As you are likely aware, the primary law governing the practices of background screening firms, also
known as consumer reporting agencies (CRAs), is the Fair Credit Reporting Act (FCRA).
What is the Fair Credit Reporting Act (FCRA)?
The Fair Credit Reporting Act (FCRA) is a federal law that regulates background screening firms' reporting
of information on individuals or consumers. This includes requiring that employers, and CRAs acting as
their agent:
Have a permissible purpose for accessing an individual’s records. Collecting and assembling
information for the purpose of reviewing an individual’s application for employment is a permissible
purpose.
Obtain the individual's written consent for the CRA to gather information on them on behalf of an employer.
Implement processes to ensure that information and records reported have the highest possible
accuracy.
Provide transparency into the information gathered on an individual. Consumers have the right to get
a copy of the reported information that contributed to an employer taking an adverse action.
Provide consumers the ability to dispute information they believe to be inaccurate or incomplete.
Protect the privacy of the data assembled.
Also, a major privacy-focused law that guides the work of background screening companies is the
General Data Protection Regulation (GDPR), which was implemented by the European Union and has
become a de facto global standard.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the
collection and processing of personal information from individuals who live in and outside of the European
Union (EU).
For Consumer Reporting Agencies (CRAs), there is a large framework of laws guiding the work of
background screening companies. These include federal laws such as the Fair Credit Reporting Act
(FCRA), international legislation such as the General Data Protection Regulation (GDPR), and a
patchwork of state and local laws such as Ban the Box and other privacy acts.
In addition, there are state-level privacy laws that employers must adhere to.
What are the state privacy laws?
To date, five states have passed privacy laws, and four more states still have privacy acts in committee this
legislative session.
The five states that have implemented privacy legislation (California, Colorado, Connecticut, Utah and
Virginia) generally share the following features:
identifying rights for consumers, such as accessing or deleting information about them,
providing consumers with the right to opt out of the sale of their data,
outlining the obligations of entities that store or collect data, and
requiring that privacy policies be posted.
While California’s first privacy law is already in effect, the remaining four states’ laws all go into effect in
2023.
More information about the state laws follows:
California
California has two different privacy acts: the California Consumer Privacy Act (CCPA) and the California
Privacy Rights Act (CPRA).
The CCPA was passed in June 2018 and went into effect in January 2020. The law gives consumers the right
to tell businesses not to share or sell their personal information. Consumers also have the right to request
that a company delete all of their personal information.
The CPRA was a ballot initiative passed to amend the CCPA. It passed in November 2020 and
goes into effect in January 2023.
The California Privacy Rights Act (CPRA) is a state-wide data privacy bill that amends and expands the
existing California Consumer Privacy Act (CCPA). The CPRA works as an addendum to the CCPA,
strengthening data privacy rights for California residents, tightening business regulations and establishing
the California Privacy Protection Agency (CPPA) as lead enforcer and supervisor.
Colorado
The Colorado Privacy Act (CPA) was passed in July 2021 and goes into effect in July 2023.
According to Koley-Jessen attorneys at law:
“The CPA will apply to legal entities conducting business in Colorado or delivering products or services
targeted to Colorado residents that either (1) control or process the personal data of 100,000 or more
consumers during a year, or (2) control or process the personal data of 25,000 or more consumers and
derive revenue or receive a discount on the price of goods or services from the sale of personal data.
There is no applicable revenue threshold. “Consumers” are defined in the CPA to include Colorado
residents acting in their individual or household contexts. The CPA excludes individuals acting in a
commercial or employment context, job applicants, and beneficiaries of someone acting in an
employment context from its definition of “consumer.” “Personal data” under the CPA is defined to mean
“information that is linked or reasonably linkable to an identified or identifiable individual.” The CPA’s
requirements will not extend to de-identified data or publicly available information.” 1
Connecticut
The Connecticut Data Privacy Act (CTDPA) was passed in May 2022 and goes into effect in July 2023.
According to One Trust Data Guidance, “the CTDPA establishes rights including a right to access,
deletion, as well as portability for consumers, and provides the right to opt-out of targeted advertising,
sale of personal data, and automated profiling. The CTDPA also establishes various controller and
processor obligations, privacy notice requirements, and grants the Connecticut Attorney General (‘AG’)
exclusive authority to enforce its provisions.” 2
Utah
The Utah Consumer Privacy Act (UCPA) was passed in March 2022 and goes into effect in December 2023.
According to Sullivan & Cromwell LLP attorneys at law, the UCPA imposes a number of obligations on
businesses that control or process the personal data of Utah consumers, and grants these consumers a
range of new rights over the personal data that they previously provided to a business. Under the UCPA,
Utah consumers have the right to: (1) know or confirm processing activity; (2) access personal data; (3)
obtain a copy of personal data in a portable and readily usable format; (4) delete personal data; (6) opt
out of targeted advertising and sales of personal information; and (7) avoid discrimination as a result of
exercising their consumer rights under the UCPA. Importantly, the UCPA does not create a private right of
action for consumers and is only enforceable by the Utah Attorney General. The UCPA applies to any
entity that (1) conducts business in Utah, or produces products or services that are targeted to Utah
residents; (2) has annual revenue of $25 million or more; and (3) annually controls or processes the
personal data of at least 100,000 Utah residents, or controls or processes the personal data of at least
25,000 Utah residents and derives over 50% of its gross revenue from the sale of personal data. 3
Virginia
The Virginia Consumer Data Privacy Act (VCDPA) was passed in March 2021 and goes into effect in January
2023.
According to Hutchinson PLLC, “to comply with VCDPA companies need to inform consumers of their
rights under the Act and create a process through which consumers can exercise those rights. The Act
also implements other business obligations with regard to personal data. For example, companies subject
to the Act must obtain consent prior to collecting and processing certain categories of sensitive personal
data such as precise geolocation data, data about protected characteristics and genetic or biometric data.
Like the CCPA, the VCDPA also requires that when a company uses service providers to process data on
the company’s behalf, the company must enter into a special contract with that service provider which
implements the requirements of the Act and makes clear the service provider’s responsibilities with
respect to the personal data that they process.
Additionally, the VCDPA requires that companies only hold the pieces of data they need for a specific
purpose and for only as long as is necessary to achieve that purpose; these principles are
commonly referred to as purpose limitation and data minimization. The VCDPA also requires that
companies implement and maintain reasonable data security practices to protect the confidentiality,
integrity and accessibility of personal data.” 4
In addition to the state laws identified above, U.S. legislators have been working on the
comprehensive American Data Privacy and Protection Act (ADPPA).
On June 23, 2022, the U.S. House of Representatives Subcommittee on Consumer Protection and
Commerce passed by voice vote H.R. 8152, the American Data Privacy and Protection Act
(“ADPPA”). This bipartisan legislation is sponsored by House Energy and Commerce Committee Chairman
Frank Pallone (D-NJ), committee Ranking Republican Cathy McMorris Rodgers (R-WA), subcommittee
Chairman Jan Schakowsky (D-IL) and subcommittee Ranking Republican Gus Bilirakis (R-FL).
While many more steps remain in the legislative process before the bill could be enacted, the vote marks
the furthest progress that any comprehensive federal privacy legislation has made in all the years
Congress has considered such legislation. Privacy legislation previously had appeared to be a relatively
low priority for this Congress, with few hearings and seemingly continued stalemate on key issues.
It would appear that, whether at the state or federal level, more privacy laws are in our future, and
employers would be wise to follow these to stay on top of the implications for their business.
Bibliography:
- Husch Blackwell, Colorado Privacy Act Resource Center; https://www.huschblackwell.com/industries_services/colorado-privacy-act.
- One Trust Guidance, Connecticut – Data Protection Overview, May 2022; https://www.dataguidance.com/notes/connecticut-data-protection-overview.
- Sullivan & Cromwell LLP, Utah Consumer Privacy Act, April 27, 2022; https://www.sullcrom.com/files/upload/sc-publication-utah-becomes-fourth-us-state-to-enact-comprehensive-privacy-law.pdf.
- Maccherone, Morgan M., An Overview of the Virginia Consumer Data Protection Act, February 25, 2022; https://www.hutchlaw.com/blog/an-overview-of-the-virginia-consumer-data-protection-act.