A new advisory opinion from the CFPB aims to make it clear that credit reporting companies and users of credit reports have specific obligations to protect the public’s data privacy. The advisory also reminds covered entities of potential criminal liability for certain misconduct.

The CFPB says that the advisory opinion will help to hold responsible any company, or user of credit reports, that violates the permissible purpose provisions of the Fair Credit Reporting Act. Specifically, the advisory opinion makes clear that:

• insufficient matching procedures can result in credit reporting companies providing reports to entities without a permissible purpose, which would violate consumers’ privacy rights;
• it is unlawful to provide credit reports of multiple people as “possible matches;
• disclaimers about insufficient matching procedures do not cure permissible purpose violations; and
• users of credit reports must ensure that they do not violate a person’s privacy by obtaining a credit report when they lack a permissible purpose for doing so.

The advisory opinion also outlines some of the criminal liability provisions in the Fair Credit Reporting Act, and states that covered entities can face criminal liability for obtaining a background report on an individual under false pretenses or by providing a background report to an unauthorized individual.