In this episode, Troutman Pepper Partners Chris Willis, Dave Gettings, Kim Phan, Ethan Ostroff, and Ron Raether discuss the potential implications of regulating data brokers under the FCRA, and how this might affect data brokers as well as other types of entities, including users, consumer reporting agencies, and resellers.
Join us for the third episode in a special three-part series covering the CFPB's intention to propose new rules under the Fair Credit Reporting Act (FCRA). In this episode, Troutman Pepper Partners Chris Willis, Dave Gettings, Kim Phan, Ethan Ostroff, and Ron Raether discuss the potential implications of regulating data brokers under the FCRA, and how this might affect data brokers as well as other types of entities, including users, consumer reporting agencies, and resellers.
CFPB’s Rulemaking Under the FCRA – Part 3
Hosts: Dave Gettings and Chris Willis
Guests: Ethan Ostroff, Kim Phan, Ron Raether
Hey, everybody, and welcome to another edition of FCRA Focus, the podcast that focuses on all things FCRA and credit reporting. I'm your host, Dave Gettings, and today we are continuing our crossover episodes with Chris Willis and The Consumer Finance Podcast. We're at the end of a three-part series discussing the CFPB'S forthcoming efforts to regulate credit header data and data brokers.
The first two episodes focused on the CFPB'S process and the details regarding credit header data and today we're going to focus on data brokers, the last element of the feature. With us today is a great panel, people that were on the panel for the last two episodes as well. We've got Chris Willis. We've got Ron Raether, Kim Phan, and Ethan Ostroff. Before we get started on the substance, I'd like to turn it over to each of them to do a brief intro just in case this is the listener's first listen in the feature.
Dave, thanks very much and thanks for co-hosting this with us. We're really happy to have the opportunity to co-publish this very important series on the CFPB's Fair Credit Reporting Act rulemaking. As Dave said, I'm Chris Willis, I'm the host of The Consumer Finance Podcast and I'm the co-leader of our firm's Consumer Financial Services Regulatory Practice. So, Dave, thanks for doing this with me and let me turn it over to Kim.
Thank you very much, Chris. It is my pleasure to be here. I'm a partner in the firm's not only Consumer Financial Services group, but also our Privacy and Cyber group. Excited to be here to talk about the FCRA, which is the perfect intersection of privacy and consumer finance. Ron?
It's great to be here with everyone. This is Ron Raether. Crossover is probably a great term, Kim, with respect to our Privacy and Cyber group and the issues that we're going to talk about today. And importantly, the CFPB's attempts to extend their power and authority into more traditional privacy related areas that fall outside of the FCRA. So, I'm excited to talk about this topic and thanks for having us on this podcast.
Hey, this is Ethan Ostroff. Happy to be back again. I'm a partner as well and I focus on litigation and compliance, particularly in the FCRA space for furnishers, users and specialty consumer reporting agencies.
Thanks everybody. Appreciate you being here. Appreciate the intros. So, let's start with some basic questions or just some basic framework. The FCRA regulates consumer reporting agencies that prepare consumer reports. What are everyone's thoughts on whether data brokers cleanly fit in the definition of consumer reporting agency and what they do cleanly fits in the definition of consumer report?
I'm happy to take that one, Dave. I've spent most of my career helping companies navigate the lines of when the Fair Credit Reporting Act applies. So, a lot of companies that have worked in the data space, looking at the definitions of the FCRA and defining their businesses and building them in a way to make sure they don't fall within the FCRA.
The FCRA is a unique privacy statute in the sense that it doesn't regulate based on the classification of the data. In other words, an SSN, driver's license number. Other than the bear on consideration it's agnostic as to the type of data and it also doesn't regulate based on who's creating the data or who's collecting the data, instead it depends on how the data is being used. And I think what's important here is CFPB rulemaking in their attempt to try to extend their authority under the FCRA to traditional data brokers, they've ignored an important line that the FCRA places in terms of when a company acts as a consumer reporting agency. And that is that the information has to be used to determine eligibility for one of the FCRA's permissible purposes.
So, for example, if I'm getting data and I'm using it to determine a consumer's eligibility for employment, then I'm a consumer reporting agency. However, if I'm getting that same data from the same source and I'm making it available to companies, for example, skip tracing or fraud prevention identity verification, that is not to determine someone's eligibility for credit, insurance, or housing. And that use should not fall within the FCRA's definition of consumer report or consumer reporting agency.
Thanks, Ron. So, one follow-up question on that. You talked about eligibility. We often talk about conduits and companies that do not necessarily assemble and evaluate data, but just are simply a conduit for public records or for unadulterated data. Does that conduit theory play in at all in terms of whether or not data brokers could qualify as a consumer reporting agency even if the information might eventually downstream be used for an eligibility determination?
There's a couple of components to that, Dave. So, the first is do they assemble or evaluate? We've litigated this issue successfully. There are companies that pull raw data from publicly available data sources. So, without any modification or changes to that data other than maybe normal standardization for example, and the address, instead of having variations in drive, for example D-R or D-R-I-V-E, you can standardize to just one value, D-R. In those instances you're not assembling or evaluating. I think that clearly brings those companies outside of the definition of consumer report and consumer reporting agency.
I think likewise, even in other instances where arguably there could be some evaluation, there are opportunities and designs in terms of architecture and data flow by which that company can still provide information to both consumer reporting agencies and non-consumer reporting agencies because it's that intent to make that information available for eligibility purposes that transitions data into the definition of consumer report and that intent that's really in the eye or in the action of the ultimate CRA. So, if that data company is making its information available to multiple sources, they are not acting as a CRA, even if they ultimately sell that information to a consumer reporting agency.
So, we know from Ron's answer that it feels like this idea of looping in data brokers into coverage under the Fair Credit Reporting Act seems to be on, let's say, shaky ground in terms of the language of the statute. But let's see exactly where the CFPB thinks it's going with this. Could I ask the panel to talk about how the term data broker was defined in Director Chopra's remarks at the White House event and in the frequently asked questions that were released in connection with the event, who is he wanting to cover?
Well, Chris, if I may weigh in on that, it's challenging in the way that data brokers are discussed in Chopra's remarks and in the FAQs and the fact sheets, in that they attempt to just synonymously use data broker and consumer reporting agency interchangeably. But that's not necessarily going to be the case, even if they take this broad approach to what is defined as a data broker. While all CRAs may in their mind be data brokers, not all data brokers are necessarily going to be CRAs.
As Ron was laying out, the Fair Credit Reporting Act has very specific definitions about what constitutes a consumer reporting agency, what constitutes a consumer report. And now while those definitions are certainly a little bit circular to the extent that any kind of entity doesn't match every element laid out in that definition, meaning that it's an entity that engages in assembling or evaluating. If you don't do that, you're not a consumer reporting agency. That is providing combined information to third parties. If you're not providing it to a third party, you're not a consumer reporting agency. There's lots of entities that provide data under a consumer permission model directly to the consumer. So, there's no third party involved.
If you're not using that information for ineligibility determination, you're not a consumer reporting agency and it's not a consumer report. Right? So, I think the CFPB's attempting to get around the black letter language in the actual statute and just lay in this concept, this overlay that if you're an entity that is compiling data for purposes of selling that information about consumers to other entities, you're a data broker.
And they defined it actually in two different ways. They're addressing both what they call first-party data brokers, entities that interact directly with consumers, and third-party data brokers, which are companies that don't have a direct relationship with consumers. But it's important to note that the CFPB is not in alignment with where the states are going in this respect.
The few states that have enacted data broker laws, and we're talking about California, Vermont, most recently, Oregon and Texas, all of them have defined data broker in a way that it is an entity that does not have a direct relationship with the consumer. These would be the third-party data brokers that the CFPB was referring to. But here the CFPB is looking expansively at both first party and third party. So, I think there's going to be some struggles as the CFPB figures this out because these early remarks are, again, I think they're casting their net as wide as possible and I don't think that's going to work under the black letter of the law in the long term.
Yeah. And in order to highlight that, Kim, let me just look at part of the definition that the Bureau put out in connection with this event. It talks about describing the activities of data brokers in that they collect information from public and private sources for purposes including marketing and advertising, building and refining proprietary algorithms, credit and insurance underwriting, consumer authorized data porting, fraud detection, criminal background checks, identity verification, and people search databases.
And certainly, Kim, there's some examples there that we would understand to be a consumer report like credit and insurance underwriting, but there's a bunch of stuff in that list that I think we would consider to be well outside the definition of a consumer report and that has been litigated and judged by courts not to be a consumer report, right?
That's correct. And I know Ron has actually litigated many of these cases in court and may have some thoughts on that.
Exactly, Kim. And I think the Fourth Circuit's decision in the Barry case that we handled puts a pin on exactly, Chris, what you were saying is that the CFPB wants to ignore the language of the FCRA and specifically the eligibility requirement. And the consequences of that are enormous and I think in ways that are detrimental and adverse to the interests of consumers.
So, for example, I'd like the CFPB to explain what permissible purpose would a company have in order to use data broker information regulated by the FCRA to conduct identity verification, for example, to get access to an app? Say I want to access my Hulu account, what's the permissible purpose that allows Hulu to use my identity verification fraud prevention tool for that transaction? And the answer is there is none, which goes back to the point that we made earlier, there's a reason why the FCRA is written the way it was. It was intended to regulate very specific types of transactions and the flow of data within those transactions, including things such as marketing and fraud and people searches. It is just a megaphone screaming that the CFPB is going well beyond their authority and what the FCRA grants to them.
And I think likewise, Kim, your reference to state privacy laws is right on point because the other thing, the states have recognized that in enacting privacy legislation like the CCPA or CPRA that provides some of the FIPS rights for data outside the FCRA, that they've created fraud prevention and identity protection exemptions. There is no such exemption anywhere within the FCRA with regard to data that meets the definition of consumer report. So one, it violates the language of the statute, it's just offensive to it. And two, what the CFPB is trying to do is completely contrary to what states have done and thought about these specific uses and not regulating them and requiring, for example, access rights or disputes rights.
Chris, the types of uses you were describing before, they all come from what was described not in what Chopra most recently said, but going back to the March 2023 request for information, right? In that request for information, they actually did give somewhat of a definition, at least at that point, their definition of what a data broker is, and they defined it as, "An umbrella term to describe firms," literally they use the word firms, "that collect, aggregate, sell, resell, license, or otherwise share consumers' personal information with other parties."
And that term, data brokers, I mean, that's not something new that the CFPB is coming up with. They may be trying to change the common understanding and definition, but the FTC has been using that terminology for many years. I mean, going back to the FTC's 2020 privacy report, they talked about data brokers and really, actually I think divided them up into three categories, right? Entities that maintain data for marketing purposes, number one. Number two, non-FCRA covered entities that maintain data for non-marketing purposes that fall outside of the FCRA, such as to detect fraud or locate people. And then third and finally, entities that are subject to the FCRA.
So, the FTC historically has given us an understanding in the industry, an understanding of the different types of entities that may fall within an umbrella definition of data brokers, but at the same time to acknowledge that the overwhelming majority of them are not going to be subject to the FCRA. So, now we've got really what is a potentially a seismic shift in the understanding or the perspective of the regulator that's overseeing this area as to how people should understand the term data broker.
One of the problems with that is there's a long history by the FTC of doing lots of enforcement actions all involving this idea of where you draw the line of CRA covered by the FCRA and non-CRA that's not covered by the FCRA, and all that's looking like it's going to be turned on its head.
So, can we talk a little bit about what data brokers look like in practice? And maybe I'm going a little bit off script, but it seems to me that a lot of the CFPB's proposed regulation is geared toward a suspicion or maybe a misunderstanding of what data brokers do in the market. For example, on the FAQ, they talked about data brokers and referenced ... Or other companies in the surveillance industry, which is not necessarily a really good way to phrase it or a really positive way to phrase it.
Ron, you mentioned for example, streaming services and ID verification, but besides criminal records vendors, which is maybe the prototypical example of what the CFPB thinks of a data broker, what are the positive roles data brokers are playing in society? What are some examples of what data brokers do that can actually be beneficial to consumers?
Well, there's a variety of services and a variety of different molds in which that broad data broker registration that Kim explained, businesses can fit into. So for example, we have a client that makes it easier for individuals to get copies of their public records. I'm not sure what it's like in Virginia Beach, Dave, but in California, a trip to the DMV is worse than a trip to the dentist to get a root canal. It's just not a very good experience in California. So, the ability to be able to go to a third party and get a copy of a document rather than having to wait in line, since the California DMV doesn't yet have records available online, that's a value to consumers. That arguably could be a data broker, a company that goes out and pulls all those public records and makes them searchable and available to consumers. That's a positive.
The other is I have checks that are owed to me. I've moved and you can't find me. So, whether that's tax return or for unclaimed funds, like if you have a loan or mortgage and you don't get that last payment, your bank can deposit that with the state. Being able to use a data broker to find and locate an individual to track them down so they can get their check or their money, that's of value.
I mean, the list goes on and on. I'm not even getting into the nerdy economist arguments that we all have to pay for the cost of people that don't pay their debts. Whether we want to realize it or not, if I have an account with a bank and others have accounts with that same bank and I don't pay my debts, you guys are having to come up with the difference of Ron not paying what he's obligated to pay. A lot of those use cases, data brokers and data aggregators provide a very beneficial, useful service to society and to consumers individually.
I also wanted to point out that, and Dave, you've mentioned this characterization by the CFPB that this is some creepy surveillance state type activity where that this data is being compiled and consumers have no insider input on it. But we know the reality is some of the fraud prevention purposes, some of the tools that are made available to businesses to prevent malicious activity, some of that would not be available if consumers had more control.
The idea that consumers can cherry-pick the positive credit behaviors that they want included in reports versus the negative ones. I mean, that undermines the entire system. And many of the benefits that Ron described would just go away if the CFPB is creating new, what they consider protections from consumers, from this surveillance state that they're describing.
Well, I think, Kim, the presumption is that criminals want to be caught, which is ridiculous. I mean, we know that criminals are smart. They're using means by which to steal people's identities, trick various holders of money or data or information or services to think that they're somebody other than who they are. And providing some of the rights that are afforded to consumers under the Fair Credit Reporting Act completely undermines those tools and processes.
So, for the FCRA, the whole intent is to provide information about somebody that you know and you've confirmed who they are so that you can see their individual experiences. The whole point of fraud prevention and identity theft prevention and ID verification is to weed out the people that are trying to play the system. If you then give those people the ability to access that file to correct that file, they're able to undermine and subvert those systems that are in place to prevent that type of criminal behavior that's victimizing me, you, my mom.
Yeah, it's interesting, Ron, dovetailing with that point you just made, I mean we're recording this on August 29th, just today, the CFPB came up with another email about this rulemaking. And really the only thing different in the email today than what was previously announced is they added on a paragraph specifically about data brokers causing harm to older consumers when information about their finances, health or preferences is collected and sold.
And then they reference the DOJ having prosecuted several data brokers for selling the personal information of older adults and individuals with dementia, to criminals who use this data to target and perpetuate scams against them. Well, of course, no one wants this type of activity to be going on, but at the same time, it's like, clearly there are tools in the current toolbox with the current understanding of what's lawful and what's unlawful for criminals to be prosecuted. So, it's interesting that they chose that hook to use today in their most recent statement.
So, it seems clear from this discussion that the policy merit, in addition to the legal merit of this rulemaking being highly suspect, the policy merit also seems very suspect as well. But the Bureau has said it's going to go forward with the rulemaking. So, let me just ask the panel, as the rulemaking moves forward, what are some key issues that we'll be watching and that we think our listeners should also be watching for?
There's a couple of things, Chris. So, one is, and we talked about this in the previous podcast, there's some public relations work going on by the CFPB and the supporters of these regulations that need some correction. For example, following on what we were just talking about, I saw an article that suggested that the data incident somehow put social security numbers and other header information out there, and that was a justification or a reason for why the CFPB needs to take action and regulate the space.
In reality, litigating and being in the data breach universe is that everyone's SSN is out there on the dark web. And so, pinpointing and suggesting that somehow this regulation is going to change that fact or somehow improve the protections to the elderly is a farce. So, I think we need to be very considerate and conscious of the public relations campaign that's going out there and think about ways in which we can educate the public to the benefits as well as to the detriment to consumers and society if this CFPB regulation stands.
The other thing is that there are other means by which to protect consumers short of taking the FCRA and stretching it in ways that Congress never intended. And I just mentioned how with Congress. So, if there are issues or concerns that need to be addressed, deal with them in Congress so that it's done in a balanced, fair way that allows for all voices to be heard and for a statute to be constructed that actually balances the various needs and concerns of society.
Ron, you're right about those things, and of course we'll be following that very closely. And all this discussion really makes me wonder, you have a rulemaking effort that seems so clearly outside the permissible scope of the statute that would be birthed into a judicial environment that seems especially hostile to aggressive agency interpretations of their authority. And so, it seems like this is an effort that would eventually be on a collision course with failure in a court challenge. And it honestly makes me wonder whether the motivation for this rulemaking is more from a political and public relations standpoint than to actually achieve a final enforceable rule.
That's just my speculation, but it does seem like it's one of the rational ways to think about what the bureau is doing because there's no way, I don't think, that the bureau would rationally conclude that it has a good chance of extending the Fair Credit Reporting Act to products that are used for people finders and identity verification and the other use cases, advertising, things like that, that are discussed by the Bureau.
But in any event, I want to thank all of my partners for this very important and incredibly informative discussion. Of course, we're going to continue to monitor this rulemaking as it proceeds. We'll be looking for the SBREFA outline when it comes. That'll be the next step. And of course, thanks to you, the members of the audience, for listening to this special crossover edition of our podcast as well. Don't forget to visit and subscribe to our blogs, troutmanpepperfinancialservices.com and consumerfinancialserviceslawmonitor.com.
And while you're at it, why don't you visit us over at troutman.com and sign yourself up for our consumer financial services email list? That way you can get copies of the alerts that we send out and invitations to our industry-only webinars. And of course, I always want to mention our nifty new mobile app, which is a great one-stop shop for all of our thought leadership content. You can listen to all of our podcasts, see all of our blogs, all of our articles, see a directory of our financial services lawyers, over 200 of them, and even a calendar that shows you what industry events and seminars we'll be participating in and speaking at. And of course, stay tuned for a great new episode of this show, The Consumer Finance Podcast, every Thursday afternoon. Thank you all for listening.
Copyright, Troutman Pepper Hamilton Sanders LLP. These recorded materials are designed for educational purposes only. This podcast is not legal advice and does not create an attorney-client relationship. The views and opinions expressed in this podcast are solely those of the individual participants. Troutman Pepper does not make any representations or warranties, express or implied, regarding the contents of this podcast. Information on previous case results does not guarantee a similar future result. Users of this podcast may save and use the podcast only for personal or other non-commercial, educational purposes. No other use, including, without limitation, reproduction, retransmission or editing of this podcast may be made without the prior written permission of Troutman Pepper. If you have any questions, please contact us at troutman.com.