In a recent single-plaintiff federal case in the Northern District of Georgia alleging violations of the Fair Credit Reporting Act (the “FCRA”), the court helpfully explored the contours of what constitutes a “consumer report.”
Here’s the back story. In 2016, a guy obtained a copy of his credit report from a consumer reporting agency (a “CRA”) to review it for accuracy. He was surprised to find that a second CRA had accessed his credit file on at least 73 occasions and spent the next 18 months trying to get an explanation. Because the explanations were (allegedly) confusing and unsatisfactory, and he filed suit against both CRAs, contending that each had violated the FCRA in providing and using a consumer report without a statutory permissible purpose for doing so.
The two CRAs are separate companies and each maintains its own database of consumer credit files and account information. However, the second CRA created a credit risk score that utilized data contained in the first CRA’s database in addition to its own credit files. When a consumer service representative for the second CRA accesses a consumer’s credit file to process a request for consumer disclosure, process a dispute reinvestigation or for other purposes, the second CRA’s system automatically, and without prompting, provides the representative with this credit risk score.
The representative can see only the score and is not able to see or otherwise access the data used to calculate the score. Every time the second CRA obtains information from the first CRA in order to generate such credit score, that event is recorded as a “soft inquiry” on the consumer’s file at the first CRA. The generation of this credit score is unnecessary to whatever tasks the representative is performing and it is never explained why this process was implemented. When the first CRA was informed of this process, it requested the second CRA to cease the practice.
On these facts, the court determined that the Plaintiff had introduced sufficient evidence to survive summary judgment and so this case is headed to a jury. In denying defendants’ Motion for Summary Judgment, the District Court reached the following (important) conclusions:
- Simple scores can be consumer reports. The defendant CRAs claimed in this case that consumers have reduced privacy interests when only limited information, short of a traditional credit report, is at issue. They claimed that the second CRA did not release detailed, specific information about the plaintiff’s accounts, but instead released only numbers that summarized the plaintiff’s payment history, the number of accounts, the type of accounts, his available credit, his credit used, and the length of his credit history. The court rejected this argument as irrelevant, because the credit data disclosed in this case fell within the FCRA’s broad definition of the term “consumer report” and therefore entitled to protection. There is nothing in the FCRA that requires the disclosure of a full credit report or the underlying data as a condition to the FCRA’s application, as urged by the defendants.
- Once a consumer report, always a consumer report. In order to be considered a consumer report under the FCRA, a report has to be “used,” “expected to be used,” or “collected” for one of the permissible purposes described in the FCRA. The CRAs argued that because the report in question here was not being used for a permissible purpose, it could not be considered a consumer report. Nice try. The Court held that even if a report isn’t used (or expected to be used) for one of those permissible purposes, if the information in the report was collected for a permissible purpose, then it remains regulated by the FCRA. In other words, if you collect personal information with the intent of subsequently including it in a consumer report, it is subject to the FCRA and may only be disclosed in a consumer report provided to a user that has a permissible purpose under the FCRA.
- Alternative credit data is NOT subject to a different standard than “traditional” credit data. The defendants claimed that the specific type of credit information disclosed here does not implicate the privacy concerns that Congress sought to address. While a typical CRA collects credit information like mortgage accounts, auto loans, credit cards, bankruptcies, or public records, the first CRA in this case collects payment information from telecommunications, pay TV, and utility service providers. This data, defendants claimed, does not reflect sensitive information about a consumer’s employment history, arrest records, or any other aspect of a person’s character. The court was not persuaded, finding that the “FCRA makes no distinction between the ‘utility credit data’ maintained by [the first CRA] and the ‘traditional credit data’ maintained by a more ‘traditional’ CRA ….” Because the data at issue here was a communication bearing on the plaintiff’s creditworthiness, credit standing, or credit capacity, the court found that that data is entitled to the privacy protections afforded to credit reports under the FCRA.
- Disclosure of a consumer report without a permissible purpose constitutes “concrete” harm for Spokeo standing purposes. In Spokeo v. Robins , the US Supreme Court explained that the US Constitution requires a plaintiff to allege an injury-in-fact that is concrete and particularized. While the lower court identified particular harms to plaintiff, it erred by not also determining that those harms were concrete. Although intangible harms can be concrete, “bare procedural violations” cannot. Many have latched on to this phrase, internalizing that unless a plaintiff can demonstrate evidence of harm corroborating the allegation, it is a “bare procedural violation,” resulting in lack of standing for the plaintiff. Well, maybe. In some circumstances that may be a winning argument, but there is a long line of post-Spokeo cases cited by the court here holding that the impermissible disclosure of credit information is more than a bare procedural violation of the FCRA because it involves the invasion of a consumer’s privacy.
Take-Aways: As I see it, this decision has two primary take-aways:
- Examine historical practices. In this case, it was never explained why a credit score was automatically generated when a consumer contacted the CRA to request his or her file. I have no knowledge of this situation, but it may be that it was an historical practice that was never questioned and so never scrutinized. All organizations subject to the FCRA should regularly scrutinize their practices on a regular basis and challenge them. Do you have a one-off process that makes use of consumer report data? How would this look to someone from outside the organization? Is this process really necessary? Would I be comfortable discussing this process publicly? All great questions to ask yourself and your team.
- Question long-held positions. Many organizations and some entire industries have legal positions that could fairly be described as “tribal lore,” which can be problematic given the rapid rate of regulatory change in the past 10 years. A legal position is often maintained past the point at which it can be reasonably defended because “it has always been that way” or maybe it has never been challenged. Drinking the kool-aid like this can come back to haunt an organization when a judge or regulator who was not been steeped in the tribal lore examines the position. As with the examination of long-standing practices discussed above, it can be a tremendous help to an organization to challenge long-standing legal positions objectively to ensure that they remain as defensible and compelling as when they were adopted.