15 Jan

From the FTC Business Center Blog

By Tony Rodriguez and Jessica Lyon
January 10, 2013 – 2:00pm

Just saying you’re not a consumer reporting agency isn’t enough

You know that phrase “If it quacks like a duck. . . “?  It’s applicable in the Fair Credit Reporting Act context, too.  If a company meets the legal definition of a “consumer reporting agency,” it’s a consumer reporting agency.  Including a disclaimer that says, in effect, “But we’re not a CRA!” won’t change that.  That’s one important takeaway tip from the FTC’s settlement with Filiquarian Publishing, the agency’s first FCRA case involving mobile apps.

Filiquarian advertised that people who bought its apps — available for 99 cents from app stores like iTunes and Google Android (now GooglePlay) — could conduct a “quick criminal background check for convictions” in specific states.  Filiquarian also said that its apps could access hundreds of thousands of criminal records, and that users could conduct searches on potential employees as part of the hiring process.  But according to the FTC, Filiquarian, owner Joshua Linsk, and Choice Level, LLC (a related company that provided the criminal records) made a major mistake: They failed to comply with the FCRA.

A company is a “consumer reporting agency” under the law if it assembles and evaluates consumer report information for the purpose of providing those reports to third parties.  Reports include information that relate to a person’s character, reputation, or personal characteristics.  Typically, they’re used — or are expected to be used — for employment, housing, credit, or the like.  That’s what triggers a company’s obligations under the FCRA.  But a business that uses consumer reports for employment purposes has to comply with the FCRA, too.  Failing to implement any of the accuracy, dispute, or other safeguards required by the law could harm people’s reputations and employment prospects.

So how does the FTC determine if a business has reason to believe that its information is being used for employment or other FCRA purposes?  Lots of factors may be relevant, but one approach is to look at what the company says in its own ads.  In Filiquarian’s case, it specifically advertised that its reports could be used for hiring decisions on potential employees:

Are you hiring somebody and wanting to quickly find out if they have a record? Then Texas Criminal Record Search is the perfect application for you.

Here’s an interesting point for disclaimer mavens.  Filiquarian and Choice Level included statements in their apps and on their website that their background screening reports weren’t to be considered screening products for insurance, employment, loans, and credit applications (among other things) and that they weren’t FCRA-compliant.  That disclaimer didn’t cut much ice with the FTC, especially since it contradicted express representations in Filiquarian’s ads urging people to use the reports to screen potential employees.  Just saying that the info can’t be used for FCRA purposes doesn’t absolve a company from liability, concluded the FTC.

If you’ve been following  mobile apps and the FCRA, you should feel a sense of déjà vu.  Last year the FTC sent public warning letters to developers of six apps telling them:

If you have reason to believe that your reports are being used for employment or other FCRA purposes, you and your customers who are using the reports for such purposes must comply with the FCRA. This is true even if you have a disclaimer on your website indicating that your reports should not be used for employment or other FCRA purposes.

Sound familiar?

According to the FTC, what Filiquarian produced were “consumer reports” under the FCRA.  Specifically, the complaint charged three key FCRA violations:  failure to maintain reasonable procedures to verify who their users are and that the information would be used for a permissible purpose; failure to have procedures to ensure that the information they provided in consumer reports was accurate; and failure to provide notices to users and to those who furnished Filiquarian with information that was included in consumer reports.

The consent order contains provisions designed to ensure future compliance and requires the respondents to circulate the order to staffers with FCRA responsibilities.

What should businesses take from the case?  The mobile app angle offers a 21st century twist, but the message remains the same:  Companies offering background screening products for employment or other FCRA purposes — and the businesses that use them — have to stay in line with the law.  Another tip:  It’s wise to pay attention to what the FTC says in warning letters to other companies.

For more information, visit the BCP Business Center’s Credit Reporting page.