Current Developments in Privacy Law

February, 2014

CFPB Credit Reporting Complaint Snapshot: The CFPB finds that credit reporting accounted for 11% of the consumer complaints it has received. Of those complaints, 73% involved complaints about accuracy.

The FTC also listed complaints it received in 2013. Identity theft topped the list. Credit reporting was not in the top ten:

October, 2013

Data Brokers and Privacy: In a report, the GAO recommends that Congress consider strengthening the consumer privacy framework to reflect the effects of changes in technology and the increased market for consumer information. Any changes should seek to provide consumers with appropriate privacy protections without unduly inhibiting commerce and innovation. The Department of Commerce agreed that strengthened privacy protections could better protect consumers and support innovation.

For details, see:

CFPB Bulletin 2013-09

Date: September 4, 2013

Subject: The FCRA’s requirement to investigate disputes and review “all relevant” information provided by consumer reporting agencies (CRAs) about the dispute

The Fair Credit Reporting Act (FCRA) generally requires a consumer reporting agency (CRA) to notify a furnisher when a consumer disputes the accuracy or completeness of an item of information provided by the furnisher to the CRA. The CRA must also promptly provide the furnisher “all relevant information” regarding the dispute that the CRA timely received from the consumer. The furnisher, in turn, must “conduct an investigation with respect to the disputed information,” “review all relevant information” provided by the CRA, and respond appropriately based on the result of the investigation. The CFPB expects CRAs and furnishers to comply fully with these FCRA requirements, thereby promoting the accuracy and completeness of information in the consumer reporting system.

This bulletin specifically addresses furnishers’ obligations to “review all relevant information” they receive in connection with disputes forwarded by CRAs.

The CFPB expects furnishers to have reasonable systems and technology in place to receive and process notices of disputes and information regarding disputes, including relevant documentation, forwarded to them by CRAs. The CFPB also expects every furnisher to review and consider “all relevant information” relating to the dispute, including documents that the CRA includes with the notice of dispute or transmits during the investigation, and the furnisher’s own information with respect to the dispute.

The CFPB will continue to evaluate compliance with the requirement to review “all relevant information” by furnishers subject to its supervisory and enforcement authorities. In general, with respect to disputes received by furnishers from CRAs, the CFPB expects each furnisher to comply with the FCRA by:

(1) Maintaining a system reasonably capable of receiving from CRAs information regarding disputes, including supporting documentation;

(2) Conducting an investigation of the disputed information including reviewing:

a. “all relevant information” forwarded by the CRA; and

b. the furnisher’s own information with respect to the dispute;

(3) Reporting the results of the investigation to the CRA that sent the dispute;

(4) Providing corrected information to every nationwide CRA that received the information if the information is inaccurate or incomplete; and

(5) Modifying or deleting the disputed information, or permanently blocking the reporting of the information if the information is incomplete or inaccurate, or cannot be verified.

Any furnisher not currently maintaining a process that meets these requirements should take immediate steps to comply with the requirements of the law.

The CFPB is monitoring complaints received from consumers and will prioritize examinations and other actions on the basis of risks posed to consumers. If the CFPB determines that a furnisher has engaged in any acts or practices that violate the FCRA or other Federal consumer financial laws and regulations, it will take appropriate supervisory and enforcement actions to address violations and seek all appropriate corrective measures, possibly including remediation of harm to consumers. The CFPB will continue to review furnisher compliance with these requirements during examinations and investigations.

CDIA Says "60 Minutes" Story Misleads On Credit Report Accuracy

Story Ignores Study Results that Credit Reports are Materially Accurate 98% of the Time

WASHINGTON, Feb. 9, 2013 /PRNewswire-USNewswire/ -- "The promotion released yesterday for a '60 Minutes' story airing this coming Sunday, February 10, demonstrates that '60 Minutes' has selectively interpreted an upcoming Federal Trade Commission (FTC) study to ignore the most significant results," stated Consumer Data Industry Association (CDIA) president and CEO Stuart Pratt. "The FTC study shows that 98% of credit reports are materially accurate, a fact it appears '60 Minutes' is set to ignore."

The "60 Minutes" promotional spot reveals that the show has been given access to a Federal Trade Commission report on the accuracy of credit reports that has not yet been released to the general public. Having obtained a copy of the report, CDIA found that the show has missed the most critical point in the research: that the measure of accuracy is tied to the question of when an error has a consequence for consumers, not just when a report contains an error that will have little or no impact on creditworthiness.

"It is irresponsible for '60 Minutes' to be reporting the findings of the study in this manner. The FTC's study concludes that only 2.2 percent of credit reports have an error that would lead to higher-priced credit for the consumer. It is simply wrong to suggest that 21 percent have errors that would lead to this consequence," stated Pratt.

"It's easy to selectively hype snippets from the FTC study to sensationalize the issue, as '60 Minutes' has done, but the number important to consumers is the one they ignored – that only 2.2% of credit reports contain material errors. The shared goal of our members and lenders who report data about consumers is to get it right every time. We will continue our efforts to push down the material error rate even further in credit reports," stated Pratt.

The show also states that a disputed error is "nearly impossible to expunge."  Pratt reacted, "The notion that it is difficult to dispute an error is just wrong.  It is irresponsible to suggest to consumers that they might as well not take action when they have a question about their credit report. CDIA and our members encourage consumers to get a copy of their credit report from each of the national credit reporting agencies at"  Research released by the Political and Economic Research Council in 2011 shows that consumers in their study were satisfied with the results of the dispute process in 95% of the cases.

Statements made on the show suggest that the actions of CDIA members are in violation of federal law.  Pratt responded "Federal courts have found just the opposite on multiple occasions."  Further, Congress directed the Federal Trade Commission to conduct a year-long review of the dispute process and they did not find any violations of law.

"There seems to be some misunderstanding about what the law requires of a credit bureau when a consumer submits a dispute.  This is a good time to get the facts straight," Pratt said.

For Release: 02/11/2013

In FTC Study, Five Percent of Consumers Had Errors on Their Credit Reports That Could Result in Less Favorable Terms for Loans

Consumers Should Check Their Credit Reports for Free Using

A Federal Trade Commission study of the U.S. credit reporting industry found that five percent of consumers had errors on one of their three major credit reports that could lead to them paying more for products such as auto loans and insurance.

Overall, the congressionally mandated study on credit report accuracy found that one in five consumers had an error on at least one of their three credit reports.

“These are eye-opening numbers for American consumers,” said Howard Shelanski, Director of the FTC’s Bureau of Economics.  “The results of this first-of-its-kind study make it clear that consumers should check their credit reports regularly.  If they don’t, they are potentially putting their pocketbooks at risk.”

The study, in which participants were encouraged to use the Fair Credit Reporting Act (FCRA) process to resolve any potential credit report errors, also found that:

  • One in four consumers identified errors on their credit reports that might affect their credit scores;
  • One in five consumers had an error that was corrected by a credit reporting agency (CRA) after it was disputed, on at least one of their three credit reports;
  • Four out of five consumers who filed disputes experienced some modification to their credit report;    
  • Slightly more than one in 10 consumers saw a change in their credit score after the CRAs modified errors on their credit report; and
  • Approximately one in 20 consumers had a maximum score change of more than 25 points and only one in 250 consumers had a maximum score change of more than 100 points.           

Other study results can be found in the executive summary of the report.

“Your credit report has information about your finances and your bill-paying history, so it’s important to make sure it’s accurate,” said Charles Harwood, Acting Director of the FTC’s Bureau of Consumer Protection.  “The good news for consumers is that credit reports are free through, and if you find an error, you can work with the credit reporting company to fix it.”

CFPB Bulletin 2012-09

Date: November 29, 2012

Subject: The FCRA’s “streamlined process” requirement for consumers to obtain free annual reports from nationwide specialty consumer reporting agencies

The Fair Credit Reporting Act (FCRA) requires nationwide specialty consumer reporting agencies (NSCRAs) to provide, upon request of a consumer, a free annual disclosure of the consumer’s file, commonly known as a consumer report. The FCRA’s implementing Regulation (Regulation V) includes a rule mandated by the FCRA that requires each NSCRA to establish a “streamlined process for consumers to request [their free annual] consumer reports . . . which shall include, at a minimum, the establishment by each such agency of a toll-free telephone number for such requests.” 15 U.S.C. § 1681j; 12 C.F.R. § 1022.137.

Pursuant to Regulation V, this streamlined process must permit consumers to request an annual file disclosure through a toll-free telephone number that is published “in any telephone directory in which any telephone number for the [NSCRA] is published” and is “clearly and prominently posted on any Web site owned or maintained by the [NSCRA] that is related to consumer reporting.” 12 C.F.R. § 1022.137(a)(1)(ii)–(iii). The streamlined process must, among other things, have adequate capacity to accept requests from the reasonably anticipated volume of consumers requesting their annual file disclosures through the streamlined process and must provide clear and easily understandable information and instructions to consumers. 12 C.F.R. § 1022.137(a)(2).

It has come to the attention of the CFPB that some NSCRAs may not have established the required streamlined process for consumers to request copies of their annual file disclosures. The Bureau is issuing this Bulletin to remind the NSCRAs of their obligation to comply with the streamlined process requirement, which the Bureau views as an important consumer

CFPB Expectations

NSCRAs are defined as consumer reporting agencies that compile and maintain files on consumers on a nationwide basis relating to (1) medical records or payments; (2) residential or tenant history; (3) check writing history; (4) employment history; or (5) insurance claims. 15 U.S.C. § 1681a(x). In light of the range and frequency of decisions that rely on NSCRA reports, the accuracy of these reports is critical. Consumer access to NSCRA files enables consumers to detect and dispute inaccuracies contained in their files.

The CFPB will evaluate compliance with the streamlined process requirements by NSCRAs subject to its supervisory and enforcement authority. The CFPB expects each NSCRA to comply with the FCRA and Regulation V, including by:

(1) Enabling consumers to request annual file disclosures by a toll-free telephone number that;

a. Is published, in conjunction with all other published numbers for the NSCRA, in any telephone directory in which any telephone number for the NSCRA is published; and

b. Is clearly and prominently posted on any Website owned or maintained by the NSCRA that is related to consumer reporting, along with instructions for requesting disclosures by any additional available request methods, 12 C.F.R. §

(2) Ensuring that its streamlined process for obtaining an annual file disclosure has adequate capacity to accept requests from a reasonably anticipated volume of consumers, 12 C.F.R. § 1022.137(a)(2)(i); 12 C.F.R. § 1022.137(b)-(c);

(3) Collecting only as much personal information from a consumer requesting a disclosure as is reasonably necessary to identify the consumer properly, 12 C.F.R. § 1022.137(a)(2)(ii);

(4) Providing clear and easily understandable information and instructions to consumers, including but not limited to: providing information on the status of a request, providing a “help” or “frequently asked questions” page for web-based requests, and providing a statement when the identity of the consumer requesting an annual file disclosure cannot properly be verified and directions on how to complete the request, 12 C.F.R. § 1022.137(a)(2)(iii);

(5) Using or disclosing personally identifiable information collected from a consumer because of the consumer’s request for an annual or other disclosure required by the FCRA from the entity that the consumer made through the streamlined process only in ways permitted by Regulation V, 12 C.F.R. § 1022.137(d); and

(6) Accepting consumer requests for annual file disclosures from consumers who use methods other than the streamlined process or instructing such consumers on how to use the streamlined process. 12 C.F.R. § 1022.137(e).

Any NSCRA not currently providing a process that meets these requirements should take immediate steps to comply.

New York Times
February 5, 2012

Austrian Law Student Faces Down Facebook

BERLIN — As Wall Street prepares for a record, multibillion-dollar initial stock sale from Facebook, the social networking site, a meeting with the potential to shape the economics of the deal was set to take place Monday in Vienna.

Richard Allan, a former member of Parliament in Britain who is the European director of policy for Facebook, and another executive from Facebook’s headquarters in Menlo Park, California, will meet with Max Schrems, a 24-year-old college student.

Mr. Schrems, a law student at the University of Vienna and a user of Facebook since 2008, has led a vocal campaign in Europe against what he maintains are Facebook’s illegal practices of collecting and marketing users’ personal data, often without consent.

In less than a year, Mr. Schrems’s one-person operation has morphed into a Web site, Europe Versus Facebook, and a grass-roots movement that has persuaded 40,000 people to contact Facebook in Ireland, where its European headquarters are located, to demand a summary of all the personal data the U.S. company is holding on them.

Mr. Schrems and his crusade have become a cause célèbre in parts of Europe, attracting the attention of lawmakers in Brussels as the Continent begins a lengthy debate over tough new proposed restrictions on personal data, which could affect Web businesses like Facebook.

Last month, the author of a proposed European data protection law, which would update a 1995 statute to reflect the realities of the digital age, cited Mr. Schrems’s case as an example of why European lawmakers should adopt tightened controls over Web businesses.

The plan put forward by Viviane Reding, the European justice commissioner, would give E.U. residents the right to opt out more easily of standard data collection practices used by businesses like Facebook. It would also compel companies to expunge all personal data, permanently, at a consumer’s request.

Both elements have the potential to hamper the data-harvesting engine that is at the heart of Facebook’s advertising-driven business, and of its value.

Facebook said in a statement that its data practices followed European law and that the company had gone out of its way to meet Mr. Schrems’s request for personal information. The company also noted that Facebook users could easily obtain a copy of their information on Facebook by using a function within their personal account settings.

The company said a report in December from an Irish regulator demonstrated “how Facebook adheres to European data protection principles and complies with Irish law.” It says it is not only fully compliant with E.U. data protection laws, but “we also strongly believe that every Facebook user owns his or her own data and should have simple and easy access to it.”

Mr. Schrems appeared on Facebook’s radar last June when he filed a complaint against the company with the Irish regulator, the office of the Irish Data Protection Commissioner, in Portarlington, Ireland. He alleged 22 violations of European law. Mr. Schrems filed the grievance after using a provision of Irish law to obtain from Facebook a copy of all of the information the company had been keeping on him.

Facebook sent Mr. Schrems a computer disc containing 1,222 pages of information.

The disc, Mr. Schrems said, showed that Facebook was routinely collecting data that he had never consented to give, like his physical location, which he assumes was determined from his computer’s unique address identifiers, which can be traced geographically. Facebook was also retaining data he had deleted, Mr. Schrems said.

Irish officials began an audit based on his complaints and in October visited Facebook’s offices in the Hanover Quay section of Dublin, where the company employs more than 400 workers to direct many of its global operations outside North America.

On Dec. 21, the Irish regulator, which has a staff of only 22 employees, released a 150-page report that gave Facebook until July to make a series of changes in the way it collects and retains data and how it explains to users how their information is being used.

Mr. Schrems, during an interview last week, said the Irish inquiry and the regulator’s agreement with Facebook had not addressed “90 percent” of his complaints. Mr. Schrems said he planned to request a “formal decision” from Irish officials, which would give him the legal basis to challenge the regulator’s findings in Irish court.

Gary Davis, the deputy Irish data commissioner who led the audit on Facebook, said his agency had obtained significant concessions from Facebook that had had positive effects for the 854 million active global users of the site. After 40,000 people requested their own data from Facebook Ireland, the company responded, Mr. Davis said, by creating a software tool in October on the Web site that gives all users a quick overview of the data being kept on file.

Facebook announced improvements to that tool last week, Mr. Davis said, to provide more detailed information, and has committed to providing even more by July, when the regulator will revisit Facebook’s offices to check whether it has honored its commitments.

That visit could coincide with Facebook’s I.P.O., which could take place as early as May, depending on the length of the regulatory review in the United States.

Mr. Davis said that Facebook, as a result of Mr. Schrems’s campaign, had agreed to cut the amount of time it retains data on most user activities on the Web site to less than one year. Queries typed into Facebook’s search field are deleted within six months, in conformance with European law. Previously, Mr. Davis said, the company had no comprehensive policy on data retention, with times often dictated by the perceived level of security threats and cyberattacks on the business.

“We still view Max very favorably for the issues he has raised, which were very specific and well prepared and have led to concrete improvements in how Facebook does business,” Mr. Davis said. “I obviously think we have achieved a lot in Ireland by getting Facebook to improve its transparency and data protection practices.”

Mr. Schrems said the concessions from Facebook had been insufficient. At the time of its release, Thilo Weichert, the data protection commissioner in the German state of Schleswig-Holstein, criticized the Irish regulator, saying it had identified infractions in Facebook’s handling of consumer data but had not taken a harder line or imposed financial penalties.

The main issue, Mr. Schrems said, is that no one, including the Irish regulator, is independently verifying whether Facebook is doing what it says it will do in terms of permanently deleting personal information and shortening data retention times.

Consumer Reporting Agency to Pay $1.8 Million for Fair Credit Reporting Act Violations

June 27, 2011 

Company Provided Sensitive Consumer Credit Information to Marketers In Violation of Law

Teletrack, Inc. has agreed to pay $1.8 million to settle Federal Trade Commission charges that it sold credit reports to marketers, in violation of the Fair Credit Reporting Act (FCRA). This settlement seeks to protect consumers’ privacy by ensuring that their sensitive credit report information is not sold for marketing purposes.

According to the FTC’s complaint, as part of its business Teletrack sells credit reports and other services to businesses – such as payday lenders, rental purchase stores, and non-prime rate auto lenders – that mainly serve financially distressed consumers. These businesses use Teletrack’s credit reports to decide whether and on what terms to provide credit to their customers.

The complaint alleges that Teletrack created a marketing database of information that it gathered through its credit reporting business. It then sold the information in this database – including lists of consumers who had applied for non-traditional credit products – to marketers. For example, Teletrack sold lists of consumers who previously sought payday loans to third parties that wanted to use this information to target potential customers. The FTC’s complaint alleges that these marketing lists were credit reports under the FCRA because they contained information about a consumer’s creditworthiness. The FTC charges that Teletrack violated the FCRA, which makes it illegal to sell credit reports without a specific “permissible purpose” under the statute; marketing is not a permissible purpose.

“The fact that a consumer has applied for a payday loan is credit report information protected by the FCRA,” said FTC Bureau of Consumer Protection Director David Vladeck. “The FCRA says a credit reporting agency like Teletrack can’t sell a consumer’s sensitive credit report information for mere sales pitches.”

The settlement order resolving the FTC’s charges requires Teletrack to furnish credit reports only to those people that it has reason to believe have a permissible purpose to receive them under the FCRA, or as otherwise allowed by the FCRA. It also requires Teletrack to pay a civil penalty of $1.8 million, and contains reporting and record-keeping requirements to ensure the company’s compliance with the decree.

The Commission vote to authorize the staff to refer the complaint to the Department of Justice, and to approve the proposed order, was 5-0. The DOJ filed the complaint and proposed order on behalf of the Commission in U.S. District Court for the Northern District of Georgia on June 24, 2011. The proposed order is subject to court approval.

March 8, 2011

FTC Releases List of Top Consumer Complaints in 2010; Identity Theft Tops the List Again

The Federal Trade Commission today released the list of top consumer complaints received by the agency in 2010. The list showed that for the 11th year in a row, identity theft was the number one consumer complaint category. Of 1,339,265 complaints received in 2010, 250,854 – or 19 percent – were related to identity theft. Debt collection complaints were in second place, with 144,159 complaints.

The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted.

For the first time, “imposter scams” – where imposters posed as friends, family, respected companies or government agencies to get consumers to send them money – made the top 10. The FTC also has issued a new consumer alert, “Spotting an Imposter”, to help consumers avoid imposter scams.

The top consumer complaints were:

Rank  Category                               Number of Complaints  Percentage
1     Identity Theft                         250,854               19%
2     Debt Collection                        144,159               11%
3     Internet Services                      65,565                5%
4     Prizes, Sweepstakes and Lotteries      64,085                5%
5     Shop-at-Home and Catalog Sales         60,205                4%
6     Imposter Scams                         60,158                4%
7     Internet Auctions                      56,107                4%
8     Foreign Money/Counterfeit Check Scams  43,866                3%
9     Telephone and Mobile Services          37,388                3%
10    Credit Cards                           33,258                2%

March 2, 2011

The Federal Reserve Board and the Federal Trade Commission (FTC) on Tuesday proposed regulations regarding the credit score disclosure requirements of the Dodd-Frank Wall Street Reform and Consumer Protection Act. The statute requires creditors to disclose credit scores and related information to consumers in risk-based pricing and adverse action notices under the Fair Credit Reporting Act (FCRA) if a credit score was used in setting the credit terms or taking adverse action.

The Board proposes to amend Regulation V (Fair Credit Reporting) to revise the content requirements for risk-based pricing notices and to add related model forms to reflect the new credit score disclosure requirements. The Board is issuing this proposal jointly with the FTC.

The Board also proposes to amend certain model notices in Regulation B (Equal Credit Opportunity), which combine the adverse action notice requirements for both Regulation B and the FCRA. The proposed amendments would revise the model notices to incorporate the new credit score disclosure requirements.

Public comments on the proposed rules under Regulations V and B are due 30 days after publication in the Federal Register, which is expected shortly.

February, 2011

The CEO of a former client is named to the CFPB.

Elizabeth Warren, the White House adviser charged with setting up the U.S. Consumer Financial Protection Bureau, has hired Corey Stone to head a unit that will write rules for credit information firms. Corey is the former chief executive of Pay Rent, Build Credit, Inc. (PRBC), a credit bureau designed to allow consumers to build credit histories by documenting rent and bill payment, rather than by incurring debt. PRBC was a client until the merger with MicroBilt, in 2008. MicroBilt continues to be a client.

According to the agency’s draft organizational chart, he will be in charge of writing rules to regulate credit bureaus and will play the same role for debt-collection companies.


January 1, 2011

After many postponements, the Red Flag Rules finally are in effect. See for information about what businesses need to do to comply. Please call if you have any questions.


December 1, 2010

The Federal Trade Commission issued a preliminary staff report that proposes a framework to balance the privacy interests of consumers with innovation that relies on consumer information to develop beneficial new products and services. The proposed report suggests implementation of a “Do Not Track” mechanism – likely a persistent setting on consumers’ browsers – so consumers can choose whether to allow the collection of data regarding their online searching and browsing activities. See the report at:


Oscar Marquis & Associates   |  P: 847-698-1077   |