What CCPA Compliance Means in the Context of Background Checks
As with any forthcoming regulation, the California Consumer Privacy Act brings with it an urgency to act, the need to develop an effective compliance strategy — and a number of lingering questions.
Much like the General Data Privacy Regulation (GDPR) that came into effect for all organizations doing business with customers in the European Union last year, the CCPA is intended to enhance the privacy rights of citizens in California whose data is used across a wide variety of web sites, digital tools, and experiences.
The CCPA, which goes into effect on January 1, 2020, was passed in late 2018 and applies to any business that has more than $25 million in revenue with customers in the state of California. This also includes organizations that buy or sell personal information of 50,000 or more consumers, or derive 50 percent or more of their annual revenue from selling consumers’ personal information.
While the CCPA represents an important piece of legislation — and one that is already provoking considerable discussion about our future in a digital world — it doesn’t exist in isolation from other laws and regulations.
Where The CCPA and The FCRA Intersect
Even early versions of the CCPA recognized the inherent tension between the CCPA and the Fair Credit Reporting Act (FCRA). Since the 1970s, the FCRA has provided important protections to consumers by governing how Credit Reporting Agencies (CRAs) compile background checks and deliver results to the companies requesting them. The California State Legislature recognized the necessity of allowing CRAs to maintain compliance with this federal law and created an exemption for CRAs.
CCPA Compliance and Background Checks in Practice
In addition to the requirements regarding the use and reporting of consumer data, the FCRA imposes very specific procedures on CRAs when it comes to consumers accessing and interacting with their files. Because the FCRA also creates a right of action for consumers where CRAs fail to meet their obligations, CRAs have a practical need to maintain certain information not just to create accurate reports, but also to defend themselves in litigation. This need to preserve certain information means CRAs must create a compliance strategy that meets the requirements of the CCPA while also maintaining full compliance with the FCRA.
Here’s a hypothetical scenario of what that might look like:
An organization wants to hire someone for a particular role. They might work with a CRA to conduct a background check on one of the candidates. To facilitate the screen, the organization would have to collect the candidate’s personally identifiable information (PII), such as their name, Social Security number and driver’s license, among other things, and pass that information to a CRA. In some instances, candidates are able to provide this information directly to the CRA. Along with the candidate’s consent, this identifying information enables the CRA to conduct a search across criminal records databases, motor vehicle databases, and other sources relevant to the position.
At a future date, the candidate who had been under consideration might make a request enabled by the CCPA, such as a request to delete their PII. The candidate is able to make this request to one of our customers or to Checkr directly.
Checkr will receive and process these deletion requests to the extent our obligations under the FCRA allow. This means that we will be able to delete certain pieces of information but must retain other data elements due to our FCRA obligations. CCPA compliance for a CRA will look very different from compliance for an organization that does not have an express carve-out for an existing, extensive body of law (see §1798.145(d)(1)).
The CCPA, like other privacy regulations, is centered around making consumers feel safer and more confident about the way their information is taken care of. Given the unique situation Checkr is in as a CRA, we are taking a very thoughtful approach to CCPA compliance. We recognize the need to maintain our FCRA obligations but also seek to comply with as much of the CCPA as possible by being transparent and providing our candidates control over their data. We are continuously monitoring developments in the law to ensure that candidates and customers alike feel safe and comfortable providing Checkr their data and to be the best business partners we can be.