Skip Navigation

Laws & Notices

The Fair Credit Reporting Act (“FCRA”) became effective on April 25, 1971. The FCRA is a group of acts contained in the Federal Consumer Credit Protection act, such as the Truth in Lending Act and the Fair Debt Collection Practices Act.

Congress substantively amended the FCRA upon the passage of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”). The FACT Act created many new responsibilities for consumer reporting agencies and users of consumer reports. It contained many new consumer disclosure requirements as well as provisions to address identity theft. In addition, it provided free annual consumer report rights for consumers and improved access to consumer report information to help increase the accuracy of data in the consumer reporting system.

The identity theft rights summary includes the identity theft rights granted to consumers by FACTA, including the right to place fraud alerts on their credit reports, to block businesses and credit bureaus from reporting information in their credit files that is a result of identity theft, and to obtain from businesses information about accounts or transactions in their name that result from identity theft. The identity theft rights summary will be provided by consumer reporting companies to consumers who contact the agencies because they believe they are victims of fraud or identity theft.

The general consumer rights summary includes, among other things, consumers' right to see their credit files and know when they have been used against them, to correct inaccuracies, and to opt-out of unsolicited offers. The summary also notes that, in addition to identity theft victims, active duty military personnel have additional rights under the FCRA and FACTA. This general summary of rights updates the current summary, which credit reporting companies provide to consumers with their credit reports. The furnisher and user notices explain to businesses their duties under the FCRA.

The FCRA contains significant responsibilities for business entities that are consumer reporting agencies and lesser responsibilities for those that are not. Generally, financial institutions are not consumer reporting agencies.

In addition to the requirements related to financial institutions acting as consumer reporting agencies, FCRA requirements also apply to financial institutions that operate in any of the following capacities:

  • Procurers and users of information (for example, as credit grantors, purchasers of dealer paper, or when opening deposit accounts).
  • Furnishers and transmitters of information (by reporting information to consumer reporting agencies, other third parties, or to affiliates).
  • Marketers of credit or insurance products.
  • Employers.

Financial institutions are subject to a number of different requirements under the FCRA. The statute contains some of the requirements, while others are in regulations issued jointly by the FFIEC agencies or in regulations issued by the Federal Reserve Board and/or the Federal Trade Commission.

The Dodd-Frank Act granted rulemaking authority under the FCRA (except for §615(e) (identity theft) and §628 (disposal)) to the Consumer Financial Protection Bureau (“CFPB”) and, with respect to entities under its jurisdiction, granted authority to the CFPB to supervise for and enforce compliance with the provisions of the FCRA and the implementing regulations.

The CFPB structured the examination procedures as a series of modules, grouping similar requirements together. The modules contain general information about each of the requirements:

  • Module 1 Obtaining Consumer Reports.
  • Module 2 Obtaining Information and Sharing Among Affiliates.
  • Module 3 Disclosures to Consumers and Miscellaneous Requirements.
  • Module 4 Financial Institutions as Furnishers of Information.
  • Module 5 Consumer Alerts and Identity Theft Protections.
State Data Broker Laws (as of March, 2026)
CALIFORNIA

California Delete Act + Data Broker Registry

Cal. Civ. Code §§ 1798.99.80–1798.99.88

https://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=202320240SB362

Summary: Requires annual registration, disclosure, and a centralized deletion mechanism.

VERMONT

Vermont Data Broker Regulation

9 V.S.A. § 2446 et seq.

https://legislature.vermont.gov/statutes/section/09/062/02447

Summary: Requires data brokers to register and maintain security standards.

TEXAS

Texas Data Broker Law

Tex. Bus. & Com. Code § 509.001 et seq.

https://statutes.capitol.texas.gov/Docs/BC/pdf/BC.509.pdf

Summary: Requires registration, security controls, and public notice; applies to companies whose primary revenue comes from selling personal data.

OREGON

Oregon Data Broker Law

ORS § 646A.593

https://olis.oregonlegislature.gov/liz/2023R1/Measures/Overview/HB2052

Summary: Requires registration and ties into broader consumer privacy rights, including disclosure of third-party recipients.

States With Comprehensive Consumer Privacy Laws (as of March, 2026)
CALIFORNIA

California Consumer Privacy Act (“CCPA”), amended by California Privacy Rights Act (“CPRA”)

Cal. Civ. Code §§ 1798.100 et seq.

https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
VIRGINIA

Virginia Consumer Data Protection Act (“VCDPA”)

Va. Code §§ 59.1-571 et seq.

https://law.lis.virginia.gov/vacode/title59.1/chapter53/
COLORADO

Colorado Privacy Act (“CPA”)

Colo. Rev. Stat. § 6-1-1301 et seq.

https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf
CONNECTICUT

Connecticut Data Privacy Act (“CTDPA”)

Conn. Pub. Acts No. 22-15

https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF
UTAH

Utah Consumer Privacy Act (“UCPA”)

Utah Code § 13-61-101 et seq.

https://le.utah.gov/xcode/Title13/Chapter61/13-61.html
IOWA

Iowa Consumer Data Protection Act (“ICDPA”)

Iowa Code Ch. 715D

https://www.legis.iowa.gov/docs/code/715D.pdf
INDIANA

Indiana Consumer Data Protection Act (“INCDPA”)

Ind. Code §§ 24-15-1-1 et seq.

https://iga.in.gov/laws/2024/ic/titles/24#24-15
TENNESSEE

Tennessee Information Protection Act (“TIPA”)

Tenn. Code Ann. Title 47, Chapter 18

https://publications.tnsosfiles.com/acts/113/pub/pc0408.pdf
TEXAS

Texas Data Privacy and Security Act (“TDPSA”)

Tex. Bus. & Com. Code § 541.001 et seq.

https://statutes.capitol.texas.gov/Docs/BC/htm/BC.541.htm
OREGON

Oregon Consumer Privacy Act (“OCPA”)

Or. Senate Bill 619-B

https://olis.oregonlegislature.gov/liz/2023R1/Downloads/MeasureDocument/SB619/Enrolled
DELAWARE

Delaware Personal Data Privacy Act (“DPDPA”)

Del. Code Tit. 6 § 12D-101 et seq.

https://delcode.delaware.gov/title6/c012d/
FLORIDA

Florida Digital Bill of Rights (“FDBR”)

Fla. Senate Bill 262

https://www.flsenate.gov/Session/Bill/2023/262/BillText/er/PDF
NEW HAMPSHIRE

New Hampshire Privacy Act (“NHPA”)

N.H. Senate Bill 255-FN

https://gc.nh.gov/bill_status/legacy/bs2016/billText.aspx?id=865&txtFormat=html&sy=2024
NEW JERSEY

New Jersey Data Privacy Act (“NJDPA”)

NJ Senate Bill 332

https://pub.njleg.state.nj.us/Bills/2022/S0500/332_R6.PDF
KENTUCKY

Kentucky Consumer Data Protection Act (“KCDPA”)

Ky. Rev. Stat. § 367.3611 et seq.

https://apps.legislature.ky.gov/law/statutes/chapter.aspx?id=39092
MARYLAND

Maryland Online Data Privacy Act (“MODPA”)

Md. House Bill 0567

https://mgaleg.maryland.gov/2024rs/chapters_noln/ch_454_hb0567e.pdf
MINNESOTA

Minnesota Consumer Data Privacy Act (“MCDPA”)

Minn. Stat. § 325M.10 et seq.

https://www.revisor.mn.gov/statutes/cite/325M
NEBRASKA

Nebraska Data Privacy Act (“NDPA”)

Neb. Legislative Bill 1074

https://nebraskalegislature.gov/FloorDocs/108/PDF/Slip/LB1074.pdf
MONTANA

Montana Consumer Data Privacy Act (“MCDPA”)

Mont. Code § 30-14-2801 et seq.

https://archive.legmt.gov/bills/mca/title_0300/chapter_0140/part_0280/sections_index.html
RHODE ISLAND

Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”)

R.I. House Bill H 7787 Sub A2

https://webserver.rilegislature.gov/BillText24/HouseText24/H7787A.htm

In October 2016, the Federal Trade Commission (“FTC”) issued guidance applicable to background screening companies and landlords who engage in tenant screening. The FTC highlights four key responsibilities of such background screening companies (considered consumer reporting agencies) covered by the Fair Credit Reporting Act (“FCRA”), specifically:

  • “Follow reasonable procedures to ensure accuracy
  • Get certifications from your clients.
  • Provide your clients with information about the FCRA.
  • Honor the rights of applicants and tenants.”

The FTC opines on what “reasonable procedures to ensure accuracy” are (and those should be read to apply to employment screening as well). The FTC maintains: “[c]ertain practices may be indicators that a background screening company isn’t following reasonable procedures. For example, if a report lists criminal convictions for people other than the applicant or tenant – for instance, a person with a middle name or date of birth different from the applicant’s – that raises FCRA compliance concerns. Other examples that raise FCRA compliance concerns include screening reports with multiple entries for the same offense or that list criminal records that have been expunged or otherwise sealed. Another indication that a company’s procedures might not be reasonable are reports that list housing court actions, but do not include the outcome of the action – for instance, that a case was resolved in the tenant’s favor.”

Background screeners should also note that the FTC calls out reports with multiple entries for the same offense, the reporting of expunged or sealed records, reports with no dispositions, and finally, the failure to use a middle name to ensure accuracy.

Please see the following materials from the FTC:

Employers - Criminal Background Check Policy

Employers should be aware that in 2012 guidance on the use of criminal history records in employment, the Equal Employment Opportunity Commission made clear that blanket prohibitions on employment based on criminal history are frowned upon due to the potential for discrimination.

Customer Notice - Use of Public Record Information
MicroBilt - Public Record Information From MicroBilt (12-16-24).pdf
Information subject to change without notice. All rights reserved. © 2026 MicroBilt v.070517