On July 12, 2022, the Consumer Financial Protection Bureau (CFPB) issued an advisory opinion regarding the “permissible purpose requirement” of the Fair Credit Reporting Act (FCRA) as it applies to both a consumer reporting agency (CRA) and a user of consumer reports (e.g., employer).
The CFPB’s position is that name-only matching records in a consumer report violate the permissible purpose requirement in FCRA section 604(a)(3). The CFPB noted that consumer report users must ensure they do not violate a person’s privacy by obtaining or using a report without a permissible purpose, and that a consumer reporting agency should not provide reports with “possible matches” to users.
The CFPB further warned that including a disclaimer in the report, such as “this record was matched to the subject by First Name, Last Name ONLY and may not belong to your subject; your further review of the [source] is required in order to determine if this is your subject” does not adequately address the problem of using name-only matching procedures because the report may include information about a person other than the subject for whom the CRA has a permissible purpose. In the CFPB’s view, a disclaimer “will not change the fact that the consumer reporting company has failed to satisfy the requirements of 604(a)(3) and has provided a consumer report about a person lacking a permissible purpose with respect to that person.”
The CFPB’s advisory opinion raises the possibility that employers, as users of such consumer reports, could be held liable for FCRA permissible purpose violations resulting from a CRA’s matching procedures or mistakes. The opinion emphasized the CFPB’s position that there is strict liability for obtaining or using a consumer report without a permissible purpose and also included a reminder about criminal liability for knowing or willful violations of the FCRA provisions.