FTC Consumer Protection and Privacy Enforcement Series: The Fair Credit Reporting Act—Who Is Covered and How to Comply

August 20, 2025

For the latest installment of our series of practical insights on emerging Federal Trade Commission (FTC) consumer protection and data privacy priorities, we discuss coverage and requirements under the Fair Credit Reporting Act (FCRA). Companies that share or sell data, including data brokers, and companies that use data from other companies should pay close attention to the FCRA – particularly given renewed scrutiny of third-party data sales. The FCRA is a complex statute, and its application to consumer data flows in the modern digital economy can be complicated. In recent remarks, FTC Commissioner Melissa Holyoak called for the FTC to “robustly enforce” the FCRA, highlighting it as a statute in which Congress explicitly directed the FTC to protect consumer privacy.

Notably, the FCRA is enforced by both the FTC and the Consumer Financial Protection Bureau (CFPB). The FTC was the original agency tasked with enforcing and interpreting the FCRA before the CFPB was formed, and the FTC’s role appears likely to continue even if CFPB enforcement is pulled back. In addition, the FCRA contains a private right of action that presents significant class action litigation risk.

Think your company that shares or sells data is not covered by FCRA? Check again.

Who is covered by and subject to FCRA’s requirements is a fact-intensive question, and the relevant statutory text is somewhat circular. The law’s coverage extends well beyond large, nationwide credit bureaus to reach other kinds of companies that are covered as “consumer reporting agencies” (CRAs), and data that may be covered as “consumer reports.” 

Indeed, last year the CFPB initiated a rulemaking to attempt to expand coverage to certain data brokers. The CFPB’s proposed rule arguably would have made every sale of information about a consumer’s credit history, credit score, debt payments, or income tier a “consumer report” that triggers FCRA coverage – even if the information was sold for non-credit uses, including in targeted advertising or training AI models. The proposed regulation did that by indicating those four categories of information are “expected to be used” as a “factor in establishing the consumer’s eligibility for credit, insurance, employment,” or other transaction initiated by the consumer, regardless of the actual nature of the transaction. Although the CFPB later withdrew that rulemaking, the arguments supporting it point to greater scrutiny of financial-related information sold and shared even for non-credit reasons.

Moreover, even under the established legal framework sellers of data should consider the expected use of that data to determine coverage under FCRA, which applies to use of certain data even outside of credit-related purposes, including determining eligibility for insurance and employment. It also applies in cases where the recipient has a “legitimate business need” for the information in connection with a “transaction that is initiated by the consumer.” The categories of transactions in that category are not always clear, but the FTC has taken the position it includes rental housing applications. As a result, the FTC considers background reports used to determine eligibility for rental housing consumer reports under the FCRA. The FTC has enforced under this theory, alleging that a company knowingly selling criminal background reports for tenant screening was a CRA that provided consumer reports, and therefore subject to the FCRA. The FTC has issued guidance on other use cases, but its last comprehensive update was well over a decade ago.

Think your data purchase isn’t covered by FCRA because the seller isn’t a CRA? Check again.

Just like companies selling data, companies purchasing data need to determine FCRA applicability by looking at the nature of the transaction and data being purchased. Under FCRA, relevant data includes information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” And when that data is sold to third parties, the data can become a “consumer report” under the FCRA if it is used or should be expected to be used “as a factor in establishing the consumer’s eligibility for credit, insurance, employment,” or business transactions initiated by the consumer. Even if the data is obtained from a company that is not holding itself out as a CRA, the data recipient can be subject to FCRA requirements if the data is found to be effectively a “consumer report.”

Companies subject to FCRA should monitor compliance.

Companies covered as CRAs under the FCRA have numerous compliance duties. Among others, they must ensure the information they include in consumer reports is accurate, complete, and identifies the consumer correctly. They must also undertake a reasonable investigation of disputes from consumers about the accuracy or completeness of information in their files. What constitutes a “reasonable” investigation has been the subject of significant private litigation. CRAs also have a duty to provide consumer reports only to parties with a permissible purpose as defined by the statute.

Companies purchasing or using consumer reports also have compliance requirements. For example, they must have a statutorily authorized permissible purpose to obtain consumer reports. Additionally, when a company takes adverse action against a consumer (such as denying credit or declining to offer a service) based on information in their consumer report, it must provide the consumer a notice describing that adverse action, the reason for the adverse action, and the consumer’s rights under the FCRA.

Furnishers of information to CRAs also have requirements under the FCRA. A furnisher is any “entity that furnishes information relating to consumers to one or more consumer reporting agencies for inclusion in a consumer report.” Companies that meet this definition have certain obligations under the FCRA, including furnishing information that is accurate and complete, and reasonably investigating consumer disputes about the accuracy of information they furnish.

***

Wiley’s FTC and Consumer Protection and Privacy, Cyber & Data Governance teams assist clients with a full spectrum of advertising, consumer protection, privacy, cybersecurity, and data governance issues. Please reach out to any of the authors with questions. Wiley’s complete FTC Consumer Protection and Privacy Enforcement Series is available here.

Wiley Connect

Sign up for updates

Wiley Rein LLP Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek