The FCRA requires credit bureaus to disclose to consumers the identity of the sources of information in your credit file. Yet if you look at your credit report from any of the 3 major giants (TRU, EFX, EXPN), they list out all addresses, phone numbers, and email addresses with no indication of who fed them that info. If you request that info, they ignore or refuse.

The penalty for FCRA violations in that section is $1k. So you might think: “how cool is that? I can simply sue all three credit bureaus for $1k each”. It should work like that, but doesn’t. IIRC, it was a lawyer for a credit bureau who told me in so many words: case law shows that you must incur damages in this particular case. So if you can prove damages, then you can claim $1k (even if the actual damages are $1). But how do you even prove $1 in damages?

I have some ideas but generally this is such an uphill battle that credit bureaus can simply bluntly ignore the law. Which is what they do. It’s a good demonstration of how US corporations will plainly break laws that are unenforceable.

According to 15 U.S.C. 7704 §5(a)(5):

INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS IN COMMERCIAL ELECTRONIC MAIL.—

(A) It is unlawful for any person to initiate the transmission of any commercial electronic mail message to a protected computer unless the message provides—

(i) clear and conspicuous identification that the message is an advertisement or solicitation;
(ii) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and
(iii) a valid physical postal address of the sender.

When my text-based mail client receives an HTML-only email message, it tries to render the HTML as text. It’s sometimes a jumbled up unreadable heap of garbage because the HTML is malformed and relies on a forgiving/tolerant rendering engine. Even when the HTML is well formed, hyperlinks are not exposed in the text rendered. E.g. a msg will say “to unsubscribe and stop receiving emails, update preferences here.”

Where is “here”? That is just raw text to me. Sure, an advanced user can do a number of things to dig up that link. But I doubt that would pass the legal standard of “clear and conspicuous”.

Anyone have confidence either way whether HTML-only spam is legally actionable on this basis?

(update) I should mention the most annoying offenders-- corporate senders (e.g. banks) that attach a plaintext MIME part, but then the motherfuckers use it to just say (in so many words) “You need to update your software”. This makes it extra difficult to see the content of the message because the text mail client of course shows the text MIME part by default.

Some banks have started demanding proof of address when they realize that the address they have on file is “commercial”, e.g. like a UPS Store PMB type of address. How would this play out in court? The law¹ states:

“(i) Customer information required—(A) In general. The CIP must contain procedures for opening an account that specify the identifying information that will be obtained from each customer. Except as permitted by paragraphs (b)(2)(i)(B) and (C) of this section, the bank must obtain, at a minimum,the following information from the customer prior to opening an account:

1. Name;
2. Date of birth, for an individual;
3. Address, which shall be:
   (i) For an individual, a residential or business street address;
   (ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual; or …
4. Identification number, which shall be: …

(emphasis mine)

Banks seem to be over-reacting to law that is more lenient than what banks are interpreting. Not only are business addresses allowed, but a bank customer can even supply someone else’s address. The law also seems to distinguish between old customers and new. Yet out of the blue banks are harrassing customers who have had an account for years. They have a gov-issued ID doc and SSN, yet suddenly the banks get anal and persnickety about the address to the extreme of freezing people’s accounts as databases grow (DBs that track the zoning an address is in).

Has this been challenged in court? It’s clear from the linked thread that customers either dance for the banks or get their accounts frozen. It could be hard to challenge in court since banks can demand whatever info they want even if not required by law. But if they suddenly close an account that has been established, that could cause damages to the customer.

One interpretation is that legislators intended the business address to be that of the customer’s workplace. But the law does not seem to specify that.

¹ 31 C.F.R. § 103.121

Some tax forms ask information that seems to have no effect on the bottom line. No matter how you answer the question, your tax bill is the same either way. In Europe, this sort of thing would violate the data minimization principle of the GDPR. So the question is, what happens to people who either leave the intrusive fields blank, or they give bogus info? I’ve heard that tax penalties are generally a constant × the amount of underpayment. If underpayment is zero then so is the penalty, correct?

My credit union has been spamming me for years. As the volume of their bulk junk mail increases, I’m looking for a way out. Their email is HTML-only. So my text mail client only renders the raw text “To unsubscribe and stop receiving emails click here”. And “here” is obviously just text because it’s a text terminal.

Is that legal?

Suppose it is. So I dissect the HTML and fish out the link from a heap of garbage. The link does not go to the credit union’s website (if it did, that would be a non-starter anyway because I canceled my web account when they started blocking Tor). The link goes to a 3rd party site which also blocks Tor. So apparently as a precondition to opting out of spam I must share my personal IP address with a 3rd party agent of spam. Perhaps I can play whack-a-mole with a series of VPNs but I’m not interested. I just want to know if the opt-out procedure can legally be exclusive in this way. Can a legal challenge be mounted that forces them to provide an opt-out mechanism that’s inclusive?

The legal text is this:

(ii) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender;

I don’t know the legal meaning of “clear and conspicuous”, so I’m not sure if nesting it in HTML satisfies that requirement. But it’s strange that they must merely give notice of the opportunity to opt-out, apparently without actually giving the opportunity to opt-out (just notice thereof IIUC).