CFPB Advises Employers to Comply With the FCRA When Using AI-Powered Employee Monitoring Reports

According to a recent policy statement issued by the Consumer Financial Protection Bureau (the CFPB), employers that purchase or use certain reports generated about current or prospective employees—including those using AI-powered technologies to assess employees’ productivity—are required to comply with various requirements of the Fair Credit Reporting Act (the FCRA), including obtaining consent from employees prior to purchasing such reports and providing notices to employees before taking adverse employment actions based on such reports.

What does the CFPB’s policy statement say?

On October 24, 2024, the CFPB issued its latest circular (Circular 2024-06). Many employers are familiar with the FCRA’s requirements in the context of employee background checks and credit reports. Circular 2024-06 states that the FCRA also applies to the use of other types of third-party employee reports.

Specifically, Circular 2024-06 describes various types of reports generated and sold by third parties to employers, including those that analyze worker data and/or behavior (e.g., biometric information, interactions with customers, the number and quality of meetings attended, web browsing history, and keystroke frequency) to generate reports about employees. The CFPB advises that often these reports produce “scores” or other assessments about workers, a process that may involve AI-powered models programmed to find patterns and make predictions about employees.

In Circular 2024-06, the CFPB makes clear that it considers such third-party reports to be “consumer reports” when they are used in making hiring, promotion, reassignment, and retention decisions. That renders them subject to the FCRA. Circular 2024-26 further states that the FCRA may also apply to an employer’s use of a licensed software program to create such reports, although it is apparent that this could be a disputable point and would be dependent on the particular facts.

If an employer obtains reports that are subject to the FCRA, the employer is obligated to comply with the following requirements:

1. Provide FCRA notice and obtain employee consent. Before purchasing third-party reports that could be used for making decisions about hiring, promotion, reassignment, or retention, an employer must provide a disclosure to the employee concerning the possibility of obtaining such a report and must also obtain the employee’s written authorization. 
2. Provide pre-adverse action notice and copy of report. Before taking adverse action based on such a report, including reassignment, denial of a promotion, demotion, or termination of employment, the employer must provide notice to the affected employee along with a copy of the report and a description of rights under the FCRA, as prepared by the CFPB. 
3. Provide post-adverse action notice. If the employer decides to proceed with an adverse action after giving the affected employee an opportunity to respond to the pre-adverse action notice, the employer must provide an additional notice to the affected employee. That additional notice must include multiple elements, including notice of the adverse action and notice of the right to contest the contents of the report with the provider of the report.

What should employers do in response?

Based on the guidance set forth in Circular 2024-06, employers should review how they purchase and use third-party consumer reports concerning their employees, including those that monitor worker behavior or use AI-driven technologies to convey “scores” or other assessments about individual employees.

Employers that purchase and use such reports should implement processes, train managers and staff who assist with onboarding or who otherwise use the reports, and work with outside counsel and the applicable third-party vendors to ensure compliance with the FCRA, including by taking the steps outlined above.

The members of Goodwin’s Employment Practice are ready and available to work with clients to determine whether any particular third-party employee reports are potentially subject to the FCRA and, if so, recommend best-practice approaches for complying with the FCRA.

This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.