The federal Fair Credit Reporting Act, 15 USC 1681 et seq, as amended (“FCRA”), is a slight misnomer. While the title of the statute suggests this law applies only to credit-related data, it has a much broader scope – one not always realized by data consumers.
Business entities and people who purchase data on individuals (“people data”) should be aware of what the FCRA is, whether it applies to them, and, if so, how they may consider navigating the compliance complexities of the law.
Below is an overview of the FCRA and considerations that data consumers might find helpful in determining whether their intended use of people data would be regulated under the FCRA.
In the event a business or individual determines, in collaboration with its own legal counsel, that its intended use of people data may fall under the scope of the FCRA, implementing additional operational and compliance safeguards (or auditing current safeguards and data use frameworks) will likely be beneficial prior to the procurement of that data to mitigate noncompliance risk.
Disclaimer: The resources provided here are for educational purposes only and do not constitute legal advice. We advise you to consult your own counsel if you have legal questions related to your specific practices and compliance with applicable laws.
What is the Fair Credit Reporting Act?
The FCRA is a federal consumer protection statute that regulates both providers and users of certain categories of people data when that data is intended to be used for specific purposes.
When both (i) the category of data procured/provided and (ii) the recipient’s intended use of that data fall under the scope of the FCRA, the communication and use of that data may be considered “consumer report” data.
When the “consumer report” criteria under the FCRA are met, the user of the procured data is regulated in various ways under the statute – for good reason!
The intention of the FCRA is to ensure information about individuals is used responsibly and fairly when such use has a meaningful impact on those individuals’ lives.
What categories of data may be regulated under the FCRA?
The FCRA only regulates “information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living.” Under the statute, “Consumer” simply means “an individual”.
This is a very broad scope of information, as many types of data can arguably be considered to bear on an individual’s character, reputation, and mode of living.
Unfortunately, there is not an exhaustive list of what kind of data explicitly falls into these categories, but industry standards suggest the following are within scope:
- Court record data (i.e. criminal and civil records)
- Driving record data
- Credit history
- Tenant/eviction history
- Employment history
- Drug screening results
What use cases may be regulated under the FCRA?
As previously mentioned, using data that falls within the “categorical scope” above does not itself trigger FCRA compliance obligations. Both the categorical criteria and the use case criteria (discussed below) must fall under the FCRA’s purview in order to render the data as regulated data.
When information falling into one or more of the above categories is expected to be used or collected for the purpose of serving as a factor in establishing the consumer’s eligibility for the following reasons, the FCRA may apply to a business’ or individual’s use of that data:
- In connection with the extension of credit to, or review or collection of an account of, an individual, where the credit at issue is used primarily for personal, family, or household purposes.
- In connection with employment purposes (a decision to hire, terminate, or reassign an applicant for employment, employee, volunteer, or independent contractor).
- In connection with the underwriting of insurance to be used primarily for personal, family, or household purposes.
- In connection with a determination of the screened individual’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status.
- As a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation.
- If the user of information otherwise has a legitimate business need for the information:
  - (i) in connection with a business transaction that is initiated by the consumer; or
  - (ii) to review an account to determine whether the consumer continues to meet the terms of the account.
Additionally, if a consumer provides written instructions to another party to procure a consumer report on him/her, the “use case” prong of FCRA applicability is satisfied, and that party’s use of data is likely regulated.
While no single blog post can provide an exhaustive list of what is required for a data consumer’s compliance with the FCRA (the FCRA itself is over 100 pages long!), the following are critical FCRA requirements that should be top-of-mind.
1. Consent to a Background Check
When a background check regulated under the Fair Credit Reporting Act is to be used for employment purposes, the individual who is subject to that background check must provide express consent to the check being performed. The consent must be obtained via a disclosure and authorization process that is prescribed by the statute.
Additionally, some states, like California, have stricter requirements for the language used in such disclosure and authorization. It’s important to discuss this requirement with legal counsel prior to initiating background checks on individuals so that you can implement compliance frameworks that comply not only with the federal law but also any additional state or local laws that apply.
2. Adverse Action
When an FCRA-regulated background check is used by the recipient of that background check in a way that adversely impacts the person screened, this is called adverse action. When adverse action occurs, a notice must be provided to that individual, informing him/her of the adverse impact. Depending on the particular use case, additional information may need to be provided with that notice.
The FCRA has teeth. Not only can state agencies initiate enforcement actions against a business or individual that has non-compliantly procured or used consumer report data, but an individual who is the subject of a regulated background check, or consumer report, has a private right of action under the statute.
This means that the individual can sue a user or provider of consumer report data for actual or statutory damages. Not only can noncompliance lead to a lawsuit or agency enforcement, but it can create reputational damage to a business and lead to operational disruption/distraction.
While Tessera cannot render legal advice to prospects and customers, Tessera prides itself on being a compliance advocate for its customers.
Our sales and legal teams are happy to further discuss any questions or concerns prospects and current customers may have regarding their use of data, and we can provide guidance on industry standards and best practices to inform internal discussions on risk mitigation and compliance.