August 29, 2022
The Federal Fair Credit Reporting Act (“FCRA”) is far from a clear statute that provides digestible guidance for compliance. Many obligations of end users and consumer reporting agencies (CRAs) covered under the FCRA are described with ambiguous and undefined terms, which creates a lot of legal “gray area” and confusion for folks who are endeavoring to figure out what they have to do in order to fully comply with the law.
Fortunately, one section of the FCRA, which describes what kinds of use of people data can trigger compliance obligations (“Permissible Purposes”), is communicated a bit more clearly than other sections of the statute.
The following is an overview of the top four use cases of people data, or permissible purposes, that are likely governed by the FCRA, provided that information is communicated by a consumer reporting agency. Remember, there are two prongs that trigger the FCRA, and we discuss this further in our blog post, Understanding the Basics of the Fair Credit Reporting Act.
The takeaway from that blog is that when both the (i) category of people data procured/provided, and, (ii) the recipient’s intended use of that data, fall under the scope of the FCRA, the communication and use of that data may be considered “consumer report” data – meaning FCRA compliance obligations are triggered. We dive deeper here into the “recipient’s intended use of data” prong. We will refer to these as Permissible Purposes throughout.
Here are 4 Permissible Purposes that may convince you to dive deeper into the glamorous world of the FCRA and understand how you may be obligated to comply.
The employment Permissible Purpose is triggered when people data assembled into a consumer report is intended to be used for employment actions. At the federal level, these actions include:
Federal Trade Commission (“FTC”) guidance tells us that the employment permissible purpose is perhaps not aptly named, because it includes not only use of people data in regard to “employees”, but also volunteers and independent contractors.
While some courts have issued opinions that the FCRA does not apply to “independent contractors” within that jurisdiction, by and large, independent contractors are baked into this broad permissible purpose bucket. So if you’re using consumer report data to inform any decisions listed above, you’re best served to check in with your in-house legal team or outside counsel to make sure your evaluation of data on these folks complies with the FCRA.
Similarly, the FTC has made clear that individuals on whom a consumer report is procured and used to assess eligibility status as a volunteer are also included in the “employment” Permissible Purpose category.
It seems strange, doesn’t it? Assessing consumer report data on an unpaid individual who offers their time freely to a business or organization wouldn’t normally cause one to pause and think that consumer reporting data procured on them could trigger regulatory and statutory obligations. But it does! So for all the non-profit entities out there who are obtaining public record data to evaluate potential volunteers for their organizations – watch out! Your use of people data could trigger compliance obligations under the FCRA!
It’s also worth mentioning that people data obtained in order to aid an employer organization’s investigation into misconduct by an employee is, surprisingly, clearly exempted by the FCRA. So if an employee is believed to have engaged in fraud or theft within their role, for example, the procurement of people data in efforts to complete an HR investigation into the alleged conduct is actually not subject to the FCRA.
We still encourage employer organizations to work through the specific circumstances in these cases with counsel to be doubly sure that the investigation is performed in a way that bypasses FCRA requirements.
Most of us have rented an apartment at some point in our lives. Remember consenting to a background check within your application? Almost without exception, when an individual applies to rent an apartment, a consumer report is procured by the landlord or rental agency to ensure they are not exposed to the risk of non-payment, criminal activity on the premises, or other less-than-ideal scenarios.
This use of people data, while not explicitly carved out as its own Permissible Purpose under the FCRA, is, without a doubt, regulated by the FCRA. Even individuals who own properties and rent them out in their personal capacity without the assistance of an agency will be subject to FCRA requirements if they procure people data and use that data to inform their decision on whether to rent the property, whether to increase the list price of the rental, and whether to impose additional restrictions on the rental.
So if you’re a property owner who loves to make some extra cash on renting out that property, and you’re evaluating people data to inform your decisions on rental specifics, you should take the time to research the FCRA. You have obligations, including disclosure and authorization, and adverse action notices, under this permissible purpose. In addition, you may be subject to local fair chance housing laws!
Anyone with a car or mortgage has had the “honor and privilege” of working with insurers. Many of us may have had the experience of receiving adverse action notifications from these insurers to explain why a rate is higher than what is standardly offered, or why we were denied as a client.
This is because the use of people data to inform whether to underwrite insurance for a consumer, and the terms of that offer, is a clearly defined Permissible Purpose under the FCRA. All highly rated insurance companies are aware of this and compliance is robustly built into their operations and communication frameworks.
Perhaps the most nebulous Permissible Purpose under the FCRA is “written instructions of the consumer to whom the report relates.” There’s not a large body of case law or guidance that specifically capture what exactly this category entails, but that’s also why it’s an important to be aware of this Permissible Purpose.
Broadly speaking, if an individual provides instructions in writing (email, electronic consent via a terms of service, on a form, etc.) for a third party to procure a consumer report on him/her/them, the FCRA may be triggered. This is an especially important category for online platforms and service providers to explore with legal counsel.
Risk and reputation-based platforms that use scoring or categorize individual consumers into risk categories, and then either use that information internally or communicate that information to another entity must be careful that they are not unintentionally triggering the FCRA by having their users directly or indirectly consent to procurement of their people data.
We could spend an entire blog discussing this very broad Permissible Purpose in more detail, but the takeaway here is that this is a potential minefield that must be explored with the assistance of counsel.
While there are lots of nuances to the Fair Credit Reporting Act, hopefully you now have a clearer sense of the four main FCRA use cases or “Permissible Purposes” to better understand if your use of people data falls under the Fair Credit Reporting Act.
Seeking people data? Reach out to us to see if our extensive suite of people data products fits your needs.