FCRA compliance violations have been the subject of frivolous lawsuits brought against employers. A recent Virginia Federal Court found that a plaintiff lacked standing to sue a company for obtaining his consumer report without a permissible purpose (Dilday v. DIRECTV).
At the heart of this case, the plaintiff claimed that DIRECTV obtained his consumer report from Equifax, but that he never had an account with DIRECTV. Contending that Equifax didn’t have a lawful or reasonable basis to believe that DIRECTV had a purpose to obtain and use his consumer report, he is entitled to damages. However, the plaintiff failed to plead exactly what those damages were.
Let’s back up just a bit. You may recall the Spokeo, Inc. v. Robins case that involved whether a person can bring a lawsuit when a company violates a federal privacy law. To do this, a plaintiff must have “standing” to sue. Spokeo argued that the case should be dismissed because the plaintiff didn’t prove “a concrete injury” (i.e. real and not abstract) due to a violation of the FCRA involving the publication of the plaintiff’s inaccurate personal information. The U.S. Court disagreed and denied Spokeo’s motion to dismiss, and Thomas Robins prevailed, suing Spokeo for willful violations of FCRA charging that the inaccurate information harmed his employment prospects. Because data brokers sell tremendous amounts of sensitive consumer data, often without verifying its accuracy or completeness, inaccurate data can have dramatically negative effects on individual consumers. The Court maintained the ability of consumers to use privacy and consumer protection laws to hold data collectors accountable for misuse of personal data. With the growing problem of data breaches and identify theft in the U.S., federal privacy laws are more critical than ever.
The notion that the FCRA creates a broad right to privacy and that FCRA violations cause “privacy issues” was rejected in Dilday. The judge noted “[w]hen a plaintiff alleges a statutory violation, he usually must plead an additional injury in order to satisfy the concreteness requirement” discussed in the Spokeo case. He further explained that while sometimes a violation of a statutory right is itself a concrete injury, the situation was a narrow exception where Congress codified a cause of action with intangible harms where recovery was permitted at common law.
The court went on to say that the right to privacy protected at common law was a narrow right applied only when highly offensive information became a matter of widespread, public knowledge. However, providing a consumer report to a user does not fall within that category. The Plaintiff could have only proceeded if the statutory violations were sufficient to constitute a concrete injury. However, the allegations did not themselves constitute an injury-in-fact in this case.
Hire Image is hopeful that more opinions such as this in favor of employers are to come. However, it does not mean that employers can now simply ignore FCRA compliance. Perhaps frivolous lawsuits and intense scrutiny on conducting background checks may subside but, until then, following the rules is critical. For more information on FCRA compliance click here.