Cyber-Screening, Social Media, and Fair Credit Reporting - potential employers are trawling the Internet -
As American employees, we are increasingly becoming aware that our current and potential employers are trawling the Internet to look for our social-media activity as a way of judging whether we should be hired or retained. Is that practice legal? As a baseline rule, it is, as long as the current or potential employer does not discriminate on protected grounds, such as race, religion, or gender.
Many companies are turning to private data-collection firms as a way of getting around possible discrimination claims or problems. To do so, they are hiring data brokers or aggregation firms that can collect data and “scrub” it (for example, by removing someone’s race). These companies—much like Experian, Transunion, or Equifax, which prepare traditional credit reports—are subject to the Fair Credit Reporting Act (FCRA)—a federal law that was designed to ensure that the information provided by third parties to employers or creditors is accurate, and that consumers are informed of any adverse decisions that are made about them, based on such information.
Are companies that compile social-media data subject to the FCRA? Until recently, the answer was unclear, but the FTC has now made it clearer. Indeed, the FTC recently imposed a $800,000 fine against one of these social-media-data companies, Spokeo, for its failure to adhere to the FCRA when collecting social-media data and passing it on to prospective employers.
In this column, I will discuss the implications of the FTC’s Spokeo enforcement action, and why it is important. I will also discuss why the collection and use of social-media data is inherently different from the collection of the kind of data that has traditionally been gathered for credit-reporting purposes. This contrast means that policymakers now need to look afresh at the FCRA to see how it does, or does not, adequately address the ways in which social-media data is used to assess consumer and employee behavior.
The FTC Action against Spokeo: A First Look at the FCRA and Social Media
The FCRA was enacted in 1970 to promote accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies (CRAs).
CRAs assemble reports on individuals for businesses that make decisions based on our financial history, including lenders, employers, landlords, and others. The FCRA provides important consumer protections for credit reports, consumer investigatory reports, and employment background checks. The FCRA’s primary protection requires that CRAs follow “reasonable procedures” to protect the confidentiality, accuracy, and relevance of credit information. To ensure that they do so, the FCRA establishes a set of Fair Information Practices for personal information that include a consumer’s rights to data accuracy, limited use of data, and a requirement of notice when data is used to make adverse decisions.
There are three major national CRAs in the United States: Experian, Trans Union, and Equifax. There are also smaller credit-reporting agencies that often provide regional services. And, as we have recently learned, social-media-data-collection companies (also referred to as data brokers) may also qualify as CRAs.
Typically, consumer credit reports contain information on financial accounts, and include credit card balances and mortgage information. In addition to compiling traditional consumer credit reports, new companies are now also creating social-media reports or profiles, which are supplied to employers as part of employment screenings.
The Spokeo FTC Action
On June 12 of this year, the FTC issued a press release announcing that online data broker Spokeo, Inc. would pay $800,000 to settle FTC claims that it had violated the FCRA when it sold personal data about potential employees to prospective employers in order to assist those employers in screening job applicants. This FTC enforcement action is the first to apply the FCRA in a social-media context.
The FTC alleges that from 2008 until 2010, Spokeo marketed employee and potential employee profiles on a subscription basis to human-resources officers, and job recruiters as an employment-screening tool. Spokeo collected information about individuals from the Internet and public records in order to create profiles that included contact information, marital status, and age, and, in some cases, more detailed information about hobbies, ethnicity, religion, participation on social networking sites, and photos.
Spokeo offered these composite profiles as a file or dossier that could serve as a factor in a company’s deciding whether to interview or hire a job candidate. Spokeo encouraged recruiters and employers to “Explore Beyond the Resume.”
Consumer reports are broadly defined in the FCRA as information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance; employment purposes; or any other purpose authorized under [15 U.S.C. § 1681b].” The FTC thus treated Spokeo’s reports as consumer reports.
Accordingly, the FTC found that Spokeo had acted as a CRA, and it alleged that Spokeo violated the FCRA by (a) failing to ensure that the consumer reports that it sold were used for legally-permissible purposes; (b) failing to ensure that the information it sold was accurate; and (c) failing to inform users of Spokeo’s consumer reports pursuant to its obligations under the FCRA.
The FTC’s complaint also alleged that Spokeo violated Section 5 of the FTC Act, which prohibits “unfair or deceptive” trade practices, by requesting that its employees post “deceptive” endorsements of its consumer reports. The employees posed as Spokeo customers when they posted the endorsements. The FTC’s order now requires that Spokeo remove (or request the removal of) these false endorsements, whether they appear on its own website or on third-party websites.
This is the FTC’s first enforcement action focused on the sale of information culled from social media for use in the employment-screening context. Not only is the FTC watching what social-media companies are doing with users’ information, but it is also paying attention to how data brokers are using information that has been collected through social-media sites.
In addition to imposing the $800,000 fine on Spokeo, the FTC’s settlement order also prohibits Spokeo from committing any future FCRA violations, and requires that the company refrain from making future misrepresentations about its endorsements.
Going Beyond the Spokeo Example: Why Social-Media Reports Are Still Problematic
The Spokeo case makes it clear that social-media profiling, when done by CRAs for the purpose of employment screening, is covered by the FCRA. Thus, companies that comply with the statute can legally use social-media profiling. One example of a company that is FCRA-compliant in the social-media area is SocialIntelligence (often referred to as SocialIntel). The FTC previously looked into SocialIntel’s practices and deemed them FCRA-compliant. Thus, according to the FTC, SocialIntel may continue to search for Tweets, Facebook photos and profile information, provided that it continues to comply with the FCRA.
The FTC’s letter to SocialIntel emphasized that when reports include information derived from social media, the same rules apply. For example, companies selling social-media background reports must take reasonable steps to maximize the accuracy of what’s reported from social networks and ensure that the information relates to the correct person. Such companies must comply with other FCRA sections, too—by providing copies of reports to people who request them, and by having a process in place if people dispute what has been said about them in a report.
At present, SocialIntel assembles a dossier that features both positive information—such as professional awards and charitable or volunteer work, and negative information that meets delineated criteria: online evidence of racist remarks; references to drugs; sexually-explicit photos, text messages, or videos; or displays of guns or bombs, for example. Negative social-media profiles may lead to job offers being withdrawn or not made in the first place. A SocialIntel spokesperson noted that one prospective employee was found using Craigslist to search for OxyContin, and was not hired as a result. Moreover, a woman who posted nude photos of herself on a photo-sharing site didn’t get a job she had applied for at a hospital.
Read more -
http://verdict.justia.com/2012/07/17/cyber-screening-social-media-and-fair-credit-reporting
As American employees, we are increasingly becoming aware that our current and potential employers are trawling the Internet to look for our social-media activity as a way of judging whether we should be hired or retained. Is that practice legal? As a baseline rule, it is, as long as the current or potential employer does not discriminate on protected grounds, such as race, religion, or gender.
Many companies are turning to private data-collection firms as a way of getting around possible discrimination claims or problems. To do so, they are hiring data brokers or aggregation firms that can collect data and “scrub” it (for example, by removing someone’s race). These companies—much like Experian, Transunion, or Equifax, which prepare traditional credit reports—are subject to the Fair Credit Reporting Act (FCRA)—a federal law that was designed to ensure that the information provided by third parties to employers or creditors is accurate, and that consumers are informed of any adverse decisions that are made about them, based on such information.
Are companies that compile social-media data subject to the FCRA? Until recently, the answer was unclear, but the FTC has now made it clearer. Indeed, the FTC recently imposed a $800,000 fine against one of these social-media-data companies, Spokeo, for its failure to adhere to the FCRA when collecting social-media data and passing it on to prospective employers.
In this column, I will discuss the implications of the FTC’s Spokeo enforcement action, and why it is important. I will also discuss why the collection and use of social-media data is inherently different from the collection of the kind of data that has traditionally been gathered for credit-reporting purposes. This contrast means that policymakers now need to look afresh at the FCRA to see how it does, or does not, adequately address the ways in which social-media data is used to assess consumer and employee behavior.
The FTC Action against Spokeo: A First Look at the FCRA and Social Media
The FCRA was enacted in 1970 to promote accuracy, fairness, and the privacy of personal information assembled by Credit Reporting Agencies (CRAs).
CRAs assemble reports on individuals for businesses that make decisions based on our financial history, including lenders, employers, landlords, and others. The FCRA provides important consumer protections for credit reports, consumer investigatory reports, and employment background checks. The FCRA’s primary protection requires that CRAs follow “reasonable procedures” to protect the confidentiality, accuracy, and relevance of credit information. To ensure that they do so, the FCRA establishes a set of Fair Information Practices for personal information that include a consumer’s rights to data accuracy, limited use of data, and a requirement of notice when data is used to make adverse decisions.
There are three major national CRAs in the United States: Experian, Trans Union, and Equifax. There are also smaller credit-reporting agencies that often provide regional services. And, as we have recently learned, social-media-data-collection companies (also referred to as data brokers) may also qualify as CRAs.
Typically, consumer credit reports contain information on financial accounts, and include credit card balances and mortgage information. In addition to compiling traditional consumer credit reports, new companies are now also creating social-media reports or profiles, which are supplied to employers as part of employment screenings.
The Spokeo FTC Action
On June 12 of this year, the FTC issued a press release announcing that online data broker Spokeo, Inc. would pay $800,000 to settle FTC claims that it had violated the FCRA when it sold personal data about potential employees to prospective employers in order to assist those employers in screening job applicants. This FTC enforcement action is the first to apply the FCRA in a social-media context.
The FTC alleges that from 2008 until 2010, Spokeo marketed employee and potential employee profiles on a subscription basis to human-resources officers, and job recruiters as an employment-screening tool. Spokeo collected information about individuals from the Internet and public records in order to create profiles that included contact information, marital status, and age, and, in some cases, more detailed information about hobbies, ethnicity, religion, participation on social networking sites, and photos.
Spokeo offered these composite profiles as a file or dossier that could serve as a factor in a company’s deciding whether to interview or hire a job candidate. Spokeo encouraged recruiters and employers to “Explore Beyond the Resume.”
Consumer reports are broadly defined in the FCRA as information “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for credit or insurance; employment purposes; or any other purpose authorized under [15 U.S.C. § 1681b].” The FTC thus treated Spokeo’s reports as consumer reports.
Accordingly, the FTC found that Spokeo had acted as a CRA, and it alleged that Spokeo violated the FCRA by (a) failing to ensure that the consumer reports that it sold were used for legally-permissible purposes; (b) failing to ensure that the information it sold was accurate; and (c) failing to inform users of Spokeo’s consumer reports pursuant to its obligations under the FCRA.
The FTC’s complaint also alleged that Spokeo violated Section 5 of the FTC Act, which prohibits “unfair or deceptive” trade practices, by requesting that its employees post “deceptive” endorsements of its consumer reports. The employees posed as Spokeo customers when they posted the endorsements. The FTC’s order now requires that Spokeo remove (or request the removal of) these false endorsements, whether they appear on its own website or on third-party websites.
This is the FTC’s first enforcement action focused on the sale of information culled from social media for use in the employment-screening context. Not only is the FTC watching what social-media companies are doing with users’ information, but it is also paying attention to how data brokers are using information that has been collected through social-media sites.
In addition to imposing the $800,000 fine on Spokeo, the FTC’s settlement order also prohibits Spokeo from committing any future FCRA violations, and requires that the company refrain from making future misrepresentations about its endorsements.
Going Beyond the Spokeo Example: Why Social-Media Reports Are Still Problematic
The Spokeo case makes it clear that social-media profiling, when done by CRAs for the purpose of employment screening, is covered by the FCRA. Thus, companies that comply with the statute can legally use social-media profiling. One example of a company that is FCRA-compliant in the social-media area is SocialIntelligence (often referred to as SocialIntel). The FTC previously looked into SocialIntel’s practices and deemed them FCRA-compliant. Thus, according to the FTC, SocialIntel may continue to search for Tweets, Facebook photos and profile information, provided that it continues to comply with the FCRA.
The FTC’s letter to SocialIntel emphasized that when reports include information derived from social media, the same rules apply. For example, companies selling social-media background reports must take reasonable steps to maximize the accuracy of what’s reported from social networks and ensure that the information relates to the correct person. Such companies must comply with other FCRA sections, too—by providing copies of reports to people who request them, and by having a process in place if people dispute what has been said about them in a report.
At present, SocialIntel assembles a dossier that features both positive information—such as professional awards and charitable or volunteer work, and negative information that meets delineated criteria: online evidence of racist remarks; references to drugs; sexually-explicit photos, text messages, or videos; or displays of guns or bombs, for example. Negative social-media profiles may lead to job offers being withdrawn or not made in the first place. A SocialIntel spokesperson noted that one prospective employee was found using Craigslist to search for OxyContin, and was not hired as a result. Moreover, a woman who posted nude photos of herself on a photo-sharing site didn’t get a job she had applied for at a hospital.
Read more -
http://verdict.justia.com/2012/07/17/cyber-screening-social-media-and-fair-credit-reporting
No comments:
Post a Comment