The Federal Trade Commission reached a settlement last week with a mobile app company, its data provider, and their CEO in its first Fair Credit Reporting Act ("FCRA") enforcement action involving mobile applications. The mobile application company designed mobile apps that enabled users to search criminal records databases and advertised the apps as tools for conducting criminal background checks on potential employees.
Under the FCRA, individuals or organizations that use outside entities, including apps, to procure certain background information on employees or applicants in connection with their employment (or potential employment) must comply with certain notice, authorization, and other rules. Although the companies included disclaimers in their terms and conditions stating that they were not FCRA compliant, that their products were not to be considered screening products for employment, insurance, loans, and credit screening, and that anyone who used their reports for such purposes assumed sole responsibility for FCRA compliance, the Commission viewed these disclaimers as insufficient to avoid liability under the FCRA because the mobile app company advertised that the reports could be used to conduct searches on potential employees, and therefore, the companies could expect them to be used for employment purposes.
The FTC complaint asserted three key FCRA violations against the companies: failure to maintain reasonable procedures to verify who their users are and that the background information would be used only for permissible purposes, failure to follow reasonable procedures to ensure that the information they sold was accurate, and failure to notify users of their reports of their FCRA obligations, including the requirement to notify consumers if an adverse action was taken against them based on a report. The FTC settlement order bars the companies from: (1) furnishing consumer reports to any person which the companies do not have reason to believe has a permissible purpose to use the report; (2) failing to maintain reasonable procedures to ensure the maximum possible accuracy of the information conveyed in their reports; and (3) failing to provide users of their reports with information about their obligations under the FCRA.
The lesson for mobile app developers is obvious: no disclaimer can eliminate FCRA liability if, despite the developers' protests to the contrary, the mobile app is intended to enable users to carry out searches and generate reports that violate the FCRA. The lesson for employers is even simpler: if they use mobile applications to conduct background checks on current or potential employees, they should assume that their searches are covered by the FCRA and should ensure that they operate in full compliance with the statute's notice, consent, and other requirements -- or risk the wrath of the FTC.
The administrative complaint filed by the FTC is In the Matter of Filiquarian Publishing, LLC, Choice Level, LLC, and Joshua Linsk.