On October 24, 2024, the federal Consumer Financial Protection Bureau (CFPB) published a circular articulating its position that the Fair Credit Reporting Act (FCRA) applies to entities that offer workplace tracking technology, including AI algorithmic scores, as well as to the employers who use that information when making employment-related decisions.
The circular is prompted by CFPB’s [1] observation that “technological advances have resulted in a rapid increase in the monitoring of workers across many sectors,” and that “third-party technology companies . . . have made it easier and more cost effective to track, assess, and evaluate workers.”
The range of services offered by those companies (referred to herein collectively as “technology companies”), the CFPB notes, includes services that “record current workers’ activities, personal habits and attributes, and even their biometric information.”
Notably, the Federal Trade Commission (FTC) did not join this circular, and it is unclear, at least at this time, if the FTC shares the CFPB’s view.
The FCRA defines the term “consumer reporting agency” in relevant part as:
[A]ny person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports. [2]
The FCRA’s definition of “consumer reporting agency” has historically been interpreted to apply to credit reporting agencies as well as to vendors that compile background check reports for employers.
The CFPB’s circular extends that definition to untraditional “assemblers” of consumer information. For example, the CFPB advises that entities that “collect information from employers about workers’ collective bargaining activity, or job performance, and then sell it to other employers to make hiring decisions,” would qualify as FCRA-governed consumer reporting agencies. The CFPB’s conclusion also applies to any “entity [that] collects consumer data in order to train an algorithm that produces scores or other assessments about workers for employers.”
In reaching this conclusion, the CFPB’s circular, in a footnote, asserts its disagreement with guidance issued by the FTC in 2011 regarding the FCRA’s applicability to software. Specifically, in 2011, the FTC stated that “a seller of a software package that enables the purchaser to perform that task itself is not ‘assembling or evaluating’ the information and is thus not a CRA.” [3] In the circular, the CFPB distinguishes the inactive role played by software developers in 2011 with the “more active role” played by “software developers today,” who according to the circular provide “ongoing services to clients, such as by performing ongoing maintenance of the software, or by licensing services to clients instead of selling software as a point-in-time product.”
With this footnote, the CFPB seeks to bring under the ambit of the FCRA various companies that have historically not be subject to the CFPB’s authority.
The FCRA imposes a number of obligations on consumer reporting agencies, such as the obligation to ensure the accuracy and completeness of the information they supply to third parties and to investigate disputed information. Entities that assemble or evaluate worker data for employers, as well as software developers who license software to employers, should assess whether the tools and technologies they furnish implicate the FCRA.
The CFPB’s circular warns employers that their use of third-party monitoring tools and technologies for any “employment purpose” [4] may trigger their obligations under the FCRA, which apply both before and after a consumer report is requested.
Specifically, before requesting a report for “employment purposes,” employers must “clearly and conspicuously” disclose their intention to do and obtain the consumer’s written authorization. Then, if the consumer report contains information that may result in an adverse employment action, employers must comply with the law’s pre-adverse action [5] and final adverse action notification requirements. [6] In a footnote, the CFPB acknowledges that information used in connection with a suspected violation of written policy or law by a current employee is exempt from the FCRA and thus beyond the scope of the circular. [7]
The CFPB advises employers to ask themselves two “key questions” to determine whether the technology they are relying on to make employment decisions falls within the scope of the FCRA:
In terms of the first question, employers can assume that if the information or data an employer gathers has the potential to impact a hiring, assignment, or retention decision, then the purpose for the employer’s use qualifies as an “employment purpose.” This conclusion remains the same even if the information gathered plays a minor role in the employer’s overall assessment of an applicant or employee.
Importantly, the FTC and CFPB have historically ascribed a broader definition to the term “employment purposes” and have previously concluded that the term should “apply to situations where an entity uses individuals who are not technically employees to perform duties,” such as independent contractors, contingent staff, and volunteers. [8] The CFPB’s circular does not depart from that guidance, and the circular tellingly refers to “workers” generally, as opposed to “applicants” or “employees.” [9] Thus, if employers use tracking or monitoring technology on non-employee populations, they should be mindful of the potential FCRA risks associated with doing so.
As noted above, the CFPB’s circular extends the definition of “consumer reporting agency” to nontraditional “assemblers” of consumer information. By broadening this definition, the CFPB’s circular seeks to change the regulatory landscape for employers whose FCRA compliance efforts have been focused on “traditional” consumer reports, like pre- and post-hire background checks.
However, without a parallel, consistent statement from the FTC adopting the circular’s view and rejecting the FTC’s prior guidance, the reach of the circular to employers and companies offering technology is uncertain. The “circular,” which the CFPB issued without notice and comment rulemaking, also lacks the force of law and could easily be rescinded by new agency leadership.
The CFPB’s circular is a warning to employers using tracking technology, AI, or software to evaluate or assess “workers” for employment-related purposes, as well as the entities that furnish that technology. Employers and technology companies should continue to monitor the views of new CFPB and FTC leadership on the scope of the FCRA in the coming year.
Adopting procedures that are inconsistent with the circular nevertheless risks private litigation exposure for employers and technology companies. Willful violations of the FCRA expose defendants to statutory damages ranging from $100 to $1,000 per violation (i.e., per every employee impacted by the violation), punitive damages, and attorney’s fees and costs. Because applicants and employees are often impacted by an alleged FCRA violation uniformly, FCRA claims are uniquely amenable to class litigation and can create considerable monetary exposure for defendants.
The increased use of AI and machine-learning in the workplace has been accompanied by increased government oversight, as well as scrutiny and challenges from administrative agencies and the plaintiffs’ bar. For example, we have seen increased legislation at both the federal level (see our May 21, 2024 LawFlash) and local level, including New York and California (see our April 19, 2023 and August 29, 2024 LawFlashes, respectively).
As a result, employers should evaluate their use of AI to understand what AI tools are being used in the workplace, and understand which tools are covered by existing laws to ensure compliance.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
[1] The CFPB was granted rule-making authority over the FCRA in 2010 and shares enforcement authority with the FTC.
[2] See 15 USC § 1681a(f).
[3] See FTC, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations at 12-13, 29 (July 2011).
[4] The term “employment purposes” is defined in the FCRA as for the “purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.”
[5] The pre-adverse action requirement provides that if an employer intends to base an adverse employment action on a consumer report, the employer must provide the consumer with a copy of the consumer report and a copy of the FCRA Summary of Rights before finalizing that adverse decision. 15 USC § 1681b(b)(3). These documents are usually enclosed in a letter or attached to an email that informs the consumer that the report may impact their eligibility for employment. This letter and its enclosures are typically referred to as a “pre-adverse action notice.” The employer must then wait a “reasonable period of time,” which has been interpreted by courts as a minimum of five business days from the date on which the consumer receives the pre-adverse action notice, before finalizing the adverse decision.
[6] If, after five business days, the employer still intends to base an adverse employment action on the consumer report, the employer must send a final adverse action notice that includes specific information regarding the consumer’s rights under the FCRA, such as the right to dispute the accuracy or completeness of the report with the consumer reporting agency. Id. at § 1681m.
[7] Circular n. 9.
[8] See FTC, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations at 32 (July 2011).
[9] Using “worker”—a term not found in the FCRA—instead of terms used by the statute such as “consumers,” “employees,” or “persons” injects uncertainty in a document the agency represents is “intended to promote consistency in approach” regarding the FCRA. The CFPB uses “workers” even when quoting the statute. See n. 21 (“The FCRA’s application to both prospective and current workers is confirmed by FCRA section 603(k), which provides that an adverse action under the FCRA includes ‘a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.’” (quoting 15 USC § 1681a(k)(1)(B)(ii)) (emphasis in original)).