The Consumer Financial Protection Bureau (CFPB) has issued new guidance, outlining that employers using tracking technology and artificial intelligence (AI) to monitor and make employment decisions about workers must now adhere to Fair Credit Reporting requirements Act (FCRA). This guidance indicates that while new technologies are changing workplace practices, compliance with federal law is mandatory, not optional.

FCRA in the Workplace: An Expanding Compliance Mandate

Traditionally, the FCRA has governed consumer credit reporting and lending practices, covering what are commonly referred to as background checks used in employment. However, as detailed in the CFPB Circular 2024-06 and recent statements from CFPB Director Rohit Chopra, the FCRA now also extends to a wide range of worker monitoring tools, particularly those that use data-driven information, algorithmic scores, or what the CFPB has called “master files.”

Master files are a term developed by the CFPB that refers to worker profiles compiled from various data sources, including public records, employment history, and productivity tracking. Unlike traditional background checks, which focus on criminal, employment, and educational background checks, background files can include additional, sometimes sensitive, details such as union activity, family leave use, and personal habits tracked by AI. However, both background files and traditional background checks must meet the same FCRA standards for accuracy, consent, and transparency.

As AI advances and remote work increases, many employers rely on third-party tools to track everything from productivity metrics to physical movement during shifts. The CFPB guidance clarifies that such information, particularly if it influences hiring, promotion, or day-to-day employment decisions, may qualify as a “consumer report” under the FCRA.

How workplace tracking technology and artificial intelligence fall under the FCRA

Employers are increasingly using master files and third-party scores to inform hiring decisions. While some tracking may simply record actions, such as time spent in certain locations or on certain tasks, many tools today use AI-based models to convert the raw data into scores or ratings. For example, an AI tool can generate a “risk” score based on web browsing habits or keystroke frequency, or a “productivity” score based on task performance metrics.

Under the FCRA, these assessments are regulated when they are generated by third-party providers of worker monitoring solutions and background files, which the CFPB now considers consumer reporting agencies. According to the CFPB and the Federal Trade Commission (FTC), which share enforcement authority for the FCRA, employers and consumer reporting agencies must follow them. FCRA requirements:

• Consent of the worker: Employers must obtain consent before requesting these consumer reports.
• Clear disclosure in independent format: The disclosure must be a clear and conspicuous written notice, in a stand-alone document, informing the worker of the intent to obtain a consumer report for employment purposes.
• Pre-Adverse and Final Adverse Action Notices: If an employer intends to take adverse action based on a consumer report — such as denying promotion or employment — it must provide the worker with advance notice of the adverse action, which includes a copy of the report or record and a summary of FCRA rights . The worker must have the opportunity to dispute the information before the final adverse action notice is issued.
• Accuracy and Dispute Rights: Consumer reporting agencies must ensure the maximum possible accuracy of these reports. Workers also have the right to dispute any incomplete, inaccurate or unverifiable information.
• Limitations on Use and Disclosure: Consumer Reports may only be used for specific permitted purposes, such as employment or redistribution. Sale or misuse of information for other purposes is prohibited.

In practical terms, if an employer uses the output of a third-party AI tool that tracks and scores an employee’s activities—whether to assess job performance, redeployment potential, or retention risk—they must treat it as a consumer report, however accompanied. legal obligations.

Best practices for employers using tracking technology, artificial intelligence and master records in employment decisions

With AI-generated tracking technology and background files increasingly used in the workplace, employers should take steps to ensure compliance with the FCRA. Background files—profiles that may include AI-based information on employee performance or risk—are regulated similarly to traditional background checks under the FCRA. Here are three best practices to support compliance:

1. Review supplier relationships and contracts: Confirm that third-party providers of tracking technology and AI assessment tools understand and fulfill their responsibilities under the FCRA. This ensures that the data provided is managed in accordance with FCRA standards, reducing compliance risk.
2. Establish clear consent and disclosure protocols: Employees should give informed consent before records are used in employment decisions. Transparency about how AI tracking data, scores, or ratings may affect hiring or promotions builds trust and supports the ethical use of data.
3. Prepare for worker disputes: Employers and their vendors should implement processes that allow workers to challenge and correct inaccuracies in these reports. This helps ensure that all underlying records used in employment decisions are accurate, reflecting the FCRA’s emphasis on fairness.

The way forward for compliance

With this updated guidance, the CFPB is signaling its intent to hold employers accountable for upholding workers’ rights in a technology-driven era of workplace surveillance. For employers, the cost of non-compliance could extend beyond penalties – it could disrupt workplace morale and expose companies to legal risks. As technology evolves, employers must be prepared to meet the challenges of worker privacy, data accuracy and FCRA compliance.