Any anticipated drawbacks of any of the proposed provisions,
such as any unintended negative consequences for consumers or covered
entities or potential conflicts with other laws, and any alternatives
that would achieve the goals of the proposed rule while reducing or
avoiding such consequences or conflicts;
4. The anticipated benefits and costs of each proposed provision to
consumers and to entities that would be covered if the proposed rule
were adopted as proposed, and any alternatives that would reduce costs;
and
5. With respect to questions 1 through 4, any considerations
particular to small entities that the CFPB should consider.
X. Severability
The CFPB preliminarily intends that, if the proposed rule is
finalized, and if any provision of the final rule, or any application
of a provision, is stayed or determined to be invalid, the remaining
provisions or applications are severable and shall continue to be in
effect.
List of Subjects in 12 CFR Part 1022
Banks, Banking, Consumer protection, Credit unions, Holding
companies, National banks, Privacy, Reporting and recordkeeping
requirements, Savings associations.
Authority and Issuance
For the reasons set forth in the preamble, the CFPB proposes to
amend Regulation V, 12 CFR part 1022, as set forth below:
PART 1022--FAIR CREDIT REPORTING (REGULATION V)
1. The authority citation for part 1022 continues to read as follows:
Authority: 12 U.S.C. 5512, 5581; 15 U.S.C. 1681a, 1681b, 1681c,
1681c-1, 1681c-3, 1681e, 1681g, 1681i, 1681j, 1681m, 1681s, 1681s-2,
1681s-3, and 1681t; Sec. 214, Pub. L. 108-159, 117 Stat. 1952.
Subpart A--General Provisions
2. Section 1022.1 is amended by revising the section heading and adding
paragraph (b)(1) to read as follows:
Sec. 1022.1 Purpose, scope, model forms and disclosures, and
organization.
* * * * *
(b) * * *
(1) FCRA provisions implemented. This part implements only certain
provisions of the FCRA. Other Federal agencies' regulations also
implement only certain provisions of the FCRA. See 12 CFR part 41
(Office of the Comptroller of the Currency), 12 CFR part 222 (Board of
Governors of the Federal Reserve System), 12 CFR part 334 (Federal
Deposit Insurance Corporation), 12 CFR part 717 (National Credit Union
Administration), and subchapter F of chapter I of title 16 (Federal
Trade Commission). Statutory text contains additional requirements.
* * * * *
3. Section 1022.3 is amended by revising the section heading to read as
follows:
Sec. 1022.3 Definitions; in general.
* * * * *
4. Sections 1022.4 and 1022.5 are added to read as follows:
Sec. 1022.4 Definition; consumer report.
(a) In general. For purposes of this part, unless explicitly stated
otherwise, the term consumer report means any written, oral, or other
communication of any information by a consumer reporting agency that:
(1) Bears on a consumer's creditworthiness, credit standing, credit
capacity, character, general reputation, personal characteristics, or
mode of living; and
(2) Is used or expected to be used or collected in whole or in part
for the purpose of serving as a factor in establishing the consumer's
eligibility for:
(i) Credit or insurance to be used primarily for personal, family,
or household purposes;
(ii) Employment purposes; or
(iii) Any other purpose authorized under section 604 of the FCRA,
15 U.S.C. 1681b.
(b) Is used. Information in a communication is used for a purpose
described in paragraph (a)(2) of this section if a recipient of the
information uses it for such purpose.
(c) Is expected to be used. Information in a communication is
expected to be used for a purpose described in paragraph (a)(2) of this
section if:
(1) The person making the communication expects or should expect
that a recipient of the information in the communication will use the
information for such a purpose; or
(2) The information is about a consumer's:
(i) Credit history;
(ii) Credit score;
(iii) Debt payments; or
(iv) Income or financial tier.
(d) Personal identifier for a consumer. (1) A communication by a
consumer reporting agency of a personal identifier for a consumer that
was collected by the consumer reporting agency in whole or in part for
the purpose of preparing a consumer report about the consumer is a
consumer report as defined in paragraph (a) of this section, regardless
of whether the communication contains any information other than the
personal identifier.
(2) For purposes of this paragraph (d), a personal identifier for a
consumer means:
(i) The consumer's:
(A) Current or former name or names, including any aliases;
(B) Age or date of birth;
(C) Current or former address or addresses;
(D) Current or former telephone number or numbers;
(E) Current or former email address or addresses; or
(F) Social Security number (SSN) or Individual Taxpayer
Identification Number (ITIN); or
(ii) Any other personal identifier for the consumer similar to
those listed in paragraph (d)(2)(i) of this section.
Alternative 1--Paragraph 4(e)
(e) De-identification of information. De-identification of
information is not relevant to a determination of whether the
definition of consumer report in paragraph (a) of this section is met.
Alternative 2--Paragraph 4(e)
(e) De-identification of information. De-identification of
information is not relevant to a determination of whether the
definition of consumer report in paragraph (a) of this section is met
if the information is still linked or linkable to a consumer.
Alternative 3--Paragraph 4(e)
(e) De-identification of information. (1) In general. De-
identification of information is not relevant to a determination of
whether the definition of consumer report in paragraph (a) of this
section is met if:
(i) The information is still linked or reasonably linkable to a
consumer;
(ii) The information is used to inform a business decision about a
particular consumer, such as a decision whether to target marketing to
that consumer; or
(iii) A person that directly or indirectly receives the
communication, or any information from the communication, identifies
the consumer to whom information from the communication pertains.
(2) Examples. The following are examples of information that is
linked or reasonably linkable to a consumer for purposes of paragraph
(e)(1)(i) of this section:
[[Page 101459]]
(i) Information that identifies a specific household;
(ii) Information that identifies a specific ZIP+4 Code in which a
consumer resides; or
(iii) Information that includes a persistent identifier (such as a
cookie identifier, an Internet Protocol (IP) address, a processor or
device serial number, or a unique device identifier) that can be used
to recognize the consumer over time and across different websites or
online services.
(f) Exclusions. Except as provided in paragraph (g) of this
section, the term consumer report does not include:
(1) Subject to section 624 of the FCRA, 15 U.S.C. 1681s-3, any:
(i) Report containing information solely as to transactions or
experiences between the consumer and the person making the report;
(ii) Communication of information described in paragraph (f)(1)(i)
of this section among persons related by common ownership or affiliated
by corporate control; or
(iii) Communication of information other than information described
in paragraph (f)(1)(i) of this section among persons related by common
ownership or affiliated by corporate control, if:
(A) It is clearly and conspicuously disclosed to the consumer that
the information may be communicated among such persons; and
(B) The consumer is given the opportunity, before the information
is initially communicated, to direct that the information not be
communicated among such persons;
(2) Any authorization or approval of a specific extension of credit
directly or indirectly by the issuer of a credit card or similar
device;
(3) In circumstances in which a third party has requested that a
person make a specific extension of credit directly or indirectly to a
consumer, any report in which such person conveys his or her decision
with respect to such request, if:
(i) The third party advises the consumer of the name and address of
the person to whom the request was made; and
(ii) Such person makes the disclosures to the consumer required
under section 615 of the FCRA, 15 U.S.C. 1681m; or
(4) A communication described in section 603(o) or (y) of the FCRA,
15 U.S.C. 1681a(o) or (y).
(g) Restriction on sharing of medical information. Except for
information or any communication of information disclosed as provided
in section 604(g)(3) of the FCRA, 15 U.S.C. 1681b(g)(3), the exclusions
in paragraph (f) of this section do not apply with respect to
information disclosed to any person related by common ownership or
affiliated by corporate control, if the information is:
(1) Medical information, as that term is defined in Sec.
1022.3(k);
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
Sec. 1022.5 Definition; consumer reporting agency.
(a) In general. For purposes of this part, unless explicitly stated
otherwise, the term consumer reporting agency means any person that:
(1) For monetary fees, dues, or on a cooperative nonprofit basis,
regularly engages in whole or in part in the practice of assembling or
evaluating consumer credit information or other information about
consumers for the purpose of furnishing consumer reports to third
parties; and
(2) Uses any means or facility of interstate commerce for the
purpose of preparing or furnishing consumer reports.
(b) Assembling or evaluating. (1) In general. For purposes of
paragraph (a)(1) of this section, a person assembles or evaluates
consumer credit information or other information about consumers if the
person:
(i) Collects, brings together, gathers, or retains such
information;
(ii) Appraises, assesses, makes a judgment regarding, determines or
fixes the value of, verifies, or validates such information; or
(iii) Contributes to or alters the content of such information.
(2) Examples. A person assembles or evaluates consumer credit
information or other information about consumers for purposes of
paragraph (a)(1) of this section if, for example, the person:
(i) Collects such information from a consumer's bank account and
assesses it, such as by grouping or categorizing it based on
transaction type;
(ii) Alters the content of information the person has received
about a consumer, such as by modifying the year date fields to all
reflect four, rather than two, digits to ensure consistency;
(iii) Determines the value of such information, such as when a
company that hosts an online database regarding consumers' criminal
histories arranges or orders search results in order of perceived
relevance to users, or provides scores, color coding, or other indicia
of weight or import to users;
(iv) Retains information about consumers, such as by retaining data
files containing consumers' payment histories in a database or
electronic file system; or
(v) Verifies or validates information the person has received about
a consumer, such as by checking whether a consumer's date of birth
received from a third-party data provider matches the consumer's date
of birth as listed in an external database or is properly formatted
regardless of whether the person takes any action to correct any errors
found.
5. Subpart B is added to read as follows:
Subpart B--Permissible Purposes of Consumer Reports
Sec.
1022.10 Permissible purposes of consumer reports; in general.
1022.11 Permissible purpose based on a consumer's written
instructions.
1022.12 Permissible purposes based on a consumer reporting agency's
reasonable belief about a person's intended use.
1022.13 Permissible purposes based on certain agency or other
official requests.
Subpart B--Permissible Purposes of Consumer Reports
Sec. 1022.10 Permissible purposes of consumer reports; in general.
(a) In general. Subject to section 604(c) of the FCRA, 15 U.S.C.
1681b(c), any consumer reporting agency may furnish a consumer report
under the circumstances described in Sec. Sec. 1022.11 through 1022.13
and no other.
(b) Furnish a consumer report. For purposes of paragraph (a) of
this section, a consumer reporting agency furnishes a consumer report
if the consumer reporting agency:
(1) Provides the consumer report to a person; or
(2) Facilitates a person's use of the consumer report for that
person's financial gain.
Sec. 1022.11 Permissible purpose based on a consumer's written
instructions.
(a) In general. A consumer reporting agency may furnish a consumer
report in accordance with the written instructions of the consumer to
whom the report relates.
(b) Conditions for permissible purpose based on consumer's written
instructions. A consumer reporting agency furnishes a consumer report
in accordance with the written instructions of the consumer only if the
conditions in this paragraph (b) are satisfied.
(1) Consumer disclosure and consent. (i) The consumer reporting
agency or the person to whom the consumer reporting agency will furnish
the consumer report:
[[Page 101460]]
(A) Provides the consumer, either in writing or electronically, a
disclosure that satisfies the requirements of paragraph (c) of this
section;
(B) Obtains the consumer's express, informed consent to the
furnishing of a consumer report in accordance with the limitation
described in paragraph (b)(2) of this section; and
(C) Obtains the consumer's signature, either in writing or
electronically, authorizing the consumer reporting agency to furnish
the consumer report.
(ii) The consumer has not revoked consent to such furnishing.
(2) Limitation on furnishing. The consumer reporting agency
furnishes the consumer report to a person only in connection with the
person's provision to the consumer of a specific product or service the
consumer has requested, or, if the consumer has not requested a product
or service, in connection with a specific use the consumer has
identified.
(3) Procurement, use, and retention. The person to whom the
consumer reporting agency furnishes the consumer report:
(i) Procures, uses, or retains the consumer report, or provides the
report to a third party, only as reasonably necessary to provide the
product or service the consumer has requested or, if the consumer has
not requested a product or service, for the specific use the consumer
has identified;
(ii) Procures the consumer report no more than one year after the
date on which the consumer consents to the furnishing of the report as
described in paragraph (b)(1)(i)(B) of this section; and
(iii) Provides the consumer report to a third party only if the
third party agrees by contract to comply with the limitations described
in this paragraph (b)(3).
(4) Revocation of consent. (i) The consumer reporting agency or the
person to whom the consumer reporting agency will furnish the consumer
report provides the consumer a method by which to revoke consent for
their report to be furnished that is as easy to access and operate as
the method by which the consumer provided consent for their report to
be furnished.
(ii) No person charges the consumer any costs or penalties to
revoke their consent.
(c) Disclosure format and content. The disclosure required by
paragraph (b)(1) of this section must be clear, conspicuous, and
segregated from other material and must include:
(1) The name of the person for whom the consumer is providing
consent to obtain their consumer report, which name must be readily
understandable to the consumer;
(2) The name of the consumer reporting agency that will furnish the
consumer report to the person identified in paragraph (c)(1) of this
section, which name must be readily understandable to the consumer;
(3) A brief description of the specific product or service that the
consumer is requesting from the person identified in paragraph (c)(1)
of this section and in connection with which that person will use the
consumer report, or, if the consumer is not requesting a product or
service, the specific use for which the report will be furnished;
(4) Statements notifying the consumer of the procurement, use, and
retention limitations described in paragraph (b)(3) of this section,
and a statement that the person identified in paragraph (c)(1) of this
section, and any third party to whom the consumer report is provided,
will comply, or will be required to comply, with those limitations; and
(5) A description of the method by which the consumer may revoke
consent for their consumer report to be furnished that is as easy to
access and operate as the method by which the consumer provided consent
for their report to be furnished, and a statement that the consumer
will not incur any costs or penalties to revoke their consent.
(d) Reasonably necessary; examples. For purposes of paragraph
(b)(3)(i) of this section, examples of uses of consumer reports that
are not part of, or reasonably necessary to provide, any other product
or service include:
(1) Targeted advertising;
(2) Cross-selling of other products or services; and
(3) The sale of information in the consumer report.
Sec. 1022.12 Permissible purposes based on a consumer reporting
agency's reasonable belief about a person's intended use.
(a) In general. A consumer reporting agency may furnish a consumer
report to a person that the consumer reporting agency has reason to
believe intends to use the information as follows:
(1) Credit transaction involving a consumer. In connection with a
credit transaction involving the consumer on whom the information is to
be furnished and involving the extension of credit to, or review or
collection of an account of, that consumer.
(2) Employment purposes. For employment purposes.
(3) Insurance underwriting. In connection with the underwriting of
insurance involving the consumer.
(4) Eligibility for governmental license or other benefit. In
connection with a determination of the consumer's eligibility for a
license or other benefit granted by a governmental instrumentality
required by law to consider an applicant's financial responsibility or
status.
(5) Assessment of an existing credit obligation. As a potential
investor or servicer, or current insurer, in connection with a
valuation of, or an assessment of the credit or prepayment risks
associated with, an existing credit obligation.
(b) Legitimate business need. (1) In general. In addition to
furnishing a consumer report to a person for any purpose described in
paragraph (a) of this section, a consumer reporting agency may furnish
a consumer report to a person that the consumer reporting agency has
reason to believe otherwise has a legitimate business need for the
information:
(i) In connection with a business transaction that is initiated by
the consumer; or
(ii) To review an account to determine whether the consumer
continues to meet the terms of the account.
(2) Initiated by the consumer. (i) In general. Paragraph (b)(1)(i)
of this section authorizes a consumer reporting agency to furnish a
consumer report to a person only if the consumer reporting agency has
reason to believe that the consumer has initiated a business
transaction.
(ii) Examples. (A) Business transactions initiated by a consumer. A
consumer initiates a business transaction for purposes of paragraph
(b)(1)(i) of this section if, for example, the consumer:
(1) Applies to rent an apartment;
(2) Applies to open a brokerage account or checking account; or
(3) Offers to pay for merchandise by personal check.
(B) Interactions that are not business transactions initiated by a
consumer. A consumer does not initiate a business transaction for
purposes of paragraph (b)(1)(i) of this section by, for example, asking
about the availability or pricing of products or services.
(3) Solicitation or marketing. (i) In general. Paragraphs (b)(1)(i)
and (ii) of this section do not authorize a consumer reporting agency
to furnish a consumer report to a person if the consumer reporting
agency has reason to believe the person is seeking information from the
report to solicit the consumer for a transaction the consumer did not
initiate or to otherwise market products or services to the consumer.
For requirements related to furnishing consumer reports in connection
with prescreened offers for credit or
[[Page 101461]]
insurance transactions that are not initiated by a consumer, see
section 604(c) of the FCRA, 15 U.S.C. 1681b(c).
(ii) Example; account review. Assume a consumer has a checking
account with a bank. Paragraph (b)(1)(ii) of this section authorizes a
consumer reporting agency to furnish a consumer report to the bank if
the consumer reporting agency has reason to believe the bank needs the
report to determine, as part of an account review, whether to modify
the terms of the consumer's existing checking account based on whether
there are credible and meaningful indicia that the consumer used the
account to defraud others. However, paragraph (b)(1)(ii) of this
section does not authorize the consumer reporting agency to furnish a
consumer report to the bank if the consumer reporting agency has reason
to believe the bank is seeking the information from the report to
market other products or services to the consumer.
Sec. 1022.13 Permissible purposes based on certain agency or other
official requests.
(a) In general. A consumer reporting agency may furnish a consumer
report as follows:
(1) Court order or subpoena. In response to:
(i) The order of a court having jurisdiction to issue such an
order;
(ii) A subpoena issued in connection with proceedings before a
Federal grand jury; or
(iii) A subpoena issued in accordance with 31 U.S.C. 5318 or 18
U.S.C. 3486.
(2) Request by child support enforcement agency. In response to a
request by the head of a State or local child support enforcement
agency (or a State or local government official authorized by the head
of such an agency), if the person making the request certifies to the
consumer reporting agency that:
(i) The consumer report is needed for the purpose of establishing
an individual's capacity to make child support payments, determining
the appropriate level of such payments, or enforcing a child support
order, award, agreement, or judgment;
(ii) The parentage of the consumer for the child to which the
obligation relates has been established or acknowledged by the consumer
in accordance with State laws under which the obligation arises (if
required by those laws); and
(iii) The consumer report will be kept confidential, will be used
solely for a purpose described in paragraph (a)(2)(i) of this section,
and will not be used in connection with any other civil,
administrative, or criminal proceeding, or for any other purpose.
(3) Request related to State plans for child support. To an agency
administering a State plan under 42 U.S.C. 654 for use to set an
initial or modified child support award.
(4) Request related to insured depository institutions or insured
credit unions. To the Federal Deposit Insurance Corporation or the
National Credit Union Administration:
(i) As part of its preparation for its appointment as, or as part
of its exercise of powers as, conservator, receiver, or liquidating
agent for an insured depository institution or insured credit union
under the Federal Deposit Insurance Act, 12 U.S.C. 1811 et seq., the
Federal Credit Union Act, 12 U.S.C. 1751 et seq., or other applicable
Federal or State law; or
(ii) In connection with the resolution or liquidation of a failed
or failing insured depository institution or insured credit union, as
applicable.
(5) Request related to government-sponsored, individually billed
travel charge cards. To executive departments and agencies in
connection with the issuance of government-sponsored, individually
billed travel charge cards.
(b) [Reserved]
Subpart C--Affiliate Marketing
6. In Sec. 1022.20, introductory text of paragraph (b) is republished
and paragraph (b)(3) is revised to read as follows:
Sec. 1022.20 Coverage and definitions.
* * * * *
(b) Definitions. For purposes of this subpart:
* * * * *
(3) Eligibility information. The term "eligibility information"
means any information the communication of which would be a consumer
report if the exclusions from the definition of consumer report in
Sec. 1022.4(f)(1) did not apply. Eligibility information does not
include aggregate or blind data that does not contain personal
identifiers such as account numbers, names, or addresses.
* * * * *
Subpart D--Medical Information
7. Section 1022.32 is amended by revising paragraphs (b) and (c) to
read as follows:
Sec. 1022.32 Sharing medical information with affiliates.
* * * * *
(b) In general. The exclusions from the term consumer report in
Sec. 1022.4(f) that allow the sharing of information with affiliates
do not apply to a person described in paragraph (a) of this section if
that person communicates to an affiliate:
(1) Medical information;
(2) An individualized list or description based on the payment
transactions of the consumer for medical products or services; or
(3) An aggregate list of identified consumers based on payment
transactions for medical products or services.
(c) Exceptions. A person described in paragraph (a) of this section
may rely on the exclusions from the term consumer report in Sec.
1022.4(f) to communicate the information in paragraph (b) of this
section to an affiliate:
(1) In connection with the business of insurance or annuities
(including the activities described in section 18B of the model Privacy
of Consumer Financial and Health Information Regulation issued by the
National Association of Insurance Commissioners, as in effect on
January 1, 2003);
(2) For any purpose permitted without authorization under the
regulations promulgated by the Department of Health and Human Services
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA);
(3) For any purpose referred to in section 1179 of HIPAA;
(4) For any purpose described in section 502(e) of the Gramm-Leach-
Bliley Act;
(5) In connection with a determination of the consumer's
eligibility, or continued eligibility, for credit consistent with Sec.
1022.30; or
(6) As otherwise permitted by order of the Bureau.
Subpart E--Duties of Furnishers of Information
8. In Sec. 1022.41, introductory text is republished and paragraph (c)
is revised to read as follows:
Sec. 1022.41 Definitions.
For purposes of this subpart and appendix E of this part, the
following definitions apply:
* * * * *
(c) Furnisher means an entity that furnishes information relating
to consumers to one or more consumer reporting agencies for inclusion
in a consumer report. An entity is not a furnisher when it:
(1) Provides information to a consumer reporting agency solely to
obtain a consumer report in accordance with Sec. Sec. 1022.10 through
1022.13 and section 604(f) of the FCRA;
(2) Is acting as a consumer reporting agency as defined in Sec.
1022.5;
(3) Is a consumer to whom the furnished information pertains; or
[[Page 101462]]
(4) Is a neighbor, friend, or associate of the consumer, or another
individual with whom the consumer is acquainted or who may have
knowledge about the consumer, and who provides information about the
consumer's character, general reputation, personal characteristics, or
mode of living in response to a specific request from a consumer
reporting agency.
* * * * *
Subpart H--Duties of Users Regarding Risk-Based Pricing
9. Section 1022.71 is amended by revising paragraphs (f) and (g) to
read as follows:
Sec. 1022.71 Definitions.
* * * * *
(f) Consumer report has the same meaning as in Sec. 1022.4.
(g) Consumer reporting agency has the same meaning as in Sec.
1022.5.
* * * * *
Subpart N--Duties of Consumer Reporting Agencies Regarding
Disclosures to Consumers
10. In Sec. 1022.130, introductory text is republished and paragraphs
(c) and (d) are revised to read as follows:
Sec. 1022.130 Definitions.
For purposes of this subpart, the following definitions apply:
* * * * *
(c) Consumer report has the meaning provided in Sec. 1022.4.
(d) Consumer reporting agency has the meaning provided in Sec.
1022.5.
* * * * *
Subpart O--Miscellaneous Duties of Consumer Reporting Agencies
11. Section 1022.142 is amended by revising paragraphs (a) and (b)(2)
and (3) to read as follows:
Sec. 1022.142 Prohibition on inclusion of adverse information in
consumer reporting in cases of human trafficking.
(a) Scope. This section applies to any consumer reporting agency as
defined in Sec. 1022.5.
(b) * * *
(2) Consumer report has the meaning provided in Sec. 1022.4.
(3) Consumer reporting agency has the meaning provided in Sec.
1022.5.
* * * * *
Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2024-28690 Filed 12-12-24; 8:45 am]
BILLING CODE 4810-AM-P