Every time a company pulls your credit report, there’s a legal reason behind it. The Fair Credit Reporting Act sets strict rules about when and how businesses can access your credit information.

At Hays Cauley, P.C., we help South Carolina consumers, including those in Greenville, Columbia and Charleston, understand their rights when companies misuse credit reports. This guide breaks down permissible purposes under the FCRA and shows you how to spot violations.

What the Fair Credit Reporting Act Actually Is

The Law and Its Enforcement

Congress passed the Fair Credit Reporting Act in 1970 to regulate how companies collect, compile, and share your credit information. The Federal Trade Commission and Consumer Financial Protection Bureau enforce it today. Most people only hear about the FCRA when something goes wrong, but the statute creates one fundamental rule: businesses can only access your credit report for specific, legally-defined reasons called permissible purposes. Without a permissible purpose, pulling your report violates federal law.

Consumer-Specific Purposes Matter

The Consumer Financial Protection Bureau issued guidance in July 2022 that clarified a critical point: permissible purposes apply to individual consumers, not to broad categories or multiple people. A company cannot use your information for multiple people or purposes without separate legal justification for each one. This distinction matters because it prevents companies from mixing data across consumers or stretching a single permissible purpose to cover unrelated activities.

Penalties for Violations

Violations carry real consequences. Willful non-compliance results in damages ranging from $100 to $1,000 per violation, plus actual damages and attorney’s fees. Knowing violations trigger even higher penalties, and accessing reports under false pretenses can lead to fines and up to two years in prison. The Federal Trade Commission can pursue enforcement actions with civil penalties up to $2,500 per violation in cases involving a pattern or practice.

Your Rights Under the FCRA

You hold significant power under this law. You have the right to know when companies pull your report, the right to dispute inaccurate information, and the right to receive notice if a company takes adverse action against you based on your credit report. If an employer denies you a job based on your credit history, they must provide you with a copy of the report and a written summary of your rights before or within three business days of the decision. If a lender rejects your loan application, they must include the name, address, and toll-free number of the credit reporting agency in their adverse action notice.

Taking Control of Your Information

The FCRA also lets you opt out of prescreened credit offers, and that election lasts five years. Legal actions against violators must be filed within two years of discovery or five years after the violation occurs. The framework protects your privacy and accuracy, but enforcement depends on people understanding their rights and challenging misuse when it happens. Understanding what permissible purposes actually are sets the foundation for recognizing when companies cross the line.

When Companies Can Actually Pull Your Credit Report

The Legal Pathways for Credit Access

The FCRA doesn’t ban credit report access-it channels it through specific legal pathways. Lenders, employers, insurers, and landlords pull reports constantly, but each needs a permissible purpose to do so legally. The statute lists nine primary purposes, and understanding which ones apply to your situation matters because companies often overstep. A lender pulling your report before you’ve submitted a completed application violates permissible purpose, even if you eventually apply. Courts have ruled that prequalification inquiries without a formal credit transaction constitute unauthorized access.

Credit Transactions and Account Reviews

For lending specifically, the permissible purpose exists only when you’ve initiated the credit transaction or when a lender reviews your ongoing account for qualification or delinquency purposes. Banks can pull reports to open deposit accounts under ChexSystems without written authorization if they document a legitimate business need, but many fail to track this properly, creating compliance gaps. The distinction matters: a lender cannot pull your report speculatively and then claim a permissible purpose after the fact.

Employment and Insurance Screening Requirements

Employment screening requires written authorization and a separate disclosure that a report may be obtained-a single blanket consent form fails this requirement. If an employer pulls your report and takes adverse action, they must provide you a copy of the report and your rights summary before or within three business days. Insurance companies have similar authority when you apply, but prescreening for insurance offers is now heavily restricted after the 2025 amendment, which prohibits third-party prescreening for residential mortgage transactions unless the offer is firm and you’ve authorized it.

Tenant Screening and Government Agency Access

Landlords and property managers rely on tenant screening as a permissible purpose, but they must verify they’re checking the actual applicant, not someone else with a similar name. The Consumer Financial Protection Bureau’s July 2022 advisory made clear that consumer-specific purposes prevent mixing data across multiple people-a screening company cannot pull one report and use fragments for different applicants. Government agencies use reports for child support enforcement and licensing eligibility determinations. Child support agencies in South Carolina and across the country access reports to establish or modify obligations, and licensing agencies check financial responsibility for certain credentials.

Verification Requirements and Violation Patterns

The critical safeguard is that end-users must certify the permissible purpose in writing, and background screening companies must implement reasonable procedures to verify that access goes only to legitimate users. This means checking business licenses, conducting site visits, reviewing references, and performing periodic audits. Violations happen when companies skip these steps or when they certify a purpose they don’t actually have. If you suspect a company pulled your report without permissible purpose-whether for marketing, curiosity, or debt collection unrelated to credit decisions-that violation creates legal exposure for the company and potential remedies for you. Understanding how these violations occur sets the stage for recognizing when companies cross the line and what steps you can take in response.

How Violations Actually Happen

Accessing Reports Without Permissible Purpose

The most common FCRA violation occurs when companies pull your report without establishing a permissible purpose first. This happens thousands of times daily across the country. A mortgage lender might run a preliminary credit check before you submit a formal application, a debt collector might pull your report to locate you rather than to evaluate credit risk, or a retailer might access your information out of mere curiosity about a customer. The Federal Trade Commission has brought enforcement actions against companies that pulled reports speculatively and only invented a permissible purpose afterward.

The violation exists at the moment of access, not at the moment of use.

What makes this particularly dangerous is that many companies fail to track when the permissible purpose was established relative to when the report was pulled. A loan officer might pull your report on Monday during a phone conversation, but you don’t submit your application until Wednesday. That two-day gap creates liability. Courts have consistently ruled that prequalification inquiries without a completed application violate the statute because no credit transaction exists yet. The Consumer Financial Protection Bureau’s 2022 advisory reinforced that permissible purposes must be consumer-specific and documented before access occurs.

If you applied for a car loan and the dealership pulled your report, then sold that report data to an insurance company for prescreening purposes, that secondary use violates permissible purpose even if the original pull was legal. The data cannot migrate to new purposes without new legal justification for each consumer affected.

Failing to Provide Required Disclosures

Disclosure failures create the second major violation category, and employers commit these constantly. Federal law requires that employers provide written notice that a report may be obtained before they pull it, and that notice must be separate from the job application itself. Many companies use blanket consent forms that combine multiple disclosures into a single paragraph, which courts have found insufficient.

When adverse action occurs, the employer must send a 615 notice within three business days that includes the name and phone number of the reporting agency, a statement that the agency did not make the hiring decision, and information about the consumer’s right to dispute. Employers frequently skip this step or send notices late, leaving consumers unaware of their rights.

Misusing Consumer Information Beyond Authorization

The third violation involves using consumer information for purposes never authorized. A background screening company might use tenant applicant data for marketing lists, a lender might share your report with affiliates without your consent, or a government agency might access your report for purposes outside its statutory authority. The Federal Trade Commission found that companies often lack reasonable procedures to verify end-user legitimacy, allowing reports to reach unauthorized recipients.

Documentation gaps compound these problems significantly. Companies that cannot produce written certifications of permissible purpose, audit trails showing when reports were accessed, or training records demonstrating employee compliance face substantial exposure. When credit reports go wrong, these violations are preventable through proper documentation and training, but many companies skip these steps because they seem burdensome. That cost-cutting creates the legal violations that expose them to liability and harm consumers in the process.

Final Thoughts

Permissible purposes under the Fair Credit Reporting Act form the legal foundation that separates legitimate credit access from illegal violations. Companies can pull your report for credit decisions, employment screening, insurance underwriting, tenant screening, and a handful of other defined reasons, but only when they establish that purpose before accessing your information. The CFPB’s 2022 advisory made clear that these purposes apply to individual consumers, not broad categories, which means companies cannot stretch a single authorization across multiple people or uses.

You hold real power to protect yourself. Request your free credit reports annually from all three bureaus to spot unauthorized inquiries, ask companies to document the permissible purpose in writing when they pull your report, and read adverse action notices carefully to verify that the company actually had legal authority to access your information. Dispute inaccurate information immediately, keep records of all correspondence, and demand a copy of any report used against you in credit, employment, or housing decisions. These steps create a paper trail that proves violations if they occur.

We at Hays Cauley, P.C. help South Carolina consumers, including those in Greenville, Columbia and Charleston, challenge Fair Credit Reporting Act violations when companies overstep. If you believe a company accessed your report without permissible purpose, failed to provide required disclosures, or misused your information, contact us for a free consultation to learn how we can help you recover damages for FCRA violations.