CFPB Releases Long-Awaited Proposed Amendments to Regulation V to Regulate Data Brokers

On December 3, 2024, the Consumer Financial Protection Bureau (“CFPB” or the “Bureau”) issued a proposed rule (the “Proposed Rule”) to amend Regulation V, which implements the Fair Credit Reporting Act (FCRA). The Proposed Rule continues CFPB efforts to expand and modernize federal requirements related to the flow of consumer information. It would bring companies operating as data brokers and information intermediaries under the FCRA’s regulatory umbrella—and, thereafter, further constrain parties’ acquisition and use of information—in an effort to address, in the Bureau’s framing, concerns about access to information by “financial scammers, thieves, and spies,” among other unscrupulous actors. It does so by expanding regulatory definitions key to scoping FCRA requirements, including “consumer reporting agency” (CRA) and “consumer report,” as well as imposing new limitations on the “permissible purpose(s)” for which users may obtain consumer reports.

The Proposed Rule follows the Small Business Regulatory Enforcement Fairness Act report issued on December 15, 2023, (the “SBREFA Report”) under procedures required for assessing the potential impact of material new regulations on small businesses. The SBREFA Report addressed the topics covered by the Proposed Rule, limitations on consumer reporting of medical debt information (which have been pursued in a separate proposed FCRA rulemaking), and certain additional proposals related to subjects such as FCRA dispute resolution and consumer privacy that have yet to be subject to further Bureau action.

Below is a high-level summary of the Proposed Rule along with a discussion of certain industries impacted by the Proposed Rule and potential hurdles to finalizing the Proposed Rule. It remains to be seen whether any of the proposals will be finalized by the incoming Trump Administration or, if any are, whether they would survive challenges likely to be brought by industry participants regarding whether the CFPB’s interpretations conform to the FCRA’s statutory requirements.

The Proposed Rule

Among other changes, the Proposed Rule would amend Regulation V by:

• Adopting a definition of “assembling or evaluating” consumer information for the purpose of clarifying the scope of CRA requirements. TheFCRA’s statutory provisions define CRAs to include certain entities engaged in “assembling or evaluating consumer credit information.” The Proposed Rule would clarify—and potentially expand—the scope of the CRA definition by defining “assembling or evaluating” broadly to include any of: (i) collecting, bringing together, gathering, or retaining consumer information; (ii) appraising, accessing, making a judgment regarding, determining or fixing the value of, verifying, or validating that information; or (iii) contributing to or altering that information. The breadth of the new definition could cause tension with the roles of various data intermediaries—including those contemplated by the CFPB’s own rule on consumer data access (the 1033 Rule)—who currently consider themselves to be nothing more than pipes facilitating the transfer of consumer data rather than conducting the more active role of CRAs under current guidance and market standards.
• Expanding the definition of a “consumer report” to capture more typical data broker activities. Under the Proposed Rule, a “consumer report” would include communications by a CRA regarding information about a consumer if the information is used for an FCRA-covered purpose, regardless of whether there is evidence that the CRA knew or expected that the information would be used for that purpose. In addition, an expectation of FCRA-regulated use would be defined to exist if a party sells information regarding a consumer’s income or financial tier, credit history, credit score, or debt payments, regardless of whether the recipient actually uses the information for an FCRA-regulated purpose. This broad definition would require many data brokers to comply with various FCRA requirements, such as ensuring the accuracy of information, providing consumers with access to their information, and maintaining safeguards against misuse.

The expansion of the CRA definition to include mere use without expectation arguably would narrow historic guidance and enforcement that has provided partial shelter to data providers taking reasonable steps to prevent a counterparty’s unanticipated use or misuse of data in an FCRA-regulated manner. In addition, the presumptive use of certain specified information for FCRA-regulated purposes arguably expands on the FCRA’s statutory definitions.

• Limiting the use of personal identifiers in consumer report headers. Personal identifiers—also known as “credit header” data—include information about a consumer that typically appears at the top of a consumer report (e.g., name, age, date of birth, address, telephone number, email address, or Social Security number). Under the Proposed Rule, when CRAs collect personal identifiers for credit reports, any subsequent sale of that information would be covered by the FCRA's protections. This would mean that CRAs could only sell personal identifiers if the user had a permissible purpose under the FCRA.
• Restricting the flow of deidentified/anonymized data. The Proposed Rule offers three alternative framings addressing when deidentified consumer information nevertheless remains subject to FCRA requirements. These range from ignoring the deidentification completely to ignoring deidentification in situations in which the information remains reasonably linkable to a consumer, is used to inform a business decision regarding a consumer, or is coupled with separate communication that identifies the consumer.
• Imposing further restrictions on the “permissible purpose(s)” for which consumer reports may be obtained. CRAs may furnish consumer reports only to those parties that have a “permissible purpose.” One permissible purpose exists when a prospective user has a “legitimate business need” for the information in connection with a consumer-initiated transaction. The Proposed Rule emphasizes that marketing is not a "legitimate business need" and, accordingly, does not result in a permissible purpose under the FCRA. A permissible purpose also exists when a prospective user seeks a consumer report pursuant to that consumer’s written instructions. The Proposed Rule would require that the written instructions be an explicit, separate authorization from the consumer meeting certain procedural and content requirements addressing how the consumer report will be used and the consumer’s right to revoke their consent.

According to the Bureau, the Proposed Rule is designed to address risks associated with current data broker practices, including (i) national security and surveillance risks from countries of concern that could enable espionage, surveillance, or blackmail; (ii) criminal exploitation from identity thieves and scammers who may seek to purchase detailed financial profiles to target vulnerable consumers; and (iii) violence, stalking, and personal safety threats to law enforcement workers and domestic violence survivors.

Impacted Industries

If the Proposed Rule is finalized as proposed, it would directly impact a variety of entities.

• Data brokers who sell consumer information, but do not treat themselves as CRAs under current law, may be required to modify their business practices and/or implement the significant regulatory requirements imposed on CRAs. In the current market, non-CRA data brokers serve a variety of roles, including being sources for information for marketing campaigns (but not eligibility determinations), fraud prevention, and similar activities by creditors and other businesses. The robustness of this data broker marketplace may be compromised by the Proposed Rule. Part of that appears to be intentional, a CFPB effort to bring data brokers—including some that may already be functioning as CRAs notwithstanding positioning to the contrary—more thoroughly within the scope of the FCRA. But the chance for unforeseen consequences seems reasonably high given the broad definition expansions proposed.
• CRAs who sell credit header data or anonymized or aggregated data under non-FCRA services may have to reconcile their specific services with the Proposed Rule. Some of these sales may still be possible, though the Proposed Rule seems likely to have a limiting effect.
• Users of consumer information not currently covered by the FCRA for purposes such as marketing, model training, or fraud prevention may find sources of information to be limited, more expensive, or burdensome to engage with.

Hurdles to Finalizing the Proposed Rule

Given a 2020 Supreme Court decision concluding that the CFPB director must be removable at will by the president, President Trump almost certainly will seek to replace Director Chopra. Any new director likely will have different priorities that the current director, and it is unclear whether a new director will work to finalize the Proposed Rule in whole or part. Even if the rule were finalized as proposed, we expect litigation challenging the Proposed Rule as an incorrect or overly broad interpretation of the FCRA. These claims may be bolstered by the Supreme Court’s decision overruling Chevron deference. Plaintiffs may also advance typical procedural claims under the Administrative Procedure Act to challenge the Proposed Rule. Regardless of whether the Proposed Rule is ever finalized, it might be used as a blueprint for state legislation.

Conclusion

Although the fate of the Proposed Rule is unclear, its release is consistent with the Bureau’s recent focus on the FCRA and Regulation V in enforcement and supervision. In April 2024, the Bureau released a special edition of its Supervisory Highlights dedicated to consumer reporting and addressing requirements for CRAs and furnishers. In addition, the Bureau has issued many consent orders and filed complaints that include credit reporting-related findings or claims in the past few years on topics such as furnishing data and resolving disputes.

Comments on the Proposed Rule are due by March 3, 2025.