CFPB Previews Proposals that Could Fundamentally Shift Data Broker Business

In connection with its convening of a panel of small businesses to provide input on potential regulatory actions, the CFPB released an outline of its proposals to use its rulemaking authority under the Fair Credit Reporting Act (FCRA) to cover data brokers and prohibit the use of medical debt collection data in making credit decisions. While the outline does not include any specific language, it evidences the Bureau’s desire to fundamentally alter the data broker business model by expanding the definition of “consumer reporting agency” (CRA) to cover more data brokers, and limiting their ability to share consumer information without a permissible purpose. The CFPB also seeks to prevent CRAs from providing credit header data to third parties for purposes beyond the scope of the FCRA. In effect, the Bureau intends to significantly curtail the sale of certain personal data for marketing purposes.

This is just the latest development showing an increased, nationwide focus on the practices of data brokers, which we have detailed in this blog, and which recently led to a strict new data broker regulation in the state of California. Depending on how the CFPB’s proposals play out, they could transform how data brokers are regulated in this country.

Background on the FCRA

The FCRA covers “consumer reports” and imposes restrictions on CRAs that create and sell these reports, furnishers that provide data to CRAs, and users that consider consumer reports when making eligibility determinations about consumers. The famously circular statute (“famous” being an admittedly relative term when discussing a federal statute) defines a consumer report to be the communication of any information by a CRA bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other permissible purpose authorized under FCRA section 604.

Meanwhile, CRA is defined as any person that regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.

At the risk of oversimplifying things, in general, CRAs are those entities that assemble information about consumers for the purpose of providing reports to third parties for use in making determinations about consumers’ eligibility for credit, employment, or housing. Data brokers, on the other hand, are entities that collect information about consumers to be provided to third parties for non-FCRA purposes such as fraud prevention and marketing. Sometimes enforcers have alleged that companies purporting to be data brokers were, in fact, CRAs because they were selling consumers’ information to third parties such as background screeners and employers (see, e.g., the FTC’s cases against Spokeo and TruthFinder). More often, though, data brokers sell consumer information for marketing purposes without triggering the FCRA. There has been widespread concern that these data brokers can amass incredibly sensitive information about consumers without their knowledge, and that consumers have no control over how the data is shared.

The CFPB’s Proposal

The CFPB’s proposal would classify any report that includes data such as payment history, income, or criminal records as a consumer report. That would mean that any data broker selling this information would be a CRA and would only be able to share it for a permissible purpose – that is, for use in eligibility determinations. [The outline does not include a proposed definition of “sell” but, depending on how it is defined, the scope of the provision’s reach could be quite expansive.] So, for example, a data broker could no longer provide information about a consumer that includes her individual or household income (more on this later) to a retailer for marketing purposes. Data brokers could no longer sell criminal records to individuals that want to vet their dates.

The CFPB is also considering whether it should define “assembling and evaluating” to cover intermediaries or vendors that facilitate the transfer of consumer report information. Traditionally, companies that were mere conduits of information have not been considered to be assembling and evaluating information — and, hence, were not viewed as CRAs (see FTC’s 40 Years Report at 29). It is unclear if the Bureau intends to include “dumb pipes” in its definition of CRA, or just those vendors that clean or organize data before providing it to their clients.

While CRAs are prohibited from providing consumer reports without a permissible purpose, there has been a longstanding exception for the provision of credit header information. In particular, reports limited to identifying information such as name, address, previous address, SSN, and phone number have been considered exempt from the definition of consumer report if they do not bear on one of the seven factors and are not used to make an eligibility determination (see 40 Years Report at 21). Relying on this exemption, CRAs have provided credit header data to purchasers for use in marketing and fraud detection purposes. The CFPB’s proposal would consider credit header data to be a consumer report and would eliminate a CRA’s ability to provide this information for fraud prevention or marketing.

The outline also includes discussion of the following topics:

Target Marketing

The Bureau is considering clarifying that CRAs cannot use any consumer report information for targeted marketing. The CFPB is concerned that CRAs may be using consumer report data to help customers target marketing, in violation of the FCRA. Per the Bureau, these CRAs may incorrectly believe that this use of data is outside the scope of the FCRA if they do not furnish the information directly to clients, but rather provide the marketing to the consumers themselves.

Aggregated and Household Data

Significantly, the CFPB is also contemplating whether aggregated and household level data should be considered a consumer report. This would be a major change. A prohibition on the use of aggregated and household level data, such as the average income in a geographic area, for marketing purposes would reverberate across the marketplace.

Consumer Consent

Consumers can permit CRAs to share their consumer reports by providing written consent. The CFPB’s outline notes that it is considering placing limitations on how (and by whom) the consent may be collected, as well as on the scope of the consent, presumably to ensure that the consent is informed and meaningful. It is also mulling mechanisms through which consent may be revoked.

Legitimate Business Need

Another aspect of a potential proposal would be to limit the scope of the permissible purpose allowing a user to obtain a consumer report when it has a legitimate business need in connection with a business transaction initiated by the consumer. The CFPB may specify that this permissible business purpose must be for a personal, family, or household purpose. A legitimate business purpose related to account review would require that the consumer report be necessary to make a determination about a consumer’s continued eligibility for the account.

Data Security

Regulators have long made clear that they see the privacy provisions of the FCRA (limiting the use of consumer reports to certain permissible purposes) as requiring CRAs to take reasonable measures to protect those reports (see, e.g., the FTC’s case against SettlementOne and the statement of Commissioners Brill, Leibowitz, Rosch, and Ramirez). The Bureau’s outline notes that its proposal may address CRAs’ data security obligations under the FCRA. In addition, the CFPB is considering whether it should hold CRAs strictly liable for data breaches by considering the unauthorized release of any consumer report to be a violation of Section 604, which prohibits furnishing a consumer report to anyone without a permissible purpose.


Under the FCRA, consumers have the ability to dispute inaccurate information contained in their consumer reports with the CRA or directly with the furnisher of the information. Some private litigation has focused on whether CRAs and furnishers have a duty to investigate so-called legal disputes. The CFPB’s proposal would make clear that the FCRA requires investigation of both legal and factual disputes. Simply put, a legal dispute is a dispute that hinges on an interpretation of a law. The Bureau’s outline uses the example of a state foreclosure law. If a consumer disputes the accuracy of a report that lists him as having mortgage debt, the CFPB would require that the CRA investigate whether the state’s anti-deficiency statute required the debt to be extinguished.

In addition, the CFPB says it wants to tackle what it considers to be systemic issues that affect the completeness and accuracy of consumer reports – for example, outdated software or deficiencies in a furnisher’s policies and procedures to assure data accuracy. The outline notes that the CFPB is thinking about ways that CRAs and furnishers could be notified of potential systemic issues, which they would have to investigate and, if necessary, address. Among the CFPB’s proposals for consideration are requiring a mechanism where consumers could report suspected systemic issues. It is also considering whether consumers should be notified of any systemic issues that affected their reports, even if the issue was identified in response to a complaint from another consumer. This could potentially result in consumers receiving notices about issues at CRAs that may have affected their reports, but did not have a negative impact on them because the inaccurate reports were not shared.

Medical Debt Collection Information

Finally, the CFPB is considering revising Reg V which, among other things, covers medical debt collection information. The potential revisions would prohibit creditors from using this information to make credit eligibility determinations, and prohibit CRAs from including this information on consumer reports for credit eligibility. Medical debt collection information has long been a source of concern for consumers, legislators, and regulators, since it can prevent consumers from obtaining credit following a medical emergency or be used to coerce consumers into paying spurious or false unpaid medical bills. In addition, the CFPB believes there is compelling evidence that this information does not have predictive value for credit decisions. The Big 3 CRAs ceased reporting paid medical collection debt, medical collection debt under $500, and any medical collection debt that is less than one year past due. The Bureau’s proposal would further limit the ability of medical debt collection tradelines to affect a consumer’s ability to obtain credit.

Next Steps

The CFPB is accepting comments on this outline until October 30, 2023 and is especially interested in feedback from small businesses that would be affected by the rule. Once the Bureau completes this process, which is required under the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), it can issue a more formal rulemaking proposal which will be put out for public comment. It seems unlikely that any proposal would be announced before 2024. However, the CFPB is clear that it envisions a sea change in the scope of the FCRA, and businesses should be ready to provide input and comment.