An individual’s background is often evaluated for important decisions. When our society was smaller and more close-knit, individuals familiar with the interested person’s life and background filled this need. As our society became larger, however, the need for objective information became greater, and companies began drafting background reports. Several laws, including the Fair Credit Reporting Act (“FCRA”), began regulating this process. This evolution is not complete, however, and anyone involved with background reports, either as a creator or subject of one, should be mindful of a recent lawsuit that may have significant implications.
In United States v. MyLife.com, Inc., No. 20-cv-6692 (C.D. Cal. June 27, 2020), the Department of Justice, on behalf of the FTC, filed a lawsuit against MyLife.com (“MyLife”) and its CEO, Jeffrey Tinsley, for violations of the FCRA. The suit suggests that an organization that prepares reports containing information about a person’s background may be considered a consumer reporting agency (“CRA”) under the FCRA. The FCRA defines a CRA as:
[A]ny person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.
In relevant part, the FCRA defines a “consumer report” as:
[A]ny written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under Section 604.
Having to operate as a CRA under the FCRA would impose additional requirements, restrictions and liabilities on a business. Under the FCRA, a CRA may only provide consumer reports to those who it believes have an enumerated “permissible purpose” to obtain that report. CRAs must maintain and follow reasonable procedures to limit the furnishing of consumer reports and ensure that the information provided by the reports is as accurate as possible. CRAs must also provide a Notice of Users to anyone who receives a consumer report. These notices must advise recipients of their responsibilities when reviewing a consumer report and require a certification that the recipient will not use the report for any improper purposes.
In MyLife, the United States argues that MyLife is a CRA that provides “consumer reports” and should be held liable for evading its obligations under the FCRA. According to the complaint, MyLife markets background reports for certain FCRA-regulated activities that contain information regarding an individual’s background, such as criminal convictions. Notably, the complaint does not allege that MyLife’s reports include information related to an individual’s credit score. Instead, the complaint alleges that MyLife touted its services with the slogan that “[r]eputation is more important than credit.” The complaint also alleges that MyLife promoted its reports as a resource to consult when evaluating an individual’s eligibility for employment, loans, and housing. The complaint also alleges that MyLife did not restrict who could access its reports, so long as a subscription fee was paid.
The takeaway from this complaint and other cases involving similar facts is that a company that prepares and sells reports that include personal information of individuals must: (a) be mindful of how it markets such reports and describes the potential uses for them—scrutinize your marketing materials very carefully, making clear what such reports may and may not be used for; and (b) implement a customer credentialing process by which they learn (and confirm) how the reports will be used.
Failing to do these things creates real and significant risk that either a regulator or plaintiffs’ counsel will characterize your business as a CRA subject to the FCRA. Violation of the FCRA carries potential statutory penalties of up to $1,000 per violation, punitive damages and attorneys’ fees. Adopting strict controls over how reports are used will help you avoid this liability.
 E.g., Spokeo v. Robins, 136 S.Ct. 1540 (2016).