Branden McAfee v. DataX, Ltd.

• Court: District Court, S.D. Ohio
• Decided: November 10, 2025
• Docket: 1:25-cv-00516
• Status: Unknown

Opinion

UNITED STATES DISTRICT COURT SOUTHERN DISTRICT OF OHIO WESTERN DIVISION

BRANDEN MCAFEE

Plaintiff, Case No. 1:25-cv-516 v. JUDGE DOUGLAS R. COLE DATAX, LTD., Magistrate Judge Litkovitz

Defendant.

OPINION AND ORDER Defendant DataX, Ltd., moves to dismiss Plaintiff Branden McAfee’s Complaint (Doc. 3). The Complaint alleges that DataX—a credit reporting agency— violated the Fair Credit Reporting Act by requiring McAfee to submit a copy of his Social Security card, W2, or 1099 form as a condition of disclosing McAfee’s consumer file. Since DataX filed its Motion to Dismiss, McAfee has filed a Motion for Leave to File Amended Complaint (Doc. 5), and a Motion for Leave to File a Surreply in Further Opposition to Defendant’s Motion to Dismiss (Doc. 8). For the reasons set forth below, the Court DENIES McAfee’s Motion for Leave to File a Surreply (Doc. 8), GRANTS DataX’s Motion to Dismiss (Doc. 4), and DENIES McAfee’s Motion for Leave to File Amended Complaint (Doc. 5). BACKGROUND McAfee filed this action pro se in the Hamilton County Municipal Court on June 6, 2025, (Doc. 1-3, #11), and served DataX on June 27, 2025, (id. at #41). DataX timely removed the case to this Court on July 25, 2025. (Doc. 1). DataX is allegedly a consumer reporting agency (CRA) as that term is used in 15 U.S.C. § 1681a(f). (Doc. 3, #48). That is, “for monetary fees, dues, and/or on a cooperative nonprofit basis, it regularly engages in whole or in part in the practice of

assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties.” (Id. (citing 15 U.S.C. § 1681a(f))). McAfee’s Complaint alleges that DataX violated the Fair Credit Reporting Act (FCRA). 15 U.S.C. § 1681 et seq. Specifically, McAfee contends that DataX violated 15 U.S.C. § 1681g(a)(1)—an FCRA provision that requires CRAs to disclose “[a]ll information in the consumer’s file” when the consumer appropriately requests it.

(Doc. 3, #53). According to McAfee, DataX declined to “provide a full file disclosure” to McAfee after he submitted a “proper and complete request” for the disclosure. (Id. at #53–54). McAfee says that his request included “his full name, current mailing address, date of birth, complete Social Security number, and a copy of his driver’s license.” (Id. at #49). But despite receiving this information, which, by McAfee’s lights, was sufficient to “complete[ly] identify[]” him, DataX “refused to comply” with

its § 1681g(a)(1) disclosure obligation and “demanded a copy of [McAfee’s] Social Security card, W2, or 1099 form before it would release the consumer file.” (Id.). This, McAfee says, “was plainly a stall tactic designed to frustrate [McAfee’s] access rights.” (Id.). As a result, McAfee claims he has endured “mental anguish, anxiety, uncertainty, depression, and stress.” (Id. at #50). McAfee’s stress and anxiety have induced “persistent sleep disruption, an inability to concentrate for extended periods, intense emotional fatigue, and episodes of anger and frustration, as well as intrusive thoughts relating to what information [DataX] is maintaining” about him. (Id. at #50– 51). These symptoms have been so intense that McAfee is “seeking to undergo

therapy” to redress them. (Id. at #50). The FCRA supplies two private rights of action for plaintiffs in McAfee’s situation: one for willful violations of the FCRA, 15 U.S.C. § 1681n, and one for negligent violations of the FCRA, id. § 1681o. Here, McAfee relies on both. (Id. #55). He claims that he is entitled to statutory damages, actual damages, reasonable costs, and—because DataX’s conduct was “willful”—punitive damages. (Id.). DataX has now moved to dismiss. (Doc. 4). In its motion, DataX points out that

another provision of the FCRA, 15 U.S.C. § 1681h(a)(1), provides that CRAs “shall require, as a condition of making disclosures required under section 1681g of this title, that the consumer furnish proper identification.” (Doc. 4, #82 (quoting 15 U.S.C. § 1681h(a)(1)) (emphasis removed)). Although the statute does not define “proper identification,” the Consumer Financial Protection Bureau (CFPB) has promulgated guidance defining the contours of the requirement.1 (Id.). Specifically, 12 C.F.R.

§ 1022.123 provides: (a) Consumer reporting agencies shall develop and implement reasonable requirements for what information consumers shall provide to constitute proof of identity for purposes of sections 605A, 605B, and 609(a)(1) of the FCRA. In developing these requirements, the consumer reporting agencies must: (1) Ensure that the information is sufficient to enable the consumer reporting agency to match consumers with their files; and

1 In its Motion to Dismiss, DataX asserts that the FTC promulgated this guidance. (Doc. 4, #82). But it was, in fact, the CFPB. See 76 Fed. Reg. 79308, 79335 (Dec. 21, 2011). (2) Adjust the information to be commensurate with an identifiable risk of harm arising from misidentifying the consumer. (b) Examples of information that might constitute reasonable information requirements for proof of identity are provided for illustrative purposes only, as follows: (1) Consumer file match. The identification information of the consumer including his or her full name (first, middle initial, last, suffix), any other or previously used names, current and/or recent full address (street number and name, apt. no., city, state, and zip code), full nine digits of Social Security number, and/or date of birth. (2) Additional proof of identity. Copies of government issued identification documents, utility bills, and/or other methods of authentication of a person's identity which may include, but would not be limited to, answering questions to which only the consumer might be expected to know the answer. 12 C.F.R. § 1022.123. Relying on these provisions and some case law with certain factual parallels to McAfee’s allegations, DataX’s motion argues that DataX’s requirement that McAfee produce copies of his Social Security card, W2, or 1099 form is a “reasonable” means of establishing the “proper identification” that the statute requires as a precursor to disclosing credit information. (Doc. 4, #81–85). McAfee has responded to the motion, (Doc. 6), and DataX has replied, (Doc. 7), so the matter is ripe for review. But McAfee has also filed a Motion for Leave to File a Surreply in Further Opposition to Defendant’s Motion to Dismiss (Doc. 8), as well as a Motion for Leave to File an Amended Complaint (Doc. 5). So the Court considers these latter two filings as well.2

2 McAfee also recently filed a Notice of Supplemental Information (Doc. 9). The Notice explains that, on September 11, 2025, counsel for Equifax Information Services, LLC—which wholly owns DataX, see DataX, Ltd., Consumer Fin. Prot. Bureau, https://perma.cc/9WPV- GYVK—sent McAfee a digital copy of McAfee’s DataX consumer file disclosure. (Doc. 9, #156). No further identifying documentation was requested for the disclosure. (Id.). McAfee does not request any kind of relief in the filing; rather, McAfee submitted it “solely to make the Court LEGAL STANDARD To survive a Rule 12(b)(6) motion to dismiss, a plaintiff must allege “sufficient factual matter … to state a claim to relief that is plausible on its face.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (cleaned up). While a “plausible” claim for relief does

not require a showing of probable liability, it requires “more than a sheer possibility that a defendant has acted unlawfully.” Id. The complaint must allege sufficient facts to allow the Court “to draw the reasonable inference that the defendant is liable.” Id. “In reviewing a motion to dismiss, [the Court] construe[s] the complaint in the light most favorable to the plaintiff, draw[s] all reasonable inferences in [his] favor, and accept[s] all well-pleaded allegations in the complaint as true.” Keene Grp., Inc.

v. City of Cincinnati, 998 F.3d 306, 310 (6th Cir. 2021). But that does not mean the Court must take everything a plaintiff alleges at face value, no matter how unsupported. The Court may disregard “naked assertion[s]” of fact, “formulaic recitation[s] of the elements of a cause of action,” and “mere conclusory statements.” Iqbal, 556 U.S. at 678 (cleaned up). Additionally, the Court may grant a motion to

aware of this development and to preserve it as part of the record.” (Id.). But just as the Court was preparing to publish this Opinion and Order, McAfee changed his tune on that front and filed a Motion for Sanctions Under Federal Rule of Civil Procedure 11 (Doc. 10). There, McAfee asserts that DataX and its counsel put forth statements that “were factually false, legally untenable, and interposed for an improper purpose in violation of Rule 11(b)(1)–(3).” (Id. at #160). The asserted basis for this charge is Equifax’s counsel’s decision to “transmit[] to Plaintiff via email a complete copy of his DataX consumer file disclosure” (i.e., the consumer file referenced in McAfee’s Notice above). (Id. at #161, 162–64; see Doc. 9; Doc. 10- 2). That transmission, McAfee says, belies DataX’s position in this litigation—that its internal policies and procedures required McAfee to submit identification in the forms DataX specified, and that the law permits DataX to request those forms of identification. (Doc. 10, #161, 162–64). dismiss “on the basis of a dispositive issue of law.” Neitzke v. Williams, 490 U.S. 319, 326 (1989) (citations omitted). Turning to McAfee’s request to amend his Complaint, that is governed by

Federal Rule of Civil Procedure 15. A party is entitled to amend his complaint once as a matter of course within 21 days after service of a motion under Rule 12(b), Fed. R. Civ. P. 15(a)(1)(B), a deadline that McAfee met here, (see Doc. 4; Doc. 5). But a party can forfeit this right by seeking “leave in the [this Court] instead of simply filing an amended complaint,” and “cit[ing] in support of his request the portion of Civil Rule 15 that says leave is required.” Glazer v. Chase Home Fin., LLC, 704 F.3d 453, 458 (6th Cir. 2013) (first citing Pure Country, Inc. v. Sigma Chi Fraternity, 312 F.3d

952, 956 (8th Cir. 2002) (holding that a party forfeited its right to amend once as a matter of course because it “expressly quoted and relied” on Rule 15(a)(2) instead of Rule 15(a)(1)(B) (emphasis removed)); and then citing Coventry First, LLC v. McCarty, 605 F.3d 865, 869–70 (11th Cir. 2010) (“Coventry … never filed an amended complaint as a matter of course. Instead, it chose to file a motion to amend. We conclude that, in doing so, it waived the right to amend as a matter of course and it

invited the District Court to review its proposed amendments.”)). In that event, a party may amend only with the opposing party’s consent or with leave of the Court. Fed. R. Civ. P. 15(a)(2). The Rule provides that the Court “should freely give leave when justice so requires.” Id. But when deciding whether to grant leave to amend, courts may consider among other things “futility of amendment.” Gen. Elec. Co. v. Sargent & Lundy, 916 F.2d 1119, 1130 (6th Cir. 1990). The touchstone for assessing futility is whether the proposed amended complaint could survive a Rule 12(b)(6) motion to dismiss. Rose v. Hartford Underwriters Ins. Co., 203 F.3d 417, 420–21 (6th Cir. 2000).

LAW AND ANALYSIS A. The Court Does Not Consider McAfee’s Surreply Because He Has Not Demonstrated Good Cause. Before turning to the merits of DataX’s Motion to Dismiss, the Court first addresses a procedural issue—namely, whether it will consider McAfee’s surreply. Although this Court’s local rules generally do not permit parties to file surreply briefs, a party may request leave to do so upon a showing of good cause. S.D. Ohio Civ. R. 7.2(a)(2). As this Court has previously explained, generally, good cause “exists where the reply brief raises new grounds that were not included in the movant’s initial motion.” Canter v. Alkermes Blue Care Elect Preferred Provider Plan, 593 F. Supp. 3d

737, 744 (S.D. Ohio 2022) (cleaned up). Good cause also exists “where a party seeks to ‘clarify misstatements’ contained in the reply brief.” Id. at 744–45 (citation omitted). Here, McAfee contends that his surreply brief is warranted because DataX argued in its reply brief, for the first time, (1) that McAfee failed to state a cognizable FCRA claim, (2) that the allegations in McAfee’s Amended Complaint cannot be considered for purposes of DataX’s Motion to Dismiss, (3) that McAfee’s position is

“merely that listing his Social Security number and address was sufficient to satisfy the FCRA’s disclosure mandate,” which McAfee says is a new and incorrect characterization of his argument, (4) that the Amended Complaint does not cure the alleged deficiencies in the original pleading, and (5) that denying McAfee’s request for disclosure was in McAfee’s best interest. (Doc. 8, #145–46). None of these allegedly “new” arguments provides a basis for McAfee’s surreply. Take them in order.

First, DataX’s reply brief is not the first time it has argued that McAfee failed to state an FCRA claim. Indeed, that’s the entire basis for DataX’s Motion to Dismiss. (See generally Doc. 4). Second, DataX’s reply addresses McAfee’s proposed Amended Complaint only because McAfee “makes numerous references [to it] throughout his Response to support his arguments.” (Doc. 7, #141). In other words, DataX is not making a “new argument” for dismissal; it is merely responding to McAfee’s use of the Amended

Complaint in his response brief. That’s a proper use of a reply brief, and it does not warrant a surreply. Cf. Liberty Legal Found. v. Nat’l Democratic Party of the USA, Inc., 875 F. Supp. 2d 791, 797–98 (W.D. Tenn. 2012) (“The Court finds that this argument is not a new argument, but rather a counterpoint in response to Plaintiffs’ theory of competitive standing. This is entirely consistent with the proper purpose of a reply brief, to address the opposing party’s arguments raised in a response brief.”).

At any rate, DataX is correct that the Court cannot consider McAfee’s proposed Amended Complaint in ruling on DataX’s Motion to Dismiss. The object of DataX’s Motion is to dismiss McAfee’s first Complaint, and the allegations contained in the proposed Amended Complaint do not bear on that task. True, McAfee’s Motion for Leave to File an Amended Complaint, if granted, would moot DataX’s Motion to Dismiss. But it doesn’t follow that the Court can consider the allegations in the Amended Complaint for purposes of considering a motion to dismiss McAfee’s original Complaint. (Although the Court can, and does, consider those allegations in connection with deciding McAfee’s motion for leave to amend, as discussed below.)

Third, read in context, DataX’s reply brief does not mischaracterize McAfee’s position in the way McAfee suggests. Although there is a single sentence in DataX’s reply brief that could be read as oversimplifying McAfee’s pleading and argument, (see Doc. 7, #142 (“Plaintiff argues that simply listing his address and social security number in his request, as alleged in the Complaint, was sufficient to satisfy the FCRA’s mandate.”)), DataX’s Motion to Dismiss makes clear that that sentence is, at best, an example of inartful drafting, rather than an affirmative misstatement of

McAfee’s position, (Doc. 4, #80 (noting that McAfee’s disclosure request “included his full name, current mailing address, date of birth, complete Social Security number, and a copy of his driver’s license”) (emphasis added)). Fourth, the question whether McAfee’s Amended Complaint cures the alleged deficiencies of McAfee’s first Complaint is a question that goes to McAfee’s Motion for Leave to File an Amended Complaint, not to his Motion for Leave to File a Surreply.

As already noted, the Court addresses that issue separately from the question of dismissal. See infra Law and Analysis, Part C. Finally, DataX’s reply brief does not present a new argument that “denial of a consumer’s disclosure is in the consumer’s best interest.” (Doc. 8, #146). Rather, the reply brief explains that one of the policy reasons animating the FCRA’s personal- identification requirement is “an added layer of security against identity theft.” (Doc. 7, #142). That’s an accurate statement of the purpose for which the provision of law at issue was promulgated, not a new ground on which to dismiss McAfee’s Complaint. See, e.g., Garland v. Equifax, No. 15 C 50305, 2017 U.S. Dist. LEXIS 217553, at *9–

10 (N.D. Ill. Oct. 27, 2017) (“These verification procedures are crucial because they accommodate a consumer’s right to access his personal credit information, while at the same time shielding that confidential information from impermissible third-party disclosure.”). In sum, McAfee has not shown good cause to consider his surreply. Accordingly, the Court DENIES McAfee’s Motion for Leave to File a Surreply (Doc. 8).

B. McAfee’s Operative Complaint Fails to State a Claim. Turn now to the merits of DataX’s Motion to Dismiss. DataX argues that (1) the FCRA’s statutory and regulatory regime permits DataX to require that McAfee provide a copy of his “Social Security card, W2, or 1099 form” as a condition of releasing McAfee’s data, (Doc. 4 #80–84), and (2) McAfee did not allege that he responded to DataX’s request for proof of McAfee’s identity, (id. at #85). McAfee

counters that his initial request to DataX contained the requisite “proper identification,” which makes DataX liable under the FCRA for its refusal to disclose the requested information. (Doc. 6-1, #130–33). Recall that the FCRA requires that CRAs, such as DataX, disclose all the information in a consumer’s file when that consumer files an appropriate request. 15 U.S.C. § 1681g(a)(1). But all such requests are subject to the requirements of 15 U.S.C. § 1681h(a)(1). And § 1681h(a)(1) requires that CRAs demand, as a condition of disclosure, that the consumer “furnish proper identification.” The Code of Federal Regulations then directs CRAs to “develop and implement reasonable requirements for what information consumers shall provide to constitute proof of identity.” 12

C.F.R. § 1022.123(a). The “reasonableness” of a CRA’s requirements is evaluated with a view to (1) ensuring that the required information is “sufficient to enable the [CRA] to match consumers with their files,” and (2) making the required information “commensurate with an identifiable risk of harm arising from misidentifying the consumer.” Id. § 1022.123(a)(1)–(2). The regulation provides “illustrative” examples of each consideration. Id. § 1022.123(b). Information that a CRA might require for purposes of matching consumers to their respective files includes the consumer’s

name, address, Social Security number, or date of birth. Id. § 1022.123(b)(1). And items that a CRA might consider accepting as “[a]dditional proof of identity” to mitigate misidentification (and the accompanying prospect of improper disclosure of potentially confidential information) include copies of government-issued identity documents, utility bills, or various other unspecified methods, such as “answering questions to which only the consumer might be expected to know the answer.” Id.

§ 1022.123(b)(2). Here, McAfee submitted a request for his file to DataX, and DataX responded by informing him that it could not oblige him absent McAfee providing a copy of his Social Security card, W2, or 1099 form. (Doc. 3, #49). But according to McAfee, because his initial request included his current mailing address, date of birth, Social Security number, and a copy of his driver’s license—information that, in McAfee’s view, amounts to “full identifying details”—that response from DataX violated § 1681(g)(a)(1) by requiring additional documentation. (Id.). The Court disagrees. Much like another court recently observed in similar

circumstances, “[t]o the extent that [McAfee] asserts that []he should have been provided a credit report without being asked for [] additional identity documents, the Court finds such an argument meritless as a matter of law.” Middlebrooks v. Experian Information Solutions, Inc., No. 1:20-cv-2279, 2020 WL 9600586, at *4 (N.D. Ga. Nov. 3, 2020). That’s because 12 C.F.R. § 1022.123 expressly permits DataX to “request the specific categories of documents that [DataX] requested here.” Id.; see Bell- Loffredo v. Equifax Information Servs., LLC, No. 2:21-cv-3637, 2022 WL 16894504,

at *3 (C.D. Cal. Oct. 6, 2022) (finding that a plaintiff’s § 1681g claim failed as a matter of law because he failed to verify his identity with items on a CRA’s list of approved documents); Samuel v. SageStream, LLC, No. 1:22-cv-1277, 2023 WL 9291572, at *3 (N.D. Ga. July 12, 2023) (“Defendants here sought to verify Plaintiff’s identity by seeking the type of identification information explicitly listed as appropriate in the CFPB regulations. It is undisputed that Plaintiff did not provide any of the

information. Under the circumstances, no jury could find for Plaintiff because Plaintiff has not alleged a legally viable claim for relief.”); Hicks v. Smith, No. 3:17- cv-251, 2020 WL 5824031, at *7–8 (W.D. Ky. Sep. 30, 2020) (granting summary judgment on § 1681g claim where a plaintiff’s Social Security card and driver’s license were not sufficient to identify the plaintiff under the CRA’s internal policies and procedures). And just as in Samuel v. SageStream, here it is “undisputed that [McAfee] did not provide” the information that DataX required. 2023 WL 9291572, at *3. Accordingly, McAfee’s FCRA claim fails as a matter of law. McAfee unsuccessfully attempts to distinguish Middlebrooks and cases of the

sort. In Middlebrooks, the plaintiff submitted a request for her credit report to Experian, providing her name, address, Social Security number, former address, and date of birth. Middlebrooks, 2020 WL 9600586, *1. Experian then wrote back, explaining that Middlebrooks had not furnished proper identification, and that she would need to provide (1) her full name, (2) her Social Security number, (3) her complete addresses for the past two years, (4) her date of birth, (5) one copy of government-issued identification (such as a driver’s license), and (6) one copy of a

utility bill, bank, or insurance statement. Id. And the court found that her failure to provide that information was fatal to her claim. McAfee argues that his case is “fundamentally different” because he submitted a request that “included all identifying information contemplated by the statute and implementing regulations,” including (1) his full name, date of birth, and current mailing address, (2) his Social Security number, and (3) a copy of his driver’s license.3 (Doc. 6-1, #135). All that, he

3 In his Memorandum in Opposition to Defendant’s Motion to Dismiss, McAfee also says that he provided a copy of a recent utility bill. (Doc. 6-1, #129). While McAfee’s Complaint does not allege that his initial submission contained the bill, his request to DataX, which McAfee attaches as an exhibit to his Complaint, notes that he enclosed “copies of utility bills” with the request. (Doc. 3-2, #64). Although a court analyzing a motion to dismiss under Rule 12(b)(6) generally must confine its review to the pleadings, Armengau v. Cline, 7 F. App’x 336, 343 (6th Cir. 2001), “a court may consider exhibits attached to the complaint … so long as they are referred to in the complaint and are central to the claims contained therein,” Gavitt v. Born, 835 F.3d 623, 640 (6th Cir. 2016). McAfee’s request is a core part of this litigation, and he refers to it in his Complaint. (Doc. 3, #52). So the Court credits McAfee’s assertion for purposes of evaluating DataX’s motion. says, satisfies the “consumer file match” and “additional proof of identity” criteria laid out in 12 C.F.R. § 1022.123(b)(1)–(2). In other words, McAfee finds in Middlebrooks a rule that says CRAs must accept the list of information identified

there as satisfying the statute. And then based on that, he contends that he submitted the additional forms of identification (e.g., a driver’s license) that the Middlebrooks court said that the plaintiff there had failed to provide. In other words, he contends that because he provided a statutorily complete set of information, DataX could not respond by requiring McAfee to provide additional documents. That misunderstands Middlebrooks. That case did not identify a list of documents that a CRA is statutorily required to accept as sufficient identification.

Rather, it simply noted the list of documents that Experian had required in that case, and observed that the plaintiff there failed to provide the listed documents and thus did not have a viable claim. Just so here—DataX has selected the list of documents that it requires to verify identity before sharing credit information, and McAfee failed to provide those documents. So Middlebrooks hurts him, rather than helping him Perhaps more importantly, DataX has not somehow violated 12 C.F.R.

§ 1022.123 by requesting identification other than a driver’s license. That section does not, as McAfee suggests, set forth a “reasonable identification standard” that consumers may satisfy by submitting documentation that the consumer deems sufficient under the section. (Doc. 6-1, #132). Rather, the section directs CRAs to “develop and implement reasonable requirements for what information consumers shall provide to constitute proof of identity.” 12 C.F.R. § 1022.123(a). In developing and implementing those requirements, CRAs must ensure (1) that the information required is sufficient to enable the CRA to match the consumer to their files, and (2) that the information required is commensurate “with an identifiable risk of harm

arising from misidentifying the consumer.” Id. § 1022.123(a)(1)–(2). True, the section provides examples of information that might constitute reasonable requirements. Id. § 1022.123(b). And among those examples are “[c]opies of government issued identification documents, utility bills, and/or other methods of authentication of a person’s identity”—categories which would seem to include the driver’s license that McAfee alleges he provided here. Id. § 1022.123(b)(2). But the regulation provides the examples “for illustrative purposes only.” Id. § 1022.123(b). In short, the regulation

does not require DataX to accept any one of those forms of identification that McAfee may choose to present. Rather, DataX could specify any reasonable form of identification it thought appropriate. And here DataX requested McAfee’s Social Security card (a “government issued identification document,” id. § 1022.123(b)(2)), or McAfee’s W2 or 1099 form (another listed “method[] of authenticat[ing]” McAfee’s identity, id.). The Court is certainly mindful that a CRA’s “extreme attention to

detail” might frustrate a person seeking disclosure of their credit information, but the Court is also “mindful that [DataX] has a duty to protect the confidentiality and security of [McAfee’s] information.” Ogbon v. Ben. Credit Servs., Inc., No. 10 Civ. 3760, 2013 WL 1430467, at *9 (S.D.N.Y. Apr. 8, 2013) (citations omitted). Against that backdrop, DataX cannot be faulted for electing a cautious approach. Beyond that, the Court cannot discern any sense in McAfee’s assertion that it should consider the reasonableness of DataX’s requirements “in light of the proper identification” that McAfee provided in his initial request to DataX.4 (Doc. 6-1, #137).

At the risk of undue repetition, 12 C.F.R. § 1022.123 authorizes CRAs—not consumers—to specify the kinds of documentation CRAs will accept for identification purposes. The Court declines to second-guess DataX’s otherwise reasonable personal- identification requirements merely because McAfee decided to submit other forms of identifying information that he thought sufficient. If McAfee’s preferred approach were the law, a CRA’s internal policies and procedures could be challenged anew every time a consumer’s request is denied after submitting some form of identification

to the CRA. That, in turn, would give potential FCRA plaintiffs an incentive to skirt a given CRA’s proper-identification requirements for the purpose of teeing up an FCRA claim.5

4 McAfee relies on two pieces of administrative guidance to bolster his argument on this front. The first is a CFPB advisory opinion, which McAfee characterizes as “interpreting 15 U.S.C. § 1681g(a)(1) to prohibit additional conditions beyond a consumer’s request and provision of proper identification.” (Doc. 6-1, #132). But the advisory opinion actually focuses on three other issues: (1) whether a consumer needs to use “specific language” in a disclosure request, (2) the information that must be disclosed to a consumer following a request, and (3) the sources of information that a CRA must disclose to a consumer. See Fair Credit Reporting; File Disclosure, 89 Fed. Reg. 4168 (Jan. 23, 2024). The second piece of guidance that McAfee cites is from the Federal Trade Commission (FTC). See What Tenant Background Screening Companies Need to Know About the Fair Credit Reporting Act, Fed. Trade Comm’n (October 2016), https://www.ftc.gov/business-guidance/resources/what-tenant-background-screening- companies-need-know-about-fair-credit-reporting-act [https://perma.cc/SL3N-YJQJ]. McAfee cites the guidance for the proposition that “unreasonable barriers violate the FCRA.” (Doc. 6- 1, #132). As explained, though, DataX’s requirements are simply not unreasonable. 5 Although McAfee does not cite them, there are some cases that comport with McAfee’s reading of the FCRA’s statutory and regulatory framework. For example, in Menton v. Experian Corp., a case from the Southern District of New York, Menton requested a copy of his credit report from Experian, “submitting as identification (1) a copy of his driver’s license; (2) a copy of a bank statement containing his name and address; (3) his home telephone Thus, McAfee’s argument that DataX’s request for a copy of McAfee’s Social Security card, W2, or 1099 form violates 15 U.S.C. § 1681g fails as a matter of law. And because McAfee “did not provide the requested information, [DataX] had no

obligation to send [McAfee] his credit reports.” Garland, 2015 U.S. Dist. LEXIS 170984, at *9 (N.D. Ill. Dec. 12, 2015). So the Court GRANTS DataX’s Motion to Dismiss (Doc. 4).6

number; and (4) the address of his law firm’s website, where Experian could access a photograph of Menton, as well as a variety of other means of identification.” No. 02 Civ. 4687, 2003 WL 941388, at *1 (S.D.N.Y. Mar. 6, 2003). Experian wrote back, explaining that it was unable to process Menton’s request without his Social Security number. Id. Menton then sent a follow-up letter with the same information, plus a notarized copy of his signature and a check for the appropriate fee. Id. When Menton received no response, he sued under the FCRA and the New York Fair Credit Reporting Act (NYFCRA). Id. Considering Experian’s motion to dismiss, the Southern District of New York rejected Experian’s argument that Menton did not provide the statutorily required proper identification. Id. at *3. While “Experian’s initial request for Mr. Menton’s social security number was not in and of itself improper,” the court found “no reason that Experian could not have verified Mr. Menton’s identity and provided him with his credit report soon after receiving the various alternative forms of identification which he did furnish.” Id. In other words, the Southern District of New York was “not persuaded by Experian’s argument that ‘proper identification’ as defined by the FCRA and NYFCRA should be narrowly construed to mean that, in all circumstances, a consumer must provide his Social Security number in order to receive his credit report.” Id. The Court rejects this analysis. The FCRA’s statutory and regulatory regime grants CRAs some discretion in crafting the personal-identification requirements that consumers must meet in order to obtain a copy of their credit report, provided the requirements are reasonable. See 12 C.F.R. § 1022.123(a). The mere fact that McAfee provided forms of identification that he deems sufficient does not render DataX’s request for additional documentation unreasonable. Moreover, rejecting McAfee’s claim here does not, as the Southern District of New York asserted, require the Court to hold that, “in all circumstances, a consumer must provide his [Social Security card, W2, or 1099 form] in order to receive his credit report.” Menton, 2003 WL 941388, at *3. Rather, the Court merely holds that DataX’s general requirement for documentation in those forms is reasonable in light of the two considerations laid out in 12 C.F.R. § 1022.123(a). 6 Given this conclusion, the Court DENIES McAfee’s Motion for Sanctions (Doc. 10). See supra note 2. As described above, the Court agrees with DataX’s view on the law. And the mere fact that Equifax’s counsel later transmitted McAfee’s file to him does not, in any way, suggest that DataX has put false factual assertions or frivolous legal arguments before the Court. Nor has McAfee made a colorable showing that DataX’s filings were submitted for an improper purpose. C. The Court Denies McAfee’s Motion for Leave to File an Amended Complaint Because the Proposed Amendment Is Futile. Separately, the Court considers whether McAfee’s proposed Amended Complaint cures the deficiencies identified above. As described below, it does not. While leave to amend should be “freely given,” courts may reject amendments that are futile. Beydoun v. Sessions, 871 F.3d 459, 469 (6th Cir. 2017). And a “proposed amendment is futile if the amendment could not withstand a Rule 12(b)(6)

motion to dismiss.” Id. (quoting Riverview Health Institute LLC v. Med. Mut. Of Ohio, 601 F.3d 505, 520 (6th Cir. 2010)). McAfee asserts that his proposed Amended Complaint “incorporates” more facts (e.g., McAfee’s inclusion of a utility bill in his initial submission to DataX, see supra note 3), “authenticates supporting exhibits, and more fully alleges the elements of Plaintiff’s claims, including negligence and willfulness under the FCRA.” (Doc. 5, #89). None, of these additions, though, help McAfee. At bottom, McAfee alleges the

same series of events he alleged in his first Complaint: (1) McAfee submitted an initial request for his file to DataX, including various forms of identification that he deemed sufficient, (Doc. 5-2, #108); (2) DataX denied that request because its internal policies and procedures require certain specific forms of identification—McAfee’s Social Security card, W2, or 1099 form, (id.); and (3) McAfee suffered damages as a result, (id. at #109–10). So McAfee’s proposed Amended Complaint fails for the same

reason his first Complaint does: the law permits DataX to require McAfee to submit the documents it specified, and the mere fact that McAfee chose to send various other forms of documentation does not render DataX’s request unreasonable. Thus, the Court DENIES McAfee’s Motion for Leave to File Amended Complaint (Doc. 5). CONCLUSION For the reasons set forth above, the Court DENIES McAfee’s Motion for Leave to File a Surreply in Further Opposition to Defendant’s Motion to Dismiss (Doc. 8), GRANTS DataX’s Motion to Dismiss Plaintiff's Complaint (Doc. 4), DENIES McAfee’s Motion for Leave to File Amended Complaint (Doc. 5), and DENIES McAfee’s Motion for Sanctions (Doc. 10). Because McAfee cannot cure the deficiencies in his Complaint, the Court DISMISSES this case WITH PREJUDICE. Consistent with that, the Court further DIRECTS the Clerk to enter judgment and to TERMINATE this matter on the Court’s docket. SO ORDERED.

November 10, 2025 DATE DOUGLAS R. COLE UNITED STATES DISTRICT JUDGE