Privacy Protection Through Regulation | Part 3

Background: In early 2023, we started preparing a public opinion on data rights and regulation for the Consumer Financial Protection Bureau (CFPB). Over the last few months, we've shared an overview of the CFPB's Request for Information (RFI), our perspective on the industry, and a few high level predictions.

For our final response, we summarized hundreds of pieces of feedback from our members who support stricter regulation on a harmful and creepy industry. We also summarized our data from sending millions of removal request and escalations to hundreds of data brokers. We shared our final response and a few recommendations with the CFPB publicly before the extended July 2023 deadline. In addition to the CFPB, we want to share our response and perspective on regulation with you.

Part 3 | Privacy Protection Through Regulating Consumer Reporting Organizations

We encouraged our members to respond to the CFPB request either directly or by providing us context for our response. We were shocked by the volume and vigor of replies. We’ve done our best to anonymize, organize, and present the most impactful testimonials about the harms caused by this industry. We grouped these broadly in to 3 sections, covering the first in this post:

1. Credit Reports and Housing Access

2. Stalking and Targeted Harassment

3. Frustration Toward Industry & Regulators

What Our Members Say About Housing Access And Credit Reports

I spent months last year apartment hunting and dealing with rejection after rejection from poor credit and credit reports. The debt that I had also came up in reports which made finding a place almost impossible. I was almost homeless if it weren't for the generosity of my friend who rented property and gave me a chance.

Bank of America’s debt collection practices have caused me immense emotional distress. By mistake I selected to make the entire credit card payment at once, they told me it could not be reversed, and I had to pay everything in full. I couldn’t do that, but they told me there was no wiggle room, I cried, they put a charge/off in my credit score - which to this day I still have. Because it stays for 7 years in the credit history. I haven’t been able to open any other credit account since. This happened out of a goodwill mistake.

I know Rocket Money is selling off bank and credit scoring info without consent. I’ve used this site to track whether I can get involved since I was a user of their service: https://lantern.labaton.com/case/rocket-money There are predatory practices all around.

My contact information was compromised and someone committed credit card fraud against me. The person committing the fraud had public internet access to my name and address and other information due to a delayed removal, as some data brokers do not remove information in a timely manner. My abusive ex has tried in the past to collect personal data of me to use it for financial gains and open accounts in my name. I have to use personal funds to protect myself monthly using data broker removal services and Experian credit monitoring to prevent abuse of my data. My credit score was negatively impacted on at least one occasion directly due to my data being publicly available. I filed a credit card fraud report, secure all accounts, change passwords, contact all recurring payment connected to my credit card. I had to install a security system in my home to prevent an abusive ex from showing up. 

I definitely would like to share my experience with Fedpay.org that uses a federal law (the Freedom of Information Act) to publish government employee data on salaries and salary history but now also has ads attached to this data from data-brokers. These ads encourage the user to seek more information tied to government employees - but most of that information is false. Fedpay.org is using government salary data to make money. It’s disgusting and something needs to be done. If the Federal government wants to provide open access for salary information, the requirement should be that requester has to ask for the information as they would for any other Freedom of Information request. It should not be made widely available on a website for the whole world to see. The site is also misleading because they have incorrect data inferring that a certain person makes more than X% of government employees. Fedpay.org also affects our ability to get fair and reasonable prices for goods and services. Companies will search your information before providing quotes/estimates and assume you can pay more because of this salary data.

When my renters policy renewed, the insurer requested LexisNexis’ Auto CLUE and Current Carrier reports without my consent. I haven’t owned, rented, driven, or shopped for a vehicle in ten years. I have no lifetime history of property claims, no insurer debt or any other line of business with the insurer. The insurer used an expired out of state driver license number to generate these reports instead on my valid license. The CRA’s then included in my credit files the year, make and model of a vehicle owned by a separate unrelated individual with whom I share an address and they offered me auto insurance policies despite the permanent opt-outs of all offers of credit and insurance.

About 6 years ago I was the victim of identity theft. Someone used my credit card. It was originally paid off, so I didn’t check the balance until I received notices of delinquent payments. This impacted my credit score. I cleared the issue with the bank/credit union and they said they would remove the reporting. But I checked and the negative reporting was still there. Checked with the bank and they said that they had taken care of it. I filed inquiries a couple of times with the credit reporting agencies. In the first round, I got no resolution or feedback that any investigation was done. The second time I got an update that stated that the credit reporting agency contacted the bank and confirmed that the negative reporting was correct. I've given up and expect the negative report to fall out of my credit profile. To clear my credit I tried TransUnion and Equifax on separate occasions maybe 12-18 months apart. The communications with them were poor, e.g. never got email confirmation.

In December of 2016, I was subjected to a wrong procedure surgery. Like wrong site and wrong patient surgeries, it is known as a "never event" in medicine, as it should never happen. Incredibly, the hospital still billed me. I responded to the efforts to collect with a dispute letter as per the Fair Debt Collection Practices Act. The letter was ignored. I ended up having to sue the debt collector in federal court. It took a while, but I ended up with a substantial settlement. It’s public record. I was left with no other option but to litigate. And litigation by nature involves a complete loss of privacy, as court filings are public record. If at some point, someone needs to testify publicly, I may consider doing it. I have waged a 10+ year fight against the data brokers making my home address very public.

Many companies collect data they shouldn’t. Equifax refuses to delete work-study job history which they shouldn’t have in the first place, it’s education history not employment history. Education is protected by FERPA. TheWorkNumber is an example of a site collecting and selling workstudy job history. This is defamation. It could cause harm or loss of life for some people.

Equifax so far has refused to place an extended identity theft/ fraud message despite sending the required documents and FTC report three times. Calls to Equifax are disconnected if you do not choose the “continue this call by text” option after completing the automated system’s identity verification. TransUnion’s Drivers History report had no option for security freeze and flag for identity theft. TransUnion sold this product to some other broker. There is no way to secure this report.

After the Equifax breach, I had to call to validate a suspicious letter I received. I was routed to an offshore call center where I needed to repeatedly escalate “can I speak to your manager” in order to verify their request for sensitive information was legitimate. They were actively trying to block or invalidate my attempts. It took over an hour.

I am being harassed by a collector and I have reason to believe that they are related to a collection agency related to Santander Consumer. I had a vehicle that was repossessed when I was undergoing medical treatment. The repo agent showed up in the middle of the night and made abusive threats. Santander was sued for predatory lending and there was an agreement with our attorney general where they agreed to discharge monies owed by [state redacted] residents. But Santander refused to honor this because the vehicle was purchased in [state redacted]. Even though I have never lived there, they still hound me for the deficit, and use abusive tactics to do so. I hope that the CFPB can do something to stop them from abusing people and violating the law.

Someone applied for Unemployment Benefits in my name during the pandemic. Around the same time, they opened an account in my name. The bank would give me no information about the account; however, I was able to close the account. I have no idea how they were able to get enough information about me to open an account. I locked down my credit report. Someone also applied for unemployment benefits under the name of the CEO of our company. In both cases, I immediately reported the incident as fraud. However, the person who collected under the CEO’s name was able to collect $12,000+ in funds from the [state redacted] Unemployment Office. My boss received letters from the Attorney General’s office demanding that he return the funds. He was eventually able to get this cleared up.

When a mortgage (either a first mortgage or a second mortgage) is settled, the details are registered along with the title information. This information is public record. When this happens companies that attempt to sell "mortgage life insurance" will bombard the mortgage holder with "official looking" documents, all designed to give the recipient the same impression that occurs with a phishing email: this is time sensitive; this is very, very important; you are at risk; and most egregiously, that this is somehow an offer from or sanctioned by either your mortgage company or even the government. What I would like to see is for the government to make it unlawful to create marketing material that gives the appearance that the "offer" is coming from a company that already does business with the recipient, that misleads the recipient that this is an urgent issue, that the marketing is in any way related to the validity of the mortgage, or that the marketing is in any way associated or sanctified by any government entity. I've tried to interest my state representatives with this issue to no avail.

On one of my credit reports had incorrect information about an address and car I was supposed to own which locked me out of key accounts. Certain sites require you to identify yourself by correctly identifying places you have lived, cars you have owned, etc. I’m not sure where this credit bureau got incorrect information, but I was locked out. I gave the correct information and they had incorrect information. Getting it fixed has been difficult to impossible. I can only assume that this could be associated with their algorithms or processes because it keeps showing back up at later times. The process of correcting this needs to be made clear and needs to be simplified. Additionally, all bureaus need to be fully transparent about where they get ALL of their data. There also needs to be a way to help flag to a bureau when you know someone else has your EXACT name to help them prevent confusion and incorrect information in the reports from populating. Once per year free reports may not been enough when there are too many duplicate names, many addresses, many loans, or other complicated information. We may need two or even three free credit reports per year to fix the problems created by algorithms when there are issues like this.

I have had negative experiences with debt collection through medical bills. I have had medical bills go directly to collections with no contact from the medical billing offices. The debt collection offices then contacted me multiple times per day, contacted every person who could possibly be associated with me through some kind of internet search - or maybe my emergency contacts provided to hospital were sold to the collector? They were NOT listed as responsible parties for billing and were still contacted, multiple times daily. The worst part of this is, this is for small medical bills of around one hundred dollars or less. My credit took multiple hits because they would report it every month that they had it on their books (which I was not aware it was sold to collections on the first month they reported it, they also reported on the month I paid, so minimal three months, I disputed all) and they continued to call weeks after they were paid until it “showed” on their books. This was extremely embarrassing, very difficult to manage the harassing and unpleasant calls at work, to family members, and constantly at home, not to mention the hits to my credit. All for such a small amount of money. When I try to prepay in the office to prevent this from happening the next time, medical offices that used this method dont accept payment. The only option is to call them daily until they have a balance available to pay and prevent sale to collectors. We should consider the specific entities behind the AI, behind the breaches, behind the problems that are repeatedly occurring. If there is a pattern to these problems, certain entities or groups of entities continually crossing lines that ought not be crossed, those entities or groups should be held liable for those violations. Denial of access to data, use of AI, or limitation to the type of data or AI that may be used could be options to prevent these types of problems in the future.

I sold a car to a kid a long time ago and had all the documentation. He crashed the car a year after I sold it to him, he never transferred the vehicle out of my name. The crash and the lack of transfer was not brought to my attention until a year after the crash, whenever debt collectors started hounding me for payments to the victims car and medical bills. I supplied the material to the person that called me from the first collection company three different times, after about every three months from that point, a new collection company would start calling me and I would have to supply the same information and restart the process telling them that I didn't own the car and had the necessary documentation to prove so. Needless to say it was probably about three years total of being harassed by people on and off for something that should not have been my problem in the first place.

What's Next After The Request For Information?

Kanary believes our data about violations and sites compliance can be invaluable as the CFPB scales enforcement of existing FCRA violation. We expect to see them working with individuals and companies like Kanary to take the following next steps:

• Gather data on the worst violators of the FCRA (Radaris, People Connect, LexisNexis, BeenVerified… many others) and determine appropriate enforcement.

• Track progress and flag ongoing violations to help consumers understand which enforcement is most impactful.

In case you missed other parts of the series, Privacy Protection through Regulation, they can be viewed here. Have questions or thoughts to share? Email us at [email protected].