The collection, compilation, and dissemination of consumer credit information in reports (‘‘consumer reports’’) is not a recent development. The first credit reporting agency (CRA), Retail Credit Company, began compiling consumer reports as early as 1899. Today, the consumer credit reporting industry is dominated by three major companies, Experian, Equifax (the descendant of Retail Credit Company), and Trans Union. Together, these three CRAs hold records on more than 200 million consumers and provide crucial economic information to lenders, retailers, and employers in millions of transactions every day. Indeed, it is difficult, if not impossible, to imagine our economy without them or the thousands of others.
Despite the obvious importance and value of CRAs, they also have the potential to affect the privacy and livelihood of millions of Americans. Over time, poor collection and dissemination practices by CRAs resulted in real dangers to individual privacy. By the 1960s, consumer reports not only tracked credit history but many also included personal information, including sexual orientation, drinking habits, and even cleanliness. Compounding these problems were the lax disclosure practices many CRAs used— making consumer reports available to almost anyone willing to pay a fee. In addition, many of these consumer reports were highly inaccurate—containing obsolete, incomplete, or even fraudulent data. Finally, CRAs policies made it virtually impossible for consumer to see or correct their own consumer reports.
Out of this mess Congress passed the Fair Credit Reporting Act (FCRA) of 1970. Congress’ intent in passing FCRA was to address the most important problems associated with CRAs’ past practices. In particular, FCRA addressed the two major areas of abuse: (1) dissemination of consumer reports to unauthorized parties and (2) creation of inaccurate, false, incomplete, or obsolete consumer reports. In addressing these problems, FCRA created a complex regulatory framework that imposes obligations on CRAs and provides rights and remedies to consumers. This important legislation, therefore, represents the first attempt by Congress to protect individual privacy from the intrusive and, at times, abusive practices of private industry.
FCRA created a very broad definition of CRA, encompassing any entity that regularly prepares and disseminates consumer reports. As a result, bill collection agencies, cable companies, banks, and even universities have been held to be CRAs. Congress also insisted on a broad definition of consumer report— defining it to include any report that ‘‘touches’’ on an individual’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or modes of living.
Under FCRA, CRAs are required to enact ‘‘reasonable procedures to assure maximum possible accuracy’’ in consumer report information. Among the steps CRAs must take are: (1) removing inaccurate or obsolete data on notice or discovery; (2) informing consumers of adverse actions taken as a result of a consumer report; (3) allowing consumers to challenge the accuracy, currency, or completeness of information contained in consumer reports; and (4) removing or changing challenged data that cannot be confirmed within a reasonable period of time. Finally, CRAs are prohibited from disclosing consumer reports for anything other than a ‘‘permissible purpose.’’ Permissible purposes include, among others, requests for reports to employers (with consent), as part of an application for credit, or to allow financial institutions to review the creditworthiness of current customers.
CRAs are also required to make consumer reports available to consumers for review and correction. Prior to 2003, the provision of reports was only required in two circumstances: (1) on request and for a fee or (2) when an adverse action has been taken based on the report. In 2003, Congress amended FCRA with passage of the Fair and Accurate Credit Transactions Act (FACTA). Among the many changes made to FCRA, this latest amendment now requires all the three major CRAs to provide a copy of a consumer’s report, without fee, once a year on request.
Unlike many privacy and consumer protection laws, FCRA authorizes private lawsuits. Injured consumers may sue for economic and punitive damages. Criminal prosecutions may be brought against both CRAs and those who fraudulently obtain consumer reports. These robust remedial provisions have led many individuals to sue CRAs and users of consumer reports for damages caused by inaccurate information and unauthorized disclosures. In addition, the Federal Trade Commission has been active in enforcing FCRA’s provisions—mostly recently obtaining a $2.5 million settlement from the major CRAs based on their sale of consumer reports to advertisers and marketers (Trans Union v. FTC ).
In the decades since its passage, FCRA has required various amendments to capture the current practices and capabilities of CRAs. The most fundamental change in consumer reports has been the creation of ‘‘credit scores.’’ Credit scores (using proprietary formulas created by CRAs) have become more important for assessing the creditworthiness of consumers than the consumer reports on which they are based. Yet FCRA, in its original formulation, does not govern credit scores. In 2003, Congress amended FCRA to require disclosure of credit scores, including explanations of their use, for a fee. As consumer reports become increasingly important in a credit-rich and electronic market, we may assume that FCRA will be amended again. Indeed, FCRA has recently been amended by the USA Patriot Act to give law enforcement greater access to credit and financial information.
DOUGLAS J. SYLVESTER
References and Further Reading
Cases and Statutes Cited
See also Congressional Protection of Privacy; 9/11 and the War on Terrorism; Privacy; Terrorism and Civil Liberties