FCRA Rule Changes Better Complement Dodd-Frank Act

By Anokhy Desai


On September 8, the Federal Trade Commission (FTC) approved “largely technical” changes to five Fair Credit Reporting Act (FCRA) rules that narrowed their scope to only apply to motor vehicle dealers, decreasing confusion for applicable entities that must look to the FTC or Consumer Financial Protection Bureau (CFPB) for guidance on the FCRA.



The FTC has authority to enforce the FCRA, a regulation that protects individuals’ information that is collected by consumer reporting agencies (CRA). Keeping in mind that the three largest CRA’s in the US are Equifax, TransUnion, and Experian, and all three have experienced a data breach in the last few years, it is only logical that the FTC, as the unofficial-but-official consumer privacy protector, enforce an Act that governs CRA’s. Despite the FTC’s initial rulemaking authority of the FCRA, the Dodd-Frank Act amended the FCRA in 2010 to require disclosure of credit scores and related consumer information for both risk-based pricing and FCRA adverse action notices, and to provide the CFPB with most of the rulemaking responsibilities added to the FCRA. Not only did this limit the FTC’s authority over the Act, but it also caused some confusion over which agency governed which FCRA-covered entities. This confusion was finally addressed over a decade later.


The Updates

Last week, the FTC approved changes to five FCRA rules, aligning them more with the Dodd-Frank Act; the changes clarify that the five rules listed below only apply to motor vehicle dealers, which are excluded from the scope of the Dodd-Frank Act. The changes, while not substantive, affected:


  1. The Address Discrepancy Rule, which explains consumer obligations upon receiving a notice of address discrepancy from a CRA.
  2. The Affiliate Marketing Rule, which provides consumers the right to restrict the use of information obtained from an affiliate to advertise to those consumers.
  3. The Furnisher Rule, which requires entities that provide consumer information to CRA’s to create and implement reasonable policies and procedures about the accuracy and integrity of that information.
  4. The Pre-Screen Opt-Out Notice Rule, which provides requirements to those who use consumer reports to make unsolicited credit or insurance offers to consumers.
  5. The Risk-Based Pricing Rule, which requires those who offer less favorable terms to consumers based on their consumer reports to notify those consumers about the use of such data.


The changes to these rules do not exempt other financial services organizations from complying with the FCRA rules, but rather clarify that they, unlike motor vehicle dealers, would be subject to the CFPB’s requirements for these rules.


In addition to these rule changes, the FTC added a website to the Prescreen Opt-Out Notice Rule as another way consumers can opt out for five years or even permanently. The rule originally required CRA’s and others who use information from consumer reports to provide consumers both the right to opt out of receiving prescreened solicitations and the toll-free number consumers can call to exercise that right.


What this Means

Motor vehicle dealers must now follow the FTC’s guidance on the FCRA, which is not much different from the CFPB’s guidance, in addition to the state consumer credit laws they were already following. Consumers will be able to use “optoutprescreen.com” to opt out of unsolicited credit and insurance offers, and motor vehicle dealers will have to provide that website on notices to consumers to whom they are advertising based on their consumer reports. This should not be a large hurdle to overcome, as most large companies, including motor vehicle dealers like Ford and GM, have updated their site policies to include CCPA verbiage and emails links for their respective privacy officers for CCPA complaints and data subject requests. Not all attorneys working for entities that are considered “motor vehicle dealers” may be affected, however, as some of those entities may not make unsolicited offers covered under the Pre-Screen Opt-Out Notice Rule.


Anokhy Desai is a law student at the University of Pittsburgh School of Law with an expected graduation in May 2022.

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.

Leave a Reply

Your email address will not be published. Required fields are marked *