FTC Signals Increased FCRA And Financial Privacy Enforcement

The FTC is publicly signaling that it plans to ramp up enforcement of the Fair Credit Reporting Act (FCRA) and federal financial privacy laws, and businesses handling consumer financial data should expect more investigations and cases in the near term.

What the FTC is signaling

• Senior FTC officials have recently highlighted FCRA and Gramm‑Leach‑Bliley Act (GLBA) privacy obligations as specific enforcement priorities, alongside children’s privacy (COPPA) and data broker oversight.​

• The Director of the FTC’s Bureau of Consumer Protection has stated that the agency expects to bring federal financial privacy law enforcement actions “soon,” referring specifically to FCRA and related financial privacy requirements.​

• The FTC’s latest privacy and data security updates emphasize credit reporting and financial privacy as key focus areas, noting sustained activity against credit bureaus, tenant screeners, and financial institutions.

Evidence of increased FCRA and financial privacy activity

• The FTC reports having brought 117 FCRA cases and obtaining more than $137 million in civil penalties to date, including a recent joint action with the CFPB against TransUnion for inaccurate tenant screening reports.

• The agency has also brought about 35 GLBA cases since 2005, and has recently tightened Safeguards Rule requirements, including breach notification to the FTC when incidents affect 500 or more consumers.​

• Recent summaries of FTC enforcement trends show privacy, data security, and impersonation (including misrepresentations about data practices) as ongoing “priority targets,” with enforcement in 2026 concentrated in these areas.​

What this means for companies

• Entities that use, furnish, or compile consumer report information (credit, employment screening, tenant screening, insurance underwriting) should expect more scrutiny of accuracy, permissible purpose, and adverse action processes under FCRA.

• Financial institutions covered by GLBA must ensure that privacy notices, opt‑out mechanisms for data sharing with unaffiliated third parties, and information‑security programs (including breach response and FTC notifications) are fully implemented and documented.​

• The FTC has indicated that it is trying to better quantify privacy harms and weigh costs and benefits of interventions, which suggests more economically grounded enforcement theories but not a retreat from privacy cases.​

Practical steps to prepare

• Map where consumer financial and credit‑related data comes from, how it is used (including for eligibility decisions), and which vendors or affiliates receive it, so you can align practices with FCRA and GLBA requirements.

• Review consumer‑facing disclosures (privacy notices, marketing claims, screening and eligibility notices) to ensure they match actual data practices and are not deceptive or incomplete, especially around sharing and retention.

• Strengthen governance around data accuracy, dispute handling, and security safeguards, including incident response plans that satisfy the GLBA Safeguards Rule’s notification obligations to the FTC for qualifying breaches.