The Consumer Financial Protection Bureau issued a legal interpretation on July 7 advising that credit reporting companies and users of credit reports “have specific obligations to protect the public’s data privacy,” and could be held criminally liable for not meeting those obligations.
According to the advisory, such violations often occur when companies use insufficient matching procedures, including providing credit reports of multiple people listed as “possible matches.” Credit reporting companies cannot provide reports on multiple people when the requester only has “a permissible purpose” to receive a report on only one person.
Officers or employees of consumer reporting companies face criminal liabilities if they “knowingly and willfully provide information concerning an individual from the agency’s files to an unauthorized person,” the CFPB said.
“This ensures that companies cannot check an individual’s personal information, including their credit history, without a bona fide reason,” the CFPB said. “Some common permissible purposes include using consumer reports for credit, insurance, housing, or employment decisions. For example, a bank may request a credit report in order to determine the terms on which it will offer someone a line of credit.”
“Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data,” said CFPB Director Rohit Chopra. “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”