Privacy & Information Security Law Blog

On September 5, 2025, President Trump signed into law the Homebuyers Privacy Protection Act, H.R. 2808 (the “Act”), which amends the Fair Credit Reporting Act (“FCRA”) by restricting consumer reporting agencies (“CRAs”) from furnishing “trigger leads” except in certain limited circumstances.  A “trigger lead” occurs when a lender pays a CRA to produce consumer reports on a specific list of consumers that meet certain criteria provided by the lender. Trigger leads are provided upon a “triggering” event, most commonly when a prospective homebuyer applies for a mortgage. This sale of information occurs without the consumer’s knowledge or consent. These leads can result in a deluge of marketing offers from lenders to prospective home buyers, which can cause confusion and disrupt financing processes already underway. 

The FCRA permits lenders to acquire trigger leads from the CRAs if the lender intends to extend a “firm offer of credit” to the consumer, which is defined as an offer of credit or insurance that “will be honored if the consumer is determined, based on information in a consumer report on the consumer, to meet the specific criteria used to select the consumer for the offer.” Importantly, the FCRA does not permit conditions to be attached to these firm offers. Trigger leads must result in firm offers – and not merely marketing materials – because under the FCRA, obtaining consumer reports for general marketing and advertising is not a permissible purpose (and using consumer data for marketing is only allowed under specific exceptions and conditions).

Under the Act, a CRA may furnish a trigger lead (i.e., a consumer report in connection with a credit transaction involving a residential mortgage loan) only if the following conditions are met:

• The transaction consists of a firm offer of credit or insurance; and
  
• The requestor meets one of the following conditions:
  
  1. Opt-in Consent: The requestor has obtained the consumer’s documented authorization (i.e., opt-in consent) and provides evidence of the consumer’s authorization to the CRA; or
  2. Existing Relationship: The requestor has an existing relationship with the consumer, namely: (1) the consumer’s current mortgage originator; (2) the consumer’s current mortgage loan servicer; or (3) an insured depository institution or credit union that holds a current account for the consumer.

The Act also mandates the U.S. Comptroller General (i.e., the head of the Government Accountability Office (“GAO”) to conduct a study to evaluate the value of trigger leads received by text message.

The Act will take effect on March 4, 2026.  The GAO report is due September 4, 2026.