Cyber-Screening, Social Media, and Fair Credit Reporting: Why We Need to Move Beyond the FTC’s Recent Spokeo Enforcement Action
As American employees, we are increasingly becoming aware that our current and potential employers are trawling the Internet to look for our social-media activity as a way of judging whether we should be hired or retained. Is that practice legal? As a baseline rule, it is, as long as the current or potential employer does not discriminate on protected grounds, such as race, religion, or gender.
Many companies are turning to private data-collection firms as a way of getting around possible discrimination claims or problems. To do so, they are hiring data brokers or aggregation firms that can collect data and “scrub” it (for example, by removing someone’s race). These companies—much like Experian, TransUnion, or Equifax, which prepare traditional credit reports—are subject to the Fair Credit Reporting Act (FCRA), a federal law that was designed to ensure that the information provided by third parties to employers or creditors is accurate, and that consumers are informed of any adverse decisions that are made about them, based on such information.
Are companies that compile social-media data subject to the FCRA? Until recently, the answer was unclear, but the FTC has now made it clearer. Indeed, the FTC recently imposed an $800,000 fine against one of these social-media-data companies, Spokeo, for its failure to adhere to the FCRA when collecting social-media data and passing it on to prospective employers.
In this column, I will discuss the implications of the FTC’s Spokeo enforcement action, and why it is important. I will also discuss why the collection and use of social-media data is inherently different from the collection of the kind of data that has traditionally been gathered for credit-reporting purposes. This contrast means that policymakers now need to look afresh at the FCRA to see how it does, or does not, adequately address the ways in which social-media data is used to assess consumer and employee behavior.
The FTC Action against Spokeo: A First Look at the FCRA and Social Media
The FCRA was enacted in 1970 to promote accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies (CRAs).
CRAs assemble reports on individuals for businesses that make decisions based on our financial history, including lenders, employers, landlords, and others. The FCRA provides important consumer protections for credit reports, consumer investigatory reports, and employment background checks. The FCRA’s primary protection requires that CRAs follow “reasonable procedures” to protect the confidentiality, accuracy, and relevance of credit information. To ensure that they do so, the FCRA establishes a set of Fair Information Practices for personal information that include a consumer’s rights to data accuracy, limited use of data, and a requirement of notice when data is used to make adverse decisions.
There are three major national CRAs in the United States: Experian, TransUnion, and Equifax. There are also smaller credit-reporting agencies that often provide regional services. And, as we have recently learned, social-media-data-collection companies (also referred to as data brokers) may also qualify as CRAs.
Typically, consumer credit reports contain information on financial accounts, and include credit card balances and mortgage information. In addition to compiling traditional consumer credit reports, new companies are now also creating social-media reports or profiles, which are supplied to employers as part of employment screenings.
The Spokeo FTC Action
On June 12 of this year, the FTC issued a press release announcing that online data broker Spokeo, Inc. would pay $800,000 to settle FTC claims that it had violated the FCRA when it sold personal data about potential employees to prospective employers in order to assist those employers in screening job applicants. This FTC enforcement action is the first to apply the FCRA in a social-media context.
The FTC alleges that from 2008 until 2010, Spokeo marketed employee and potential employee profiles on a subscription basis to human-resources officers and job recruiters as an employment-screening tool. Spokeo collected information about individuals from the Internet and public records in order to create profiles that included contact information, marital status, and age, and, in some cases, more detailed information about hobbies, ethnicity, religion, participation on social networking sites, and photos.
Spokeo offered these composite profiles as a file or dossier that could serve as a factor in a company’s deciding whether to interview or hire a job candidate. Spokeo encouraged recruiters and employers to “Explore Beyond the Resume.”
Consumer reports are broadly defined in the FCRA as information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance; employment purposes; or any other purpose authorized under [15 U.S.C. § 1681b].” The FTC thus treated Spokeo’s reports as consumer reports.
Accordingly, the FTC found that Spokeo had acted as a CRA, and it alleged that Spokeo violated the FCRA by (a) failing to ensure that the consumer reports that it sold were used for legally-permissible purposes; (b) failing to ensure that the information it sold was accurate; and (c) failing to inform users of Spokeo’s consumer reports pursuant to its obligations under the FCRA.
The FTC’s complaint also alleged that Spokeo violated Section 5 of the FTC Act, which prohibits “unfair or deceptive” trade practices, by requesting that its employees post “deceptive” endorsements of its consumer reports. The employees posed as Spokeo customers when they posted the endorsements. The FTC’s order now requires that Spokeo remove (or request the removal of) these false endorsements, whether they appear on its own website or on third-party websites.
This is the FTC’s first enforcement action focused on the sale of information culled from social media for use in the employment-screening context. Not only is the FTC watching what social-media companies are doing with users’ information, but it is also paying attention to how data brokers are using information that has been collected through social-media sites.
In addition to imposing the $800,000 fine on Spokeo, the FTC’s settlement order also prohibits Spokeo from committing any future FCRA violations, and requires that the company refrain from making future misrepresentations about its endorsements.
Going Beyond the Spokeo Example: Why Social-Media Reports Are Still Problematic
The Spokeo case makes it clear that social-media profiling, when done by CRAs for the purpose of employment screening, is covered by the FCRA. Thus, companies that comply with the statute can legally use social-media profiling. One example of a company that is FCRA-compliant in the social-media area is SocialIntelligence (often referred to as SocialIntel). The FTC previously looked into SocialIntel’s practices and deemed them FCRA-compliant. Thus, according to the FTC, SocialIntel may continue to search for Tweets, Facebook photos and profile information, provided that it continues to comply with the FCRA.
The FTC’s letter to SocialIntel emphasized that when reports include information derived from social media, the same rules apply. For example, companies selling social-media background reports must take reasonable steps to maximize the accuracy of what’s reported from social networks and ensure that the information relates to the correct person. Such companies must comply with other FCRA sections, too—by providing copies of reports to people who request them, and by having a process in place if people dispute what has been said about them in a report.
At present, SocialIntel assembles a dossier that features both positive information, such as professional awards and charitable or volunteer work, and negative information that meets delineated criteria: online evidence of racist remarks; references to drugs; sexually-explicit photos, text messages, or videos; or displays of guns or bombs, for example. Negative social-media profiles may lead to job offers being withdrawn or not made in the first place. A SocialIntel spokesperson noted that one prospective employee was found using Craigslist to search for OxyContin, and was not hired as a result. Moreover, a woman who posted nude photos of herself on a photo-sharing site didn’t get a job she had applied for at a hospital.
SocialIntel keeps its reports FCRA-compliant by deleting all references to a person’s religion, race, marital status, disability, and other information that is protected under federal employment laws. Also, job candidates must consent to a background check, and are notified of any adverse information that a check uncovers, so that they can dispute its veracity.
According to SocialIntel, less than a third of the data it locates about individuals comes from major social-networking sites such as Facebook, Twitter and MySpace. Instead, much of the data comes from so-called “deep” Web searches that find blogs and posts on smaller social sites, and even on Craigslist.
In this way, SocialIntel scrapes the Internet for everything that prospective employees may have said or done online in the past seven years. SocialIntel can legally keep information obtained about consumers for up to seven years—the same period that applies to other information about us under the FCRA, such as our bill-payment history, that is contained on traditional credit reports.
But we all have expected for a long time that creditors will look at our bill-payment history, whereas we had not expected previously that our party photos or our blog posts from up to seven years ago would be used to make decisions about our employment prospects in the future. Of course, as time passes, our expectations will change. Still, the new business model that SocialIntel uses was not contemplated by the original FCRA or by consumers. Accordingly, our expectations and our understanding of how data may be used against us have not kept pace with the realities of today’s business models.
We should think carefully about these new models, asking questions such as: Isn’t it more troubling for a company to report on our social life and background retroactively for seven years, than for it to report retroactively on our financial histories and loan repayment patterns for the same period of time? It’s easy to see how financial responsibility would be highly and legitimately relevant to employment or credit decisions. But how is information about how we choose to spend our private time relevant to those kinds of decisions? Soon, social-media information may lead to new types of discrimination: for instance, discrimination against people who have guns and post photos of them online.
Many of us may have, until now, believed that if we deleted or erased something from Facebook or other websites, it was unlikely to come back to haunt us. But even when we delete something from Facebook “permanently,” that data may still be stored in SocialIntel’s files for up to seven years. That reality should change consumer expectations significantly. You can’t effectively delete information when data brokers have built it into your social-media profile, which they will then keep, update, and sell to potential employers.
For these reasons, policymakers ought to carefully re-examine the FCRA. Historically, the FCRA has dealt with the reporting of more objective data—data about spending, credit history, and the like. Should the same set of privacy and consumer protections still apply when we talk about more qualitative, and more subjective, data about consumers—the kind of data that can’t easily be plugged into a FICO score?
Requirements for Employers Who Use Social-Media Reports
Employers also need to consider the risks associated with cyber-screening. For them, there’s a downside to using a data broker for this process: Once you involve a third party in the background-check process, you are obligated to comply with the very specific requirements of the FCRA—and that may get you in trouble, as an employer. Consider, for example, that, as I mentioned above, the FTC’s complaint against Spokeo alleged that the company failed to follow the FCRA’s requirements when conducting its social-media searches on behalf of employers.
Although the FTC complaint focused on Spokeo’s obligations as a company that compiles social-media reports for employers, it additionally suggests that the FTC believes that those companies that purchased the reports from Spokeo may also have violated the FCRA. And an employer’s failure to comply with the FCRA can lead to private lawsuits and FTC investigations.
Among other things, employers should obtain express authorization from job candidates before running a check that includes ordering social-media reports, and employers should provide the relevant notice and disclosures required by the FCRA when they make adverse decisions based on information that is contained in these reports.
Employment background checks can include information from a variety of sources: credit reports, employment and salary history, criminal records, and, these days, even social-media data. But regardless of the type of information contained in a report that is used when making hiring decisions, the rules are the same: Both companies providing reports to employers and employers using reports must comply with the FCRA. Whether we should consider new approaches to social-media data is an open question—but one that deserves attention now.