Possible Implications of FCRA Actions?

On August 8, 2012, the Federal Trade Commission settled with HireRight Solutions, Inc. (“HireRight”) for failure to comply with certain Fair Credit Reporting Act (“FCRA”) requirements. According to the FTC’s complaint, HireRight provides background reports on current and prospective employees to thousands of employers. These background reports contain public record information, including criminal histories. Employers use these reports to make hiring and benefits-related decisions. The FTC alleged that, because HireRight “regularly sells in interstate commerce information on consumers that it assembles for the purpose of furnishing consumer reports to third parties,” it functioned as a consumer reporting agency as defined by the FCRA. Accordingly, the FTC claimed that HireRight violated FCRA requirements by (1) failing to ensure maximum accuracy of its background reports, specifically noting that some background reports failed to reflect expungement of criminal records or provided obviously erroneous consumer report information (2) failing to provide consumers with access to information in their files and closed dispute investigations without written notice, and (3) failing to follow requirements that background screeners who use public information notify consumers that such information is reported or to ensure the reported information is complete and up-to-date. Despite initial appearances, however, the case has broader geopolitical implications.

For years, the United States has argued that the FCRA is the foundation of a privacy regime aimed at preventing harm to individuals. The FCRA requires consumer reporting agencies to comply with fair information practice principles, such as accuracy, access and correction, and imposes strong penalties for violations. In addition, FTC enforcement actions establish a basis for consumer private rights of action when companies fail to comply with the Act.

Many privacy organizations have repeatedly argued in international settings that the FCRA is a very broad law giving the FTC authority in almost all cases where companies aggregate information for the purpose of substantive decision making. However, many non-U.S. privacy policymakers believe that the FCRA is narrowly focused on preventing harm in credit-related decisions. The FTC’s two employment-related enforcement actions this year (the HireRight and Spokeo cases) make clear that employment is fully covered under the FCRA. By emphasizing the FCRA’s applicability in the employment context, the FTC helps strengthen the case for interoperability between very different privacy regimes. The more FCRA enforcement actions the FTC files against non-traditional consumer reporting agencies, the stronger the U.S. government’s arguments regarding interoperability with respect to information aggregation issues, and the more likely that discussions about interoperability will gain traction.