If the California Consumer Privacy Act (“CCPA”) is seen as the first U.S. data privacy law to apply across industries and sectors, then the federal Fair Credit Reporting Act, 15 U.S.C. § 1681a et seq., is its polar opposite: a law that applies based on the type of entity and how information is used. As is, the CCPA exempts from its requirements particular kinds of information subject to the FCRA in a manner similar to the way it exempts information subject to the Gramm-Leach-Bliley Act Privacy Rule (the “GLBA”). Reconciling the CCPA and FCRA, both landmark statutes, with one being brand-new and the other approaching its 50th anniversary, can be a challenge.
The CCPA exempts “the sale of personal information to or from a consumer reporting agency” if that information is to be reported in, or used to generate, a consumer report” and the use of the information is limited by the FCRA. CCPA § 1798.145(d) (the “FCRA exemption”). Recall that CCPA’s definition of “personal information” is broad and will include any information capable of being associated with an individual or household. However, a consumer report1 contains a narrow subset of personal information that is:
- Communicated by a consumer reporting agency;
- Bears on credit-worthiness and other consumer characteristics;
- Is used or expected to be used in establishing eligibility for credit, insurance, or other specified purposes.
Without the FCRA exemption, much, if not all, information contained in consumer reports would be “personal information” subject to the CCPA.The exemption, however, applies only to personal information in a consumer report that (1) is sold to or from a consumer reporting agency for the purpose of generating consumer reports; and (2) is limited in use under the FCRA. Thus the question that looms large is: What parts of a “consumer report” are not exempt from the CCPA?
The Consumer Report Conundrum
To truly appreciate the impact of the CCPA exemption for FCRA information, you first have to grapple with what is a “consumer report,” and what is a “consumer reporting agency.” This is the longest-running “chicken and egg” dilemma in information privacy jurisprudence. Consumer report information is only a “consumer report” subject to the FCRA if it is communicated by a “consumer reporting agency.” A “consumer reporting agency,” in turn, is an entity that regularly engages in the practice of assembling and evaluating consumer report information for the purpose of providing consumer reports to third parties.2
In other words, the FCRA applies only if three types of entities are involved: (1) the “furnisher”—the entity that provides consumer information that it has collected from the consumer or through its transactions and experiences with the consumer; (2) a consumer reporting agency—the entity that receives the information from the furnisher, and assembles or evaluates it; and (3) a third-party recipient of the information provided from the consumer reporting agency, usually called a “user.” We call this relationship the “FCRA Triangle."
Figure 1: The FCRA Triangle
The easiest way to understand the impact of the CCPA’s limited exemption for information subject to the FCRA (“FCRA data”) is to look at the information as it is shared and received by each entity in the FCRA triangle.
Furnisher to Consumer Reporting Agency. A FCRA “furnisher” provides consumer report information to a consumer reporting agency. For financial institutions that are furnishers, the bulk of this information will be information that relates to a consumer who requests or receives credit or other services, including the consumer’s account or transaction history (also called “transaction and experience” information). The FCRA does not proscribe the content or characteristics of the data that a furnisher provides. However, only information that a furnisher “sells” to a consumer reporting agency will be exempt from CCPA under the FCRA exemption.
The CCPA defines a “sale” of personal information as “selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.” CCPA § 1798.140(t) (emphasis added). Thus, “sales” do not need to involve financial compensation; where two businesses agree to exchange personal information relating to consumers, for example, that would constitute a “sale” under the CCPA because each party is providing something of value, i.e., the consumer information each possesses.
Financial institutions and other furnishers provide to consumer reporting agencies much of the personal information they collect not for direct compensation but, rather, for the purpose of ensuring the availability of reliable credit-granting information overall. Thus, for the FCRA exemption to apply to a furnisher’s transfer of personal information to a consumer reporting agency, the California Attorney General would have to take the position that deriving this type of general benefit for the credit industry as a whole from the exchange of the information was “consideration,” thus making the exchange a “sale” under the CCPA. If the exchange of personal information for the purpose of supporting the industry as a whole is not an exchange for “consideration” and thus not a “sale,” then the personal information routinely provided to consumer reporting agencies by creditors and other FCRA furnishers would not be exempt from the CCPA. Much of this personal information still could be exempt from the CCPA, however, under the GLBA exemption.
Consumer Reporting Agency to Consumer Report Users. Consumer reporting agencies sell information to their credit-granting customers. Thus, any consumer report information that a consumer reporting agency provides to its third-party customers would be exempt under the CCPA, provided that the FCRA limits the use of that information.
This seems straightforward. But not all consumer report information is created equal. As a result of the Federal Trade Commission’s protracted litigation with Trans Union in the late 1990’s, the demographic and identifying information contained in a consumer report (sometimes referred to as “header” information) is not considered to be part of a “consumer report” and thus can be used and disclosed without any FCRA restriction. See 40 Years of Experience with the Fair Credit Reporting Act, Federal Trade Commission Staff Report at 1, fn. 4. Consumer reporting agencies and other entities often sell this “header” information—such as name and address—to assist their customers with verifying consumer identity and preventing fraud.
Because the FCRA does not restrict the use of such “header” information, it is not exempt from the CCPA under the FCRA exemption. Consumer reporting agencies that are subject to the CCPA therefore will likely be required to comply with CCPA requirements as to “header” information.
Similarly, the consumer reporting agencies’ customers—the FCRA users—receive consumer report information sold to them by the consumer reporting agency and are restricted by FCRA in the way that they may use or disclose that information. In that case, the consumer report information is exempt from CCPA as FCRA data.
Figure 2: Summary of CCPA Exemption for FCRA Data by Role
|Furnishers||Consumer Reporting Agencies||Consumer Report Users/Recipients|
|Not Exempt From CCPA|| |
Personal Information provided to consumer reporting agencies for no consideration (thus not a “sale” under CCPA)
Identifying and demographic information obtained from a consumer reporting agency when separated from the other consumer report information
|Identifying and demographic information purchased from a consumer reporting agency (e.g., in identity verification or fraud detection products)|
|Exempt From CCPA||Personal Information purchased from a consumer reporting agency that is a consumer report subject to the FCRA (does not include identifying and demographic data when separated from consumer report information)|| |
Personal information sold in consumer reports (does not include identifying and demographic data sold separately from consumer report information)
|Personal information purchased from a consumer reporting agency (other than identifying and demographic information)|
Use caution when applying the CCPA exemption for FCRA data. The exemption will only apply where the personal information is “sold” and the FCRA limits its use. Identifying and demographic information taken from consumer report information presents particular challenges because such information clearly is personal information under the CCPA but, just as clearly, is not a “consumer report” under FCRA precedent. As a result, the CCPA cuts an uneven path across FCRA furnishers, consumer reporting agencies, and consumer report users.
1 A “consumer report” is “any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes; or other authorized purposes.” FCRA § 1681b (d).
2 The term “consumer reporting agency” means any “person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” FCRA § 1681a (f).