After the FACT Act: What States Can Still Do to Prevent Identity Theft
Gail Hillebrand, Senior Attorney, Consumers Union(1)
(Please note: for the PDF file of this document, click here.)
I. The General Rule of No-Preemption is Clarified to Cover Identity Theft Prevention or Mitigation Laws
II. The 1996 Preemptions are Extended
III. There are Very Limited Additions to “Subject Matter Regulated Under” Preemption
IV. Two New Standalone Preemption Sections Do Not Include Either the “Subject Matter Regulated Under” or the “Conduct Required Under” Standards
V. The Act Creates a Narrow Form of Preemption for Conduct Required under Listed Sections
VI. There is Much that States Can Still Do
The federal Fair and Accurate Credit Transactions Act of 2003 (FACT), signed December 4, 2003, made significant changes and additions to the federal Fair Credit Reporting Act (FCRA). The Act provides for free annual credit reports, increases the standard for the accuracy of information furnished to credit reporting agencies, strengthens adverse action notices, and creates a right to a credit score from a credit reporting agency for a reasonable fee. FACT also requires a lender or broker who is considering a home loan application to provide a credit score without a fee, and adds certain rights for identity theft victims and measures intended to prevent identity theft, including a duty on creditors to take certain steps before granting credit when a fraud alert is contained in a credit file or accompanies a credit score.
States retain significant authority under FACT to continue to protect their residents, including from identity theft. This is the clearest in areas untouched by the federal Act, but states also retain the right to supplement most of the federal identity theft provisions. FACT amends FCRA with respect to preemption of state laws by:
1) Adding identity theft prevention and mitigation to the basic “inconsistency” rule, which permits state laws that are not inconsistent with the federal act;
2) Permanently extending the 1996 preemptions for the “subject matter regulated under” specific described sections;
3) Adding one identity theft provision and two non-ID theft provisions to the list of “subject matter regulated under” preemptive sections;
4) Adding two new preemptive sections related to certain disclosures; and
5) Creating a narrow preemption with respect to certain new federal protections relating to identity theft. This preemption provision restricts state laws only with “respect to the conduct required by the specific provisions” of certain listed sections of the FACT Act.
Parts I – V discuss each of these approaches to preemption. Part VI discusses some of the many types of state laws in the area of identity theft which are not preempted.
I. The General Rule of No-Preemption is Clarified to Cover Identity Theft Prevention or Mitigation Laws
The general rule under FCRA is a rule of non-preemption, except for and to the extent of an inconsistency with any provision of the federal Act. FCRA § 624(a); 15 U.S.C. § 1681t(a). To clarify that this general “inconsistency only” preemption rule applies to state identity theft statutes, the phrase “identity theft prevention or mitigation” was added to the general inconsistency standard of section 624(a). The section has been renumbered section 625(a). FACT § 711. Unless one of the specific sections described in Parts III, IV, or V below applies, state identity theft laws are preempted by the revised FCRA only when, and only to the extent, that they are inconsistent with a provision of FCRA.
II. The 1996 Preemptions are Extended
The biggest loss for consumers in FACT is the permanent extension of the seven areas of preemption first added to FCRA in 1996 and previously set to expire on January 1, 2004. These are found at FCRA section 624(b)(1) and (b)(2); 15 U.S.C. section 1681t(b)(1) and (b)(2). The text of these preemptions was not changed. No new statutory language was added to clarify existing preemption disputes, such as the interplay of the FCRA preemption provision on affiliate sharing and the authorization in the Gramm Leach Bliley Act for states to provide greater protection with respect to consumer privacy and information sharing by financial institutions. GLBA § 507; 15 U.S.C. § 6807. Congress simply made these preexisting FCRA subsections permanent without changing their language or clarifying their scope.
Six of the seven 1996 FCRA preemptions apply “with respect to any subject matter regulated under” listed sections or subsections. FCRA § 624(b)(1); I5 U.S.C. § 16812t(b)(1); renumbered by FACT as FCRA § 625(b)(1); FACT § 711(3). Those six sections are:
• Section 1681b relating to the prescreening of consumer reports;
• Section 1681i relating to the time by which a consumer reporting agency must take any action in any procedure related to the disputed accuracy of information in a consumer’s file (state laws in effect on September 30, 1996 are exempted);
• Section 1681m(a) and (b) relating to the duties of a person who takes any adverse action with respect to a consumer;
• Section 1681m(d) relating to the duties of persons who use a consumer report in connection with any credit or insurance transaction that is not initiated by the consumer and that consists of a firm offer of credit or insurance;
• Section 1681c relating to information contained in consumer reports (state laws in effect on September 30, 1996 are exempted); and
• Section 1681s-2, related to the responsibilities of person who furnish information to credit reporting agencies.(2)
The final prior preemption provision appears in FCRA section 624(b)(2), renumbered section 625(b)(2). It is not accompanied by an introductory clause purporting to cover “any subject matter regulated under” the section. That provision preempts any requirement or prohibition imposed under state law with respect to “the exchange of information among persons affiliated by common ownership or common corporate control.”(3)
Because these preemptions have been in place since the 1996 FCRA amendments, they will not be further analyzed here.
III. There Are Very Limited Additions to “Subject Matter Regulated Under” Preemption
FACT adds only three sections to the “subject matter regulated under” form of preemption found in renumbered FCRA section 625(b)(1). FACT describes these sections as:
• Section 609(e), relating to information available to victims under section 609(e);
• Section 624, relating to the exchange and use of information to make a solicitation for marketing purposes; and
• Section 615(h), relating to the duties of users to provide notice with respect to terms in certain credit transactions.
FACT § 625(b)(1)(G) – (I); FACT §§ 151(a)(2), 214(c)(2), 311(b).
Only one of these sections, FCRA section 609(e), is an identity theft section. FACT § 151(a).(4) Section 609(e) gives identity theft victims a right to receive application and transaction information from businesses where an identity thief has successfully impersonated the consumer. It requires a business from whom an identity thief obtained credit, products, or services to provide the victim with copies of reasonably available application and business transaction records in the control of the business entity. The victim must make a request; provide proof of his or her identity; and, at the option of the business, provide both a police report and an FTC ID theft affidavit. FCRA § 609(e); FACT § 151(a)(1). Because this section is under the general “subject matter regulated under” preemption provision in renumbered section 625(b)(1), a state is limited in its ability to enact enforceable laws in this area. For example, state laws shortening the 30 day time period or providing for a less strict trigger for the right are probably preempted.
Section 609(e) is not enforceable under the civil liability provisions of FCRA. FCRA § 609(e)(6); FACT § 151(a). This section also contains an express protection from liability under federal, state or other law for making the disclosure in good faith pursuant to the subsection. FCRA § 609(e)(7); FACT § 151(a)(1). Thus, a state could not directly impose liability for failure to comply with the section. However, the preemption applies only to “information available to victims under section 609(e).” See FCRA §§ 609(e) and 625(b)(2)(G); FACT § 151(a). Other state-imposed duties, or other state causes of action such as for negligence in dealing with a thief impersonating a consumer, which may exist now or in the future are left untouched.
New FCRA section 624 is the affiliate marketing opt-out. FACT § 214. Section 624 prohibits using information received from an affiliate that would be a credit report, if not for the exemption provided for exchange of information among affiliates, for making a solicitation for marketing purposes unless the consumer is given an opportunity to opt out of receiving such solicitations. This section therefore regulates only the use of certain information for a specific purpose, and not the actual sharing of consumers’ personal financial information. The new preemption covers the “subject matter regulated under” the section, describing that subject matter as: “relating to the exchange and use of information to make a solicitation for marketing purposes.” FCRA § 625(b)(1)(H); FACT § 214(c)(2). This description of the “subject matter” is, in fact, broader than the actual provisions of section 624; consequently, the extent of any new preemption of state laws in the area of affiliate sharing, if any, is unclear. Such preemption should extend, at the most, to state laws imposing conditions or restrictions on the use of personal financial information obtained from an affiliate for making solicitations for marketing purposes. This section should not determine whether or not there is preemption of state restrictions on affiliate sharing for other purposes, such as underwriting or pricing. Preemption with respect to section 624 must be evaluated under: 1) the Gramm Leach Bliley Act (GLBA), as consumer advocates contend; 2) preexisting FCRA section 624(b)(2), renumbered as 625(b)(2), as banks contend; or 3) by harmonizing the 1996 FCRA preemption which was renewed without change in 2003 with the 1998 GLBA authorization for further state regulation to accompany the GLBA’s expansion of the kinds of allowable affiliate relationships.
The final new section of FCRA which was added to the list of “subject matter regulated under” preemption is section 615(h); FACT section 311(b). Section 615(h) is the enhanced adverse action notice, also called the risk-based pricing notice. It requires notice to the consumer when credit is granted based in whole or in part on a consumer report but the material terms are materially less favorable than the most favorable terms available to a “substantial proportion” of consumers from or through that person (lender or broker). Thus, this section prevents a state from requiring an adverse action notice where it would not be required by federal law, such as when the terms offered are less favorable in a nonmaterial way, or when the materially less favorable term is not itself a material term. There is talk that this section will be reopened, because of an apparent error that restricts private civil liability for violations of the section in FCRA 615(h)(8)(A); FACT § 311(a). See Regulators Scurry to Close FACT Loophole, American Banker, Dec. 12, 2003 (referring to a different loophole, but also quoting Chairman Shelby on the apparent error regarding the restriction on civil liability).
IV. Two New Standalone Preemption Sections Do Not Include Either the “Subject Matter Regulated Under” or the “Conduct Required Under” Standards
The next category of preemption in FACT is found in FCRA subsections 625(b)(3) and (4); FACT subsection 212(e). These two new subsections omit both the general “subject matter regulated under” introductory language of renumbered FRCA section 625(b)(1) and the “conduct required under specific provisions” introductory language of FCRA section 625(b)(5), which is discussed in Part V, below.
The first of these two new preemptive sections is FCRA section 625(b)(3); FACT section 212(e). It covers the disclosures required by subsections 609(c), (d), (e) or (g); and subsection 609(f) “relating to the disclosure of credit scores for credit granting purposes.” The inclusion of subsection 609(e) in this section might be a mistake, since the disclosures required under section 609(e) are also included in the preemption section 625(b)(1)(G). See FACT § 151(a)(2), compare FACT § 212(e). On the other hand, it could be argued that the “subject matter regulated under” form of preemption applies only to the disclosures required under section 609(e), and that the rest of the section, including the identification requirements to trigger that disclosure obligation, is covered in section 625(b)(3), which lacks the “subject matter required” introductory language.
Subsections 609(c) and (d) are the notices of the right to obtain a consumer credit report and credit score and to dispute information, and the summary of rights conferred by FCRA. A consumer reporting agency that gives the section 609(c) notice must also tell the consumer that he or she may have “additional rights under State law.” FCRA § 609(c)(2)(D); FACT § 211(c). Thus, this notice does not purport to be a complete summary of all consumer rights, but only of the rights provided under FRCA. This suggests states should continue to have the right to require notice of additional state law rights.
The last item listed in FRCA section 625(b)(3) is credit score disclosure. FACT § 212(e). This covers “the disclosures required to be made” under section 609(g) and under section 609(f) “relating to the disclosure of credit scores for credit granting purposes.” These substantive sections are found at FACT section 212(b). Section 609(f) addresses disclosure of credit scores by consumer reporting agencies. Section 609(g) imposes obligations only on persons who make or arrange loans to be secured by residential real property. Neither section addresses the obligations, if any, of other types of creditors, such as auto lenders or credit card lenders. Finally, existing state credit score disclosure laws in California and Colorado are exempted from preemption.
The words used suggest that the degree of credit score preemption is fairly narrow. The preemption does not apply to all types of credit scores, or to all aspects of credit score disclosure. Instead, this preemption applies to disclosures under section 609(g), which are made by mortgage lenders and mortgage brokers, and to disclosures under section 609(f), which covers consumer reporting agency disclosure of credit scores “for credit granting purposes.” FCRA §§ 625(b)(3), 609(g), 609(f); FACT §§ 212(e), 212(c), 212(b). Thus, a state could not require a mortgage lender or a consumer reporting agency to provide more key reasons why the score was not higher than the 4 to 5 reasons which are required under FACT. However, since FCRA section 609(g) is silent on the obligations of non-home secured lenders to disclose credit scores, a state might be able to require these types of lenders to disclose credit scores. A state should also remain free to regulate credit scores outside the area of disclosure, and can regulate the disclosure by consumer reporting agencies of credit scores generated or used for purposes other than credit granting purposes. Because the language of FCRA section 625(b)(3) is tied to disclosure, it also should leave states free to impose substantive, non-disclosure requirements or prohibitions on the uses of credit scores even when used for credit granting purposes. FCRA § 625(b)(3); FACT 212(e).
The credit score disclosure preemption provision expressly preserves state authority in the area of insurance scoring. FCRA section 625(b)(3)(C) states that the paragraph “shall not be construed as limiting, annulling, affecting, or superseding any provision of the laws of any State regulating the use in an insurance activity, or regulating disclosures concerning such use, of a credit-based insurance score of a consumer by any person engaged in the business of insurance.” FCRA § 625(b)(3)(C); FACT § 212(e).
The next section in this category, FCRA section 625(b)(4), preempts “with respect to the frequency of “any disclosure under section 612(a),” which refers to annual free credit reports. FCRA § 625(b)(4); FACT § 212(e). This section does not contain the broad introductory language of section 625(b)(1), covering the “subject matter regulated under.” It also omits the narrow “conduct required under the specific provisions” introductory language of section 625(b)(5). However, section 612(a) is also included in the list of “conduct required under” preempted sections. FACT § 711(2). There, the section is listed by number, without reference to the “frequency” requirement.
Preexisting laws in the seven states that already provided for free annual credit reports are exempt from the preemption in FCRA section 625(b)(4), but not from section 625(b)(5). This suggests that the double listing in both subsections 625(b)(4) and (b)(5) is simply an error. The state laws exempted from section 625(b)(4) preemption are those of Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey and Vermont. (5)
If the inclusion of section 612(a) in both its own separate preemptive section in FCRA 625(b)(4) and in the list under FCRA 625(b)(5) is simply a mistake, then the scope of free credit report preemption should be restricted to the issue of frequency. States could impose a similar free annual report requirement on regional consumer reporting agencies and regional specialty agencies such as a regional landlord-tenant database, from which section 612(a) does not require a free annual report. The same result should be reached under section 625(b)(5)’s preemption rule, since it limits preemption to the conduct required, and section 612 does not require any conduct of regional consumer reporting agencies. Because the preemption in section 625(b)(4) and (5) refers only to section 612(a), and not to other parts of section 612, states also retain their long-held right to regulate the cost of a non-free credit report.
V. The Act Creates a Narrow Form of Preemption for Conduct Required Under Listed Sections
Unlike the “subject matter regulated under” form of preemption in FCRA section 624(b)(1), renumbered as section 625(b)(1), most of the new FCRA identity theft requirements are subject to a very narrow, “conduct required under the specific provisions” type of preemption. As discussed above in Part I, the phrase “or for the prevention or mitigation of identity theft” is added to the inconsistency standard of § 624(a), renumbered § 625(a). The statute then creates a new exception to the inconsistency rule in new subsection 625(b)(5). The new exception preempts state laws only “with respect to the conduct required by the specific provisions” of sections 625(g), 605A, 605B, 609(a)(1)(A), 612(a), 615(e), (f), and (g), 621(f), 623(a)(6) and 628. Thus, the conduct required by these sections or subsections defines and limits the scope of their preemptive effect.
Section 605(g) prohibits printing more than the last 5 digits of a debit or credit card number, or the expiration date, on a credit or debit card receipt which is electronically printed, after a delayed effective date. FCRA § 605(g); FACT § 113.
Section 605A requires certain consumer reporting agencies to place initial and extended fraud alerts and active duty military consumer alerts in consumer credit files and to provide those alerts with both credit reports and credit scores. FCRA § 605A; FACT § 112. The user of a credit report or a credit score containing or accompanied by an extended alert must contact the consumer at the phone number that the consumer has provided in the alert or by another method designated by the consumer to confirm that the application or request is not the result of result of identity theft. FCRA § 605A(h)(2)(B); FACT § 112. Where there is an initial alert, or an active duty military consumer alert, the user must employ reasonable policies and procedures to form a reasonable belief that the user knows the identity of the applicant. FCRA § 605A(h)(1)(B)(i) and (ii); FACT § 112.
Section 605B requires blocking of information in a consumer credit file that the consumer identifies as resulting from ID theft. A police report or an identity theft report filed with a federal, state or local law enforcement agency triggers this right. FCRA §§ 605B, 603(q)(4); FACT § 152, 111(q)(4).
Section 609(a)(1)(A) provides that, at consumer’s request, the first 5 digits of the consumer’s Social Security Number will be omitted on a disclosure of a credit file sent to consumer. FCRA § 609(a)(1)(A); FACT § 115.
Section 612(a) provides for a free annual credit report from each of the nationwide consumer reporting agencies and nationwide specialty consumer reporting agencies (specialty agencies compile files relating to medical records or payments, residential tenant history, check writing history, employment history or insurance claims). FCRA § 612(a); FACT § 211(a); see FCRA § 603(p) and (w); FACT § 111(p) and (w), for definitions of nationwide, and nationwide specialty, consumer reporting agencies.
Subsection 615(e) requires the federal banking regulatory agencies, the National Credit Union Administration (NCUA) and the Federal Trade Commission (FTC) to prescribe “red flag” ID theft guidelines and related regulations, plus regulations for card issuers regarding requests for an additional or replacement card within a short period of time after a change of address notice. FCRA § 615(e); FACT § 114.
Subsection 615(f) prohibits a person from selling, transferring or placing for collection a debt after the person has been notified under section 605B that the debt resulted from ID theft. There are exceptions for repurchase, securitization, merger and sale of an entity. FCRA § 615(f); FACT § 154(b).
Subsection 615(g) requires a third party debt collector to notify the creditor if the debt collector is notified that the debt may be fraudulent or may be the result of ID theft, and to provide certain information to the consumer on request. FCRA § 615(g); FACT § 155.
Section 621(f) requires national consumer reporting agencies to maintain procedures for referrals to each other of any consumer complaint alleging ID theft or requesting for a fraud alert or a block of information. FCRA § 621(f); FACT § 153.
Section 623(a)(6) requires furnishers to have reasonable procedures to prevent a furnisher of information to a consumer reporting agency from furnishing blocked information after the furnisher receives notice that the information has been blocked under section 605B. It also prohibits a furnisher who is provided an ID theft report from reporting the information unless the furnisher subsequently knows or is informed by the consumer that the information is correct. FCRA § 623(a)(6); FACT § 154(a).
Section 628 requires the federal banking agencies, the NCUA, the FTC and the SEC to issue regulations requiring any person who maintains consumer information derived from consumer reports for a business purpose to “properly dispose” of any such information or compilation of such information. FCRA § 628; FACT § 216.
VI. There is Much that States Can Still Do
Adding the subject of identity theft prevention or mitigation to the general rule of no preemption except for inconsistency preserves most state power to act to prevent or mitigate identity theft. The key exception is narrow, preempting state laws only with respect to the “conduct required” under specific sections. States remain free to enact further requirements and prohibitions in areas in which the federal law is silent, free to impose obligations on persons not covered by the federal law, and also free to supplement the federal requirements with additional requirements and prohibitions. Here are examples of some of the types of state laws which should not be preempted.
Security freeze: A security freeze is a right of the consumer to freeze access to the credit file held by a consumer reporting agency about that consumer. The consumer can give access to selected users of the credit file through a password or a temporary exemption to the freeze. California and Texas have security freeze laws. The federal Act does not require any conduct with respect to a security freeze, thus leaving this issue to the states. There is a weak argument that a security freeze relates to the content of a credit report, and thus is preempted under existing FCRA section 624(b)(1)(E), renumbered as section 625(b)(1)(E). However, that section preempts state laws relating to the information contained in a report. A security freeze should not be preempted because it is not a requirement relating to the information contained in the report, but instead a requirement restricting access to the report. Access to credit reports, rather than their contents, is not addressed by any of the 1996 preemptions nor by any of the new preemption sections.
Obligation to take a police report: Consumers need a police report to exercise the right to require businesses to give the consumer copies of records of transactions that an ID theft has performed while impersonating the consumer. A police report also can be used to trigger the extended fraud alert and the blocking of theft-related information from a credit file. ID theft victims may be unable to obtain a police report due to local policies, staff shortages at the local police department, or an unwillingness of a local police department to take a report when the identity thief is operating from another jurisdiction. California requires local police departments to take police reports from all local ID theft victims, but this is unusual. The San Diego-based Identity Theft Resource Center, which serves ID theft victims nationwide, reports that half of the victims it assists have been unable to secure a police report. A state law to require local police departments to take police reports will not be preempted. It falls in an area not touched by FCRA.
Obligation to destroy records: States can impose requirements to destroy records containing personal information. FACT does not impose a conduct requirement to destroy records, although it does require that if records or compilations containing consumer information derived from consumer reports are disposed of, the method of disposition must be proper. Section 628 expressly preserves other provisions of law related to maintaining records. Section 628(b)(2) says that nothing in the section shall be construed “to alter or effect any requirements imposed under any other provision of the law to maintain or destroy such a record.” FCRA § 628(b)(2); FACT § 216. Thus, states should remain free to require that records containing personal financial information be destroyed on a periodic basis.
State liability for violations of obligations imposed by FACT: FCRA’s liability sections and liability restrictions are not included in the list of existing or newly preempted sections, but some of the new obligations are added to existing sections restricting liability, and two new sections contain their own restrictions on enforcement. FACT restricts liability for the duty on businesses to give application and transaction information to victims. FCRA § 609(e)(6) and (7); FACT § 151(a). FACT adds some duties on furnishers of information to consumer reporting agencies, but places those duties into FCRA section 623(a) and (c), for which the preexisting FCRA restricted private enforcement. FCRA § 623(a)(6)-(9) and (c); FACT §§ 154(a), 217, 312(c), 412(a), and 312(e), respectively. FACT expands the duty on users of credit reports to give an adverse action notice, but this duty is to be enforced exclusively by federal regulatory agencies. FCRA § 615(h)(8)(B); FACT § 311(a). In most other areas, a state probably could enact an enforceable civil penalty or otherwise impose additional consequences on persons other than furnishers who violate the identity theft prevention and mitigation requirements of the federal Act. Such a state law could be challenged only under the general “inconsistency” rule. A new state penalty on furnisher liability would seem to be preempted under section 624(b)(1)(F), renumbered section 625(b)(1)(F), which restricts the responsibilities of furnishers under federal law, but there is no similar general liability restriction in FCRA with respect to the obligations of consumer reporting agencies or with respect to most of the obligations placed on users of credit reports. A state law imposing responsibility for violations of the federal law is unlikely to be inconsistent with that federal law. State laws outlawing unfair and deceptive acts and practices (UDAP statutes) also should not be preempted.
Most additional credit score regulation: As discussed in Part IV, above, states remain free to regulate with respect to all aspects of credit scores and insurance scores except the disclosure of credit scores by consumer reporting agencies for credit granting purposes and the disclosure of credit scores by persons who make or arrange home-secured loans.
Preexisting rights of states with respect to credit reports remain undisturbed: Rights that remained to the states under the 1996 FCRA amendments should continue to be available, unless they are affected by one of the preemptive sections in renumbered section 625(b) described above.
Medical privacy: FACT’s section 411, restricting the provision of medical information by consumer reporting agencies, is not included on any list of preemptive sections. However, the obligation of a furnisher of information to notify the consumer reporting agency of its status as a medical information furnisher is placed in a section which is not privately enforceable. FCRA § 623A)(9); FACT § 412.
Additional preventative identity theft requirements: States should also be able to require users of credit reports and others to engage in additional preventative behavior, such as nonuse of Social Security Numbers as customer identifiers, purging of personal information from records, and other identity theft prevention requirements if the approach taken is not addressed in the red flag ID theft guidelines for financial institutions and creditors to be promulgated under section 615(e) of the Act or if the regulators who develop those guidelines characterize the guidelines as merely advisory.
Section 615(e) will preempt only to the extent of the conduct it requires. There is a murky question of whether the guidelines will require any specific conduct, or merely recommend conduct. The section requires guidelines, but it also requires regulations to require financial institutions and creditors to institute “reasonable polices and procedures for implementing the guidelines.” FCRA § 615(e)(1)(A) (guidelines) and (B) (regulations); FACT § 114. The more that the regulators attempt to craft guidelines which are not binding, the less likely it is that those guidelines will have any preemptive effect under FCRA, since the section is preemptive only to the extent of the “conduct required.” Advisory guidelines do not require conduct. In addition, states can continue to act in a variety of ID theft prevention areas upon which the yet-to-be developed guidelines are silent. States also can act in identity theft prevention areas touching on the conduct of persons other than financial institutions and creditors, for whom federal law does not contemplate any federal ID theft prevention guidelines.(6) This could include sellers of goods and services who collect and maintain personal information.
Supplemental identity theft requirements and prohibitions: States can also impose additional prohibitions, and require additional conduct, to supplement federal identity theft protections. The preventative steps described above are the easier examples. Those state laws that give more rights to victims in the same areas in which federal law requires some, but more limited, conduct, may have to be tested. For example, California’s requirement that victims be given 12 free credit reports in the first year after a fraud alert is arguably supplemental to the federal “conduct required,” which is to give two free reports in the first year to victims who file an extended alert. FCRA § 605(6)(2)(A); FACT § 112(a).
For specialty consumer reporting agencies and regional consumer reporting agencies, a state law requiring more free reports to victims than federal law should not be preempted. Since the federal fraud alert section addresses only nationwide consumer reporting agencies, it does not impose any required conduct on other types of agencies, and hence does not preempt state laws with respect to those agencies, unless under the general inconsistency rule.
Requirements on persons not covered by a listed federal provision: States should remain free to impose conduct requirements on persons who are not covered by the federal requirements. For example, the fraud alert system created by the federal Act applies only to nationwide credit reporting agencies, so-called 603(p) agencies. FCRA § 605A; FACT § 112. An existing or future state law that requires fraud alerts for nationwide or regional specialty agencies, such as landlord tenant registries, or for regional consumer reporting agencies, should not be disturbed under “conduct required” preemption. Federal law simply does not impose a conduct requirement with respect to fraud alerts on these types of consumer reporting agencies. By contrast, the FACT blocking requirement is not restricted to nationwide agencies, so a state probably cannot enforce its own blocking requirement. FCRA § 605B; FACT § 152(a).
There is some conflict in the legislative history on the meaning and scope of “conduct required under specific provisions” preemption. The Joint Explanatory Statement of the Committee of Conference mentions the permanent extension of the 1996 preemptions but is wholly silent on the meaning of the “conduct required” preemption treatment. Cong. Rec. Nov. 21, 2003, H12198, H12214.
Congressman Oxley stated orally on November 21, 2003 that the ID theft provisions “will be national, ensuring uniform protection for consumers in all 50 States.” Cong. Rec., Nov. 21, 2003, H 12198. His extended remarks go on to characterize the preemptive effect of the bill on identity theft as: “The final FCRA legislation states that no requirement or prohibition may be imposed under the laws of any State with respect to the conduct required under the nine specific provisions included in the new identity theft preemption provision of the law. Accordingly, States cannot act to impose any requirements or prohibitions with respect to the conduct addressed by any of these provisions or the conduct addressed by any of the federal regulations adopted under these nine provisions. All of the rules and requirements governing the conduct of any person in these areas are governed solely by federal law and any State that attempts to impose requirements or prohibitions in these areas would be preempted….I should note that the legislation lists the provisions to be preempted. However, to the extent such provisions would enjoy preemption under another provision in the FCRA, the other provision would control.” Cong. Rec. Nov. 21, 2003, H12198, H 12215.(7) Congressman Oxley, however, goes on to say that the Conference committee provided “that the new uniform national standards on identity theft created by this legislation apply with respect to the conduct required by those specific provisions.” Cong. Rec. Nov. 21, 2003, H 12198, 12215.
The Conference report was presented to the Senate on November 24, 2003. Senator Sarbanes’s floor statement of November 24, 2003 interprets the ID theft preemption much more narrowly. He states: “After careful consideration by the conferees, the conference report provides for preemption of the States with respect to conduct required by specific listed provisions of the Act on identity theft. This narrowly focused preemption will leave States free to supplement these protections and to develop additional approaches and solutions to identity theft.” Cong. Rec. Nov. 24, 2003, S15806, S15807. (8)
The text of the statute itself supports Senator Sarbanes’ interpretation that states can continue to develop new identity theft rights and solutions. FACT requires that when a consumer reporting agency makes a written disclosure to a consumer, it must provide both an FTC summary of consumer rights and: “A statement that the consumer may have additional rights under State law, and that the consumer may wish to contact a state or local consumer protection agency or a state Attorney General (or the equivalent thereof) to learn of those rights.” FCRA § 609(c)(2)(D); FACT § 211(c).
Post-enactment statements by the regulators also support the conclusion that the “conduct required” preemption is very narrow. On December 16, 2003, the Federal Trade Commission and the Board of Governors of the Federal Reserve System issued Joint Interim Final Rules to establish December 31, 2003 as the effective date for a list of preemption sections of the FACT Act. FRB-6210-01-P, FTC-6750-01. All of Section 711, including subsection 711(2) which is the new “conduct required” preemption subsection, was included in the list of sections to become effective December 31, 2003. However, none of the substantive provisions requiring conduct which are referenced in section 711(2) would become effective until later. Consumers Union, the Consumer Federation of America, and U.S. PIRG expressed concern that this created a risk that the early effective date of section 711 could arguably preempt state identity theft laws before the federal protections modeled on those state laws became effective. Letter of Dec. 16, 2003 by Consumers Union, Consumer Federation of America, and U.S. PIRG to Federal Trade Commission, and similar letter of Dec. 19, 2003 to Federal Reserve Board (on file with Consumers Union’s West Coast Regional Office). The regulators clarified the meaning and effect of conduct required preemption in a responsive letter of December 23, 2003 signed by the General Counsel of the Federal Reserve Board and the Director of the Bureau of Consumer Protection of the Federal Trade Commission. In this letter, the two agencies plainly state that “conduct required” preemption does not begin until the substantive provisions of federal law which require conduct are in effect. Letter of Dec. 23, 2003, from J. Virgil Mattingly, Jr., General Counsel, Board of Governors of the Federal Reserve System, and J. Howard Beales, III, Director, Bureau of Consumer Protection, Federal Trade Commission, to Mr. Plunkett, Ms. Hillebrand, and Mr. Mierzwinski (on file with Consumers Union’s West Coast Regional Office). The letter states that the rules establishing an effective date for section 711 “do not speak to how or when the preemption provisions…will apply and do not alter the relationship between those newly-enacted provisions and state laws in these areas.” The letter then describes the scope of “conduct required” preemption to apply only when “the referenced federal provisions that require conduct by the affected persons are in effect.” It goes on to say that even under the traditional, “subject matter regulated under” form of preemption, there is no federal override of state law until there is “a federal provision in effect that regulates the subject matter.” The relevant language from the letter reads:
Section 711(2) of the FACT Act adds a new provision to the FCRA that bars any requirement or prohibition under any state laws “with respect to the conduct required by the specific provisions” of the FCRA, as amended by the FACT Act. The joint rules are based on our opinion that the specific protections afforded under the FCRA override state laws only when the referenced federal provisions that require conduct by the affected persons are in effect. Similarly, section 151(a)(2) of the FACT Act adds a new provision to section 625(b)(1) of the FCRA which preempts any state law “with respect to any subject matter regulated under” that provision, and thus overrides state laws only when a federal provision is in effect that regulates that subject matter.(9) In other words, we believe that a requirement that applies under an existing state law will remain in effect until the applicable specific provision of the FCRA, as amended by the FACT Act, becomes effective. Consequently, because the substantive federal provisions actually will become effective at different times, from six months to three years after the FACT Act was enacted, establishing December 31, 2003, as the effective date for the preemption provisions would allow the state law to continue in effect until the respective federal protections come into effect.
There is much that states can still do. States can still develop solutions in areas which are not addressed by the federal Act. Examples of allowable state laws include a security freeze, an obligation to take police reports, an obligation to destroy records which contain sensitive personal information and a restriction on the use of Social Security Numbers as personal identifiers. States also can still act in areas such as medical privacy, insurance scoring, and credit scores issues other than the disclosure of credit scores used for credit granting. The closer questions arise when a state wishes to add more requirements or prohibitions in an area where the federal law imposes some requirements on the same actor the state wishes to regulate. States can give ID theft victims more rights than federal law as long as the state law does not address the conduct required under the specifically listed ID theft provisions of federal law. States can also develop state rights to address transactions between consumers and persons not covered by the provisions of the federal law, such as a fraud alert at regional consumer reporting agencies. A baseline package of model state ID theft legislation to supplement the new federal law will available from U.S. PIRG in January 2004. See www.pirg.org/consumer. States must continue to play their vital role in protecting the 9.9 million annual U.S. victims of identity theft.
West Coast Regional Office
1525 Mission St.
San Francisco, CA 94103
415 431-6747 (phone)
415 431-0906 (fax)
(1) This analysis is offered to assist policymakers, law enforcement, and consumer groups to determine what state laws can continue to be enacted and enforced after the 2003 revisions to the federal Fair Credit Reporting Act. Consumers Union does not give legal advice to consumers, businesses, or others.
Ms. Hillebrand is a Senior Attorney with the West Coast Regional Office of Consumers Union located in San Francisco, California. Consumers Union is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education and counsel about goods, services, health, and personal finance; and to initiate and cooperate with individual and group efforts to maintain and enhance the quality of life of consumers. Consumers Union’s income is solely derived from the sale of Consumer Reports, its other publications and from noncommercial contributions, grants and fees. In addition to reports on Consumers Union’s own product testing, Consumer Reports with approximately 4 million paid circulation, regularly carries articles on health, product safety, marketplace economics and legislative, judicial and regulatory actions which affect consumer welfare. Consumers Union’s publications carry no advertising and receive no commercial support.
(2) There is an exemption for the section 54A(a) of Chapter 93 of the Massachusetts Annotated Laws and California Civil Code section 1785.25(a), both as in effect on September 30, 1996.
(3) Vermont Statutes Annotated section 2480e(a) and (c)(1) of Title 9 as in effect on September 30, 1996 is exempt.
(4) New section 624 is titled “Affiliate Sharing.” Affiliate information sharing does affect identity theft, because the spread of a consumer’s personal financial information to a broad array of affiliates can open the door to insider theft of consumers’ identities. However, new FCRA section 624 cannot be characterized as an identity theft protection because it does not, in fact, restrict the sharing of information among financial institutions and their affiliates; instead, it only restricts marketing solicitation activities based on information that is shared. FCRA § 624; FACT § 214.
(5) These sections are cited in the statute as: Colorado Revised Statutes 12-14.3-105(1)(d); Georgia Code section 10-1-393(29)(C); Maine Revised Statute Title 10 Section 1316.2; Maryland Commercial Law Article sections 14-1209(a)(1) and 14-1209(b)(1)(i); General Laws of Massachusetts Chapter 93, sections 59(d) and (e); New Jersey Revised Statute section 56:11-37.10(a)(1); and Vermont Statutes Annotated, Title 9 section 2480c(a)(1).
(6) For this purpose, “creditor” has the meaning used in section 702 of the Equal Credit Opportunity Act. FCRA § 603(r)(5); FACT § 111.
(7) In extended remarks dated Dec. 9, 2003, after the bill was signed, Congressman Oxley asserts that the bill “clarifies that all of the new consumer protections added by the FACT Act are intended to be uniform national standards, by enumerating as additional preemptions the 11 new provisions of the FACT Act that do not contain specific preemptions in those sections.“ Congressional Record, Dec. 9, 2003, E2512-2518.
(8) The “conduct required” approach was not added until the Conference Report, so legislative history with respect to ID theft preemption prior to November 21, 2003 should be irrelevant to the meaning and scope of “conduct required” preemption.
(9) Identical language in the FCRA prefaces the preemption provisions established in section 214(c) and 311(b) of the FACT Act, and similar language prefaces the preemption provision established in section 212(e).