CFPB Bolsters Data Privacy, Cybersecurity Regulations

The Consumer Financial Protection Bureau (CFPB) on Thursday (July 7) handed down new data privacy and cybersecurity regulations to dictate how companies can use and share credit reports and background reports under the Fair Credit Reporting Act.

Credit reporting companies and users of credit reports “have specific obligations to protect the public’s data privacy,” the CFPB press release said, adding there is “potential criminal liability for certain misconduct.”

“Americans are now subject to round-the-clock surveillance by large commercial firms seeking to monetize their personal data,” said CFPB Director Rohit Chopra in the press release. “While Congress and regulators must do more to protect our privacy, the CFPB will be taking steps to use the Fair Credit Reporting Act to combat misuse and abuse of personal data on background screening and credit reports.”

The Fair Credit Reporting Act of 1970 regulates companies that compile reports on consumers, including credit reporting companies, tenant screeners and other data brokers. It ensures fair and accurate reporting, and it requires users who buy these dossiers to have a legally permissible purpose, including using consumer reports for credit, insurance, housing or employment decisions, the report said.

To ensure compliance with the Fair Credit Reporting Act, the CFPB highlighted the experiences of military families with medical billing, credit reporting and debt collection; spotlighted medical billing challenges faced by millions of American consumers; identified credit reporting companies the public can hold accountable; issued a bulletin to prevent unlawful medical debt collection and credit reporting; and took action to stop the false identification of consumers by background screeners.

Related: Data Privacy Bill Passes US House Panel

Last month, a U.S. House of Representatives panel looking to limit the collection of personal data passed a new bipartisan privacy bill, though it may not become a law.

Under the bill, Meta, Google and several other companies would be able to collect only the personal data necessary to provide services. Other information would be more protected, with extra security for sensitive data like Social Security numbers.

The measure passed on a voice vote in the House Energy and Commerce subcommittee, and it will go to the full committee for another vote.