Effect of Federal Privacy Law on FCRA

Title V of the Gramm-Leach-Bliley Act of 1999 imposes requirements and conditions on financial institutions and others who want to share certain information about consumers with certain third parties. The federal financial institution regulatory agencies have issued regulations that implement the Title V privacy requirements and conditions. Both Title V and the implementing regulations make it clear that these new privacy requirements do not affect the FCRA. The regulations say that Title V and the regulations are not to be “construed to modify, limit, or supersede the operation of the FCRA,” and that “… no inference shall be drawn on the basis of the provisions of this part regarding whether information is transaction or experience information under Section 603 of [the FCRA].” [12 CFR 1016.16]

Here’s what we think these provisions are addressing. (Citations are to the privacy regulations.)

  1. A financial institution does not want whatever information sharing it does to be within the definition of “consumer report” because that would make it more likely, though not certain, that the institution would be a “consumer reporting agency.” A financial institution does not want to be a “consumer reporting agency” because of all of the restrictions and requirements imposed on consumer reporting agencies by the FCRA. The privacy regulations authorize the disclosure to third parties of consumer information under certain circumstances. Section 1016.16 of the privacy regulations says that although an institution is authorized, under the privacy regulations, to disclose consumer information, the disclosure may still be a “consumer report” under the FCRA.
  2. The privacy regulations exempt from their notice and opt-out provisions any information you disclose that came from a consumer report reported by a consumer reporting agency. [Section 1016.15(a)(5)(ii)] But, Section 1016.16 is saying that does not mean the FCRA requirements on users of consumer reports don’t apply. For example, the FCRA requires that the user provide a notice of adverse action in some circumstances. The fact that you can disclose the information under the privacy regulations does not mean that you don’t have to meet the FCRA adverse action requirement, or other FCRA requirements, if they apply.
  3. Third, the FCRA imposes requirements on persons who provide information to a consumer reporting agency (e.g., error procedures or labeling information as “disputed”). The privacy regulations exempt from their notice and opt-out requirements any information you disclose to a consumer reporting agency. [Section 1016.15(a)(5)(i)] The fact that the privacy rules exempt from the notice and opt-out requirements disclosures an institution makes to a consumer reporting agency does not mean that your FCRA obligations as a provider of information go away.

See the chapter in this manual on federal privacy laws for more details on Title V and its implementing regulations.