Privacy Daily is a service of Warren Communications News.

EPIC Urges States to Cut Privacy Law Exemptions for Credit-Reporting Firms

States should amend comprehensive privacy laws to remove loopholes for consumer reporting agencies (CRAs), the Electronic Privacy Information Center (EPIC) said in a white paper released Tuesday.


Agencies that provide credit scores, such as Equifax, Experian and TransUnion, are the type of data brokers that consumers know best, said EPIC. But because they are regulated federally by the Fair Credit Reporting Act and the Gramm-Leach-Bliley Act -- and all states have carveouts for FCRA and GLBA -- they are exempt from states’ comprehensive privacy laws.

“CRAs often sell much more than just credit reports,” noted EPIC. “Prominent CRAs, for example, sell salary and employment information on hundreds of millions of U.S. consumers, as well as health, location, and other information that goes far beyond what is traditionally included in a credit file.” However, lawmakers could be unaware of this, “and may therefore unintentionally let these privacy-invasive and harmful activities off the hook from their state privacy law’s rules,” EPIC said.

“It highlights the regulatory grey area in which data brokers often operate, which incentivizes data brokers to claim or disclaim the protections and obligations of different legal frameworks to best suit their purposes,” the consumer group said. “Exemptions in state laws for GLBA- or FCRA-covered data or entities can exacerbate this regulatory arbitrage.”

Credit reporting association CDIA and its members Equifax, Experian and TransUnion didn’t comment Tuesday.

Updates this year to Connecticut’s and Montana’s privacy laws converted the states’ GLBA exemptions to data-level carveouts from entity-level ones (see 2506260005 and 2505120005). The lawmakers behind the changes said they were meant to strengthen the law’s application to financial institutions. However, in its paper Thursday, EPIC urged policymakers to go further.

States with comprehensive privacy laws should remove data-level and entity-level exemptions alike -- for FCRA and GLBA -- from their consumer privacy laws, the consumer group said. “Congress and legislatures in states without general consumer privacy laws should pass new laws without entity- or data-level GLBA or FCRA exemptions in the first place.”

EPIC added that federal agencies, including the FTC, DOJ and the Consumer Financial Protection Bureau, should strengthen rules for data brokers. The CFPB should revive its rulemaking for regulating data brokers under FCRA, and both CFPB and the FTC should take enforcement actions against data brokers violating the law, it said.

Last November, before turning over its reins to the Trump administration, the CFPB issued a report that similarly urged states to reconsider carveouts for financial institutions. “Consumers should have meaningful choice and an expectation of privacy about how their financial data is used, but large companies are increasingly harvesting and monetizing this sensitive data in mysterious ways,” Rohit Chopra, then CFPB’s director, said at the time. “Given the exemptions in state law when it comes to this personal data, consumers lack fundamental protections for their financial privacy.”

In April, after Chopra left the agency, industry urged CFPB to withdraw the Biden administration’s proposed rule to regulate data brokers under FCRA (see 2504030059). The CFPB scuttled the rulemaking one month later (see 2505140033).