New Privacy Laws for Collection and Use of Personal Data of Consumers Focus on Background Checks

In an effort to create stronger privacy protections for consumers, several states in 2012 either passed laws regarding the collection and use of Personally Identifiable Information (PII) of applicants and employees by employers during background checks or saw important privacy regulations passed in previous years take effect. In addition, the Federal Trade Commission (FTC) is requiring nine data broker companies that collect and sell personal information of consumers to reveal their privacy practices or lack thereof. The increase in regulations providing greater privacy protections for data collected during background checks is Trend Number 4 of the 6th Annual ‘ESR Top Ten Background Check Trends for 2013’ available at

Three states – Maryland, Illinois, and California – passed laws in 2012 prohibiting employers from asking for social media usernames and passwords of applicants and current employees for background checks:

Responding to an increase in reports of employers seeking to gain “inappropriate access” to social network profiles of job applicants, online social media giant Facebook issued a warning to employers in a blog posted on the company website in March 2012 titled ‘Protecting Your Passwords and Your Privacy.’ In the blog, Facebook’s Chief Privacy Officer said that the practice of asking job applicants for their social media passwords “undermines the privacy expectations and the security of both the user and the user’s friends” and could potentially expose businesses to “unanticipated legal liability” and that Facebook would “take action to protect the privacy and security” of users and consider “initiating legal action” where appropriate. The blog is available at:

In Massachusetts, a “third party provision” of the Massachusetts Data Privacy Protection Law took effect March 1, 2012. Massachusetts passed strict data privacy and security regulations, Massachusetts law 201 CMR 17.00, that went into effect March 1, 2010 to protect the personal information of Massachusetts residents by requiring businesses to have a multitude of safeguards including a comprehensive Written Information Security Policy (WISP). Effective March 1, 2012, any company, in any location, that holds personal information of Massachusetts residents must amend existing third party vendor contracts to require compliance with Massachusetts data security regulations. The law is available at:

Utah began this trend when it passed tough privacy laws for Personally Identifiable Information (PII), called ‘The Employment Selection Procedures Act,’ that took effect May 12, 2009. The law prohibited an employer with more than 15 employees from collecting an applicant’s social security number, date of birth or driver’s license number before a job offer or before the time when a background check is requested. In addition, if the person is not hired, the employer will not keep the information beyond two years. The employer also may not use the information for any other purposes and must maintain a “specific policy regarding the retention, disposition, access, and confidentiality of the information.” An applicant has the right to view the policy. See:

Along with states, the federal government is also interested in the privacy practices for background checks. In March 2012, the FTC – the agency that works for consumers to prevent fraudulent, deceptive, and unfair business practices – issued a report ‘Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers’ that called on the data broker industry to set forth a voluntary framework of best practices based on privacy, consumer control, and increased transparency for the collection and use of consumer data. There are no current laws requiring data brokers to maintain the privacy of consumer data unless used for credit, employment, or other similar purposes. The report is available at

In June 2012, the FTC took action against a data broker that compiled and sold detailed information profiles on millions of consumers. The action resulted in a settlement that included $800,000 in civil penalties for alleged violations of the federal Fair Credit Reporting Act (FCRA), a law passed by Congress to ensure the accuracy and privacy of information in the files of Consumer Reporting Agencies (CRAs) and to regulate the use and dissemination of consumer reports. The FTC alleged that the data broker operated as a CRA and failed to take reasonable steps to ensure that the reports sold would be used only for purposes allowed by law, ensure the reports were accurate, and inform report users of their obligations under the FCRA. For more information, visit

More recently, in December 2012, the FTC issued nine orders to nine data broker companies, requesting information to analyze the industry’s privacy practices. The FTC will use the responses received from data brokers to prepare a study and to make recommendations on whether, and how, the data broker industry can improve privacy practices. Specifically, the FTC is seeking details regarding the nature and sources of the consumer information the data brokers collect, how they use the information, and how data brokers allow consumers to access and correct their information or to opt out of having their information sold. Read the FTC news release at The text of the FTC Order is at

On a more local scale, even some counties had privacy concerns in 2012. After the closure of a public access computer that had allowed searches of criminal records led to criticism that public information was less accessible, officials at San Luis Obispo (CA) Superior Court cited “privacy concerns over outdated criminal and victim information” that was “exposed to background checking contractors” as a reason why the Court removed the public computer. The Court Executive Officer, citing the California Rules of Court, was concerned with how case information in the Court’s database was used by those seeking to sell the data. See:

For more information about Employment Screening Resources (ESR) – ‘The Background Check Authority’ and nationwide screening company accredited by The National Association of Professional Background Screeners (NAPBS®) – visit or call Toll Free 888.999.4474. The 6th Annual ‘ESR Top Ten Background Check Trends for 2013’ is at

More information about these trends is available in the updated 2nd Edition of “The Safe Hiring Manual” by ESR Founder and CEO Attorney Lester Rosen. For more information, visit


About Employment Screening Resources (ESR):

Founded by safe hiring expert Attorney Les Rosen in 1997, Employment Screening Resources (ESR) – ‘The Background Check Authority℠’ – provides accurate and actionable information that empowers employers to make informed hiring decisions for the benefit of their organizations, employees, and the public. CEO Rosen literally wrote the book on background checks with “The Safe Hiring Manual” and ESR is accredited by The National Association of Professional Background Screeners (NAPBS), a distinction held by a small percent of screening firms. Employers choosing ESR know they have selected an agency meeting the highest industry standards. To learn more about ESR, visit or call toll free 888.999.4474.

About ESR News:

The Employment Screening Resources (ESR) News blog – ESR News – provides employment screening information for employers, recruiters, and jobseekers on a variety of topics including credit reports, criminal records, data privacy, discrimination, E-Verify, jobs reports, legal updates, negligent hiring, workplace violence, and use of search engines and social network sites for background checks. For more information about ESR News or to send comments or questions, please email ESR News Editor Thomas Ahearn at To subscribe to the ESR News Blog Feed, visit To subscribe to the complimentary ESRcheck Report monthly newsletter, please visit