The eRulemaking Program

11/12/2024 | Press release | Distributed by Public on 11/12/2024 09:54

Consumer Financial Protection Circular: Background Dossiers and Algorithmic Scores for Hiring, Promotion, and Other Employment Decisions

CONSUMER FINANCIAL PROTECTION BUREAU
12 CFR Chapter X

Consumer Financial Protection Circular 2024-06: Background Dossiers and Algorithmic Scores for Hiring, Promotion, and Other Employment Decisions

AGENCY:

Consumer Financial Protection Bureau.

ACTION:

Consumer financial protection circular.

SUMMARY:

The Consumer Financial Protection Bureau (CFPB) has issued Consumer Financial Protection Circular 2024-06, titled, "Background Dossiers and Algorithmic Scores for Hiring, Promotion, and Other Employment Decisions." In this circular, the CFPB responds to the question, "Can an employer make employment decisions utilizing background dossiers, algorithmic scores, and other third-party consumer reports about workers without adhering to the Fair Credit Reporting Act (FCRA)?"

DATES:

The CFPB released this circular on its website on October 24, 2024.

ADDRESSES:

Enforcers, and the broader public, can provide feedback and comments to [email protected].

FOR FURTHER INFORMATION CONTACT:

George Karithanom, Regulatory Implementation & Guidance Program Analyst, Office of Regulations, at 202-435-7700 or at: https://reginquiries.consumerfinance.gov/. If you require this document in an alternative electronic format, please contact [email protected].

SUPPLEMENTARY INFORMATION:

Question Presented

Can an employer make employment decisions utilizing background dossiers, algorithmic scores, and other third-party consumer reports about workers without adhering to the Fair Credit Reporting Act (FCRA)?

Response

No. Similar to credit reports and credit scores used by lenders to make lending decisions, background dossiers (such as those that convey scores about workers) that are obtained from third parties and used by employers to make hiring, promotion, reassignment, or retention decisions are often governed by the FCRA. Many background dossiers that are compiled from databases collecting public records, employment history, collective-bargaining activity, or other information about a worker are "consumer reports" under the FCRA. Other types of consumer reports may include, for example, reports that convey scores assessing a current worker's risk level or performance.

Employers that use consumer reports (both initially when hiring workers and for subsequent employment purposes) must comply with FCRA obligations, including the requirement to obtain a worker's permission to procure a consumer report, the obligation to provide notices before and upon taking adverse actions, and a prohibition on using consumer reports for purposes other than the permissible purposes described in the FCRA.

The third-party providers furnishing these reports are "consumer reporting agencies" regulated by the FCRA, which (among other things) imposes an obligation to follow reasonable procedures to assure maximum possible accuracy, a requirement to disclose information in a worker's file to the worker upon request, and a requirement to investigate worker disputes alleging inaccuracies.

Consumer Reports for Employment Purposes

Similar to how credit reports and credit scores are commonly used by lenders, employers commonly purchase consumer reports to make employment decisions about workers. The most traditional form of consumer report in use in the United States for employment purposes is a background dossier that checks a worker's public records, including criminal history.

Recent technological advances have resulted in a rapid increase in the monitoring of workers across many sectors. (1) This has been compounded by an increase in remote work. Together, these phenomena have resulted in an increase in third-party technology companies that have made it easier and more cost effective to track, assess, and evaluate workers. (2)

Consumer reporting agencies and other background screening companies now offer a range of reports to employers, including those that record current workers' activities, personal habits and attributes, and even their biometric information. For example, some employers now use third parties to monitor workers' sales interactions, to track workers' driving habits, to measure the time that workers take to complete tasks, to record the number of messages workers send and the quantity and duration of meetings they attend, and to calculate workers' time spent off-task through documenting their web browsing, taking screenshots of computers, and measuring keystroke frequency. (3) In some circumstances, this information might be sold by "consumer reporting agencies" to prospective or current employers.

Some companies may analyze worker data  (4) in order to provide reports containing assessments or scores of worker productivity or risk to employers. (5) Today, such scores are used to make automated recommendations or determinations related to worker pay; predict worker behavior, including potential union organizing activity and likelihood that a worker will leave their job; schedule shifts or job responsibilities; or issue warnings or other disciplinary actions. (6)

Analysis

Congress passed the FCRA in response to concerns about companies that assemble detailed dossiers about consumers and sell this information. (7) In doing so, Congress was particularly cognizant of the impact of so-called "credit reporting" on consumers' employment. Indeed, the Senate Report accompanying the bill that would be enacted as the FCRA noted in particular how "a consumer's future employment career could be jeopardized because of an incomplete credit report."  (8) To address those concerns, the FCRA regulates information in the form of "consumer reports," a term defined to include "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for" certain purposes, including "employment purposes."  (9)

While all of the general obligations of the FCRA apply to consumer reports provided for employment purposes, there are a few additional obligations that apply only to this kind of consumer report. For example, section 604(b) includes additional requirements when a consumer report is used for employment purposes, including a requirement to get permission from the worker. (10) It also generally requires employers to provide notice to workers and a copy of their report before taking adverse action. (11) In addition, upon request by a worker, "consumer reporting agencies" must disclose the identity of anyone who has used a consumer report for employment purposes in the two-year period preceding the date the request is made, which is longer than the one-year period used for other purposes. (12) And "consumer reporting agencies" must follow certain procedures when reporting public record information for employment purposes. (13)

Beyond the obligations that apply only to consumer reports used for employment purposes, the FCRA's general obligations also provide important protections for workers. Among other things, the FCRA provides workers the right to know what is in their file at a "consumer reporting agency" and dispute incomplete or inaccurate information, (14) requires such entities, in response to a consumer's dispute, to correct or delete inaccurate, incomplete, or unverifiable information, (15) and generally prohibits reporting of outdated negative information. (16) In addition to requiring that most employers give workers notice before taking an adverse action, the FCRA also generally requires that any person taking adverse action based on a consumer report provide notice to the consumer upon taking the adverse action. (17) Finally, the FCRA strictly limits "consumer reporting agencies" to providing consumer reports only for certain specified permissible purposes. (18) That means the background screener could not share consumer reports containing workers' data with employers or others, absent a FCRA permissible purpose. (19)

When looking at whether an employer that makes employment decisions based on a report from a third party is regulated by the FCRA, enforcers should consider two key questions:

1. Does the employer's use of data qualify as a use for "employment purposes" under the FCRA?

2. Is the report obtained from a "consumer reporting agency," meaning that the report-maker "assembled" or "evaluated" consumer information to produce the report?

On the first question, the FCRA defines "employment purposes" to mean "a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee." (20) The FCRA thus applies both to information used for the purpose of evaluating a consumer for employment initially, and to information used for ongoing employment purposes, i.e., promotion, reassignment, or retention. (21)

On the second question, a third party could be a "consumer reporting agency" that assembles or evaluates consumer information if they collect consumer information in order to furnish reports to employers. (22) A company that employers use to help make employment decisions could meet this standard in a number of ways. For example, similar to a "nationwide consumer reporting agency," like Equifax, Experian, or TransUnion, some companies collect consumer data from third parties for dissemination to employers in background reports. Traditional background screening companies "assemble" or "evaluate" information about workers, often from public sources, such as criminal history records. Other firms might collect information from employers about workers' collective bargaining activity, or job performance, and then sell it to other employers to make hiring decisions.

In addition, an entity could "assemble" or "evaluate" consumer information within the meaning of the term "consumer reporting agency" if the entity collects consumer data in order to train an algorithm that produces scores or other assessments about workers for employers. For example, the developer of a phone app that monitors a transportation worker's driving activity and provides driving scores to companies for employment purposes could "assemble" or "evaluate" consumer information if the developer obtains or uses data from sources other than an employer receiving the report, including from other employer-customers or public data sources, to generate the scores. (23)

Not all third parties that assemble or evaluate data will qualify as "consumer reporting agencies." For example, section 603(d)(2)(A)(i) of the FCRA excludes from the definition of "consumer report" any "report containing information solely as to transactions or experiences between the consumer and the person making the report." But this exception applies only to reports containing information solely about transactions or experiences between the consumer and the report-maker. The exception by its own terms does not apply to a report containing information not about transactions or experiences between the report-maker and the consumer, such as when the report includes algorithmic scores, as described above.

About Consumer Financial Protection Circulars

Consumer Financial Protection Circulars are intended to promote consistency in approach across the various enforcement agencies and parties, pursuant to the CFPB's statutory objective to ensure Federal consumer financial law is enforced consistently. 12 U.S.C. 5511(b)(4).

Consumer Financial Protection Circulars are also intended to provide transparency to partner agencies regarding the CFPB's intended approach when cooperating in enforcement actions. See, e.g., 12 U.S.C. 5552(b) (consultation with CFPB by State attorneys general and regulators); 12 U.S.C. 5562(a) (joint investigatory work between CFPB and other agencies).

Consumer Financial Protection Circulars are general statements of policy under the Administrative Procedure Act. 5 U.S.C. 553(b). They provide background information about applicable law, articulate considerations relevant to the Bureau's exercise of its authorities, and, in the interest of maintaining consistency, advise other parties with authority to enforce Federal consumer financial law. They do not restrict the Bureau's exercise of its authorities, impose any legal requirements on external parties, or create or confer any rights on external parties that could be enforceable in any administrative or civil proceeding. The CFPB Director is instructing CFPB staff as described herein, and the CFPB will then make final decisions on individual matters based on an assessment of the factual record, applicable law, and factors relevant to prosecutorial discretion.

Rohit Chopra,
Director, Consumer Financial Protection Bureau.
[FR Doc. 2024-26099 Filed 11-8-24; 8:45 am]
BILLING CODE 4810-AM-P

Footnotes

(1)  Veena Dubal, On Algorithmic Wage Discrimination, UC San Francisco Research Paper No. Forthcoming (2023) https://papers.ssrn.com/sol3/papers.cfm?abstract_id=4331080 (hereinafter Algorithmic Wage Discrimination); Merve Hickok & Nestor Maslej, A Policy Primer And Roadmap On AI Worker Surveillance And Productivity Scoring Tools (2023) AI Ethics 3, 673-687 (2023) (hereinafter Policy Primer) https://link.springer.com/article/10.1007/s43681-023-00275-8.

(2) Id.

(3) See, e.g., Diego Areas Munhoz, "Robot Bosses" Spur Lawmaker Push to Police AI Job Surveillance, Bloomberg Law (Sept. 8, 2023) https://news.bloomberglaw.com/daily-labor-report/robot-bosses-spur-lawmaker-push-to-police-ai-job-surveillance; Remarks of Benjamin Wiseman at the Harvard Journal of Law & Technology on Worker Surveillance and AI, FTC.gov (Feb. 8, 2024), Jolt-2-8-24-final.pdf (ftc.gov).

(4)  Companies may engage in such analysis by making inferences and determinations about worker behavior and performance using algorithms, or sets of rules in computer programming code for solving a problem or performing a task based on input data. The algorithmic models used may also include "artificial intelligence" or "AI" models, which often develop and train algorithms using "machine learning," which is the process of gathering data and supplying it to the computer program to train the algorithm to find patterns or make predictions. Conventional algorithms and AI models may also set performance goals or other parameters based on external data, for instance, by comparing a worker's output to an industry standard.

(5) See, e.g., Policy Primer; Diego Areas Munhoz, "Robot Bosses" Spur Lawmaker Push to Police AI Job Surveillance, Bloomberg Law (Sept. 8, 2023) https://news.bloomberglaw.com/daily-labor-report/robot-bosses-spur-lawmaker-push-to-police-ai-job-surveillance.

(6) See, e.g., Algorithmic Wage Discrimination; Theara Coleman, The (ongoing) fight against workplace AI surveillance, The Week (Jan. 15, 2024) https://theweek.com/tech/workplace-ai-surveillance.

(7) See generally 115 Cong. Rec. S2410-11 (daily ed. Jan. 31, 1969) (statement of Sen. William Proxmire).

(8)  S. Rep. 91-517, at 4 (1970).

(9)  15 U.S.C. 1681(d)(1)(B). Under the FCRA, the "term 'consumer' means an individual." 15 U.S.C. 1681a(c). Among other things, the FCRA excludes from the definition of "consumer report" certain communications made to employers in connection with investigations of "suspected misconduct relating to employment" or "compliance with Federal, State, or local laws and regulations, the rules of a self-regulatory organization, or any pre-existing written policies of the employer." 15 U.S.C. 1681a(d)(2)(D), (y). This Circular does not focus on such communications.

(10)  15 U.S.C. 1681b(b)(1)-(2). The issue of whether an employer can use dossiers, scores, or other surveillance on workers may also be a topic of negotiation at the individual or collective bargaining level.

(11)  15 U.S.C. 1681b(3)(A). But see 15 U.S.C. 1681b(b)(3)(B)-(C), (4) (exceptions from § 1681b(b)(3)(A) for workers in the transportation industry in certain circumstances and for consumer reports relevant to national security investigations in certain circumstances).

(12)  15 U.S.C. 1681g(a)(3)(A)(i).

(13)  15 U.S.C. 1681k. Subject to an exemption for national security investigations, CRAs that compile and report for employment purposes public record information that is likely to have an adverse effect on a consumer's ability to obtain employment must (1) notify the consumer that the information is being reported and of the name and address of the recipient, or (2) maintain "strict procedures" to ensure that the public record information is complete and up to date. Id.

(14)  15 U.S.C. 1681g(a); 15 U.S.C. 1681i(a)(1).

(15)  15 U.S.C. 1681i(a)(5).

(16)  15 U.S.C. 1681c.

(17)  15 U.S.C. 1681b(b)(3)(A), 1681m(a).

(18) See 15 U.S.C. 1681b(a).

(19)  For example, courts have held that consumer reporting agencies generally cannot furnish consumer reports for targeted marketing. See Trans Union Corp. v. FTC, 81 F.3d 228, 233-34 (D.C. Cir. 1996).

(20)  15 U.S.C. 1681a(h).

(21)  The FCRA's application to both prospective and current workers is confirmed by FCRA section 603(k), which provides that an "adverse action" under FCRA includes "a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee." 15 U.S.C. 1681a(k)(1)(B)(ii) (emphasis added). See also Ernst v. Dish Network, LLC, 49 F. Supp. 3d 377, 383 (S.D.N.Y. 2014) (background report was collected, expected to be used, and used for the employment purposes of "evaluat[ing] [the] Plaintiff for reassignment or retention as an employee").

(22)  The FCRA regulates consumer reports as furnished by "consumer reporting agencies," which it defines as: "any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports." 15 U.S.C. 1681a(f).

(23)  That may be true even when the assessment is performed through a software program licensed to employers, because the software provider furnishes the reports. Federal Trade Commission (FTC) staff opined more than two decades ago that a seller of particular software that allowed users to compile and de-duplicate credit report information from the three major nationwide consumer reporting agencies was not itself a consumer reporting agency, reasoning that the software seller was not "assembling or evaluating" any information itself. FTC Advisory Opinion (Oct. 27, 1997), https://www.ftc.gov/legal-library/browse/advisory-opinions/advisory-opinion-cast-10-27-97; see also FTC, 40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations at 12-13, 29 (July 2011). The FTC's guidance, however, focused on technology that was in existence at the time the guidance was drafted. Significant changes in the software and general technological landscape have taken place in the years since, rendering the FTC's prior guidance inapplicable to many of the kinds of technology used today. For example, software developers today often take a more active role in providing ongoing services to clients, such as by performing ongoing maintenance of the software, or by licensing services to clients instead of selling software as a point-in-time product. Accordingly, a third-party software provider could meet the definition of a consumer reporting agency where it assembles or evaluates consumer information to develop software that produces reports used to evaluate a worker "for employment, promotion, reassignment or retention," or where the software itself assembles or evaluates information about a worker to produce reports used for those purposes. Judicial decisions declining to find software providers to be CRAs are likewise distinguishable. For instance, in Zabriskie v. Fed. Nat'l Mortg. Ass'n, 940 F.3d 1022, 1029 (9th Cir. 2019), the court determined that Fannie Mae did not act as a CRA by licensing a proprietary software that allowed lenders to determine whether their loans met requirements for Fannie Mae to purchase, but relied on reasoning inapplicable to third-party software developers that analyze worker data that companies use for employment purposes. Id. (reasoning that Congress intended to exclude Fannie Mae from the definition of a "consumer reporting agency" and that Fannie Mae did not have the purpose of furnishing consumer reports to a third party, but rather to determine the loans' eligibility for purchase).