Specifically, the FTC said that if the app makers have reason to believe their background reporting apps are being used for employment screening, housing, credit, or other similar purposes, they must comply with the Fair Credit Reporting Act, which is supposed to protect consumer privacy and ensure that the information supplied by consumer reporting agencies is accurate.
According to the FTC, some of the apps include criminal record histories, which bear on an individual's character and general reputation and are precisely the type of information that is typically used in employment and tenant screening.
Under the FCRA, operations that assemble or evaluate information to provide to third parties qualify as consumer reporting agencies, or CRAs. Mobile apps that supply such information may qualify as CRAs under the Act. CRAs must take reasonable steps to ensure the user of each report has a 'permissible purpose' to use the report; take reasonable steps to ensure the maximum possible accuracy of the information conveyed in its reports; and provide users of its reports with information about their FCRA obligations. In the case of consumer reports provided for employment purposes, for example, CRAs must provide employers with information regarding their obligation to provide notice to employees and applicants of any adverse action taken on the basis of a consumer report.
According to the warning letters, the FTC has made no determination whether the companies are violating the FCRA, but encourages them to review their apps and their policies and procedures to be sure they comply with the FCRA. Future actions against those firms weren't ruled out if violations are found.
The letter reads:
This letter concerns your company's mobile application(s) that may be in violation of the Fair Credit Reporting Act ("FCRA"), a federal law enforced by the Federal Trade Commission ("FTC").
Under the FCRA, a company is a consumer reporting agency ("CRA") if it assembles or evaluates information on consumers for the purpose of furnishing "consumer reports" to third parties. Consumer reports include information that relates to an individual's character, reputation or personal characteristics and are used or expected to be used for employment, housing, credit, or other similar purposes. For example, when companies provide information to employers regarding current or prospective employees' criminal histories, they are providing "consumer reports" because the data involves the individuals' character, general reputation, or personal characteristics. Such companies, therefore, are acting as CRAs in this capacity and must comply with the FCRA.
CRAs must comply with several different FCRA provisions, including taking reasonable steps to ensure the maximum possible accuracy of the information provided in consumer reports. A CRA must also provide those who use its consumer reports with information about their obligations under the FCRA. In the case of reports provided for employment purposes, for example, the CRA must provide employers with information regarding their obligation to provide employees or applicants with notice of any adverse action taken on the basis of these reports, and to notify them of their rights to copies of the reports and to a free reinvestigation of information the consumer believes to be in error. A model notice is available in 16 Code of Federal Regulations § 698, Appendix H, which can be found here.
At least one of your company's mobile applications involves background screening reports that include criminal histories. Employers are likely to use such criminal histories when screening job applicants. If you have reason to believe that your reports are being used for employment or other FCRA purposes, you and your customers who are using the reports for such purposes must comply with the FCRA. This is true even if you have a disclaimer on your website indicating that your reports should not be used for employment or other FCRA purposes.
We would evaluate many factors to determine if you had a reason to believe that a product is used for employment or other FCRA purposes, such as advertising placement and customer lists. At this time, we have not made a determination as to whether your company is violating the FCRA. However, we encourage you to review your mobile applications and your policies and procedures for compliance with the FCRA. You may find the full text of the FCRA and more information about the FCRA here.
The Commission reserves the right to take action against you based on past or future law violations; your practices also may be subject to laws enforced by other federal, state, or local law enforcement agencies. A violation of the FCRA may result in legal action by the FTC, in which it is entitled to seek injunctive relief and/or monetary penalties of up to $3,500 per violation.
If you have any questions, please call Anthony Rodriguez at (202) 326-2757.