Jobseekers be wary: the hard-won privacy rights granted to you by federal and state law might not follow you into the digital space.
For forty years, individuals in the United States applying for jobs have held certain protections under the Fair Credit Reporting Act (FCRA). For example, in many circumstances a consumer who is rejected from a job due to information in an employment background check can review the information in that report and petition to have any inaccuracies corrected. 1 These rights are often supplemented by stronger state-level consumer protections, such as California’s Civil Code 1786 which allows a consumer access to her background check report even if she isn’t rejected from the position for which she applied. But as employment background checks move into the digital world—via websites such as Background Record Finder or mobile apps like the recently-released BeenVerified app—will jobseekers be able to maintain their protections?
There are dozens of websites that offer online background checks (Privacy Rights Clearinghouse’s Online Information Brokers list indexes several of them). These services cast a wide net over a consumer’s digital data—gathering up facts from court records, criminal records, driving history, voter registration, and sometimes even elements of one’s credit history. Increasingly, these services are also culling information from the social net—an individual’s Facebook profile, Flickr photos, Twitter stream, and more.
BeenVerified, which offers free and low-cost background checks through a website and recently-released mobile app, has been heralded as a "great tool for small and medium businesses to be able to conduct free, or cost-effective background checks."
But could FCRA as written apply to BeenVerified? It’s uncertain, though there’s definitely the potential - especially if BeenVerified promotes itself as a background-checking service for employers the way Spokeo did. While also uncertain, it’s more likely that BeenVerified would be covered by more stringent consumer protection laws, such as California’s Civil Code 1786, which covers investigative reports done by an employer in-house (instead of using a third-party background checking company). Employers who use these services may risk violating FCRA and other consumer reporting laws.
But these digital background checking companies are using the oldest trick in the book to circumvent the law. They add a little line to their terms of service, such as BeenVerified’s terms, which state:
WE ARE NOT A CREDIT REPORTING AGENCY FOR PURPOSES OF THE FAIR CREDIT REPORTING ACT (“FCRA”). AS SUCH, THE ADDITIONAL PROTECTIONS AFFORDED TO CONSUMERS, AND OBLIGATIONS PLACED UPON CREDIT REPORTING AGENCIES, ARE NOT CONTEMPLATED BY, NOR CONTAINED WITHIN, THESE TERMS AND CONDITIONS.
By merely stating that they can’t be used in ways covered by FCRA (even though they provide services identical to what would be covered by FCRA), BeenVerified attempts to duck the responsibilities imposed upon it by state and federal consumer protection laws. Whether this truly excises any legal responsibility from the reporting service or the employer might be open to debate—and perhaps interpretation by the Federal Trade Commission.2
So where does that leave the consumer? Unless and until the FTC or Congress decides to get involved in the debate, jobseekers probably can’t look to the law to protect their rights in the digital world. For now, we need the market to start self-regulating. Companies like BeenVerified have an opportunity to voluntarily adopt practices that safeguard consumer rights and privacy. This should happen now, without waiting however many years it may take for policymakers and the FTC to decide how they want to handle mobile employment background checks.
Voluntary best practices for online and mobile background checking services should strike a balance between consumer rights and feasibility. The eight OECD Fair Information Practices can provide guidance to these companies as they work to establish policies that safeguard consumer rights in the digital world. But there are a few common-sense, basic privacy safeguards these online and mobile background checking companies should implement right now:
- Allow individuals to look up their own records at no cost and provide a way to correct inaccuracies, in the same way a consumer can correct inaccuracies in a credit report.
- Allow individuals to suppress access to certain sensitive data sets—including current address and phone number—if they have a clear need for address confidentiality. This could include current and former law enforcement officers, public defenders, and judges as well as those enrolled in state address confidentiality programs, like victims of stalking and domestic violence.
- Indicate the original source of any data, so that individuals who discover inaccuracies can also correct the inaccuracies at the source.
- Ensure that data that has been restricted or suppressed is permanently suppressed—so that it does not repopulate the next time the data set is refreshed.
This is merely a start; there are a range of other ways companies like BeenVerified can voluntarily improve consumer rights, improve the accuracy of their data sets, and educate employers about the laws surrounding background checks.
We urge BeenVerified and others in that industry to consider the ramifications to individuals and take steps to safeguard the long-held consumer rights, even if for now it is unclear whether FCRA and similar laws will be enforced on these services. The power of the Internet and new technologies to make information more accessible is no excuse for disregarding the privacy rights of individuals.
- 1. This is only one of the consumer rights under FCRA, and there are a number of important exceptions to these rights that should be understood. Visit Privacy Rights Clearinghouse to learn more about FCRA and background checks. Note that a consumer can also obtain a copy of her consumer report annually from consumer reporting agencies. Learn more.
- 2. The FTC does not have rulemaking authority when it comes to FCRA, so they may be reluctant to take on employer’s use of online data brokers.