The Fair Credit Reporting Act (FCRA) is a pivotal federal law that regulates how consumer credit information is collected, shared, and used. Enacted in 1970, the FCRA seeks to promote fairness, accuracy, and privacy in credit reporting. While the law applies broadly, certain entities are exempt from full FCRA regulations.
Overview of the FCRA
The FCRA primarily governs consumer reporting agencies (CRAs) like Equifax, TransUnion, and Experian. It also regulates creditors, insurers, employers, landlords, and other entities that use consumer reports.
Key provisions of the FCRA include:
- Consumers have a right to access their credit reports from CRAs once a year for free.
- Consumers can dispute any inaccurate or incomplete information in their credit reports. CRAs must investigate disputes.
- CRAs and data furnishers have obligations to ensure credit information is accurate and current.
- Entities using credit reports must notify consumers when taking “adverse action” based on information in their reports.
- Consumer consent is required before CRAs can provide reports to most third parties.
- CRAs must have procedures to ensure credit reports are provided only for permissible purposes.
- There are limits on reporting negative information like bankruptcies and civil suits.
Who is Exempt from the FCRA?
While the FCRA has broad reach, certain entities are fully or partially exempt from its requirements:
Government Agencies
Government agencies like law enforcement and national security agencies are exempt when using credit reports for non-civilian purposes.
Certain Financial Institutions
Banks, credit unions, and other financial institutions are exempt from some FCRA duties when using credit reports in relation to existing accounts and services.
Most Employers
Employers are exempt from some FCRA provisions when ordering credit reports for employment screening. But job applicants must still consent.
Most Landlords
Landlords who order credit reports to screen rental applicants are generally exempt from the FCRA. But some state laws fill gaps.
Small Businesses
Businesses with fewer than 20 employees are exempt from some rules when screening job candidates.
Certain Credit Card Issuers
Major credit card companies have some exemptions from disclosure rules for rates and terms.
Certain Credit Unions
Credit unions have limited exemptions related to releasing negative member information to third parties.
So while the FCRA governs CRAs closely, companies using credit reports often have more flexibility. But other laws like the ECOA and state statutes still regulate credit checks.
Key Exemptions Explained
Let’s look at some of the main FCRA exemptions more closely:
Government agencies – Agencies like the FBI and CIA don’t have to comply with the FCRA when pulling credit reports for national security, counterintelligence, and anti-terrorism purposes. Regular civilian monitoring isn’t exempt.
Employers – Employers can bypass some FCRA duties when ordering applicant/employee credit checks. But they must still get written consent to run reports and provide adverse action notices.
Banks – For existing accounts, banks don’t have to comply with all FCRA provisions like allowing consumers to opt out of data sharing with affiliates.
Credit card companies – Major issuers like Visa and Amex are exempt from some credit term disclosure rules. But transparency is still encouraged.
Landlords – Landlords routinely obtain credit and background checks on rental applicants. But the practice is generally exempt from the FCRA.
Small businesses – Small companies with fewer than 20 employees don’t have to comply with all FCRA regulations when screening job candidates.
So while the FCRA governs credit reporting broadly, legitimate exemptions do exist. But excluded entities still must act responsibly when handling consumer credit data.
The Purpose and Importance of the FCRA
The overarching goal of the FCRA is to promote fairness and accuracy in credit reporting. This preserves consumers’ rights to privacy and non-discrimination. The law provides critical protections:
- Privacy – Consumers must consent before credit reports are shared in most cases.
- Accuracy – Credit bureaus and lenders must ensure information is correct and current.
- Access – Consumers can review their own credit reports to identify any errors.
- Recourse – The law enables consumers to dispute and correct inaccurate credit report information.
- Oversight – Federal and state regulators can hold credit bureaus and lenders accountable for violations.
While exemptions limit the FCRA’s reach in some areas, it remains crucial for giving consumers control over their credit information. Without it, credit reporting could become prone to abuse and misuse.
Is the FCRA Still Relevant Today?
The FCRA was a landmark law back in 1970. But is it still critical in the modern digital era? Absolutely. If anything, vigilant oversight of credit reporting is more important than ever today.
- More data sources – Credit reports now integrate more data like utility payments and rental histories.
- Faster sharing – Digital systems enable instant exchange of applicant credit reports.
- New technologies – AI-based credit underwriting relies heavily on comprehensive credit data.
- More threats – Digital crime has made credit report security and identity theft major risks.
While the internet age has transformed credit reporting, it has also created new consumer vulnerabilities. So the core FCRA principles of privacy, accuracy, and fairness remain indispensable.
The Road Ahead for the FCRA
Looking ahead, the FCRA may need select updates to keep pace with our rapidly evolving digital economy. Potential reform areas include:
- Reining in access for employment screening
- Expanding identity theft victim assistance
- Adding protections around AI credit decisions
- Enhancing regulation of alternative credit data sources
- Strengthening enforcement of existing FCRA policies
But at its core, the decades-old FCRA still provides critical consumer protections that should remain intact even as credit reporting continues to transform.
While the Fair Credit Reporting Act governs the credit reporting industry broadly, legitimate exemptions do exist. Government agencies, certain lenders, employers, landlords, and small businesses enjoy relaxed requirements in some areas. However, the core FCRA principles of privacy, accuracy, and fairness remain highly relevant today. And consumers continue to benefit from the strong credit report protections the law provides.
Health Insurance Portability and Accountability Act
HIPAA is a federal health-care law that regulates, among other things, the disclosure and security of protected health information (PHI). Under the CCPA exemption, the California law does not apply to PHI collected by a covered entity or business associate (similar to a CCPA service provider) that is governed by the privacy, security, and breach notification rules of HIPAA.
Notice that this exemption only covers PHI; these businesses could potentially be collecting and using other personal information that is subject to CCPA requirements. However, the California law also has a total exemption for covered entities to the extent they maintain patient information in the same manner as PHI.
The HIPAA exemption covers all provisions of the CCPA, including the private right of action for data breaches. This is likely because HIPAA already has its own data-protection requirements and the California Confidentiality of Medical Information Act (CMIA) grants a similar right of action to consumers.
The GLBA imposes privacy rules on financial institutions regarding the collection and sharing of consumers’ nonpublic personal information (NPI). NPI is “personally identifiable financial information” collected in connection with providing financial products or services. Under the GLBA’s Privacy Rule, financial institutions must disclose how NPI is collected and shared, as well as provide consumers with the opportunity to opt out of sharing their NPI with third parties.
Because the GLBA already has its own data privacy rules in place, the CCPA includes an exemption for personal information that is subject to the GLBA (i.e., NPI). It is not an entity-level exemption, though. If financial institutions are collecting personal information that is not subject to the GLBA, that personal information may be subject to the CCPA. For example, if a financial institution also provides non-financial products, personal information collected while providing those products could be covered by the CCPA.
Businesses that have already implemented a GLBA-compliance system should have a good idea as to what is or is not NPI. For any personal data that has been determined not to be NPI, businesses should evaluate their obligations under the CCPA.
Importantly, the CCPA does not exempt financial institutions from its private right of action concerning data breaches. Under this provision, California residents can sue businesses when their non-encrypted and non-redacted personal information is subject to unauthorized access, theft, or disclosure due to a business’s failure to implement and maintain reasonable data security procedures.
Fair Credit Reporting Act
The FCRA governs how personal information can be used by consumer reporting agencies such as credit bureaus and background-screening companies. It also gives consumers certain rights regarding the accuracy and privacy of their information.
The CCPA has an exemption for personal information that is collected, maintained, used, sold, or shared by consumer reporting agencies and furnishers of information (as defined by the FCRA). It is not an entity-level exemption; it only applies to the extent that the personal information is subject to the FCRA and is used as authorized by that law. If the CCPA did not have this exemption, it would be very disruptive to the overall credit-reporting system. Otherwise California residents could, for example, request the deletion of their entire credit history.
As with the GLBA exemption, this does not apply to the CCPA’s private right of action. Businesses can still be sued by consumers for a cybersecurity breach caused by the business’s failure to implement and maintain reasonable security procedures.
The CCPA takes care to stay out of the way of HIPAA, the GLBA, and the FCRA, but it doesn’t mean businesses that are subject to these laws can completely ignore the CCPA. These businesses should carefully evaluate their practices to determine whether there are any areas where federal compliance ends and CCPA compliance begins.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
FAQ
What entities are not subject to FCRA?
- Background-Screening Companies.
- CRAs.
- Credit Card Issuers.
- Credit Unions.
- Banks.
What is the CCPA exemption from the FCRA?
Can you opt out of FCRA?
Control Your Credit File
The FCRA also provides you the right to “Opt-Out”, which prevents Consumer Credit Reporting Companies from providing your credit file information for Firm Offers.
Which of the following is not required under the Fair Credit Reporting Act?
The option that is not required by the Fair Credit Reporting Act of 1970 is C: ‘An applicant has the right to know anyone questioned regarding the report.’