The Fair Credit Reporting Act (“FCRA”) is a frequently litigated data privacy statute.  [Note: For more on the FCRA and what it requires, check out this overview].  In a recent litigation involving claims under the FCRA, the Court denied the defendant’s motion to dismiss.  The opinion is a reminder of the essential elements of a FCRA claim and what a plaintiff must allege to satisfy federal pleading standards, as explained in greater detail below.  Jones v Sky Group USA, LLC, 2021 U.S. Dist. LEXIS 27951, at *1 (M.D. Fla. Feb. 16, 2021).

First, some background.

  • The Jones Complaint alleged that Sky Group violated the FCRA by twice obtaining the plaintiff’s credit report from two Consumer Credit Reporting Agencies, for marketing purposes, and without the plaintiff’s consent.  The plaintiff alleged that “she ‘never applied for any account with Sky Group,’ but even if she had, any application with Sky Group for a loan would have been void ab initio because [Sky Group] engages in ‘usurious’ loans under Florida law.”
  • The plaintiff also alleged that Sky Group “engages in consumer lending of high-interest bearing loans” and obtained her credit report “to assess whether she would be a good loan prospect for [Sky Group’s] marketing purposes.”  The plaintiff attached to the complaint Sky Group’s online business description and the disclosures from the two reporting agencies reflecting that Sky Group had obtained her report.
  • Finally, the plaintiff alleged that Sky Group certified to the reporting agencies that the plaintiff initiated the request for a credit report when the plaintiff did not make such request.

Sky Group’s motion to dismiss argued that the allegations in the complaint were speculative, conclusory, and failed to allege facts regarding Sky Group’s intent for its use of the credit report.  The court disagreed, denying Sky Group’s motion.

The court’s denial centered upon what is (and is not) necessary at the pleadings stage to allege a FCRA claim.  As the court noted, under well-established federal precedent, to state a FCRA claim a plaintiff must allege: “(i) that there was a consumer report, (ii) that defendants used or obtained it, (iii) that they did so without a permissible statutory purpose, and (iv) that they acted with the specified culpable mental state.”  Id. at *3 (quotation omitted).  Additionally, the FCRA identifies three permissible purposes for disclosure of a consumer report: (1) extending credit; (2) reviewing an account; and (3) collections.  The FCRA imposes civil liability when the violation is willful (i.e. knowingly or recklessly violated).  To prove a reckless violation, a consumer must establish that the company’s action is ‘a violation under a reasonable reading of the statute’s terms.

In the context of this dispute, the court concluded that the plaintiff adequately pled that Sky Group obtained her credit report for marketing purposes or, alternatively, for illegal “usurious” purposes.  Id. at *5-*6.  Accepting the allegations as true, the court agreed that these were not permissible purposes and did not constitute an “objectively reasonable interpretation” of the permissible purposes.

Time will tell whether plaintiff will be able to prevail on the merits of her claim after making it past defendant’s motion to dismiss.  And in the meantime, for more developments in the area of data privacy litigation, stay tuned.  CPW will be there.