What Is Fair Credit Reporting Act?
The Fair Credit Reporting Act of 1970 is the foundational federal law governing consumer reporting agencies (CRAs) — entities that compile and sell reports on individuals' creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living when those reports are used for employment, credit, insurance, or housing decisions. FCRA is the single most important federal privacy law affecting data brokers that traffic in background-check and people-search data. If a broker provides reports used for employment screening, tenant screening, or credit decisions, it is a CRA under FCRA and must follow strict accuracy, access, and dispute-resolution requirements — regardless of any state privacy law.
At a glance
- Full name
- Fair Credit Reporting Act
- Short code
- FCRA
- Enacted
- 1970
- Last major update
- FACTA 2003; CROA 1996; Red Flags Rule 2007
- Jurisdiction
- United States (federal)
- Private right of action
- Yes
- Primary enforcer
- FTC, CFPB, and state Attorneys General
- Statutory citation
- 15 U.S.C. § 1681 et seq.
Scope — who FCRA covers
Protected data
Consumer rights & protections
Right to one free credit report per year from each of the three major CRAs (Equifax, Experian, TransUnion) via annualcreditreport.com
Right to dispute inaccurate or incomplete information (§ 1681i) — CRA must investigate within 30 days
Right to have inaccurate information corrected or removed
Right to opt out of pre-approved credit and insurance offers at optoutprescreen.com (§ 1681b(e))
Right to place a security freeze or fraud alert on credit files
Right to know who has obtained your report in the past 2 years (1 year for non-employment purposes)
Right to sue a CRA or user that willfully or negligently violates FCRA (private right of action)
Notable features
FCRA is unique among federal privacy laws in granting a robust private right of action with statutory damages — meaning consumers can sue data brokers that operate as CRAs without needing a government agency to bring an action first. People-search sites like BeenVerified, Spokeo, and Intelius have faced class-action FCRA litigation when their reports have been used for employment or tenant screening without required disclosures and consent.
Enforcement & penalties
Enforcing agency: FTC, CFPB, and state Attorneys General
Penalties: Civil actions under FCRA allow actual damages, statutory damages of $100-$1,000 per violation (for willful violations), punitive damages, and attorneys' fees. The FTC and CFPB can also levy civil penalties and enter consent decrees with CRAs.
Private right of action: FCRA grants an explicit private right of action. Consumers can sue CRAs and furnishers (including data brokers acting as CRAs) for willful (§ 1681n) or negligent (§ 1681o) violations, with statutory damages of $100-$1,000 per willful violation plus punitive damages and attorneys' fees.
Landmark enforcement cases
Spokeo, Inc. v. Robins
2016US Supreme Court case establishing that an FCRA statutory violation alone isn't automatically enough for standing — the consumer must show a concrete injury. The case was remanded, and Robins ultimately settled in 2017.
Official source →FTC v. Spokeo
2012Spokeo paid $800,000 to settle FTC charges that it marketed consumer profiles to HR and recruiters without complying with FCRA requirements for CRAs, including the obligation to ensure accuracy and provide notices to the subjects of reports.
Official source →Relevance to data brokers
People-search sites and background-check brokers that provide reports for employment, tenant screening, or credit decisions are CRAs under FCRA — even if they don't self-identify that way. FCRA requires them to maintain reasonable procedures for accuracy, provide free annual disclosures to consumers, and resolve disputes within 30 days. Brokers frequently violate these requirements, and FCRA's private right of action is often the fastest path to accountability when a broker ignores a deletion or correction request tied to an employment or housing decision.
Exercise your rights
Remove your data from 300+ brokers for $5
OfflistMe drafts opt-out emails citing FCRA and other applicable laws. Citations included. You send from your own inbox. No account, no ID upload.
Start for $5 →FAQ
Does FCRA apply to people-search sites like Spokeo or BeenVerified?+
Yes, when their reports are used for employment, housing, credit, or insurance decisions. A site marketing reports to employers or landlords is a CRA under 15 USC § 1681a(f) and must comply with accuracy, access, and dispute-resolution requirements. Sites sold strictly for personal curiosity use may argue they are not CRAs, but this defense has been rejected in multiple FTC actions.
How do I dispute inaccurate information in my credit report?+
Contact the CRA (Experian, Equifax, or TransUnion) in writing with the specific item disputed. The CRA must investigate within 30 days (45 days if you provide additional documents) and must correct or delete information it cannot verify. If the dispute is with a furnisher (like a lender), the CRA forwards the dispute. You are entitled to a free copy of your report showing the correction.
What is the FCRA opt-out for pre-approved credit offers?+
Under 15 USC § 1681b(e), consumers can opt out of having their credit information shared for pre-screened credit and insurance offers. Call 1-888-5-OPT-OUT or visit optoutprescreen.com. The opt-out lasts 5 years electronically or can be made permanent via written request.
Can I sue a data broker under FCRA?+
Yes, if the broker qualifies as a CRA. FCRA grants a private right of action with statutory damages of $100-$1,000 per willful violation (§ 1681n), actual damages for negligent violations (§ 1681o), plus attorneys' fees. Class actions are common against brokers that systematically violate the law.
Official sources & citations
Other federal privacy laws
Federal privacy law is sectoral — each statute covers a specific data type or industry. Here are the other federal regimes to know alongside FCRA: