On July 7, 2022, the CFPB issued a legal interpretation to ensure that companies that use and share credit reports and background reports have a permissible purpose under the Fair Credit Reporting Act. The advisory opinion clarifies that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy.

The FCRA ensures fair and accurate reporting, and it requires users who buy consumer’s personal data to have a legally permissible purpose. With the CFPB’s advisory opinion, the FCRA's permissible purpose provisions will be enforced against companies or individuals who violate them. In particular, the advisory opinion makes clear:

• Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights;

• It is unlawful to provide credit reports of multiple people as “possible matches”;

• Disclaimers about insufficient matching procedures do not cure permissible purpose violations; and

• Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.

In addition, the advisory opinion outlines some of the criminal liability provisions in the FCRA. Criminal liability, such as penalties and imprisonment, can be imposed on covered entities if they obtain a background report on an individual under false pretenses or provide the report to an unauthorized party.

Read the CFPB’s full press release here.

The CFPB’s advisory opinion can be found here.