Controlling the collection and disclosure of information is important, but consumers’ access to data about them held by private actors can often be equally important. The European Union provides a broad right of access under Article 10 of the Data Protection Directive 95/46/EC. In contrast, the US does not have generally-applicable consumer privacy law with the same broad scope as the DPD. The US does have a few statutes that empower consumers rights to access their data. The Fair Credit Reporting Act (15 U.S.C. §§ 1681-1681x) provides that “every consumer reporting agency shall, upon request, and subject to section 1681h(a)(1) of this title, clearly and accurately disclose to the consumer . . . [a]ll information in the consumer’s file at the time of the request[.]” 15 U.S.C. § 1681g(a). In turn, the term “file” means “all of the information on that consumer recorded and retained by a consumer reporting agency regardless of how the information is stored.” 15 U.S.C. § 1681a(g). This goes well beyond the ordinary credit reports the credit reporting agencies typically pass out. But the FCRA is fairly limited, in that it only applies to credit reporting agencies. The Dodd-Frank Act provides consumers a much broader right to access their personal data:
A covered person shall make available to a consumer, upon request, information in the control or possession of the covered person concerning the consumer financial product or service that the consumer obtained from such covered person, including information relating to any transaction, series of transactions, or to the account including costs, charges and usage data. The information shall be made available in an electronic form usable by consumers.
Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 1033, 124 Stat. 1376, 2008 (July 21, 2010) (codified at 12 U.S.C. § 5533(a)). There are some important limitations here, but the Dodd Frank Act defines a “covered person” as “any person that engages in offering or providing a consumer financial product or service,” which covers a long laundry list of products and services: most consumer loans, real estate settlement services, taking deposits, transmitting or exchanging funds, acting as a custodian of funds or any financial instrument, selling, providing, or issuing stored value or payment instruments, check cashing, check collection, or check guaranty services, providing payments or other financial data processing products or services to a consumer, and/or debt collection. See 12 U.S.C. § 5481(6), (15). The Communications Act provides consumers a right of access to their telecommunication data: “[a] telecommunications carrier shall disclose customer proprietary network information [CPNI], upon affirmative written request by the customer, to any person designated by the customer.” 47 U.S.C. § 222(c)(2). (This can be particularly important for consumers dealing with “spoofed” calls, as CPNI includes call detail reports (or call detail records) which can help trace back some spoofed calls to the genuine originating telephone number when regular billing records and caller ID fail.) Finally, the Communications Act also provides consumers a right to their cable data: “[a] cable subscriber shall be provided access to all personally identifiable information regarding that subscriber which is collected and maintained by a cable operator.” 47 U.S.C. § 551(d).
We need to exercise these rights or we lose them. Contact us if you’ve been denied your right to access your information.