Donate
security lock on computer circuit board
HomePublicationsBlogThe Recent CFPB Guidance on Worker Surveillance

The Recent CFPB Guidance on Worker Surveillance

December 4, 2024 
Mishal Khan

In October 2024 the Consumer Financial Protection Bureau (CFPB) released a circular laying out clear guidelines that employers must follow when they use algorithmic scores or background reports generated by third parties to make employment decisions. 

What is the CFPB?

The CFPB is the federal agency charged with protecting U.S. consumers from unfair practices in the financial sector. The CFPB enforces the Federal Consumer Reporting Act (FCRA).

What is the FCRA?

The FCRA is a law designed to safeguard consumer rights by regulating entities that collect, access, use, and share data about them. Under the law, third parties that generate background reports about consumers, such as credit bureaus and tenant screening services, are classified as “consumer reporting agencies.” The background reports that these third party entities generate, such as credit reports or scores, are officially classified as “consumer reports.” The FCRA mandates that when a company obtains a consumer report from a consumer reporting agency and uses it to make important decisions such as whether to rent or lend to a consumer, it must follow a specific set of rules such as obtaining consent and ensuring accuracy.

What problem does the new circular seek to address?

When Congress passed the FCRA, they were particularly concerned about employers using background reports to make decisions about workers. According to the CFPB, technological advances have only made it easier for third-party technology companies to gather increasingly large volumes of data on workers. Worker advocates have been documenting a range of harms from the proliferation of data-driven technologies at work such as productivity scoring systems, invasive forms of electronic monitoring, and “black box” algorithms whose inner workings are kept hidden from workers. Today third party companies can track a worker’s union or organizing history, personal habits and attributes, biometric information, sales interactions, web browsing patterns, and even their driving records. These companies routinely sell this data to employers, putting workers at risk of having “their careers determined by opaque third-party reports” without any accountability.

What does the circular do?

The circular is not detailing new rules, but is rather making explicit that both employers and third party entities using a range of new technologies to monitor, rank, and make decisions about workers must comply with longstanding regulatory requirements under the FCRA. The CFPB names both “background dossiers” as well as “algorithmic scores” that draw on data from third party monitoring systems as examples of consumer reports that fall under the purview of the FCRA. Their use by employers, therefore, triggers an obligation to obtain worker consent and provide transparency in the case of adverse decisions, and limits the permissible purposes for which background reports can be used.

When is coverage triggered?

Responsibilities under the FCRA are triggered when an employer obtains a consumer report from a consumer reporting agency to make or help make an employment decision.

What is an employment decision?

An employment decision is defined as a decision made “for the purpose of evaluating a consumer for employment, promotion, reassignment or retention as an employee.” It applies to both the initial hiring stage and to the context of ongoing employment.

What counts as a “consumer reporting agency” or a “consumer report”?

The circular states that any third-party entity that “assembles or evaluates consumer information in order to furnish reports to employers” could be considered a consumer reporting agency.

Under this definition a broad array of what the CFPB calls “background dossiers” could be classified as consumer reports (and the entities that generate them as consumer reporting agencies). For example, a firm that collects information from employers about a worker’s activity (e.g., performance, union activity) at work and sells it to future would-be employers would be considered a consumer reporting agency.

In addition, an employer’s use of an algorithmic scoring system could also be covered if, for example, it is trained on external consumer data. For example, some employers require workers to install mobile apps that generate scores about them for performance evaluation purposes. The entity that collected the data to train the algorithm that generates these scores could be considered a consumer reporting agency.

What are the key rights that workers have according to the CFPB circular?

1. Consent

  • Employers must obtain permission from workers before obtaining any consumer reports about them from a consumer reporting agency.

2. Transparency & disclosure

  • Workers have the right to know what is in a consumer report generated about them.
  • Employers must provide notice to workers and a copy of a consumer report generated about them both before and upon taking any adverse action against them.
  • Workers have the right to request the identity of any employer who has requested a consumer report to make an employment decision about them during the previous two years.

3. Right to challenge

  • Workers have the right to challenge any inaccurate data collected about them by consumer reporting agencies and employers must correct or delete any inaccurate, incomplete, or unverifiable data.

4. Limits of use

  • Consumer reporting agencies may only provide employers with a consumer report on a worker for certain permissible purposes.

Why is it important?

This action by the CFPB sets an important precedent for advocates who have long argued that new technologies are intensifying risks to workers’ job prospects, pay, and rights. The circular sends a strong signal that innovative policy solutions, strong guardrails, and clear guidance is needed to ensure that workers are protected from the increasingly harmful impacts of new workplace technologies.