Navigating U.S. Privacy Law and Background Screening

August 23, 2022 | Jenni Gray

For Consumer Reporting Agencies (CRAs), there’s a large framework of laws guiding the work of background screening companies. These include federal law such as the Fair Credit Reporting Act (FCRA), international legislation such as the General Data Protection Regulation (GDPR), and a patchwork of state and local laws like Ban the Box and other privacy acts.


Protecting consumers’ privacy

The Fair Credit Reporting Act (FCRA) is a federal law that was enacted in 1970. It helps protect the accuracy, fairness, and privacy of information collected by CRAs, and allows consumers to correct potential inaccuracies in reports. But the FCRA doesn’t only apply to credit reporting agencies! Since 1996, it applies to all CRAs, or any company that collects and/or refurbishes consumer data for a number of purposes, including employment, tenant screening, financial (such as loans and insurance), and more. This also includes employers that use consumer reports to make hiring decisions.


What about state privacy acts?

There are quite a few states that have already passed their own privacy acts, or are working to pass privacy acts. There are common themes through all five of them, including laying out rights for consumers, such as accessing or deleting information about them. Consumers may also opt-out of the sale of their data. They also outline obligations for entities who store or collect data, including the requirement to post privacy policies. 

The five states that have already passed privacy acts are:

      • California
      • Colorado
      • Connecticut
      • Utah
      • Virginia


While California’s first privacy law is already in effect, the remaining four states’ laws all go into effect next year.


California has two different privacy acts: the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

The CCPA was passed June 2018 and went into effect January 2020.

The CPRA was a ballot initiative which was passed to amend the CCPA. It passed November 2020 and goes into effect January 2023.


The Colorado Privacy Act (CPA) was passed July 2021 and goes into effect July 2023.


The Connecticut Data Privacy Act (CTDPA) was passed May 2022 and goes into effect July 2023.


The Utah Consumer Privacy Act (UCPA) was passed March 2022 and goes into effect December 2023.


The Virginia Consumer Data Privacy Act (VCDPA) was passed March 2021 and goes into effect January 2023.


What’s next?

With the recent passage of these five states’ own privacy acts, be on the lookout for more in the next few years. Four states still have privacy acts in committee this legislative session, while 23 more states have introduced privacy acts that are now inactive, but will likely pick back up in coming years. 

And, U.S. legislators have been working on the comprehensive American Data Privacy and Protection Act (ADPPA), which may wind up preempting these state laws altogether. 

Be sure to review with your legal team the privacy laws in states and countries in which your organization operates or hires, to see if or how your hiring processes may be impacted.

Supported By WordPress Database Support Services

Subscribe to the Cisive Newsletter