Consumer reviewing a credit report document with Equifax, Experian, and TransUnion logos visible on a desk

5 Things Credit Bureaus Are Allowed to Do That Most Consumers Don’t Know About

Fact-checked by the onlinepaydaynews.com editorial team

Quick Answer

Credit bureaus are legally permitted to sell your data for prescreened loan offers without notifying you, dismiss disputes as “frivolous,” reinsert previously deleted items onto your report, share your identifying data outside FCRA protections, and pull your report for existing creditors without your knowledge. These 5 permitted practices are governed by the Fair Credit Reporting Act, which spans 117 pages across 29 sections.

Credit bureau consumer rights are defined primarily by the Fair Credit Reporting Act (FCRA), a federal law that grants Equifax, Experian, and TransUnion broad authority over how consumer data is collected, stored, shared, and used. The CFPB consistently receives more complaints about credit reporting than any other industry it regulates, a fact that signals just how wide the gap is between what bureaus are legally permitted to do and what consumers actually understand.

Most consumers assume the three major credit bureaus operate as neutral, quasi-governmental agencies. They are not. They are for-profit corporations whose primary paying customers are lenders, insurers, and employers, not the people whose data they hold. This article breaks down five specific things credit bureaus are legally allowed to do that most consumers have never been told about, and explains what practical recourse, if any, exists for each.

Key Takeaways

  • The FCRA explicitly permits prescreened solicitations without individual consumer consent; fewer than 5% of consumers are aware that OptOutPrescreen.com exists as a tool to stop them (CFPB/FTC).
  • Credit bureaus may legally dismiss a dispute as “frivolous or irrelevant” and halt the 30-day investigation clock entirely, without completing any inquiry into the contested item (CFPB, Regulation V).
  • In January 2025, the CFPB filed a formal lawsuit against Experian alleging it conducted “sham investigations” by converting consumer dispute narratives into 2-to-3-digit numeric codes before forwarding them to furnishers (CFPB enforcement action).
  • Under FCRA Section 1681n, consumers can sue for willful violations and recover between $100 and $1,000 in statutory damages per violation, plus attorney’s fees (FTC FCRA full text).
  • Approximately 45 million U.S. adults could not generate a credit score as of the CFPB’s 2015 research due to limited or stale credit histories, a direct consequence of how bureaus define and collect reportable data (CFPB).

Credit Bureaus Are Private, For-Profit Companies

Equifax, Experian, and TransUnion are not government agencies. They are publicly traded corporations that generate billions of dollars in annual revenue by collecting data about you and selling access to it. This distinction matters because the rules governing their conduct were shaped in an environment where their paying customers, lenders, insurers, and employers, hold far more lobbying power than individual consumers.

Who Are the Bureaus Actually Serving?

The structural tension in credit reporting is straightforward: bureaus earn money by serving data buyers, not data subjects. A lender pays for a credit report. You do not. That business model directly influences how bureaus invest in dispute resolution, data accuracy, and consumer notification systems. The FCRA attempts to impose consumer protections on top of this commercial structure, but it also contains dozens of carve-outs that tilt in the bureaus’ favor.

Understanding this dynamic is the starting point for every permission described below. The FCRA did not accidentally authorize prescreening, account review pulls, or the reinsertion of disputed items. These permissions were negotiated into the law, often at the request of the financial services industry.

Did You Know?

The CFPB consistently receives more consumer complaints about credit reporting than any other industry it regulates, more than debt collection, mortgage lending, or banking combined. This volume reflects how frequently bureau practices surprise or harm consumers who had no idea what was legally permitted.

Can Credit Bureaus Sell Your Data Without Asking?

Yes. Under FCRA Section 1681b, credit bureaus are explicitly authorized to furnish consumer reports for “prescreened” solicitations, meaning they can sell lists of consumers who meet certain credit criteria to lenders and insurers who want to send unsolicited “firm offers” of credit or insurance. No individual notification is required before the sale occurs.

What Is a Trigger List, and Why Does It Matter?

Most prescreening articles stop at the generic opt-out advice, but few explain the specific mechanism called a trigger list. When a hard inquiry hits your credit report, as happens when you apply for a mortgage or auto loan, the bureaus can alert competing lenders that you are actively shopping for credit. Those lenders can then purchase your contact information and begin soliciting you. This is why many consumers experience a surge of unsolicited loan offers in the days immediately after submitting a mortgage application.

Trigger lists are a legal product offered by the bureaus. They are separate from general prescreening lists, which are built on static criteria. A trigger is event-driven: your hard inquiry is the trigger. As the FTC’s 40-year FCRA staff report explains, prescreening is a legally permitted exception to the rule that reports can only be provided when a consumer initiates a transaction, provided consumers are given a right to opt out.

How to Opt Out, and What the Opt-Out Doesn’t Cover

Consumers can opt out of prescreened solicitations at OptOutPrescreen.com, which is the official opt-out mechanism operated by the major bureaus under FTC oversight. An online opt-out lasts five years. A permanent opt-out requires mailing a signed form. Fewer than 5% of consumers know this resource exists, which is a significant gap given how widely trigger lists are used.

The opt-out has real limits. It applies only to the three major bureaus and does not stop all marketing from data brokers who operate outside the FCRA’s prescreening framework. If you are concerned about data broker exposure more broadly, understanding the quiet credit score killers tied to data sharing is a useful starting point.

By the Numbers

Fewer than 5% of U.S. consumers are aware of OptOutPrescreen.com as a tool to stop prescreened credit and insurance solicitations, even though it has been required by federal law for decades. The permanent opt-out requires a mailed form, a step most consumers never take.

Can a Bureau Really Dismiss Your Dispute?

Under the FCRA, a credit bureau may terminate a dispute investigation and refuse to reinvestigate if it concludes the dispute is “frivolous or irrelevant.” When a bureau makes this determination, it must notify the consumer within five business days but has no obligation to complete any investigation. This is one of the least-discussed credit bureau consumer rights provisions because it functions as an escape valve for bureaus facing high dispute volumes.

What Makes a Dispute Non-Frivolous?

The most common trigger for a “frivolous” designation is a repeat dispute submitted without new information. Submitting the same claim a second time without additional documentation or a new factual argument gives the bureau grounds to dismiss it. Consumers can restart the investigation obligation by including new evidence, a billing statement, a creditor letter, a fraud report, or a different legal theory than the one previously asserted.

There is a broader problem the CFPB identified in its January 2025 lawsuit against Experian. The bureau is alleged to have conducted “sham investigations” by converting consumer dispute narratives into 2-to-3-digit numeric codes before forwarding them to data furnishers. Stripping out the consumer’s actual evidence before the furnisher even sees the dispute means the furnisher is responding to a code, not the substance of the claim. If that practice holds up in court, it would mean that many investigations that appeared complete were effectively non-investigations. For consumers, the practical implication is clear: submitting disputes in writing via certified mail, with specific documentation attached, is stronger than submitting through an online portal where narrative can be compressed or stripped.

If you have already been through a dispute cycle and are unsure where you went wrong, the article on what most borrowers get wrong about their right to dispute covers common procedural errors in detail.

Infographic showing the FCRA dispute process timeline and frivolous designation decision tree

Deleted Items Can Legally Come Back

One of the most surprising, and least publicized, permissions in the FCRA is the right of a credit bureau to reinsert a previously deleted item onto your report. If a furnisher initially failed to respond during the dispute window, the item is removed. But if that furnisher later certifies the information as accurate, the bureau may reinsert it, even after the original deletion.

Legal Reinsertion vs. Illegal Re-Aging

These two concepts are frequently confused, and the distinction matters. Legal reinsertion occurs when a furnisher provides late verification that a deleted item was, in fact, accurate. The bureau must notify the consumer within five business days of any reinsertion, but the item goes back on the report regardless of the original removal. Illegal re-aging is a separate violation: it occurs when a furnisher resets the delinquency date on a negative account to make it appear more recent than it actually is, effectively extending the seven-year reporting window.

Re-aging is an FCRA violation with legal remedies available to consumers. Reinsertion, by contrast, is a permitted practice, even if it restarts the consumer’s entire dispute cycle. The CFPB’s FCRA compliance resource page outlines both practices under Regulation V (12 CFR Part 1022), and understanding which category applies determines what remedy, if any, is available.

Consumers dealing with collection accounts that have been deleted and reinserted, or wondering whether to pay them, should also review the question of whether to pay off collections or let them age off the report, since reinsertion risk factors into that decision.

Did You Know?

If a furnisher certifies the accuracy of a previously deleted item, the credit bureau is legally permitted to reinsert it onto your report. Bureaus must notify you within 5 business days of any reinsertion, but the item reappears first, and then you are told about it afterward.

The Credit Header Data Loophole

When you apply for credit, lenders transmit your full identifying information to the bureaus: name, address, date of birth, phone number, and Social Security Number. This identifying block is called credit header data, and it has historically been treated by the FTC as falling outside FCRA protections because it does not directly relate to creditworthiness. That interpretation has allowed bureaus and affiliated data brokers to sell this information with far fewer restrictions than the credit report itself.

What Advocacy Groups Are Saying

The Electronic Privacy Information Center (EPIC) has documented that the 1996 FCRA amendments explicitly authorized affiliate sharing of credit reports and prescreening, and that the credit header loophole is one of the most commercially significant permitted practices most consumers have never heard of. EPIC has been among the organizations pushing the CFPB to bring credit header data explicitly under FCRA coverage.

A 2024 CFPB proposed rule would have tightened restrictions on data broker practices that implicate credit header data. As of April 2026, the status of that rule is uncertain given regulatory changes at the federal level. Consumers cannot currently opt out of credit header data sales under existing law. This is an honest limitation worth stating directly: there is no OptOutPrescreen.com equivalent for this category of data.

Permitted Practice Legal Basis (FCRA) Consumer Opt-Out Available?
Prescreened Solicitations Section 1681b(c) Yes, OptOutPrescreen.com (5-year or permanent)
Trigger Lists Section 1681b(c), event-driven prescreening Yes, same opt-out process, but rarely used
Frivolous Dispute Dismissal Section 1681i(a)(3) No, resubmit with new evidence to restart
Reinsertion of Deleted Items Section 1681i(a)(5)(B) No, 5-day notice required after reinsertion
Credit Header Data Sales Outside FCRA scope (FTC interpretation) No, no federal opt-out mechanism exists
Account Review Pulls Section 1681b(a)(3)(A) No, security freeze blocks new creditors only

Your Current Creditors Are Watching Without Telling You

Existing creditors can pull your credit report at any time, without a new application, without advance notice, and without triggering a hard inquiry that other lenders can see. This is called an account review pull, and it is expressly permitted under FCRA Section 1681b(a)(3)(A) as a permissible purpose for existing account holders. Creditors use these soft pulls to decide whether to reduce your credit limit, increase your interest rate, or close your account entirely.

Soft Inquiries You Can’t See the Full Picture Of

Account review pulls appear on your personal copy of your credit report as soft inquiries, but they do not appear on the version lenders see when evaluating a new application. This creates an asymmetry: your current creditors are continuously monitoring your financial behavior in ways that can directly affect your existing accounts, but that activity is invisible to you unless you pull your own report regularly.

The NCUA’s FCRA/Regulation V compliance guide confirms that account review is among the permissible purposes under which consumer reporting agencies may legally furnish reports without the consumer’s direct initiation. Adverse action, reducing a limit, raising a rate, or canceling a card, requires notification after the fact, but not before.

A common misconception is that placing a security freeze blocks this type of access. It does not. A security freeze prevents new creditors from accessing your report, but existing creditors retain full access for account monitoring purposes. This is a meaningful distinction for anyone who believes a freeze provides comprehensive protection.

Diagram comparing soft account review pulls vs hard inquiry credit report access by creditor type

What Consumers Can Actually Do About These Practices

The honest answer is that consumer leverage here is real but limited. The FCRA was designed with the financial services industry as a primary stakeholder, and several of the practices described above have no opt-out. That said, the levers that do exist are worth using deliberately.

Practical Steps Organized by Practice

  • Prescreening and trigger lists: Opt out at OptOutPrescreen.com. Mail the permanent opt-out form rather than relying on the five-year online version. Do this before applying for a mortgage or auto loan if you want to reduce unsolicited contact.
  • Frivolous dispute dismissals: Submit disputes in writing via certified mail with return receipt. Include specific documentation, not just a claim. Reference the exact account number, the specific error, and attach supporting evidence. A dispute with substance is harder to code as frivolous.
  • Reinsertion of deleted items: Monitor your reports after any deletion. The bureaus are required to notify you within five business days of a reinsertion, but self-monitoring is faster. If an item reappears without the required notice, that is an independent FCRA violation.
  • Credit header data: There is currently no federal opt-out. Consumers can reduce exposure by freezing reports at the major bureaus and at the specialty reporting agencies (ChexSystems, LexisNexis, Innovis), which limits new data collection pathways, though it does not eliminate existing data already in circulation.
  • Account review pulls: A security freeze does not stop existing creditors from pulling for account review. Maintaining healthy utilization and payment history is the most direct way to reduce the likelihood of adverse action resulting from an account review.

The Private Right of Action Under FCRA

The strongest tool available to consumers who believe a bureau has willfully violated the FCRA is litigation. Under FCRA Section 1681n, consumers can sue for willful violations and recover actual damages, statutory damages between $100 and $1,000 per violation, and attorney’s fees. This means that an attorney may take a well-documented case on contingency, making it financially accessible even without upfront legal costs.

Filing a complaint with the CFPB is also a productive step, particularly in cases involving superficial dispute investigations. The CFPB complaint database is a public record, and a formal complaint creates a paper trail that can support subsequent legal action. For consumers who have used credit repair companies and found their disputes dismissed as frivolous, the article on credit repair companies vs. DIY dispute approaches examines which method actually produces better legal standing.

Pro Tip

When submitting a dispute, never rely solely on the online portal. Mail a written dispute with certified mail and return receipt to the bureau’s dispute address. Include a copy of your ID, your credit report with the error circled, and any documentation that contradicts the disputed item. Bureaus must begin their investigation within 30 days of receiving a complete, substantive dispute, and a paper trail protects your right to sue if they fail to do so.

Consumers rebuilding credit after dispute cycles should also look at common credit-building mistakes made after paying off a collection, because how you proceed after a dispute resolves has as much impact on your score as the dispute itself.

Frequently Asked Questions

Can credit bureaus share my information without my permission?

Yes, in several specific circumstances. The FCRA explicitly permits credit bureaus to share your data for prescreened solicitations, account reviews by existing creditors, and employment or insurance purposes under defined permissible-purpose rules, all without your advance consent. Your credit header data (name, address, SSN, DOB) has historically been shareable with even fewer restrictions.

What is a trigger list in credit reporting?

A trigger list is a product sold by credit bureaus that alerts competing lenders the moment a hard inquiry hits your report. When you apply for a mortgage or auto loan, bureaus can notify other lenders that you are actively shopping for credit and sell them your contact information. This is why consumers often receive a surge of loan offers immediately after submitting a credit application.

Can a credit bureau ignore my dispute?

Under FCRA Section 1681i(a)(3), a bureau may halt its investigation and decline to reinvestigate if it determines a dispute is “frivolous or irrelevant.” The bureau must notify you of this determination within five business days. You can restart the investigation obligation by resubmitting with new documentation or a different factual argument.

Does a security freeze stop all credit inquiries?

No. A security freeze prevents new creditors from accessing your report when evaluating a new application. It does not stop existing creditors from pulling your report for account review purposes. Existing lenders retain full access under permissible purpose rules regardless of a freeze.

What is the difference between reinsertion and re-aging?

Reinsertion is the legal process by which a furnisher later verifies the accuracy of a previously deleted item, allowing the bureau to put it back on your report. Re-aging is an illegal practice in which a furnisher resets the delinquency date on an account to make it appear more recent, extending the seven-year reporting window. Reinsertion is permitted; re-aging is an FCRA violation.

What can I do if I believe a credit bureau conducted a sham investigation?

File a formal complaint with the CFPB, and consult a consumer protection attorney. Under FCRA Section 1681n, willful violations entitle consumers to statutory damages between $100 and $1,000 per violation plus attorney’s fees, meaning attorneys often take these cases on contingency. The January 2025 CFPB lawsuit against Experian establishes a legal framework that may support individual consumer claims about superficial dispute investigations.

Is credit header data protected under the FCRA?

Credit header data (name, address, date of birth, Social Security Number) has historically been treated by the FTC as falling outside the core consumer reporting protections of the FCRA because it does not directly relate to creditworthiness. This means it can be sold by bureaus and data brokers with fewer restrictions than a full credit report. As of April 2026, there is no federal opt-out mechanism for this category of data.

NP

Nikos Papadimitriou

Staff Writer

Running the family restaurant group his father built in Chicago taught Nikos Papadimitriou more about predatory lending and credit traps than any textbook ever could — lessons he started writing down publicly after contributing a widely-shared piece on small-business debt cycles to the Substack ‘The Contrarian Consumer’ in 2021. He does not believe most credit-building advice found online is honest, and he says so. Now in his early fifties, he covers consumer protection and credit-building for readers who are tired of being talked down to.