Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

CFPB provides guidance on employer responsibilities and surveillance under the FCRA

Federal Issues CFPB Consumer Finance Credit Reporting FCRA Privacy, Cyber Risk & Data Security

Federal Issues

On October 24, the CFPB published Consumer Financial Protection Circular 2024-06, providing guidance on the use of background dossiers, algorithmic scores, and other third-party consumer reports by employers in making employment decisions. The Bureau’s circular confirmed that such practices would be subject to the FCRA. The circular highlighted that background dossiers, which may include data from public records, employment history, collective-bargaining activity and other personal information about workers would be considered “consumer reports” under the FCRA. This also extends to reports on a worker’s risk level or performance.

The circular outlined several FCRA requirements that employers must follow when using consumer reports. For example, employers must obtain a worker’s permission before procuring a consumer report and provide notices before and upon taking any adverse actions based on the report. Additionally, employers are prohibited from using consumer reports for purposes other than those permissible under the FCRA.

The Bureau detailed the obligations of consumer reporting agencies which furnish these reports. These agencies must follow “reasonable procedures to assure maximum possible accuracy” of the information, disclose information in a worker’s file upon request, and investigate disputes alleging inaccuracies. Furthermore, the circular highlighted that these obligations apply, not only to initial hiring decisions, but also to ongoing employment evaluations.

The CFPB further addressed how it observed an increase in the monitoring and evaluation of workers, particularly in the era or remote work, facilitated by third-party technology companies. As described by the Bureau, such companies offer reports that may include monitoring workers’ activities and habits — including recording the number of messages workers send, the quantity and duration of meetings they attend, and workers’ time spent off-task through documenting their web browsing — as well as biometric information. Such data can be used to generate scores or assessments about worker productivity or risk, which employers may use to make automated recommendations or determinations related to pay, behavior, scheduling or disciplinary actions.

The CFPB emphasized that the FCRA’s obligations provide important protections for workers, including the right to know what is in their file at a consumer reporting agency, the ability to dispute incomplete or inaccurate information, and the prohibition of reporting outdated negative information. The circular also highlighted that consumer reporting agencies are limited in providing consumer reports only for “specified permissible purposes,” and they cannot share workers’ data with employers or others without a permissible purpose under the FCRA.