Year: 2016

FCRA: No Harm, No Worries?

By: Emma Bechara

[Current events article: http://www.scotusblog.com/2015/11/argument-analysis-second-time-around-no-easier-for-justices-in-standing-case/]

A pending case before the United States Supreme Court, considered in a United States Supreme Court (SCOTUS) blog, brings to the forefront the question of whether or not a consumer plaintiff has legal standing to bring a class action lawsuit for a technical violation of the Fair Credit Reporting Act (FCRA). On 2 November 2015, SCOTUS heard oral arguments in Spokeo, Inc. v Robins, where the petitioner, Robins, alleged that Spokeo – a consumer reporting agency – published inaccurate information about him, which adversely affected his ability to get a job and such inaccurate publishing was a violation of the FCRA. There was no evidence presented that Robins suffered actual “concrete harm”.

The legal question before SCOTUS is:

“Whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.”

The answer to this question, if in the affirmative, will undoubtedly have important legal and commercial ramifications for data privacy law, and the future of consumer class actions in this sphere. An affirmative answer will inevitably open the floodgates for consumers across the United States to bring suits against consumer credit agencies and Internet companies for Federal privacy law violations. More alarmingly, as Robins could not show that he had suffered “actual harm” as a result of the alleged violations, a finding for him may also set a dangerous precedent that would allow consumers to have standing to sue for a violation of the FCRA, despite being unable to show that they had suffered harm.

This case considers an interesting dichotomy between the growing interests of consumer privacy, and the traditional views of the law requiring injury to a person. Currently, the FCRA provides consumers with up to $1000 in damages for inaccurate published reports. Is this enough? Perhaps dicta in from the court will shed light on this. Nonetheless, Spokeo argued that allowing consumers to sue, despite sustaining no concrete injuries, would invite class action abuse. According to the SCOTUS blog, this view is likely to be upheld by 7 of the Justices, with only two Justices- Justice Sonia Sotomayor and Justice Ruth Bader Ginsburg – “open to the possibility” of a plaintiff not being to show a “concrete, ‘real world’ harm”. Sadly, the passing of his Honor Justice Scalia has brought an element of uncertainty to the decision, and as Scott Flaherty notes, his Honor “penned three majority opinions that left an indisputable mark on the class action landscape, but now the court must grapple with key issues that linger”.

Information Privacy Law – Privacy Blog Assignment

By: Rachel Kultala

http://www.cio.com/article/3000472/what-are-the-rules-when-a-site-publishes-false-information-about-you.html

In November, the Supreme Court heard arguments in Spokeo v. Robbins. Robbins sued Spokeo under the FCRA because his profile on Spokeo included false information. Although Spokeo was unemployed at the time, his profile on Spokeo showed that he was employed. Additionally, the profile listed incorrect information regarding Robbins’ age, marital status, wealth, and education. The main issue in the case is whether Robbins had standing; the district court found that Robbins had failed to allege an injury in fact, while the circuit court held that alleging a violation of the FCRA was sufficient to establish standing.

After the Spokeo decision provided in the casebook, Spokeo changed its policies and provided a FAQ on its site about the FRCA. According to Spokeo, its data is not intended to be used to determine eligibility for employment or credit. Spokeo insists that its data is not intended for any purpose covered by the FCRA. This case, if Robbins is found to have standing, could provide answers for the questions raised after the Spokeo consent decree. In particular, what effect can Spokeo’s intent regarding how its data will or should be used have on whether it qualifies as a consumer reporting agency under the act? Although Spokeo was apparently able to unwittingly trigger the FCRA, is it also possible to trigger the FCRA while expressly disclaiming any covered purpose? These questions will not be answered by the Supreme Court, but could be addressed by the district court if Robbins has standing.

The FCRA’s creation of a private right of action is also at stake in this case. If the court holds that Robbins lacks standing, consumer advocacy groups fear that the private right of action under the FCRA will become completely ineffectual. Robbins has alleged that he did not receive offers of employment due to the mistakes in his profile. Tech companies worry that a ruling that Robbins has standing to sue will result in a flood of no-injury litigation. The FCRA’s provision of statutory damages gives an (very small) incentive for litigation, even when actual damages are minimal. However, in class actions, like the current case, the cumulative damages for the whole class could be substantial.

By: Themelis Zamparas

http://www.lexology.com/library/detail.aspx?g=d1c5f200-7fa4-485c-a535-76b8ca0852e8

This article reports the increase of lawsuits relating to the implementation of the FCRA provisions by employers and contemplates on the impact of the, still pending, SCOTUS decision on Spokeo, Inc v. Robins. The increase is quite important, giving rise to two questions:

1. Are the provisions of the FCRA clear enough and what obligations exactly do they impose on employers? In other words, is it the fault of employers that they are often exposed to liability under the FCRA or the complexity of certain obligations makes it difficult even for scrupulous employers to comply?
2. Is the FCRA steadily becoming yet another source of frivolous lawsuits and class actions? Or is this an indication that job applicants are becoming more and more conscious of the effect of consumer credit reports on the employer’s decision to hire them or not, and of the legal obligations that arise from the use of such reports?

The pending Supreme Court decision is expected to clarify the landscape regarding the requirements to be fulfilled in order to file an action under the FCRA, and in particular, regarding plaintiff’s standing to sue. As the article puts it “The issue is whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute. […] However, the majority of plaintiffs seeking damages for bare statutory violations of the FCRA cannot allege concrete, personal harm”. The case involves Thomas Robins, a Virginia resident who claims that Spokeo published inaccurate information about himself. The issue is whether the mere fact that Spokeo violated the Fair Credit Reporting Act, without more, give Thomas Robins a legal right – known as “standing” – to sue. It is very interesting to see whether the death of Justice Antonin Scalia will have any effect on the final decision. Justice Scalia posited that, under Robins’s interpretation, the failure, for example, of a credit reporting agency to provide a “1-800” number (required by the FCRA) would allow anyone to sue, even if it didn’t affect them at all. “You need more than just a violation of what Congress has said is a legal right” Scalia emphasized. On the other hand, some of the more progressive Justices (Sotomayor, Ginsburg) seemed more open to Robin’s interpretation of the FCRA. If Spokeo prevails, the writer of the article states that it is very likely that the Courts will put a halt to the rise of FCRA lawsuits.

Background Check Co. Hit With FCRA Class Action, Law 360 (Feb. 5, 2016), http://www.law360.com/articles/755625/background-check-co-hit-with-fcra-class-action.

By:Kelly Knaub

Employers use information all the time to draw conclusions about potential candidates employability and fit for job openings. Employers look to indicators such as education (level, major, university), past employment (companies, positions, responsibilities), community involvement, personality traits as gleaned through interviews and conversations with listed references, writing skills judged from cover letters, among others. These have become expected, despite the fact that these also do not have perfect correlations to job performance or job satisfaction and can also be construed as private. So why is other information – credit, health[1], etc. – different? Is the difference that we have some degree of control over what we put on our resumes, in our cover letters, and how we perform in an interview?[2]

If it is about control, is that necessarily a good thing – i.e., is it a good thing to allow people to control and thereby manipulate what they are sharing and presenting publicly, to perhaps hide facts that could reveal misfit for a job? Does that result in the best situation for the employer or the employee, or does it merely put off the time at which they learn about the misfit and/or dissatisfaction? What does control mean in the context of the lawsuit at hand? If the employer wants the information and a job applicant declines to authorize the data company to disseminate their personal information, can the employer draw negative inferences and decline to move that person forward in the application process?

On the flip side, while people are concerned about privacy and the potential adverse effects, maybe this data use has potential benefits for the job applicant – maybe as potential job candidates, we have delusions about what jobs we think we are qualified for, think we will be good at, think we will most enjoy; but perhaps this data could tell another story and proactively help us find jobs for which we are better suited, positions in which we will thrive and find more enjoyment and fulfillment. If we want to increase utility through efficient job performance and job satisfaction, then perhaps aggregating more data can help us achieve those end goals.

The problem then becomes where to draw the line. How do we, as a society, decide what factors to use? Who gets to be involved in this conversation and to what end? Individuals will have different opinions and will naturally want to include information that favors them and exclude information that disfavors them. How do we ensure that historic data does not dictate future outcomes for people?[3] How do we decide when it is appropriate to share information?[4] How do we protect those who decline to authorize these background checks? The decision in this pending class action will affect the timing, content and angle of these ongoing conversations.

[1] Rachel Emma Silverman, Bosses Tap Outside Firms to Predict Which Workers Might Get Sick, Wall St. J. (Feb. 17, 2016), http://www.wsj.com/articles/bosses-harness-big-data-to-predict-which-workers-might-get-sick-1455664940 (explaining employers attempt to access detailed information about employee’s health conditions (e.g., diabetes, cancer, heart conditions) to encourage “employees to improve their own health as a way to cut corporate health-care bills.”); see also Laura June, Your Job Can Now Predict When You’ll Have a Kid, N.Y. Mag, (Feb. 17, 2016), http://nymag.com/thecut/2016/02/your-boss-might-get-alerted-if-you-quit-the-pill.html (expressing alarm about using data on women who have stopped filling their birth control prescriptions to determine likelihood of impending pregnancy).

[2] Kelly Knaub, Background Check Co. Hit With FCRA Class Action, Law 360 (Feb. 5, 2016), http://www.law360.com/articles/755625/background-check-co-hit-with-fcra-class-action (narrowing in on control in explaining that the plaintiff “points to sections 1681b(b)(1) and (2) of the FCRA, which he says together protect the right of privacy of consumers by permitting them to control the dissemination of their personal information in consumer reports for employment purposes.”).

[3] E.g., if a certain zip code is historically associated with poor job performance, how do we ensure we are not predestining people to certain outcomes, precluding them from opportunities even though the individual may be an outlier/the conclusions from the data is not applicable to him/her?

[4] E.g., people may want to keep pregnancy private for a variety of reasons (e.g., risks that diminish drastically after the first trimester, want to tell friends and family before employers, fear they will be discriminated against when it comes to promotions), but at a certain point, the woman’s body will start to show the pregnancy, and to that extent she does not have control anymore anyway.

FTC Big Data report and FCRA

By: Kasumi Sugimoto

http://www.law360.com/articles/745610/why-2016-will-be-a-big-year-for-big-data

Last month, the FTC released a report “Big Data: A Tool for Inclusion or Exclusion?  Understanding the Issues.” It outlines the benefits and risks created by the use of big data, and provides suggestions for companies to maximize the benefits and minimize the risks. The Report mentions several federal laws that might apply to certain big data practices, including the Fair Credit Reporting Act (FCRA). In the report, the FTC mentioned following interpretation about the scope of FCRA concerning the use of big data:

1. The scope of CRAs and users of consumer reports

FCRA applies to consumer reporting agencies (CRAs), that compile and sell consumer reports containing consumer information that is used or expected to be used for decisions about consumer eligibility for credit, employment, insurance, housing, or other covered transactions. CRAs must ensure accuracy of consumer reports and provide consumers with access to their own information, and the ability to correct any errors.

Traditionally, CRAs included credit bureaus and background screening companies which analyze a traditional credit characteristic such as payment history. Recently, however, data such as zip code or social media usage are used to predict a person’s creditworthiness. The report clarifies that a company analyzing such data to make a report to be used for eligibility determination can be also subject to the FCRA obligation.

Companies that use consumer reports also have FCRA obligations, such as providing consumers with “adverse action” notices if the companies use the consumer report information to deny credit. On the other hand, the FCRA does not apply to companies when they use data derived from their own relationship with their customers for purposes of making decisions about them.

However, the report clarifies that if the company engaged a third party to evaluate such customer data on the company’s behalf for purposes of eligibility determinations, the third party would likely be acting as a CRA, and the company would likely be a user of consumer reports under the FCRA.

In addition, under the FCRA, even in cases where the creditor obtains information from a company other than a CRA, the creditor has to disclose the nature of the report upon the consumer’s request if the consumer’s application for credit is denied or the charge for such credit is increased as a result of reliance on the report.

The report ascertained that, this obligation will also apply to the case where a store finds a general analytics company report through a search engine and then uses the report to inform its credit granting policies. To use information for eligibility determination, a store has to establish a procedure for disclosure of the nature of the report, even if it obtained information from a company other than a CRA.

In sum, although the FTC clarifies the scope of FCRA concerning the use of big data, whether companies will be subject to the FCRA depends on the fact that how the report is used. Companies will be subject to the FCRA obligations if they make or use consumer analytics for eligibility determinations. On the other hand, based on the definition of CRAs, it seems that a data broker which did not intend to make a report for the purpose of eligibility determination will not be considered as CRAs. However, some consumer analytics can be useful for eligibility determination, even if they were not made for it. It should be further discussed whether a firm creating such analytics should be subject to the FCRA obligation.

2. The scope of consumer reports

In “40 Years FCRA Report” issued in 2011, the FTC stated, “information that does not identify a specific consumer does not constitute a consumer report even if the communication is used in part to determine eligibility.”

The FTC reverses this statement in the new report, and states that if a report is crafted for eligibility purposes with reference to a particular consumer or set of particular consumers, the Commission will consider the report a “consumer report” even if the identifying information of the consumer has been stripped. Thus, using anonymized general analytics can implicate the FCRA, if the analytics is used for eligibility determination of particular person.

However, as quoted article mentions, this seems inconsistent with the statute. According to the statute, the “consumer report” means communication of any information by a consumer reporting agency bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used for the purpose of determining the consumer’s eligibility, and the term “consumer” means an individual. So, “consumer report” must relate to the individual consumer applicant, and not the general population.

3. Conclusion

The report gives industry a notice that companies whose practices involve big data analytics and users of their reports should be mindful of the scope of the FCRA’s obligation. The FTC has tried to ensure transparency and accountability of data brokers, and the new report work as a warning to data brokers by using existing legal regime such as FCRA. However, as previously mentioned, the scope of CRAs requires further discussion. Also, inconsistency with statute about the use of anonymized consumer data should be overcome. The new FTC report is not a binding regulation. It remains to be seen how it will be received by industry and the courts.

By: Charlie O’Toole

Responding to these articles:

http://fortune.com/2015/06/18/shutterfly-lawsuit-facial-recognition/

 http://www.natlawreview.com/article/tag-you-re-it-biometric-information-privacy-act-class-action-against-shutterfly

In June, 2015, Brian Norberg filed a class action lawsuit in Illinois federal court claiming that Shutterfly, an online vendor of photo prints, had violated an Illinois statute governing the collection of biometric data. The case, Norberg v. Shutterfly, Inc., Case No. 15-cv-5351 (N.D. Ill.), came about when Norberg somehow noticed that, despite his never having used Shutterfly himself, the website had employed facial recognition software to analyze and store a record of his face from a photograph uploaded and tagged with his name by an acquaintance. Judge Charles Norgle, of the Northern District of Illinois, denied Shutterfly’s motion to dismiss in an order dated December 29, 2015.

This case, along with a handful of similar ones filed recently, rely on an Illinois statute that requires companies to disclose to consumers when they collect biometric data (such as fingerprints or voice recordings) and how that data may be used. 740 Ill. Comp. Stat. 14 (2008). Illinois and Texas are so far the only two states with laws expressly governing the collection of this kind of data. David Almeida and Mark Eisen note in their National Law Review article that the Illinois statute appears to be modeled in part on federal privacy statutes like Fair Credit Reporting Act, in that it provides a private cause of action, and also assigns relatively high statutory damages ($1,000–$5,000 per violation).

In United States v. Spokeo, Inc., No. CV12-05001MMM(JHx) (C.D. Cal., June 7, 2012), the FTC determined that an aggregator of personal information constituted a consumer reporting agency under the FCRA. Spokeo ultimately signed a consent decree, agreeing to pay a fine of $800,000 and reform its internal practices to comply with the FCRA, but its founder issued a credible statement claiming not to have known that Spokeo, which started as an aggregator of social media information, was regulated by the FCRA. Similarly, Shutterfly and its peer defendants in these more recent cases could plausibly have had no idea that a statute governing the collection of data gleaned from retinal scans and fingerprint readers could expose them to liability for using facial recognition software. Indeed, as Shutterfly pointed out in its motion to dismiss, the Illinois statute expressly excludes photographs from its scope, though Norberg successfully argued that a “faceprint” of the kind stored by Shutterfly’s software is not the same thing as the photograph itself.

Whatever the outcome of this round of privacy litigation, the Shutterfly case highlights the uneasy tension between the federalist/sectoral U.S. privacy law regime and the realities of an increasingly data-focused marketplace. On the one hand, consumers have reason for concern over the collection of more and more kinds of personal information. In particular, as new kinds of personal information become eligible for electronic collection, storage, and organization, various kinds of data aggregation may reveal or suggest information about people that they never contemplated disclosing, publicly or otherwise. On the other hand, the exploitation of “Big Data” is a major source of untapped social value, from businesses targeting advertising to consumers who are likely to be interested in their products, to analyzing anonymized health records organized by zip code in order to help prevent obesity. Caryn Roth et al., Community-level determinants of obesity, BMC Medical Informatics & Decision Making 14:36 (2014), http://www.biomedcentral.com/1472-6947/14/36.

Fragmenting U.S. privacy law by means of a sectoral system allows for the tailoring of legal standards for the public and private sectors, and for different industries that use information differently. In theory, this system could work better for industry and consumers, as laws can be tailored to strike the right balance between all the competing interests in each domain. The same benefits are often claimed for a federalist system of government—to take an example from the area of privacy law, the FCRA can set out a floor for acceptable data security, while individual states can strengthen one or more aspects of the law depending on their constituents’ special needs or preferences. It is arguably important for the U.S. to maintain its sectoral approach to privacy law to serve as a counterpoint to the E.U.’s influence in spreading an omnibus regime throughout much of the rest of the world. Having a major economic power using a different approach could serve as a good demonstration of the costs and benefits of each system. However, as industry continues to collect and configure data in new, unanticipated ways, deterrence effected by the threat of class actions, buttressed by the statutory damages imposed by most privacy-focused laws, may be a bridge too far.

Congress Considers Changes to FCRA to Expand Consumer Credit Files and Limit Use of Credit Reports for Employment Decisions

By: Eline Declerck

https://www.carltonfields.com/congress-considers-changes-to-fcra-to-expand-consumer-credit-files-and-limit-use-of-credit-reports-for-employment-decisions-01-21-2016/ (1/21/2016)

This article written by Jeffrey Rood of Carltonfields discusses two bills amending the Fair Credit Reporting Act that are currently making their way through Congress: “the Credit Access and Inclusion Act,” introduced on December 12, 2015, and “the Equal Employment for All Act,” introduced on September 16, 2015. Both bills are intended to benefit consumers.

The purpose of the Credit Access and Inclusion Act is to encourage utility and telecom companies and landlords to furnish all payment data, both positive and negative, to Credit Reporting Agencies (“full-file reporting”). Research has shown that most utility and telecom companies either report only negative information (delinquencies, defaults, and collections), or do not report at all. This is mainly caused by regulatory uncertainty on the legality of furnishing data to Credit Reporting Agencies. The amendment aims to address that uncertainty by affirmatively allowing full-file reporting.

Supporters of the bill argue that the increased reporting will help consumers with little credit history but who have a record of paying their utility, telecom, and rent payments on time. A more complete credit history will increase their access to affordable credit markets. Opponents however believe that the supporters are underestimating the number of consumers that will see their credit score lowered by this increased reporting. They disagree with the assertion that a low credit score would be better than no score, especially given the impact on employment chances and loans.

Given that both arguments have merit, a compromise could consist of permitting consumers to voluntary opt-in to full-file reporting – an option also mentioned in the article and which the opponents are not opposing. A voluntary opt-in would put consumers in control rather than giving utility and telecom providers a too broad discretion. It would allow consumers to benefit from full-file reporting while protecting those consumers who would be worse off. It would also be consistent with existing legislation in certain States that are prohibiting utility and telecom providers from sharing payment data without the customer’s consent.

The Equal Employment for All Act is intended to limit employers’ ability to use credit reports for “employment purposes,” one of the statutorily permissible purposes under the Fair Credit Reporting Act. The amendment would prohibit the use of consumer credit checks against prospective and current employees for the purposes of making adverse employment decisions. The bill follows the trend of State legislations that are increasingly limiting employers’ ability to use credit reports for employment purposes.

Support of the bill argue that credit reports are often inaccurate and claim that they bear little to no correlation to job performance or ability to succeed in the workplace. Opponents say that use of credit reports for employment purposes is limited and underline their importance for employees who are in charge of financial assets. Also, at least one study shows that living beyond one’s means and experiencing financial difficulties are the two biggest indicators of employee fraud.

Again, both sides seem to have valid arguments. A possible compromise could be to include limited exceptions to the prohibition for employee positions in charge of financial assets or especially vulnerable to employee fraud. But according to the article, this bill has little change of passing in the current Congress. Unlike the Credit Access and Inclusion Act, this bill does not have bipartisan support and similar legislation stalled in Congress in 2010.

The discussions regarding these amendments show the difficulties in regulating consumer data flows, especially in the context of credit reports. Credit reports are of significant importance for consumers as they directly impact their ability to loan money, find employment and rent an apartment. Credit reports should be accurate and consumers prefer having control over which data is reported and for which purposes they are used. Banks, employers and landlords on the other hand want to receive as much information as possible in order to be able to take informed decisions and limit their risks. Finding common ground and establishing rules suitable for all situations is not an easy task.