On June 28, the Consumer Financial Protection Bureau (CFPB) issued an interpretive rule, encouraging states to enact more laws regulating consumer reporting, arguing that states’ powers are only constrained in limited ways by the Fair Credit Reporting Act (FCRA).

The CFPB believes that states have the ability to enact state-level laws that are stricter than the FCRA, including outright prohibitions on reporting many kinds of truthful information about consumers, with only “limited preemption exceptions.”

The CFPB goes beyond, saying that states have the power to pass these laws, but encourages states to pass laws addressing state-level concerns. For example, the CFPB argues that states may wish to pass laws to prohibit reporting medical debt in a consumer report for a certain period of time after the debt was incurred, articulating its belief that “such a law would generally not be preempted.” Other examples of state laws the CFPB believes would not be preempted include a state law governing when a furnisher may begin reporting a consumer’s account (including medical debt); and a state law prohibiting a consumer reporting agency from including information (or certain types of information) about a consumer’s eviction, rental arrears, or arrests on a consumer report.

The CFPB’s rule argues that state laws that are more protective of consumers than the FCRA are not preempted unless they conflict with specific provisions of the FCRA. The CFPB argues that these conflicts will be on narrow, specific topics, and hence preemption will be narrow. As a result, the scope of permissible state regulation is broad.

The CFPB’s position can be viewed as a follow-up to the CFPB’s recent statements encouraging states to exercise their authority to enforce federal consumer protection laws.

If followed by the states, and by courts hearing preemption challenges to new state laws, the CFPB rule opens the door to more state-by-state regulation of the consumer reporting ecosystem. This regulation could include state laws that restrict the reporting of truthful information, even when permitted by the FCRA and other laws. For example, the CFPB has already questioned the reporting of medical debt, and uses state regulation of medical debt as a main example of permissible state action. It is significant for the CFPB to now also mention eviction records, rental arrears, and arrest records — all data that can be lawfully reported under the FCRA — as topics that the CFPB also believes the states can ban.

It should be noted that the CFPB’s position comes in the context of a long-standing debate in the courts of the scope of FCRA preemption, and the CFPB simply ignores the teachings from the developing case law. For example, multiple courts have broadly questioned the states’ ability to ban reporting of information permitted by the FCRA, while others have roughly aligned themselves with the view of the CFPB that preemption only arises when state law intrudes into consumer reporting questions that have been specifically addressed by the FCRA. In other words, the CFPB has joined the preemption fray, with no certainties in the results other than the promise of a more complex, and litigious, legal environment for consumer reporting, which is already bedeviled by plenty of legal complexity and litigation.

Photo of Alan D. Wingfield Alan D. Wingfield

Alan Wingfield helps consumer-facing clients navigate compliance, litigation and regulatory risks posed by the complex web of state and federal consumer protection laws. He is a trusted advisor and tireless advocate, helping clients develop practical compliance and dispute-resolution strategies.

Photo of Tim J. St. George Tim J. St. George

Tim defends institutions nationwide facing class actions and individual lawsuits. He has particular experience litigating consumer class actions, including industry-leading expertise in cases arising under the Fair Credit Reporting Act and its state law counterparts, as well as litigation arising from data breaches.

Photo of David N. Anthony David N. Anthony

David Anthony handles litigation against consumer financial services businesses and other highly regulated companies across the United States. He is a strategic thinker who balances his extensive litigation experience with practical business advice to solve companies’ hardest problems.

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application

Ron leads the firm’s Privacy + Cyber team. Drawing from nearly 30 years of experience, he provides comprehensive services to companies in all aspects of privacy, security, data use, and risk mitigation. Clients rely on his in-depth understanding of technology and its application to their business to solve their most important challenges — from implementation and strategy to litigation and incident response. Ron and his team have redefined the boundaries of typical law firm privacy and cyber services in offering a 360 degree approach to tackling information governance issues. Their holistic services include drafting and implementing bespoke privacy programs, program implementation, licensing, financing and M&A transactions, incident response, privacy and cyber litigation, regulatory investigations, and enforcement experience.

Photo of H. Scott Kelly H. Scott Kelly

Scott is a consumer data and privacy specialist. He regularly defends against data breach lawsuits and class action claims asserted under federal and state consumer-protection statutes (FCRA, FDCPA, TCPA, UCC, UDAAP, RICO). Scott represents companies on an array of data privacy issues, including

Scott is a consumer data and privacy specialist. He regularly defends against data breach lawsuits and class action claims asserted under federal and state consumer-protection statutes (FCRA, FDCPA, TCPA, UCC, UDAAP, RICO). Scott represents companies on an array of data privacy issues, including background screening, consumer reporting, data breaches, ransomware attacks, and related regulatory investigations by the Consumer Financial Protection Bureau (CFPB), Federal Trade Commission (FTC), and state attorneys general.