On The Hill
On December 6th, Representative Josh Gottheimer (D-NJ) introduced H.R. 5332, the Protecting Your Credit Score Act, which would amend the Fair Credit Reporting Act (FCRA) to ensure that consumer reporting agencies are providing fair and accurate information in consumer reports. The bill has been ordered to be reported by the House Committee on Financial Services.
On December 3rd, Senator Maria Cantwell (D-WA) introduced S. 2968, the Consumer Online Privacy Rights Act, which would provide consumers with data privacy rights and vest enforcement with the Federal Trade Commission. The bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
On December 2nd, Senator Brian Schatz (D-HI) introduced S. 2961, the Data Care Act, which would establish duties for online service providers with respect to end user data that such providers collect and use. The bill has been referred to the Senate Committee on Commerce, Science, and Transportation.
At the CFPB
On November 22nd, the Consumer Financial Protection Bureau (CFPB) announced a settlement with background screening company Sterling Infosystems, Inc. to resolve allegations that Sterling violated the Fair Credit Reporting Act (FCRA). The CFPB alleged that Sterling violated the FCRA by failing to employ reasonable procedures to ensure the maximum possible accuracy of the information it included in the consumer reports it prepared. Specifically, the CFPB alleged that Sterling’s procedures created a heightened risk that its consumer reports would include criminal records belonging to another individual with the same name as the applicant. The CFPB also alleged that Sterling violated the FCRA by failing to ensure that public record information it included in consumer reports was complete and up to date or to notify consumers, at the time of reporting, that public record information was being reported for employment purposes. The CFPB further alleged that Sterling violated the FCRA by reporting criminal history information, and other adverse information about consumers, outside of the allowable reporting period. The proposed stipulated judgment requires Sterling to pay $6 million in monetary relief to consumers and a $2.5 million civil money penalty to the CFPB. The settlement requires establishment of a compliance committee and certain oversight by the Company’s Board of Directors. Sterling did not admit or deny the CFPB’s allegations as part of the settlement.
At the FTC
On December 10th, the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) held a workshop to discuss issues related to accuracy in credit reports, as well as employment and tenant background screening reports. Various panelists discussed the issues faced by the background screening industry today, such as the availability of identifiers in source information, the increase in companies that do not consider themselves credit reporting agencies, and the benefits and risks of using alternative data in credit reporting.
On December 6th, the FTC issued an opinion finding that Cambridge Analytica, LLC engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The opinion also found that Cambridge Analytica engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework. The FTC’s final order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information and its participation in privacy shield frameworks. In addition, Cambridge Analytica must delete the personal information it deceptively collected from consumers.
On December 3rd, the FTC announced settlements with four companies related to allegations that they misrepresented their participation in the EU-U.S. Privacy Shield framework. In addition, two of the companies failed to comply with Privacy Shield requirements. The companies failed to verify annually that statements about their Privacy Shield practices were accurate, and failed to affirm that they would continue to apply Privacy Shield protections to personal information collected while participating in the program. Under the settlements, all four companies are prohibited from misrepresenting their participation in the EU-U.S. Privacy Shield framework, any other privacy or data security program sponsored by the government, or any self-regulatory or standard-setting organization.