Three 2019 decisions from Second, Seventh, and Ninth Circuits, discussed below, have allowed companies that share data on consumers to evade Fair Credit Reporting Act (FCRA) requirements. This article points out that these firms should be careful what they wish for. Consumers may still be in a position to sue them even if they are treated as outside of the FCRA’s coverage, because the FCRA’s preemption of state law claims no longer applies.
FCRA’s Broad Coverage
As those familiar with the FCRA know, the definitions of “consumer report” and “consumer reporting agency” under the Act are not limited to the “Big Three” credit bureaus (i.e., Equifax, Experian, and TransUnion). These definitions are quite expansive and cover a much wider range of entities, from criminal background check vendors to tenant screening agencies to financial technology data aggregators. FCRA requirements and consumer remedies apply to all of these entities.
If a company is collecting and sharing third-party data that is used or expected to be used as a factor in determining eligibility for credit, insurance, employment, or other purpose authorized under the FCRA, that company should be considered a “consumer reporting agency” or CRA subject to the FCRA. The term CRA extends to:
any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties. 15 U.S.C. § 1681a(f)
A key term in this definition is that the consumer reporting agency’s activities must be for the purpose of furnishing “consumer reports.” A consumer report is defined at 15 U.S.C. § 1681a(d)(1) and discussed at NCLC’s Fair Credit Reporting § 2.3. A consumer report need not relate to credit. A consumer report is any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s:
- Credit worthiness
- Credit standing
- Credit capacity
- General reputation
- Personal characteristics or
- Mode of living.
To be a consumer report, the information also must be used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for certain “permissible purposes.” The term “permissible purposes” is also far broader than credit. Three of these purposes are for credit, insurance, or employment. But a permissible purpose also includes use for government benefits, licenses, and the FCRA “catch-all” purpose of a “legitimate business need for the information – (i) in connection with a business transaction that is initiated by the consumer,…" 15 U.S.C. § 1681b(a)(3)(F)(i). For more on these “permissible purposes,” see NCLC’s Fair Credit Reporting Ch. 7.
Thus, by its terms, the definition of “consumer reports” is not limited to credit-based information, as it includes very broad categories of “character, general reputation, personal characteristics, or mode of living.” These categories encompass a tremendous range of information about a consumer, making its communication eligible to be a consumer report if used for a “permissible purpose” authorized by the FCRA.
For more on the definitions of a “consumer reporting agency,” see NCLC’s Fair Credit Reporting § 2.5.
Courts are Skittish about Acknowledging the Broad Scope of the FCRA
Despite the FCRA’s very broad definitions of” consumer report” and “consumer reporting agency,” three circuit courts this year have shown a reluctance to respect the FCRA’s plain language and its expansive coverage. In Zabriskie v. Federal National Mortgage Association, 912 F.3d 1192 (9th Cir. 2019), a divided panel of the Ninth Circuit held that Fannie Mae, which licenses its proprietary software program known as Desktop Underwriter to lenders, is not a CRA because its role is purportedly limited to providing this software that in turn allows lenders to assemble or evaluate information.
The majority seems to have ignored the fact that it is Fannie Mae’s Desktop Underwriter itself, and not the lenders, which actually obtains and “assembles” information from various sources including Equifax, Experian, and TransUnion. Furthermore, it is Desktop Underwriter itself that analyzes or “evaluates” the information and issues a recommendation. Note that there is currently a petition for rehearing pending in Zabriskie v. Federal National Mortgage Association.
In Kidd v. Thomson Reuters, __ F.3d. __, 2019 WL 2292190 (2d Cir May 30, 2019), the plaintiff alleged that Reuters’ Consolidated Lead Evaluation and Reporting (CLEAR) product was a consumer report because a potential employer, the Georgia Department of Public Health, had used it to conduct an employment background check that wrongfully flagged the plaintiff as having a conviction for theft. The Second Circuit held that the report produced by CLEAR was not a consumer report, despite the Georgia agency’s use for employment purposes, because the evidence showed that Thomson Reuters had collected the information and intended it to be used only for law enforcement, fraud prevention, and identity verification (non-FCRA) purposes. Thomson Reuters not only expressly prohibited its sale or use for any FCRA-related purpose, but also required subscribers to make non-FCRA use certifications and actively monitored compliance through investigations and suspensions. Furthermore, the Second Circuit held that, in order to qualify as a “consumer reporting agency,” an entity must have a specific intent to furnish a “consumer report,” and the evidence established that Thompson Reuters did not have this intent.
Finally, in Rivera v. Allstate, 913 F.3d 603, 615 (7th Cir. 2019), the Seventh Circuit noted in dicta that a law firm’s report on employee misconduct was not necessarily a consumer report because nothing in the record suggested that the firm qualified as a CRA by “regularly” engaging in assembling or evaluating “consumer credit information.” Whether it was due to oversight or the desire for brevity, the Seventh Circuit omitted the part of the CRA definition covering the collection of “other information on consumers” in addition to credit information. Note that the issue of whether the law firm was a CRA was neither raised nor briefed by either party.
These cases have undermined FCRA protections with respect to its scope of coverage. For example, the Zabriskie decision has provided support to certain types of specialty CRAs, such as criminal background check and tenant screening agencies, that claim they are not covered by the Act because they merely provide software to end users. Expect companies to use disclaimers, contract language, and other show measures that purportedly prevent users from using reports for an FCRA-covered purpose. All is not lost, however, as there is an alternative to holding companies accountable if they are not considered consumer reporting agencies, as described below.
Bringing State Law Claims Against Non-CRAs
Companies seeking to avoid FCRA coverage are missing a critical point— that being a CRA has important benefits. First, FCRA § 1681h(e) provides qualified immunity to CRAs, users, and furnishers of information from “any action or proceeding in the nature of defamation, invasion of privacy, or negligence with respect to the reporting of information . . . except as to false information furnished with malice or willful intent to injure such consumer.”
Second, furnishers of information to CRAs have the benefit of the expansive preemption of state law in § 1681t(b)(1), which preempts any state law “with respect to any subject matter regulated under . . . (F) section 1681s-2 of this title, relating to the responsibilities of [furnishers].” This latter provision preempts state law claims for furnisher inaccuracy, as well as for unfair and deceptive acts and practices (UDAP) against furnishers.
Indeed, preemption was part of the grand legislative bargain of the original passage of the FCRA in 1970. As a quid pro quo for the FCRA requiring certain disclosures to consumers and providing consumer remedies, the FCRA limited the tort liability of CRAs, users, and furnishers if the consumer acquired knowledge of the information through an FCRA-required disclosure. See NCLC’s Fair Credit Reporting § 10.4.1.2. Later on, preemption of state law requirements with respect to furnishers was added in exchange for the 1996 Reform Act amendments that added accuracy and dispute investigation responsibilities for furnishers under the FCRA.
Thus, if a company is not a CRA, then qualified immunity does not apply, and any inaccurate information it supplies could be subject to UDAP laws as well as common law tort claims such as libel, defamation, or false light (a tort relating to privacy). Tort claims have broad applicability and often provide for punitive damages. See NCLC’s Fair Credit Reporting § 10.5; NCLC’s Unfair and Deceptive Acts and Practices.
For example, the plaintiff in Kidd v. Thompson Reuters, who was wrongfully reported as having a criminal conviction, could have a claim for libel or defamation under state law. Even the reporting of accurate information could be actionable in some states as an invasion of privacy, i.e., unreasonable intrusion or appropriation. See NCLC’s Fair Credit Reporting § 18.3.
Consumer attorneys facing a possible argument by a company that it is not a CRA should always consider pleading in the alternative state common law, UDAP, and/or other state statutory causes of action. If the court rules that the company is not a CRA, consider whether there is a furnisher who now may be subject to state law claims as well.
Introducing State Law Bills to Govern Non-CRAs
States can also regulate data companies that claim they are not a CRA. Without the benefit of preemption, states are free to regulate non-CRA companies by imposing certain requirements (registration, accuracy, dispute rights, disclosure, notices) or even banning collection or sale of certain information. Moreover, entities that supply information to these companies are not entitled to the sweeping preemption for furnishers under the FCRA, and thus states can regulate their reporting activities. Some examples of state laws already passed include:
- Vermont Data Broker Law (9 Vt. Stat. Ann. § 2430 et seq.). In 2018, Vermont passed a law governing data brokers, which it defines as businesses that collect and sell or license the data of consumers with whom they do not have a direct relationship. The law requires data brokers: (1) to register with the Vermont Secretary of State annually; (2) to maintain certain minimum data security standards; and (3) to refrain from fraudulently acquiring certain types of data, or collecting or using such data to commit stalking, harassment, identity theft, or engaging in discrimination.
- California Consumer Privacy Act (Cal Civ. Code § 1798.100 et seq., eff. Jan. 1, 2020). In June 2018, California enacted a groundbreaking privacy law that gives consumers much greater control over how their information is collected and sold by large companies. Protections include a consumer’s right to know what information companies are collecting about them, to opt out of companies selling their personal information, and to have a company delete their personal information from their databases. Note that the California privacy law has an exemption for CRAs. Thus, any company that is not a CRA is not entitled to that benefit. A number of states have introduced bills similar to the California Consumer Privacy Act.