On September 5, the Homebuyers Privacy Protection Act (H.R. 2808) was signed into law. The law amends the Fair Credit Reporting Act to restrict the sale of consumer information generated when borrowers apply for residential mortgage loans.

Under the new framework (previously discussed here), consumer reporting agencies may release a mortgage-related trigger lead only if the recipient makes a firm offer of credit or insurance and qualifies under narrow criteria. Eligible recipients include those with documented consumer authorization, current holders or servicers of the consumer’s mortgage, and depository institutions or credit unions with existing account relationships. The statute takes effect 180 days after enactment and also requires the Comptroller General to study the consumer impact of trigger-lead solicitations delivered by text message, with findings due to Congress within one year.

Putting It Into Practice: With enactment, the Homebuyers Privacy Protection Act moves from a legislative proposal into an operational compliance requirement. Institutions that rely on prescreening must now prepare to meet the narrowed statutory conditions. That means documenting consumer authorizations, limiting data-sharing to only eligible entities, and ensuring all offers remain firm under the Fair Credit Reporting Act. Institutions should begin revising prescreening and lead-management processes now, and continue monitoring the GAO’s mandated study of text-message solicitations for potential future changes.