Center for Democracy and Technology, Protecting Privacy in Online Identity: A Review of the Letter and Spirit of the Fair Credit Reporting Act’s Application to Identity Providers

CDT insists on “the need to develop some type of private or public legal regime that ensures identity providers properly safeguard consumer privacy in the emerging identity management industry”.

CDT also highlights that:

“If identity services are covered under the FCRA, relying parties would also have a number of important FIPs-related obligations including:

  • Use Limitation – Relying parties are responsible for limiting the purposes for which they use data to those stated in the Act.
  • Certification of Purpose – Relying parties must certify to the CRA (by a general or specific certification, as appropriate) the permissible purpose(s) for which the report is being obtained and certify that the report will not be used for any other purpose.
  • Notification of Adverse Action – Relying parties must notify individuals when an adverse action has been taken based on information contained in a consumer report. Relying parties must also notify individuals when an adverse credit decision has been taken based on information obtained from third parties other than CRAs. The specific type of notification required depends on whether the information used came from a CRA, a non-CRA, or an affiliate.
  • Notification of an Address Discrepancy – CRAs must notify relying parties that request reports when the address for a consumer provided by the requesting party in requesting the report is different from the address in the consumer’s file. Relying parties must comply with regulations specifying the procedures – issued by the FTC and banking and credit union regulators – to be followed when this occurs.
  • Proper Disposal of Records – All users of consumer report information must have in place procedures to properly dispose of records containing this information”.

The document can be found at: https://cdt…