The Fair Credit Reporting Act of 1970 controls the collection, use, and redistribution of your consumer information. Enacted October 26, 1970, it represents an amendment to the Consumer Credit Protection Act of 1969 and is enforced by the Federal Trade Commission. The law is usually referred to as FCRA. The FTC maintains a consumer-friendly detailed online summary of rights that the Act provides for consumers.
History of the Fair Credit Reporting Act
Originally, the law was primarily of interest to banks and consumer reporting agencies (CRA), and businesses which sent information to them. Today, this law applies to a wide variety of organizations that collect personal information from you directly, as well as from public records.
The law was amended in 2003 by the Fair and Accurate Credit Transactions Act (FACTA) to allow consumers to obtain a free report from consumer reporting agencies that are covered by FCRA. By that time, however, the list of consumer reporting agencies had grown significantly. The FCRA defines the organizations that must comply with the law by the type of information that is handled. As credit lenders have widened their search for creditworthiness to include things like utility bills and rental history, organizations that collect this type of information are also included.
Generally, the FCRA says you may see whatever information a CRA has in their file on you and that you have the right to dispute inaccurate information in that file. If you dispute something, FCRA dictates how that dispute is resolved, and if inaccurate information is removed, they must also notify you within 5 days if the information is put back into your file.
If you're a victim of identity theft, however, the most important part of FCRA is Section 609(e). This is the part that says if a company has done business with someone using your information (in other words, an identity thief who says they are you) that company must provide you with all applications and business records that were made in your name.
However, companies have given identity theft victims a lot of grief over this. Some companies say they cannot release the records because they are proprietary, others may say they won't give you the information without a court order. A few have even gone so far as to say they wouldn't provide that information because they must protect the privacy of their clients (be careful not to explode when they tell you that.) The problem is so prevalent that the FTC has written guidances specifically addressing this issue. They have also created a letter you can download to send to a company if you need to obtain these records.
FCRA specifies that these records may be given to you, and to a law enforcement officer you designate, who will probably be the detective looking into your case (assuming you have one).
One advantage the FCRA offers consumers is that it permits a private citizen to prosecute their own case against any "nationwide specialty consumer reporting agency" that is in violation of the law in state or federal court.
The statute of limitations is either five years after the infraction that is the basis of the suit, or two years after the plaintiff discovers the infraction, whichever is earlier. (In other words, if you discover the violation one year after it occurs, but then wait three years to act, you will be prohibited from filing a suit by the earlier two-year date-of-discovery limit, even though you are still within the later five-year occurrence limit.) Companies that know they have violated the FCRA may be able to have a case dismissed by notifying their clients of the error, because this would give clients a two-year window instead, after which they could argue that the statute of limitations has already passed.