Should a prospective employer be able to “friend” you or even be able to demand your own Facebook password to vet you? When, if ever, should colleges, employers and lenders be able to look at your Facebook or other social network pages and posts to see if your friends or activities make you a better bet to enroll, hire or grant a loan to than someone else? Do you have loser friends or odd musical tastes? Does a measurement of your friends make a better credit score than a measurement of your bill-paying habits? What rights should you have to protect your social media privacy?
These are not random or hypothetical questions. The availability of “Big Data” has created a new front in the war on privacy. The glut of social media data is being mined for decision-making. Policymakers are taking notice.
Recently, California’s governor signed CALPIRG-backed laws preventing employers and colleges from demanding your social media passwords (ABC news story) as part of background checks. Meanwhile, the U.S. Federal Trade Commission has been vigilant against a growing number of companies scouring the Internet for public records, social media posts and other bits to create databases for sale to employers, colleges and creditors. Senators have raised questions.
In many cases, these activities run afoul of the Fair Credit Reporting Act (FCRA), which regulates the activities of credit bureaus and the firms that buy their credit reports and credit scores. The 1970 law protects consumers when information pertaining not only to their “creditworthiness” but, importantly, also to their “character, general reputation, personal characteristics, or mode of living” is bought and sold by third-parties.
One of the biggest problems for job applicants, so far, has been with firms that sell information, often derived from criminal or other public records, to employers for so-called “background checks.” The line between a “legal” background check and the illegal use of a credit report for employment purposes is being ignored by many firms, despite clear signals from the FTC that such activities will not be tolerated. The FTC is stepping up enforcement against background check companies that ignore the law’s clear accuracy, dispute and disclosure requirements, as in its 2012 action against HireRight. Today’s New York Times story “Retailers Track Employee Thefts in Vast Databases” by Stephanie Clifford and Jessica Silver-Greenberg explains how your inclusion in a fraud database, often containing only “scant” information, may prevent you from getting a retail job. “Broken Records,” a report by colleagues at the National Consumer Law Center, explores background check issues further. Just today, the FTC “warned” 6 data brokers that providing landlords information about prospective tenants may make them credit bureaus.
Importantly, however, the FTC has also served notice that any background check firms that think the sale of social media data is not covered by the law better think again. In 2011, it sent a message when it informed one firm, Social Intelligence Corp., that its sale of social networking data for employment purposes was subject to the FCRA. Then, in 2012, it stepped up enforcement, with an $800,000 fine against Spokeo in its “first Commission case to address the sale of Internet and social media data in the employment screening context.”
In her story “Bad Credit? Start Tweeting” in today’s Wall Street Journal, Evelyn Rusli reports on the newer practice of firms using social media data for credit decision-making.
“The FICO score is drawn from credit reports such as payment history, amounts owed and how long a person has successfully used credit. Lenddo and other sites like it are analyzing data from social networks and other factors to reach people who have a hard time getting loans. […] [The company Neo] doesn’t use the FICO score in its risk calculation. Instead, the company spends more time parsing through a person’s LinkedIn profile to determine how long users have held jobs, the number and quality of connections in their industry and geography and the seniority of their connections. [The company Affirm starts with your Gmail account and] draws on information from more than 100 databases and social networks, looking at an array of variables such as users’ locations and the number of personal connections.”
Whether these claims of greater predictive accuracy are true is a question for the market. Consumers, however, have rights, because when credit reports are sold for “credit, insurance, or employment” purposes, the FCRA’s protections are triggered.
But there are other gray areas where consumers may not have rights. Here are two.
The first is when a firm doesn’t become a credit bureau by selling the data, but intends to use it for its own purposes. That’s covered by the new California laws on protecting social media posts and passwords. The California laws explicitly prohibit asking for the information. Of course, we need to guard against weaker versions of those laws becoming empty rights. If, for example, an employer could ask for the information after consent, what applicant in a bad job market would say no?
The second gray area is that if information is collected and sold, but not for the specific FCRA-protected “credit, insurance, or employment” purposes, but other purposes, consumers may not be protected. On the Internet, as Natasha Singer of the New York Times reported last summer, social networking data, cookies and other crumbs are being vacuumed up and used to create “Secret E-scores.” I discuss the question of how to protect consumers in this new Internet data collection ecosystem in a forthcoming Suffolk University Law Review article (co-written with my colleague Jeff Chester of the Center for Digital Democracy). A draft of “Selling Consumers, Not Lists: The New World of Digital Decision-Making and the Role of the Fair Credit Reporting Act” is available at SSRN. The article explains how the use of E-scores has a direct bearing on financial and employment opportunities, but consumers may not always be protected.
Senior Director, Federal Consumer Program, PIRG
Ed oversees U.S. PIRG’s federal consumer program, helping to lead national efforts to improve consumer credit reporting laws, identity theft protections, product safety regulations and more. Ed is co-founder and continuing leader of the coalition, Americans For Financial Reform, which fought for the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, including as its centerpiece the Consumer Financial Protection Bureau. He was awarded the Consumer Federation of America's Esther Peterson Consumer Service Award in 2006, Privacy International's Brandeis Award in 2003, and numerous annual "Top Lobbyist" awards from The Hill and other outlets. Ed lives in Virginia, and on weekends he enjoys biking with friends on the many local bicycle trails.