FTC and EEOC Co-Publish Background Screening Compliance Guide

On March 10, 2014, the U.S. Federal Trade Commission (FTC) and Equal Employment Opportunity Commission (EEOC) co-published two guides to help employers and applicants understand how to implement a legally compliant background screening program. The two documents are titled Background Checks: What Employers Need to Know and Background Checks: What Job Applicants and Employees Should Know. The FTC is in charge of enforcing the Fair Credit Reporting Act (FCRA), a federal law that regulates collection, dissemination, and the use of consumer information. The EEOC enforces Title VII of the Civil Rights Act, which prohibits discrimination by employers on the basis of race, color, religion, sex or national origin.

Both agencies stress that employers get permission from applicants before getting background reports, and must not unlawfully discriminate in the use background checks. The agencies are both tasked with regulating background screening, so they decided to work together on this guidance. The objective of the guidance is that both sides (employers and job applicants) fully comprehend their rights as well as their obligations.

The first guide, Background Checks: What Employers Need to Know, contains instruction for employers on several steps of the background screening process. Both agencies include compliance information at each stage of the process. There is instruction on what to do before you get background information, how to use background information, and the disposal of background information.

The second short guide, Background Checks: What Job Applicants and Employees Should Know, serves to educate applicants and employees on their rights and how to handle a breach of their rights by an employer. The guidance is written in plain terms so as clearly understood by consumers. There is also contact information should an applicant/employee feel their rights have been violated.

You can find the full guide for employers here.

You can find the full guide for applicants and employees here. 

FTC Sends Warning Letters to Background Companies Using Mobile Apps

The Federal Trade Commission (FTC) issued warning letters to several companies that have designed and implemented easy background checks thru mobile devices.  In the letter the FTC states that the apps could violate consumer reporting laws.


The letter states the following:

"Under the FCRA, a company is a consumer reporting agency (CRA) if it assembles or
evaluates information on consumers for the purpose of furnishing consumer reports to third
parties. Consumer reports include information that relates to an individual's character,
reputation or personal characteristics and are used or expected to be used for employment,
housing, credit, or other similar purposes. For example, when companies provide information to
employers regarding current or prospective employee's criminal histories, they are providing
consumer reports because the data involves the individual's character, general reputation, or
personal characteristics. Such companies, therefore, are acting as CRAs in this capacity and
must comply with the FCRA. .....

The Commission reserves the right to take action against you based on past or future law
violations; your practices also may be subject to laws enforced by other federal, state, or local
law enforcement agencies. A violation of the FCRA may result in legal action by the FTC, in
which it is entitled to seek injunctive relief and/or monetary penalties of up to $3,500 per
violation."  says the FTC.

"The FTC and EEOC have stepped up efforts to enforce the Fair Credit Reporting Act.  With the adoption of the internet and the amount of data that can be accessed by companies, Credit Reporting Agencies (CRA's) must take additional steps to ensure the accuracy and efficacy of the data they report.   This cannot happen if the companies making these apps aren't reviewing the applicants records to ensure that they are held to the state and federal rules and standards." says Bill Whitford, CEO of S2Verify.

"Although I applaud the technology initiative, there can be steps taken to review the information before it is reported."  ... Bill Whitford

About S2VERIFY:
S2Verify is a leading process innovator in the application of background screening and employment screening technologies to the needs of business and individuals for employee and tenant information that is comprehensive in scope, delivered quickly to key managers, and easy to read, understand and use by authorized personnel. With offices in Atlanta, Chicago and Miami the privately-held company specializes in providing a customizable yet fully integrated, best-in-class set of background screening services that address business and consumer needs either poorly met or not met at all by leading, nationally-branded providers of mass-market background screening solutions

New Class Action Lawsuit against Major Financial Institution for FCRA Violations

A class action case filed against a large financial institution – one of the nation’s top 10 banks – shows once again that legal compliance is a critical part of any background screening program.  The lawsuit was filed on behalf of an employee alleging violations of the federal Fair Credit Reporting Act (FCRA). According to a press release from the Attorneys for the Plaintiff, the lawsuit alleges that the financial institution obtained background checks in violation of the FCRA and failed to provide required notices.  The Plaintiff seeks to represent a class of all of the financial institution’s employees and job applicants for the past three years.

The lawsuit – filed in the United States District Court for the District of Maryland – alleges the financial institution violated the FCRA in two ways:

• First, the lawsuit alleges that the financial institution’s authorization form is flawed. The law imposes strict formatting requirements on companies who do background checks. The Plaintiff alleges that by burying its background check authorization in a job application, including extraneous information, the financial institution violated the FCRA. The FCRA requires that a consumer receive a “clear and conspicuous” disclosure in a document that consists solely of the disclosure that a background report may be obtained for employment purposes. 
• Second, the lawsuit also alleges that the financial institution failed to provide copies of the background reports when it used them to take adverse employment actions, such as refusing to hire an applicant, refusing to promote an employee, or terminating an employee. The FCRA requires employers to provide consumers with copies of their background checks if the employer intends to take adverse action that is based in any part on the background check report, along with a statement of rights prepared by the Federal Trade Commission (FTC), so consumers have an opportunity to contest any information they feel is inaccurate or incomplete.  If the employer proceeds to take adverse action, a second post-adverse action notice is required.

Based on the Attorneys for the Plaintiff’s understanding of the financial institution’s practices, everyone who has applied or worked for the financial institution in the past three years should be eligible to receive statutory damages if the lawsuit succeeds. Additional information about the case can be found at www.nka.com/case/capital-one-fair-credit-reporting-act/

The lawsuit demonstrates that violations of the FCRA can create large potential liability.  Potential class members, including employees and prospective employees, may be entitled to statutory damages of up to $1,000 for each violation in the case of willful non-compliance. Class action lawsuits also create exposure for large awards of attorneys fees and the potential exposure to punitive damages.  A United States Supreme Court case decided in June 2007, Safeco Ins. Co. v. Burr, substantially increased the risk of punitive damages under the FCRA by ruling that a reckless disregard of the FCRA could be sufficient to show “willful” non-compliance.

Social Network Service Facebook Settles FTC Charges over Privacy Practices

According to a news release on the Federal Trade Commission (FTC) website, social network service Facebook has agreed to settle FTC charges of failing to keep promises of privacy after the company “deceived consumers by telling them they could keep their information on Facebook private and then repeatedly allowing it to be shared and made public.” The FTC’s eight-count complaint against Facebook – part of the agency’s ongoing effort to ensure companies live up to the privacy promises they make to American consumers – charged that the claims that Facebook made “were unfair and deceptive and thus violated federal law.”

The FTC complaint against Facebook – available at http://www.ftc.gov/os/caselist/0923184/111129facebookcmpt.pdf – listed a number of instances in which Facebook allegedly made promises that it did not keep:

• Facebook changed its website in December 2009 without warning users or getting their approval in advance so information some users designated as private – such as their Friends List – was made public.
• Facebook represented that third-party applications (“apps”) installed by users would only have access to user information they needed to operate when, in fact, the apps could access nearly all of the personal data of users.
• Facebook told users they could restrict sharing of data to limited audiences such as “Friends Only” when, in fact, selecting “Friends Only” did not prevent information from being shared with third-party apps used by friends.
• Facebook claimed its “Verified Apps” program certified the security of participating apps when it did not.
• Facebook promised users that it would not share their personal information with advertisers but it did.
• Facebook claimed that photos and videos of users who deactivated or deleted their accounts would be inaccessible but they remained accessible.
• Facebook claimed it complied with the United States – European Union (EU) Safe Harbor Framework that governs data transfer between the U.S. and EU but it did not.

As part of the proposed settlement, Facebook – the world’s largest online community with an estimated 800 million active users worldwide –  is required to take several steps to make sure the company keeps the privacy promises it makes to hundreds of millions of users in the future, including giving users clear and prominent notice and obtaining the express consent of users before their information is shared beyond the privacy settings they have established. More specifically, under the proposed settlement, Facebook is:

• Barred from making misrepresentations about the privacy or security of the personal information of consumers;
• Required to prevent anyone from accessing a user’s material more than thirty (30) days after the user has deleted his or her account;
• Required to establish and maintain a comprehensive privacy program designed to address privacy risks and to protect the privacy and confidentiality of consumers’ information; and
• Required to obtain periodic assessments of its privacy practices by independent, third-party auditors for the next 20 years to ensure that the privacy of consumers’ information is protected.

The Federal Trade Commission – the federal agency that works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them – will monitor compliance with its order under standard record keeping provisions contained in the proposed order.

In a November 29, 2011 post on The Facebook Blog, Facebook’s founder and CEO Mark Zuckerberg wrote that while overall the company had “a good history of providing transparency and control over who can see your information” he admitted that “a small number of high profile mistakes” such as “poor execution as we transitioned our privacy model two years ago” may have overshadowed much of the social network’s good work. He also wrote in depth about the issues concerning the privacy of personal information online:

I also understand that many people are just naturally skeptical of what it means for hundreds of millions of people to share so much personal information online, especially using any one service.  Even if our record on privacy were perfect, I think many people would still rightfully question how their information was protected. It’s important for people to think about this, and not one day goes by when I don’t think about what it means for us to be the stewards of this community and their trust.
Facebook has always been committed to being transparent about the information you have stored with us – and we have led the internet in building tools to give people the ability to see and control what they share. 

But we can also always do better. I’m committed to making Facebook the leader in transparency and control around privacy.

As we have grown, we have tried our best to listen closely to the people who use Facebook. We also work with regulators, advocates and experts to inform our privacy practices and policies. Recently, the US Federal Trade Commission established agreements with Google and Twitter that are helping to shape new privacy standards for our industry. Today, the FTC announced a similar agreement with Facebook. These agreements create a framework for how companies should approach privacy in the United States and around the world.

Later on in his post, Zuckerberg addressed specific FTC charges relating to Facebook:

Even before the agreement announced by the FTC today, Facebook had already proactively addressed many of the concerns the FTC raised. For example, their complaint to us mentioned our Verified Apps Program, which we canceled almost two years ago in December 2009. The same complaint also mentions cases where advertisers inadvertently received the ID numbers of some users in referrer URLs. We fixed that problem over a year ago in May 2010.

In addition to these product changes, the FTC also recommended improvements to our internal processes. We’ve embraced these ideas, too, by agreeing to improve and formalize the way we do privacy review as part of our ongoing product development process. As part of this, we will establish a biannual independent audit of our privacy practices to ensure we’re living up to the commitments we make.


Regarding the settlement with the FTC, Zuckerberg wrote that he looked forward “to working with the Commission as we implement this agreement” which he hoped would make clear that “Facebook is the leader when it comes to offering people control over the information they share online.” The post is available at https://blog.facebook.com/blog.php?post=10150378701937131.

FTC Issues Report: "Forty Years of Experience with the Fair Credit Reporting Act"

The Federal Trade Commission today issued a staff report, that compiles and updates the agency’s guidance on the Fair Credit Reporting Act (FCRA), the 1970 law designed to protect the privacy of credit report information and ensure that the information supplied by credit reporting agencies is as accurate as possible. A credit report contains information about a consumer’s personal and credit characteristics, character, and general reputation and is used to make credit, employment, insurance and other decisions.

"The employment screening rules and regulations continue to change and this will have an impact on our industry" says Bill Whitford, CEO of S2verify, LLC.

The new staff report, entitled “Forty Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report and Summary of Interpretations,” provides a brief overview of the FTC’s role in enforcing and interpreting the FCRA and includes a section-by-section summary of the agency’s interpretations of the Act.

The FTC is also withdrawing the agency’s 1990 Commentary on the FCRA, which has become partially obsolete since it was issued 21 years ago. The 1990 Commentary was comprised of a series of FTC statements about how it would enforce the various provisions of the FCRA. Since 1990, the FRCA has been updated several times, most significantly by the Consumer Credit Reporting Reform Act of 1996 and the Fair and Accurate Credit Transactions Act of 2003, known as the FACT Act. Both updates expanded the provisions of the FCRA.

The new staff report deletes several FTC interpretations in the 1990 Commentary that have since been repealed, amended, or have become obsolete or outdated. It also modifies some interpretations in the 1990 Commentary, and adds several interpretations reflecting changes that Congress has made to the FCRA over the years, rules issued by the FTC and other agencies under the FACT Act, statements in numerous staff opinion letters, and the staff’s experience from significant enforcement actions.

Recent legislation has transferred the authority to issue interpretive guidance under the FCRA to the Consumer Financial Protection Bureau (CFP. Withdrawing the 1990 Commentary now will ensure that this obsolete document does not transfer to the CFPB.


The Commission vote approving the staff report on the FCRA and withdrawing the 1990 Commentary was 5-0. The report and Federal Register notice can be found on the FTC’s website and as links to this press release. More information for consumers about the FRCA can be found here.

Company Settles "Class Action Lawsuit" for $4.3 million

The company failed to follow the Fair Credit Reporting Act (FCRA) by first obtaining written consent to conduct background checks and second they failed to offer the applicants a copy of their report or the Credit Reporting Agency's (CRA) contact information to obtain a copy.

The proposed settlement would pay the worker that was terminated because of a background check between $2,000 and $4,000 each.

This company was a subcontractor to a large metropolitan school district and provided transportation for children. 

Maybe it is time for you to reevaluate how you perform your employment screening, your consent, and how you notify your applicants of the outcome.  In addition, you should understand what your current CRA is providing and how it is impacted by the FCRA and State Laws.

Recently, we were preparing a consent for a new client.  After reviewing several Fortune 500 companies existing consents, we found NONE of them were in compliance with both the FCRA and the state regulations.  

Companies need to understand that these types of lawsuits and actions by the Federal Trade Commission over violations of the FCRA and state regulations will continue.