Thursday, March 24, 2016

Social Media-Based Screening and FCRA

By now, most employers are familiar with the requirements of the Fair Credit Reporting Act (FCRA) and understand how it impacts background checks and applicant screening. In short, FCRA says that if an employer uses a third party to conduct a background check or assemble background information about a job applicant or employee, certain requirements kick in.  The applicant or employee must consent to the background check in writing, must be provided with several specific notices during the process, and must be given an opportunity to dispute the information obtained.  Failure to comply with FCRA can lead to legal liability, so employers need to make sure that their own processes (and those of the third party they use to do background checks) are compliant. 
So where does social media come into this? Many employers routinely access social media to do their own applicant screening, and there is nothing inherently unlawful about that. If anti-discrimination laws are followed – that is, if applicants of a particular ethnicity, gender, age, or other protected characteristic are not singled out for screening, and if the employer does not consider protected characteristics in making employment decisions – the use of social media-based screening is legally acceptable and may be a helpful hiring tool. When social media-based screening of applicants is done by a third party, however, the requirements of FCRA, as well as the requirements of anti-discrimination law, must be considered.
Regardless of what it’s called or how it’s obtained, background information obtained from a third party must be handled with care. The EEOC and the Federal Trade Commission (FTC) have both concluded that “cyber screening,” social media “scraping,” and information obtained from data aggregators and social media data collection companies are subject to the requirements of FCRA. That means that the collectors of such data must take reasonable steps to ensure the accuracy and relevance of the information they provide, and must require their employer-customers to certify that the information won’t be used in a manner that violates EEO laws.  Both data collectors and employers must keep the data secure and dispose of it properly when it’s no longer needed.  And for employers, there is no difference between information obtained from social media and information obtained through any other sort of background check by a third party.  FCRA requirements and restrictions apply. 
Employers who use or plan to use an internet or social media-based background screening service to identify prospective hires or check out applicants’ backgrounds should understand their FCRA obligations, and should keep the following in mind:
  • Providers of social media-based data should be able to demonstrate their understanding of and compliance with FCRA.
  • Any claim by a data collector or other provider that it is exempt from FCRA, and any claim that data provided doesn’t constitute a FCRA-controlled background check, should be treated with utmost skepticism. 
  • Before social media-based information from a third party is accepted or considered, employers should be confident of their internal practices and ready to comply with FCRA’s complicated notice provisions.
There is more than FCRA to think about when using social media-based information, of course. The EEO laws noted above, including state and local laws, must be considered. Data security and the protection of personally identifiable information are important. But we find that FCRA is less known and less well understood than other legal obligations, and we know that new methods and providers of social media-based background checks are popping up all the time. We encourage employers to stay aware of the changing landscape and avoid its legal pitfalls.
Posted by Judy Langevin