“Permissible purposes” are required when credit reporting companies – and users of credit reports – share credit and background reports, the federal consumer financial protection agency clarified Thursday in an advisory opinion.
According to the Consumer Financial Protection Bureau (CFPB), the legal interpretation is intended to ensure companies that share the credit reports and background reports have a permissible purpose under the Fair Credit Reporting Act (FCRA).
“The CFPB’s new advisory opinion makes clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy,” the bureau said in a release. “The advisory also reminds covered entities of potential criminal liability for certain misconduct.”
The agency said the advisory opinion will “help to hold responsible” any company, or user, of credit reports that violates the permissible purpose provisions of the Fair Credit Reporting Act. Specifically, the agency said the opinion clarifies:
- Insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights.
- It is unlawful to provide credit reports of multiple people as “possible matches.”
- Disclaimers about insufficient matching procedures do not cure permissible purpose violations.
- Users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.
The opinion also notes that under criminal liability provisions FCRA, covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual. “For example, Section 620 of the Fair Credit Reporting Act imposes criminal liability on any officer or employee of a consumer reporting agency who knowingly and willfully provides information concerning an individual from the agency’s files to an unauthorized person,” it said. The agency noted that violators can face criminal penalties and imprisonment.