- with readers working within the Property industries
- within Compliance topic(s)
This article was originally published by Law360 and is available here and as a PDF here.
Companies that share or sell personal data, use personal data from other companies, or furnish consumer financial information should pay close attention to the Fair Credit Reporting Act as a renewed enforcement priority for the current administration.
While the FCRA is an older privacy statute, regulators in the current administration have pointed to renewed enforcement. The statute itself is complex, and its application to today's consumer data flows can be complicated.
The FCRA remains top of mind for both federal and state enforcers. In remarks at the National Advertising Division Annual Conference on Sept. 17, Federal Trade Commission Bureau of Consumer Protection Director Christopher Mufarrige stated that the agency will "enforce specific laws such as" the FCRA.
That echoes recent remarks from Commissioner Melissa Holyoak earlier this year, calling for the FTC to "focus on robustly enforcing" the FCRA.
And while the Consumer Financial Protection Bureau recently withdrew a proposed rule to expand the scope of the FCRA, an internal memo earlier this year listed FCRA data furnishing as a priority enforcement area.
Both the FTC and CFPB have emphasized that they will target actions that result in demonstrable harm to consumers.
Notably, the FCRA is enforced by the FTC and federal financial regulators, including the CFPB, federal banking agencies and the National Credit Union Administration, as well as state attorneys general and private plaintiffs in certain circumstances.
It applies to traditional credit reporting agencies and furnishers of information to those agencies, but also can extend to data brokers and other providers and users of personal data when used for certain purposes.
Sharing or receiving consumer data to make decisions? The FCRA may apply.
The FCRA's coverage extends well beyond large, nationwide credit bureaus to reach other kinds of companies that are covered as consumer reporting agencies, or CRAs,1 and data that may be covered as consumer reports.2
In particular, companies that are selling and sharing personal data must pay close attention to the expected downstream uses of that data.
The FCRA generally applies to information "bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living."3
When that data is sold to third parties, the data can become a consumer report under the FCRA if it is used or should be expected to be used "as a factor in establishing the consumer's eligibility" for credit, insurance, employment4 or business transactions "initiated by the consumer."5
Even if the data is obtained from a company that is not holding itself out as a CRA, the data recipient can be subject to FCRA requirements if the data is found to be effectively a consumer report.
Last year, the CFPB initiated a rulemaking to attempt to expand coverage of the FCRA to certain data brokers.6
The CFPB's proposed rule arguably would have made every sale of information about a consumer's credit history, credit score, debt payments or income tier a consumer report that triggers FCRA coverage — even if the information was sold for noncredit uses, including in targeted advertising or training AI models.
Although the CFPB later withdrew that rulemaking, the arguments supporting it point to greater scrutiny of financial-related information sold and shared, even for noncredit reasons.
Even under existing FCRA guidance, sellers of personal data must consider the expected use of that data to determine whether the FCRA might apply. In addition to covering credit-related eligibility decisions, the FCRA applies when determining eligibility for insurance and employment.
It also applies where the recipient has a "legitimate business need" for the information in connection with a "transaction that is initiated by the consumer" — a category that is not always clear.7 For example, the FTC considers background reports used to determine eligibility for rental housing to be consumer reports under the FCRA.
The FTC also has previously brought enforcement actions against data brokers and background report companies. One example is the FTC's 2023 case against Instant Checkmate in the U.S. District Court for the Southern District of California, alleging that the defendants violated the FCRA by providing consumer reports to people who did not have a permissible purpose to obtain them, among other violations.
And the FTC issued similar guidance in its 2016 Big Data report, reinforcing that FCRA applicability may extend beyond traditional actors.8
The FCRA imposes significant compliance obligations on CRAs, data purchasers and furnishers.
Companies covered as CRAs under the FCRA have numerous compliance duties. Among others, they must "follow reasonable procedures to assure maximum possible accuracy of the information."9
They must also undertake a "reasonable investigation" when consumers dispute the accuracy or completeness of information in their files.10
What constitutes a "reasonable" investigation has been the subject of significant private litigation, and courts, including the U.S. Court of Appeals for the Second Circuit in Suluki v. Credit One Bank in May, have held that it is a "context-dependent inquiry" that is "generally a question for a finder of fact."11
CRAs also have a duty to provide consumer reports only to parties with a permissible purpose as defined by the statute.
Companies purchasing or using consumer reports also have compliance requirements. For example, they must have a statutorily authorized "permissible purpose" to obtain consumer reports.12
Additionally, when a company takes "adverse action" against a consumer (such as denying credit or declining to offer a service) based on information in its consumer report, it must provide the consumer with a notice describing that adverse action, the reason for the adverse action and the consumer's rights under the FCRA.13
Furnishers of information to CRAs also have obligations under the FCRA and its regulations. A furnisher is any "entity that furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report."14
Companies that meet this definition have certain obligations under the FCRA, including furnishing information that is accurate15 and "reasonably investigating"16 consumer disputes about the accuracy of information they furnish.
For example, a March U.S. Court of Appeals for the Fourth Circuit opinion in Roberts v. Carter-Young Inc. acknowledged it was creating a circuit split about whether furnishers of information must investigate both legal disputes to the validity of the debt and factual inaccuracies.17
Enforcement and litigation risks are concerns, but can be addressed by effective compliance steps.
For companies subject to the FCRA, regulatory and litigation risk is now more acute in several core areas, which companies can take practical steps to address.
Permissible Purpose
Companies that obtain and use consumer reports without a permissible purpose under the FCRA face enforcement and litigation risks. Companies should implement processes to understand whether they are obtaining data that qualifies as a consumer report, and if so, that it is used only for purposes allowed under the FCRA.
Data Accuracy
Inaccurate or outdated information remains a common ground for FCRA claims, where the government or plaintiffs allege harm based on credit denials, employment rejections or similar theories.
CRAs and furnishers should implement policies and procedures to comply with the FCRA and related regulatory accuracy requirements.
Dispute Resolution and Investigations
Furnishers and CRAs face risk if they do not investigate consumer disputes reasonably or in a timely manner, and should implement processes to promptly address and resolve disputes.
Finally, given regulators' emphasis on tangible consumer harm and the related litigation risks, companies should pay close attention to consumer complaints related to the above areas.
Consumer complaints often drive regulatory and litigation risk, and prompt responses can help mitigate that risk. Quick remediation can also mitigate the risk of large class actions regarding certain company practices that could potentially affect a wide range of consumers.
While federal consumer enforcement priorities may be in flux, the FCRA remains a priority and a key compliance issue for companies dealing with consumer data.
Footnotes
1. 15 U.S.C. § 1681a(f).
2. 15 U.S.C. § 1681a(d).
3. 15 U.S.C. § 1681a(d).
4. 15 U.S.C. § 1681a(d)(1)(A)-(B).
5. 15 U.S.C. § 1681a(d)(1)(C); 15 U.S.C. § 1681b(a)(3)(F)(i).
6. https://www.wiley.law/alert-CFPB-Proposes-to-Expand-Reach-of-Fair-Credit-ReportingAct-to-Data-Brokers-and-Beyond.
7. 15 U.S.C. § 1681b(a)(3)(F).
8. https://www.ftc.gov/reports/big-data-tool-inclusion-or-exclusion-understanding-issuesftc-report.
9. 15 U.S.C. § 1681e(b).
10. 15 U.S.C. § 1681i(a)(1)(A).
11. Suluki v. Credit One Bank, NA, 138 F.4th 709, 720 (2d Cir. 2025).
12. 15 U.S.C. § 1681b.
13. 15 U.S.C. § 1681m.
14. 12 CFR § 1022.41(c).
15. 12 CFR § 1022.42(a); 15 U.S.C. § 1681s-2.
16. Courts have routinely held that the requirement under 15 U.S.C. § 1681s-2(b) that furnishers conduct an investigation means it "must be a reasonable one." Maiteki v. Marten Transp., 828 F.3d 1272, 1275 (10th Cir.2016).
17. Roberts v. Carter-Young, Inc., 131 F.4th 241, 252 (4th Cir. 2025)
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
