What the F(CRA) is a Permissible Purpose?

Earlier this July, the Consumer Finance Protection Bureau (CFPB) issued a legal interpretation  to ensure that companies that use and share consumer reports can prove what’s called a “permissible purpose” under the Fair Credit Reporting Act (FCRA).

The advisory opinion sets the record straight on consumer data privacy: Not only do consumer reporting companies and companies that use credit reports have a duty to protect consumer information, they’re subject to potential criminal liability if they don’t play by the rules.

But what is a permissible purpose? What kind of information do these entities keep on consumers? What do they do with that data? These are questions that many consumers don’t even know they should be asking, which is why we did the heavy lifting for you. Keep reading to get the lowdown on permissible purposes and data privacy.

Permissible Purposes

The FCRA does more than just entitle Americans to fair and accurate consumer reports, it requires the companies and individuals who buy those reports to demonstrate a legally permissible purpose. This rule protects consumers’ private data, including credit history.

What are those permissible purposes? Companies are legally permitted to access consumer data for reasons like:

• Loans or credit applications
• Insurance applications
• Tenancy applications requiring background checks
• Hiring processes requiring background checks

It’s just as imperative to know under what circumstances companies are not allowed to purchase consumer data under the permissible purpose provisions of the FCRA. The CFPB’s latest advisory reminds companies:

• Insufficient matching procedures can lead to entities providing reports to companies without a permissible purpose. Let’s say Equifax uses name-only procedures to find a consumer’s information — that’s illegal because the user of a report could be given a report that belongs to a different consumer with the same or similar name. 
• Consumer reporting companies can’t provide reports on multiple individuals if they only have a permissible purpose to obtain a report on one person. “Possible matches” are not a valid purpose to obtain information on multiple consumers.

What happens if a company violates my data privacy under the FCRA?

Simply put, companies face criminal liability, including jail time, if they are found to have purchased a report on an individual under false pretenses. Same goes for companies that provide consumer reports for an unauthorized purpose.

Consumers are also able to sue companies that violate their data privacy under the permissible purposes clause of the FCRA. For instance, let’s say you pay off and decide to close a line of credit with Bank A. When you open a line of credit, you must agree to allow Bank A to pull your credit report on a monthly basis. If Bank A continues to pull your report after you sever your relationship, you could be eligible for compensation.

If you believe a permissible purposes violation has caused you financial, emotional, or reputational harm, let us know if Consumer Attorneys can help. We offer a free consultation to let you know how much your case may be worth.