Data may well be the asset of the 21st century, but selling access to certain data about individuals may raise the risk of attracting unwanted attention from both regulators1 and class action litigants. As organizations collect more types of data about consumers, they are more likely to have data that may constitute “consumer report” data under the Fair Credit Reporting Act (FCRA).2 Organizations that try to monetize such data by selling access to consumer profiles can easily run afoul of the FCRA.
This article discusses recent Federal Trade Commission (FTC) enforcement actions against two background check companies that allegedly failed to avoid the FCRA trip wires and face a combined $1.5 million in fines.3 The FTC aggressively enforces the FCRA and violations commonly occur due to a failure to create and implement adequate policies and procedures. This article also explains how the U.S. Supreme Court may review the Ninth Circuit’s recent decision to join other federal appellate courts in making FCRA class action lawsuits easier to bring for plaintiffs. Given the appellate courts’ interpretations of the FCRA, plaintiffs likely will increasingly make FCRA claims in an effort to obtain compensation for alleged general privacy violations. Any organization that sells access to data profiles about individuals is advised to determine whether it must comply with the FCRA and, if necessary, implement policies and procedures that meet the FCRA’s requirements.
Fair Credit Reporting Act
Under the FCRA, a company is a “consumer reporting agency” (CRA) and has certain obligations if it assembles or evaluates information about individuals for the purpose of selling “consumer reports” to third parties.4
“Consumer Reports.” There are two requirements that must be met before information constitutes a credit report.5 First, the information must contain certain categories of data, i.e., data relating to credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. Second, the information must be used for the particular purpose of establishing eligibility for employment, housing, credit, or insurance, or other similar purposes. Therefore, to determine whether information constitutes a credit report, one must review the type of information and the use of the information.
Possible Consumer Reports in the Employment Context. The FCRA defines a consumer report used for “employment purposes” as “a report used for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.”6 Regulators and courts may conclude that consumer reports include employment screening reports about the prior work experience of job applicants, information in employment records, and information about education and licenses.7
CRAs’ Obligations Under the FCRA. The FCRA imposes several obligations on CRAs. Generally, a CRA must have procedures in place to ensure that it provides the information in a consumer report only to permitted third parties.8 For example, a CRA may provide a consumer report pursuant to a valid legal request, with a consumer’s consent, or to a third party that intends to use the information in connection with a credit transaction, employment, insurance underwriting, license eligibility, or other legitimate business related to a transaction initiated by the consumer.9 The FCRA requires a CRA to follow reasonable procedures to ensure the maximum possible accuracy of the information it provides in a consumer report and follow certain procedures for responding to a consumer’s dispute over the accuracy of such information.10 A CRA must also ensure that certain information is not included in a consumer report, e.g., old civil and criminal court records and other adverse items.11 Finally, a CRA must provide notice to any furnishers of information contained in the consumer report and any recipient of the report about their responsibilities under the FCRA.12
FCRA Obligations when CRAs Provide Consumer Reports for Employment Purposes. A CRA may provide consumer reports for employment purposes only to a third party that provides proper disclosures and obtains consent from the consumer about whom the information pertains. The third party must also certify that it will not use the information in violation of equal employment opportunity laws.13 The FCRA requires that when a consumer report contains negative public-record information, the CRA must provide notice to the consumer at the time of providing notice to a third party and maintain procedures to keep such public-record information up to date.14
Potential Consequences of Noncompliance. Federal and state regulators may bring actions against alleged FCRA violators.15 A consumer may also sue a CRA for willful or negligent noncompliance with the FCRA. For willful noncompliance, the FCRA states:16
Any person who willfully fails to comply with any requirement imposed under [the FCRA] with respect to any consumer is liable to that consumer in an amount equal to the sum of—
(1)(A) any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000; . . ..17
Recent Federal Trade Commission Enforcement Actions
The FTC regularly investigates organizations that it considers to be CRAs when they do not seem to follow procedures to provide the proper notices, perform necessary diligence on data recipients, or perform required diligence to ensure the consumer report data is accurate.
Two Alleged CRAs. According to the FTC’s complaint, InfoTrack sold background screening reports containing public information to employers so they could make decisions about hiring and other employment-related issues. Similarly, the FTC alleged that Instant Checkmate sold background reports pulled from public records and advertised them for use to establish a person’s eligibility for employment or housing. As such, the FTC concluded that InfoTrack and Instant Checkmate were CRAs that provided consumer reports to their customers and had FCRA obligations.
Alleged Noncompliant Practices. Both InfoTrack and Instant Checkmate allegedly knowingly failed to follow FCRA-compliant procedures in a way that constituted a pattern or practice. The complaint stated that Instant Checkmate failed to perform diligence on the recipients of the reports to ensure the recipients took reasonable steps to identify themselves to Instant Checkmate, certified the purpose for which the information was sought, and certified that the information would be used for no other purpose. Instant Checkmate allegedly furnished the reports to recipients who did not have a proper purpose. The FTC alleged that InfoTrack and Instant Checkmate failed to follow reasonable procedures to ensure the maximum possible accuracy of consumer report information. Both InfoTrack and Instant Checkmate also allegedly failed to provide notice to the recipients of the reports that stated their responsibilities under the FCRA. Moreover, InfoTrack did not provide required data furnisher notices to the third parties from whom it received information, and it did not notify consumers that public-record information about them was provided to employers, according to the complaint.
Given the knowing FCRA violations, the financial penalties are potentially higher. Both defendants agreed to significant financial judgments: $1 million for InfoTrack and $525,000 for Instant Checkmate. The defendants also agreed not to violate certain FCRA requirements or they risk additional penalties under the order.
These enforcement actions highlight the many ways an unwary seller of data can violate the FCRA if it is selling data that could be deemed a consumer report. They also demonstrate the severity of the penalties.
Class Action Against Spokeo
Online data aggregator Spokeo similarly agreed to an FTC consent order for its alleged failure to comply with the FCRA..18 The company also has been involved in a class action lawsuit that may make its way to the U.S. Supreme Court. On May 1, 2014, the company filed a petition for a writ of certiorari in the Supreme Court.19 to review the Ninth Circuit’s decision to join other federal appellate courts to hold that class action claims may be viable under the FCRA without proof of actual damages to the plaintiffs.20 Thus, the FCRA may prove to be attractive for a plaintiffs’ bar looking for ways around the obstacle of difficult-to-prove damages in privacy cases.
Class Action Complaint. The plaintiff filed a class action lawsuit alleging that Spokeo is a CRA that willfully failed to comply with the FCRA. He claimed that despite the notices on its website, Spokeo marketed its services to human resource professionals and persons and entities performing background checks. In particular, he alleged that Spokeo failed to provide required notices to furnishers and recipients about their FCRA obligations. Further, the plaintiff alleged that Spokeo failed to ensure that the information provided to recipients was accurate and that the recipients complied with their FCRA disclosure obligations. He alleged that the inaccurate information provided on Spokeo’s website “will affect his ability to obtain credit, employment, insurance, and the like,” particularly because “he is currently out of work and seeking employment.”
Trial Court Dismisses the Case. As in many other privacy cases, the trial court dismissed both the complaint and the amended complaint on the grounds that the plaintiff failed to meet Article III standing requirements when he did not adequately allege an injury-in-fact. The trial court concluded that the plaintiff’s concern that the information on the Spokeo website could affect his employment prospects was not an actual or imminent harm adequate to constitute an injury-in-fact. In a rare occurrence, the trial court first concluded that the plaintiff had adequately met the standing requirements in the amended complaint, but subsequently reversed itself and dismissed the case. The indecision of the trial court exemplifies courts’ challenges with standing in privacy cases. Courts have been struggling with and inconsistently analyzing the standing issue in privacy cases where the harm to the plaintiff is unclear.
Ninth Circuit Reverses Trial Court and Rules the Lawsuit May Continue. The Ninth Circuit reversed the trial court and concluded that the plaintiff has standing under the FCRA due to the act’s peculiar wording.21 Normally, for plaintiffs to meet standing requirements, they must adequately allege an injury-in-fact that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”22 As discussed in a prior article, the United States Supreme Court recently seemed to make meeting the injury-in-fact threshold more difficult.23 Under the Ninth Circuit’s holding in this case, however, standing has become a much easier threshold to cross in FCRA cases.
Ninth Circuit Holds That No Actual Damages Are Necessary to Sue Under the FCRA in Certain Circumstances. According to the Ninth Circuit, the FCRA does not require a showing of actual harm when a plaintiff sues for willful violations. The Ninth Circuit interpreted the damages portion of the statute such that a consumer can sue for (1) actual damages or (2) damages between $100 and $1,000 when a defendant willfully violates the FCRA. The Ninth Circuit concluded that the FCRA created a private cause of action for consumers to enforce their statutory rights, and a willful violation of those rights is a sufficient injury-in-fact to confer standing. Thus, plaintiffs have standing even without suffering actual damages as long as they claim that the defendant willfully violated the FCRA.
The Ninth Circuit’s conclusion seems to be consistent with holdings in the Sixth and Seventh Circuits where those courts also allowed class action lawsuits to continue without sufficient allegations of actual damages when the plaintiffs alleged that the defendants willfully violated the FCRA.24 Now, the U.S. Supreme Court will have an opportunity to weigh in.25
Is Your Organization a CRA and Does It Provide Consumer Reports? The FCRA risk has increased for organizations that gather and sell access to data about individuals. If your organization sells consumer data, now is a good time to assess whether it may be a consumer reporting agency under the FCRA. To comply with the FCRA, your organization will need to implement policies and procedures that govern how it collects consumer data, provides consumer report data, and provides notice to the data subjects, data furnishers, and data recipients. Failure to correctly determine whether FCRA compliance is necessary and to implement required policies and procedures may be costly, as the FTC’s actions show.
Has the Standing Requirement Been Eviscerated in FCRA Class Action Cases? FCRA class action litigation likely will be on the rise. In three circuits, plaintiffs in FCRA cases seem to be able to bypass most of the difficult-to-achieve standing requirements at issue in many privacy cases. Plaintiffs must still allege that their individual statutory rights under the FCRA have been violated and that the claims meet the standards of causation and redressability. However, in the Ninth Circuit, at least, these prongs are usually met by plaintiffs alleging willful violations of the FCRA that directly affect them.
Class Suitability and Merits Arguments Remain. After passing the standing threshold, plaintiffs still must meet class certification requirements. Moreover, meeting standing requirements does not factor into the assessment of whether a defendant actually violated the FCRA. Therefore, defendants may have valid legal arguments to make on the merits. Defendants can argue that they are not CRAs and that they do not provide consumer reports. They can also argue that they did not “willfully” violate the FCRA. However, defending cases on the merits is expensive, and many class action cases settle after a defendant loses on the motion to dismiss. Therefore, the number of class action litigants alleging FCRA violations likely will increase.
Does the Same Legal Conclusion Apply to Violations of Other Privacy Laws? The FCRA language granting individuals damages even without allegations of actual harm is uncommon. Normally, tort claims and alleged statutory violations require allegations of actual harm to meet standing requirements. Therefore, courts likely will continue to dismiss most privacy cases where plaintiffs do not adequately allege actual harm. However, enterprising plaintiffs will undoubtedly allege FCRA violations when possible to take advantage of the diminished standing threshold.
To alleviate FCRA-related risk, organizations that sell consumer data are advised to assess whether they may be considered consumer reporting agencies under the FCRA. If the organization believes it may be a CRA, it can implement the policies and procedures necessary to ensure compliance with the FCRA.
1 Eye on Privacy, “Policing Privacy: Undercover FTC Staff ‘Test-Shop’ Data Brokers to Identify FCRA Violators” (Sept. 2013), available at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/Sep2013/index.html#5.
2 15 U.S.C. § 1681 et seq.
3 United States v. Instant Checkmate, Inc., No. 14CV0675H (S.D.Cal. March 28, 2014); United States v. InfoTrack Information Services, Inc., No. 14-cv-2054 (N.D.Ill. March 25, 2014). This follows a January 2014 enforcement action against TeleCheck Services, Inc. that carried a $3.5 million fine.
4 15 U.S.C. § 1681a (f).
5 15 U.S.C. § 1681a (d).
6 15 U.S.C. § 1681a (h).
7 Federal Trade Commission, “40 Years of Experience with the Fair Credit Reporting Act: An FTC Staff Report with Summary of Interpretations,” available at http://www.ftc.gov/os/2011/07/110720fcrareport.pdf.
8 15 U.S.C. § 1681e.
9 15 U.S.C. § 1681b.
10 15 U.S.C. § 1681b, I.
11 15 U.S.C. § 1681c.
12 15 U.S.C. § 1681e (d).
13 15 U.S.C. § 1681b.
14 15 U.S.C. § 1681k.
15 15 U.S.C. § 1681s.
16 15 U.S.C. § 1681n, o.
17 15 U.S.C. § 1681n (a)(1)(A).
18 Press Release, Federal Trade Commission, “Spokeo to Pay $800,000 to Settle FTC Charges Company Allegedly Marketed Information to Employers and Recruiters in Violation of FCRA” (June 12, 2012), available at http://www.ftc.gov/opa/2012/06/spokeo.shtm.
19 Petition for Writ of Certiorari, Spokeo, Inc. v. Robins, No. 13-1339 (May 1, 2014).
20 Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. February 4, 2014). See also Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 705-07 (6th Cir. 2009); Murray v. GMAC Mortg. Corp., 434 F.3d 948, 952-43 (7th Cir. 2006).
21 Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. February 4, 2014).
22 Clapper v. Amnesty Int’l USA, 568 U.S. ____, 133 S. Ct. 1138 (2013).; Monsanto Co. v. Geertson Seed Farms, 561 U.S. ___, 130 S.Ct. 2743, 2752 (2010).
23 See our Eye on Privacy article discussing the case, titled “Clapper v. Amnesty International USA: The U.S. Supreme Court Strengthens Defendants’ Shield Against Privacy Class Actions” (May 2013), at http://www.wsgr.com/publications/PDFSearch/eye-on-privacy/May2013/index.html#4.
24 Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 705-07 (6th Cir. 2009) (holding that the FCRA “permits a recovery when there are no identifiable or measurable actual damages” when the information in the defendant’s systems contained allegedly false and negative information about the plaintiff); Murray v. GMAC Mortg. Corp., 434 F.3d 948, 952-43 (7th Cir. 2006) (holding that the FCRA “provide[s] for modest damages without proof of injury”).
25 The U.S. Supreme Court previously declined to hear the similar FCRA case coming out of the Sixth Circuit. The Supreme Court was not asked to hear the FCRA case in the Seventh Circuit.