Can someone run our credit without our permission?*
Yes and No.
Yes, someone can run your credit without your explicit permission.
No, no one can run our credit without your implicit permission.
The operating phrases are Explicit Permission and Implicit Permission.
Explicit Permission or Explicit Consent is when someone gets your consent explicitly for a certain Action A e.g. run your credit.
Implicit Permission or Implicit Consent is when someone gets your consent for Action A implicitly by getting your consent for another Action B explicitly, where performing B requires that someone to perform A. In effect, when you give your consent for Action B explicitly, you have also given away your consent for Action A implicitly, perhaps without realizing it. One example of Action B is, you apply for a loan; Action A is for that someone to run your credit.
This topic is quite broad and comes into picture in many other areas e.g.:
- Access your banking details in return for using a Personal Finance Management service e.g. MINT, USA
- Enrol you for Product B when you buy Product A e.g. Airtel Payments Bank, India
- Access your Utility Bill when you use a service to pay a Mobile Phone bill e.g. Bharat Bill Pay Service, India
- Show personalized and targeted ads in return for consuming content e.g. Facebook, worldwide
- etc.
It’s self-evident that there’s a HUGE difference between Explicit Consent and Implicit Consent. The difference is often the subject of a lot of faux outrage on social networks.
On a side note, the exact language of the statement seeking consent will determine whether people will give consent or not (and realize whether they have given consent or not).
Years ago, I issued guidance to my retainer clients that people are more likely to give Consent if the consent statement is worded around Benefit rather than Feature. See https://www.finextra.com/blogposting/14695/open-banking-consent-is-key.
Recent studies seem to bear out my prediction in the context of Open Banking e.g. ING. See Consumers remain suspicious about open banking.
CCPA (California Consumer Privacy Act) is the first regulation I know that expressly recognizes the role of language - and possibility of deception via Dark Pattern - in consent. California outlaws wording, webpage buttons designed to hoodwink people into handing over their personal data.
*: This is the original question I answered. I’m repeating it to help me make sense of my answer in case it’s moved to / merged with some other question that I didn’t answer.