Michelle Cohen: Internet Privacy Lawyer on Internet Marketing
Video 1 of 3
Attorney Michelle Cohen: Increased Federal Enforcement of Mobile Commerce in 2013
Video 2 of 3
What to do if you think your company has had a data breach
Video 3 of 3
Michelle’s unfailing dedication to her clients is evidenced by the fact that her first client, whom she worked with as a first-year associate over 20 years ago, remains an active client. She establishes strong and lasting relationships by committing herself to client service. Michelle understands her clients’ business goals, guides them in their use of new technologies, and communicates with them as their business activities unfold.
Michelle’s practice is focused on helping her clients establish powerful and lasting relationships with their customers and prospects. Whether engaging audiences through sweepstakes/contests, social networks, telemarketing, text, or email marketing, Michelle ensures that her clients’ communications comply with current marketing and privacy laws and regulations. For clients who have embraced the popularity of online promotions and gamification, Michelle keeps programs running smoothly by providing guidance on the necessary rules, thresholds and disclosures in the midst of a constantly changing legal landscape. As clients rely more on social media to publicize promotions, Michelle provides up-to-the minute legal counsel related to the rules on Twitter, Facebook and other social sites.
As Ifrah Law increasingly leads the way in iGaming, Michelle advises daily fantasy sports and e-Sports companies on privacy matters, including drafting online terms and conditions, and preparing legal opinions and analysis to support iGaming companies’ launching of their services, including working with payment processors.
When clients find themselves involved in an enforcement matter with the Federal Trade Commission, Federal Communications Commission or state agencies, Michelle’s deep knowledge in these areas and her strong footing in the privacy community help her to resolve issues in the most expedient manner possible. Michelle has extensive experience defending individual and class actions in the consumer protection context, including dozens of Telephone Consumer Protection Act cases. She obtained a rare rescission of an FCC citation in a TCPA enforcement matter.
Michelle also advises clients as to what policies and procedures can be put in place to show a company’s good faith efforts, should the government come knocking. When companies are involved in potential data or security breaches, Michelle knows which questions to ask to ensure they have a sound legal strategy. She works with the company step-by-step to resolve the situation from both the government’s, and her clients’ as well as their customers’ points of view.
Previously, Michelle was a partner at Thompson Hine where she was a member of their telecommunications, corporate transactions & securities and emerging technologies groups. She began her legal career in the litigation department at Paul Hastings, where she spent seven years honing her litigation skills, prior to moving into their corporate practice. Her litigation experience gives her a solid foundation for helping clients avoid litigation as well as in advising them when they are faced with litigation. This litigation experience, coupled with her regulatory and corporate experience, allow Michelle to offer her clients a full complement of services.
Awards + Recognition
- Certified Information Privacy Professional (CIPP) certification, International Association of Privacy Professionals
- ALM 2013 Washington DC's Women Leaders in the Law
- ALM 2012 Top Rated Lawyer - Technology Law
- Martindale-Hubbell AV Preeminent Peer Review Rating
- Editorial Board Member, E-finance & Payments Law & Policy
- Editorial Board Member, E-Commerce Law & Policy
Professional + Community
- Board Member, Sewall-Belmont House & Museum
- Women in Cable and Telecommunications Past Board Member Washington, D.C. - Baltimore Chapter
- Federal Communications Bar Association
- District of Columbia Bar
- New York State Bar Association
- Women's Bar Association of DC
- Volunteer, Special Olympics
- Brandeis University Alumni Admissions Council
- Pro Bono Volunteer through the District of Columbia Bar
- Former Board member for the Law Firms Division of the United Way, National Capitol Area
Winning Big with a Celebrity Sweepstakes Endorsement
After developing a solid online promotions program over several years with Michelle Cohen advising on sweepstakes and contests, Michelle’s long-standing client, a digital wellness company, decided to energize its online efforts with a celebrity endorsement sweepstakes. The celebrity, a known health advocate and popular entertainer, partnered with our client to give away VIP ticket packages to his sold out shows in multiple cities.
Michelle crafted sweepstakes rules and reviewed promotional materials, including social media campaigns. The celebrity also used social media to organize in-person athletic meet-ups around the country, as part of his current touring schedule. This coast-to-coast campaign included sweepstakes at the on-site events. Michelle worked with our client on several aspects of its campaign, including social media messaging, drafting winner’s eligibility affidavits and ensuring compliance with state and federal sweepstakes laws, as well as social networks’ policies and requirements.
The result? Michelle’s client continues to develop exciting and clever online promotions that will engage their audience, while complying with applicable laws and regulations and maintaining positive relationships with key social networks.
Successfully Negotiating the Sale of Assets During a Government Investigation
When a company that is under investigation for money laundering decides to sell its assets, what was once a straightforward sales process becomes a complex negotiation. That is what happened with our client, a provider of diagnostic testing equipment.
Ifrah Law and Michelle Cohen represented the company in its sale of radiology and cardiology diagnostic services equipment, which involved numerous challenges. Understandably, the buyer was concerned about the ongoing criminal investigation, and Michelle worked closely with them to address their concerns about representations and warranties and possible post-sale seizure from the government. Additionally, since there were bank liens on some of the assets, Michelle worked with the bank’s outside counsel to arrange a prompt payoff, obtain a satisfactory pay-off letter and secure a release of the liens in order to close the deal. Michelle also worked with the buyer to create a creditor payment plan that would payoff unsecured creditors and obtain releases from them in order to address the buyer’s concerns about unsecured creditors seeking relief from the buyer. Finally, she created an employee fund (funded by the buyer) to pay for uncompensated leave time.
These complicated issues were resolved in less than two weeks, as a result of Michelle’s skilled negotiations with all parties. The buyer was represented by Delaware’s largest law firm.
Successful Resolution of a TCPA Class Action
Michelle Cohen’s client, a publicly-traded enhanced messaging provider, was involved in a large-scale class action alleging violations of the TCPA’s unsolicited facsimile advertising rules. In addition to having provided the client with TCPA advice for over 15 years, Michelle represented them in enforcement matters before the FCC, including obtaining the rescission of an FCC citation, a highly unusual ruling from the FCC, finding that the client had a valid defense to the citation.
This TCPA case involved the alleged sending of 125,000 unsolicited faxes. The class was suing for triple damages of $1500 per violation – up to $180 million. Michelle and her team handled discovery, including depositions and motions. When the other parties decided to enter mediation, Michelle represented her client through the mediation, to the settlement agreement and ultimate dismissal of the case. Given the damages at stake, this case was successfully resolved for Michelle’s client, whose settlement contribution fell below the limits of their insurance policy.
Ensuring TCPA Compliance for a Global Provider of Customer Management Services
On behalf of our client, a leading provider of customer management services with call centers around the world, Ifrah Law led a full-scale review of its customer communications to ensure that they comply with federal and state requirements, including those of the TCPA and the FTC’s Telemarketing Sales Rule (TSR). We addressed the many different types of calls that the company undertakes on behalf of its varied customer base – service calls, appointments, live sales calling and pre-recorded calls – to ensure that its call centers are using consistent protocols and controls in the United States, and that these protocols are in compliance with the TCPA and TSR. Our client trusted Ifrah Law with this extensive project due to our long history with managing TCPA matters – we have been involved with the TCPA since its inception in 1991 – and due to our prior work for the client, including successfully representing the client in two FCC inquiries.
We worked with the company’s Director of Privacy to develop a thorough understanding of the types of calls that the company makes for its customers, and the contractual protections that are in place and which could be revised to protect the company further. A critical aspect of this project was to educate leaders within the company that there are different TCPA requirements based on the type of call: technology used, person being called, whether the call is pre-recorded or live; mobile or business. We also wrote the call center guidelines and controls to ensure that all employees – from those being trained to the marketing team – had the same information regarding how to handle different types of customer call projects.
This large-scale process took a year to complete. Once the documentation was finalized, our client was ready to begin a company-wide training program on the guidelines, well in advance of TCPA rule changes.
Most of the attention involving the Telephone Consumer Protection Act (“TCPA”) has centered on the stream of class actions around the country. It is important to remember that the Federal Communications Commission (“FCC”) and state attorney generals can, and do, enforce the TCPA. In fact, the FCC recently issued citations to Lyft, the ride-sharing service, and First National Bank (“FNB”). Under the Communications Act, before the FCC may issue monetary penalties against a company or person that does not hold an FCC license or authorization, it must first issue a citation warning the company or person.
The TCPA requires prior express written consent for telemarketing calls/texts to mobile phones utilizing an autodialer or prerecorded call and for prerecorded telemarketing calls to residential lines. FCC rules mandate that the “prior written consent” contain certain key features. Among these requirements is the disclosure informing the consenting person that “the person is not required to sign the agreement – directly or indirectly – or agree to enter into an agreement as a condition of purchasing any property, goods, or services.”
For years, the FCC focused on actual consumer complaints of having received telemarketing calls/texts without the required prior express written consent. Interestingly, here, the FCC did not allege that either Lyft or FNB sent texts/robocalls without the required consent. The FCC’s accompanying press release indicates that its Enforcement Bureau initiated the two investigations after becoming aware of “violative provisions in those companies’ service agreements.” The citations issued to Lyft and FNB, along with recent correspondence by the FCC to Paypal concerning similar issues, represent new FCC attention on terms/conditions of service in the TCPA context, particularly on “blanket take it or leave it” agreements. The FCC Enforcement Bureau Chief, Travis LeBlanc, put all companies on notice, urging “any company that unlawfully conditions its service on consent to unwanted marketing calls and texts to act swiftly to change its policies.” The FCC directed Lyft and FNB to take “immediate steps” to comply with FCC rules and the TCPA – presumably meaning that the companies should immediately revise their terms and practices.
According to the FCC, Lyft’s terms require customers to expressly consent to receive communications from Lyft to customer’s mobile numbers, including text messages, calls, and push notifications. The messages could include Lyft-provided promotions and those of third party partners. The terms advise customers that they can opt-out by following the “unsubscribe” option, and that customers are not required to consent to receive promotional messages as a condition of using the Lyft platform or the services.
However, the FCC found that contrary to Lyft’s terms of service, Lyft does not actually provide “unsubscribe options” for consumers. If a consumer independently searches and gets to Lyft’s “help center,” the only option to opt-out subsequently prevents consumers from using Lyft’s service. Thus, per the FCC, “Lyft effectively requires all consumers to agree to receive marketing text messages and calls on their mobile phones in order to use services.”
The FCC concluded that while Lyft’s terms of service stated that consumers were not required to consent as a condition to using Lyft, in actuality, consumers could not refuse consent and remain Lyft users. Thus, the FCC cited Lyft, warning that it would be liable for any advertising text messages for which it did not collect proper, prior express written consent. The agency further stated that it would continue to monitor Lyft’s practices.
In FNB’s investigation, the FCC noted that consumers wishing to use FNB’s online banking services are required to agree to receive text messages and emails for marketing purposes at consumer-provided phone numbers. FNB customers wishing to enroll in the Apply Pay service are similarly required to consent to receive marketing-related text messages and emails. The FCC objected to FNB requiring consumers to agree to receive marketing text messages in order to use the online banking and Apple Pay services, and failing to inform consumers that they have the option to refuse consent. The agency reiterated that under FCC rules, prior express written consent to receive telemarketing messages requires that, among other things, consumers receive a clear and conspicuous disclosure informing the consumer of his or her right to refuse to provide consent.
When it comes to autodialed/prerecorded telemarketing calls and texts to mobile phones and prerecorded telemarketing calls to residential lines, companies need to be diligent in ensuring they have proper, defensible prior express written consent. The FCC’s citations to Lyft and FNB make clear that organizations may not rely on blanket mandatory opt-in agreements. While it may be acceptable to seek consent in terms of service, consumers must be informed of their opt-out abilities, and must be able to access the opt-out and still use the service or make the purchase.
Companies should review their service agreements and the operational mechanisms to make sure consumers have information on opting-out. Further, any opt-out mechanisms must work as promised. A user’s opt-out should not block services/purchases. Of course, the best way to obtain consent is to seek a separate, prior express written consent in an agreement that contains all the required elements, as follows:
- Is in writing (can be electronic);
- Has the signature (can be electronic) of the person who will receive the advertisement/telemarketing calls or texts;
- Authorizes the caller to deliver advertisements or telemarketing messages via autodialed calls, texts, or robocalls;
- Includes the telephone number to which the person signing authorizes advertisements or telemarketing messages to be delivered;
- Contains a clear and conspicuous disclosure informing the person signing that:
- By executing the agreement, the person signing authorizes the caller to deliver ads or telemarketing messages via autodialed calls, texts or robocalls; and
- The person signing the agreement is not required to sign the agreement (directly or indirectly) or agree to enter into such an agreement as a condition of purchasing any property, goods, or services.
As a reminder, the FCC repeatedly takes the position that the company claiming prior express written consent will bear the burden of providing that consent.
Every week, we learn about new data breaches affecting consumers across the country. Federal government workers and retirees recently received the unsettling news that a breach compromised their personal information, including social security numbers, job history, pay, race, and benefits. Amid a host of other public relations issues, the Trump organization recently discovered a potential data breach at its hotel chain. If you visited the Detroit Zoo recently, you may want to check your credit card statements, as the zoo’s third party vendor detected “malware” which allowed access to customers’ credit and debit card numbers. And, certainly, none of us can forget the enormous data breach at Target, and the associated data breach notifications and subsequent lawsuits.
For years, members of Congress have stressed the need for national data breach standards and data security requirements. Aside from mandates in particular laws, such as HIPAA, movement on data breach requirements had stalled in Congress. Years ago, however, the states picked up the slack, establishing data breach notification laws requiring notifications to consumers and, in many instances to attorneys general and consumer protection offices when certain defined “personal information” was breached. California led the pack, passing its law in 2003. Today, 47 states have laws requiring organizations to notify consumers when a data breach has compromised consumers’ personal information. Several states’ laws also mandate particular data security practices, including Massachusetts, which took the lead on establishing “standards for protection of personal information.”
Many businesses and their lobbying organizations have urged Congress to preempt state laws and establish a national standard. Most companies have employees or customers in multiple states. Thus, under current laws, organizations have to address a multitude of state requirements, including triggering events, types of personal information covered, how quickly the notification must be made, who gets notified, what information should be included in the notification, among others. State Attorneys General, on the other hand, assert that, irrespective of these inconveniences, their oversight of data breaches through the supervision of notifications and enforcement has played a critical role in consumer protection.
This week, the Attorneys General from the 47 states wrote to Congressional leaders, urging Congress to maintain states’ authority in any federal law, by requiring data breach notifications, and preserving the states’ enforcement authority.
The AGs’ key points are:
- State AG offices have played critical roles in investigating and enforcing data security lapses for more than a decade.
- States have been able to respond to constant changes in data security by passing “significant, innovative laws related to data security, identity theft, and privacy.” This includes addressing new categories of information, such as biometric data and login credentials for online accounts.
- States are on the “front lines” of helping consumers deal with the fallout of data breaches and have the most experience in guiding consumers through the process of removing fraudulent charges and repairing their credit. By way of example, the Illinois AG helped nearly 40,000 Illinois residents remove more than $27 million in unauthorized charges from their accounts.
- Forty states participate in the “Privacy Working” group, where state AGs coordinate to investigate data breaches affecting consumers across multiple states.
- Consumers keep asking for more protection. Any preemption of state law “would make consumers less protected than they are right now.”
- States are better equipped to “quickly adjust to the challenges presented by a data-driven economy.”
- Adding enforcement and regulatory authority at the federal level could hamper the effectiveness of the state law. Some breaches will be too small to have priority at the federal level; however, these breaches may have a large impact at the state or regional level.
Interestingly, just this week, Rep. David Cicilline (D-RI) introduced a House bill mandating that companies inform consumers within 30 days of a data breach. The bill also requires minimum security standards. Representative Cicilline’s bill would not preempt stricter state-level data breach security laws. The bill also contains a broad definition of “personal information” to include data that could lead to “dignity harm” – such as personal photos and videos, in addition to the traditional categories of banking information and social security numbers. The proposed legislation would also impose civil penalties upon organizations that failed to meet the standards.
Without a doubt data breaches will continue – whether from bad actors, technical glitches, or common employee negligence. The states have certainly “picked up the slack” for over a decade while Congressional actions stalled. Understandably, the state AGs do not want Congress taking over the play in their large and established “privacy sandbox.” Preemption will continue to be a key issue for any federal data breach legislation before Congress. As someone who has guided companies through multi-state data breach notifications, I have seen firsthand that requiring businesses to deal with dozens of differing state requirements is costly and extremely burdensome. Small businesses, in particular, are faced with having to grapple with a data security incident while trying to understand and comply with a multitude of state requirements. Those businesses do not have the resources of a “Target” and complying with a patchwork of laws significantly and adversely impacts those businesses. While consumer protection is paramount, a federal standard for data breach notification would provide a common and clear-cut standard for all organizations and reduce regulatory burdens. While the federal standard could preempt state notification laws, states could continue to play critical roles as enforcement authorities.
In the interim, companies must ensure that they comply with the information security requirements and data breach notifications of applicable states. An important, and overlooked aspect is to remember that while an organization may think of itself as, say a “Vermont” or “Virginia” company, it is likely that the company has personal information on residents of various states – for instance, employees who telecommute from neighboring states, or employees who left the company and moved to a different state. Even a “local” or “regional” company can face a host of state requirements. As part of an organization’s data security planning, companies should periodically survey the personal information they hold and the affected states. In addition to data breach requirements in the event of a breach, organizations need to address applicable state data security standards.
The FTC’s complaint stated that Nomi’s technology (called its “Listen” service) allows retailers to track consumers’ movements through stores. The company places sensors in its clients’ stores, which collect the MAC addresses of consumers’ mobile devices as the devices search for WiFi networks. While Nomi “hashes” the MAC addresses prior to storage in order to hide the specific MAC addresses, the process results in identifiers unique to consumers’ mobile devices which can be tracked over time. Nomi provided its retail clients with aggregated information, such as how long consumers stayed in the store, the types of devices used by consumers, and how many customers had visited a different location in a chain of stores. Between January and September 2013, Nomi collected information on approximately 9 million mobile devices, according to the FTC’s complaint.
Nomi’s settlement does not require any monetary payment but prohibits Nomi from misrepresenting the options through which consumers can exercise control over the collection, use, disclosure or sharing of information collected from or about them or their devices. The settlement also bars Nomi from misrepresenting the extent to which consumers will be provided notice about how data from or about a particular consumer or device is collected, used, disclosed or shared. Nomi is required to maintain certain supporting records for five years. As is typical with FTC consent orders, this agreement remains in force for 20 years.
What can companies learn from Nomi’s settlement, even those not in the retail tracking business?
- While this is the first FTC action against a retail tracking company, the FTC has repeatedly stated that it will enforce the FTC Act and other laws under its jurisdiction against emerging as well as traditional technologies.
- The FTC noted that Nomi had about 45 clients. Most of those clients did not post a disclosure or notify consumers regarding their use of the Listen service, and Nomi did not mandate such disclosures by its clients. The FTC did not address what, if any, obligation, these businesses may have to make such disclosures. Will it become common/mandated to see a sign in a retail location warning that retail tracking via mobile phones is occurring (similar to signs about video surveillance)? One industry group’s self-regulatory policy requires retail analytics firms to take “reasonable steps to require that companies using their technology display, in a conspicuous location, signage that informs consumers about the collection and use of MLA [mobile location analytics] Data at that location.” This issue will become more prevalent as more retailers and other businesses use tracking technology.
- Interestingly, the FTC brought this action even though traditional “personal information” was not collected (such as name, address, social security number, etc.). Organizations should not assume that collecting IP addresses, MAC addresses, or other less personalized information presents no issues. The FTC takes privacy statements seriously, whatever the information collected (though certainly there is more sensitivity toward certain categories such as health, financial, and children’s information).
The bottom line is “do what you say” when it comes to privacy practices. All companies should evaluate their privacy policies at least every six months to ensure that they remain accurate and complete, have working links (if any), and reflect a company’s current practices.
The FTC’s “Do Not Call” and “robocall” rules do not apply to political survey calls. So, if Hillary Clinton sought to “voice blast” a survey about international issues, she could do so without violating the Telemarketing Sales Rule (“TSR”). (Though under FCC rules she would have an issue calling wireless numbers). However, companies may not telemarket under the guise of exempt political calls. Caribbean Cruise Lines (CCL) and several other companies working with CCL recently learned this lesson the hard way. The FTC and a dozen state attorneys general sued CCL and others for offering cruises and vacation “add ons” following purported political calls. CCL settled, agreeing to pay $500,000 of a $7.2 million dollar penalty, and to comply with multiple compliance mechanisms.
CCL and the other defendants implemented an extensive calling campaign involving 12 to 15 million calls per day for approximately ten months offering a political survey. However, the survey calls invited consumers to “press one” to receive a “free” two-day cruise to the Bahamas (port taxes would apply). A live telemarketer working on behalf of CCL then offered consumers pre-cruise hotels, excursions, and other value packages.
While political calls remain exempt under the TSR’s robocall and Do Not Call provisions, if a caller offers a good, product or service during an otherwise exempt call, an “upsell” has occurred and the call is now telemarketing. FTC rules prohibit robocalls to telemarket except with prior express consent. Thus, the FTC asserted that CCL violated the TSR’s robocall provision since the called parties had not consented to the recorded sales calls. While the calls started as political survey calls, they were actually standard telemarketing, subject to all TSR telemarketing rules. The FTC also alleged violations of the Do Not Call rules, the caller identification rules, and the “company-specific Do Not Call requirements,” among other violations.
In addition to the reminder about “upsells” or “mixed messages,” this action highlights several important TSR enforcement lessons:
The FTC and State Attorneys General work closely in telemarketing enforcement – in this action, ten state attorneys general joined the FTC’s action.
Many of the State AGs involved tend to be those most active in telemarketing litigation– Florida, Indiana, Mississippi, North Carolina, Ohio, and Washington State.
The FTC does not require a company to actually make the prohibited calls. An enforcement action will lie where a company paid or directed others to make calls in violation of the TSR.
The TSR also bars third parties from providing “substantial assistance” to others who violate the rule. Here, the FTC’s complaint charged a group of five companies and their individual owner with assisting and facilitating the illegal cruise calls, by providing robocallers with telephone numbers to use in the caller ID field, to hide the robocallers’ identities.
As part of its settlements, the FTC may impose a variety of remedies, including requiring the seller (here, CCL) to monitor its lead generators.
The FTC may also bar the seller from purchasing leads from a lead generator who is determined by the seller to obtain leads through unlawful TSR calling.
The FTC will carefully review, and proceed against companies who violate other TSR provisions, including caller ID requirements, scrubbing of the federal Do Not Call database, and the company-specific Do Not Call list.
A settlement often requires ongoing recordkeeping. Here, the FTC required CCL to create records for ten years (and retain each one for 5 years), including records of consumer complaints and documentation of all lead generators.
The FTC and state AGs may proceed against individuals as well as companies.
Many states have their own “do not call” laws, caller ID requirements and TSR-similar rules which can be used to bolster claims and penalties.
* * *
While it should not come as a surprise that a “mixed message” call must comply with the TSR, the recent joint case against CCL and others serves as a potent reminder that the FTC and state attorneys general continue to monitor robocalling and other mass telemarketing campaigns. Further, the enforcers will use the full panoply of legal requirements and enforcement mechanisms to address telemarketing violations. The seller, the telemarketer, the lead generator, the caller ID provider, and any other party providing substantial assistance may find themselves at the receiving end of a call from the FTC if they fail to follow each of the TSR’s obligations or engage in activities that the TSR prohibits.
What do Whole Foods, Chuck E. Cheese, Michael’s Stores, Dollar General, Panera, Publix, and K-Mart have in common? Each of these companies has faced lawsuits (including class actions) under the Fair Credit Reporting Act (“FCRA”). Although Congress passed the FCRA way back in 1970 and litigation has focused on credit reporting agencies’ duties under the law, class action plaintiff firms have recently focused on the FCRA’s employer-related provisions. Several large settlements (such as Publix’s $6.8 million class action settlement, Dollar General’s $4 million, and K-Mart’s $ 3 million) have spurred further litigation. While some of the alleged FCRA violations may appear minor or technical in nature, these “technical violations” still result in costly lawsuits. Employers should re-familiarize themselves with the FCRA to avoid becoming class action defendants.
The FCRA’s Employer-Related Provisions
Many employers understandably want to conduct background checks on prospective employees, or current employees who may be obtaining new responsibilities or accessing sensitive information. In particular, companies in the retail and restaurant sectors, whose employees have access to cash receipts and credit card account numbers, want to guard against employees whose background checks may reveal issues of concern. Further, organizations whose employees enter homes and businesses (such as service providers – e.g., carpet cleaners, plumbers, contractors) have additional concerns about potential liability.
The FCRA is usually thought of as a federal law that regulates consumer reporting agencies, like credit bureaus. However, the FCRA also prescribes certain requirements for employers who use consumer reports. The FCRA broadly defines the term “consumer reports” as information prepared by a consumer reporting agency “bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for—credit or insurance to be used primarily for personal, family, or household purposes; employment purposes” or other permitted purposes. This definition draws in more than a traditional credit report. It can include driving records, civil lawsuits, and reference checks, among other information.
Disclosure and Consent
Employers may not obtain a consumer report from a consumer reporting agency unless they first make a “clear and conspicuous” written disclosure to the prospective employee/employee. The disclosure document must consist “solely” of the disclosure that a consumer report may be obtained. The job applicant/employee must provide written permission for the employer to obtain a consumer report. The FTC has indicated the disclosure form may include a signature line for the individual’s consent. (In 2001, the FTC also issued an opinion letter stating it believes such consent can be obtained electronically, consistent with the federal E-Sign law). The employer further certifies to the consumer reporting agency that is has a permissible purpose for the report and that it has complied with the FCRA and applicable equal opportunity laws.
These steps sound simple enough, however, litigation has ensued based upon employers’ alleged failures to comply. For instance, in the Whole Foods case in federal court in California, the plaintiffs claim the online application process included a liability waiver in the disclosure form for the background check, allegedly violating the FCRA requirement that a disclosure form not include other information. In a separate case in federal court in Florida involving retailer Nine West, the plaintiff alleges he did not receive a separate form, and that the background check authorization was on a web page with various other types of information.
Adverse Action Based on Report
If the employer intends to take “adverse action” against the prospective employee/employee (based even in part on the information in the report), the FCRA requires the employer to follow certain additional steps. The term “adverse action” includes “a denial of employment or any other decision for employment purposes that adversely affects any current or prospective employee.”
Before the employer takes the adverse action, it must provide a “pre-adverse action” notice to the affected person. This notice must include a copy of the consumer report and a statutory “Summary of Rights.” (This is an updated form, required since January 2013 by the new Consumer Financial Protection Board, which now has responsibility for FCRA rulemaking). The purpose of this notice requirement is to permit the individual to discuss the report with the employer before the employer implements the adverse action.
Next, if the employer intends to take the adverse action, the FCRA requires the employer to provide an adverse action notice to the individual. This notice must contain certain information, including:this is a test one
the name, address, and telephone number of the consumer reporting agency that provided the report;
a statement that the consumer reporting agency did not make the adverse decision and is not able to explain why the decision was made;
a statement setting forth the applicant’s or employee’s right to obtain a free disclosure of his or her report from the consumer reporting agency if the individual requests the disclosure within 60 days; and
a statement regarding the individual’s right to dispute directly with the consumer reporting agency the accuracy or completeness of any information contained in the report.
In a case involving Domino’s Pizza employees, the company settled a class action that included allegations that it took adverse employment actions against certain individuals based on information contained in consumer reports without providing those individuals the required notice and a copy of such reports in advance. K-Mart settled a class action suit based upon allegations that the statement of consumer rights provided to individuals after a background check contained outdated disclosures, among other alleged FCRA failures.
Liability and Enforcement
Plaintiffs can pursue a private right of action against employers for negligently or willfully violating the FCRA. Claims regarding negligent violations allow actual damages and reasonable attorneys’ fees and costs. Willful violations can result in actual damages or statutory damages ranging between $100 and $1,000, plus punitive damages and attorneys’ fees and costs. The Federal Trade Commission (“FTC”) has also brought actions against employers for FCRA violations.
10 Steps to Avoid Becoming a FCRA Defendant When Using Employment Background Checks
1. Review your current background check practices for prospective and current employees, including any online application materials.
2. Review disclosure/consent forms for compliance. Ensure you are presenting applicants or current employees with a simple, one page disclosure form. The form should inform individuals that you intend to obtain a consumer report for employment purposes.
3. You must obtain consent from the prospective employee/employee. You may include a line on the disclosure form for the individual to acknowledge and grant consent. Do not include other material, such as liability waivers, confirmation of at-will employment, or seek other consents.
4. If your application process is online, ensure the disclosure/consent is displayed separately, on one screen, without other content.
5. If you intend to conduct background checks periodically during an individual’s employment, state that in the disclosure and consent form.
6. Do not seek consent verbally. FCRA requires “written” consent (though FTC has stated it may be electronic).
7. Maintain backup of the disclosure and consent forms for at least 5 years from the date they were provided. (Lawsuits must be brought by the earlier of two years after the date of the plaintiff’s discovery of the violation, or five years after the date on which the violation occurred).
8. If you intend to take adverse action based on information in the consumer report, you should be providing the individual with a pre-adverse action notice, a copy of the consumer report, and the “Summary of Rights.” Ensure you are using the most updated “Summary of Rights.”
9. You should wait a reasonable amount of time (at least 5 days) before issuing an adverse action notice. Your company’s adverse action notice must contain the information required under the FCRA (see bulleted information, above).
10. Check state law regarding background checks for the states in which you operate/solicit employees. Some states have similar requirements to FCRA; others may further restrict the types of information you can request.
* * *
The FTC/EEOC have issued a joint statement on background checks. While many employers need to conduct background checks to avoid liability and risks to their businesses, employers also need to follow the FCRA’s mandates to avoid the deep end of litigation “pool.”