FCRA Compliance
Tool for AI Hiring
The Eightfold AI lawsuit (January 2026) exposed a compliance gap most employers don't know exists: AI screening tools that use third-party data are consumer reporting agencies under FCRA — and trigger adverse action notice requirements.
EmployArmor checks every AI tool in your stack for FCRA applicability, generates compliant adverse action notices, manages candidate consent, and tracks disputes — so one lawsuit doesn't become your lawsuit.
What FCRA Requires for AI Hiring
The Fair Credit Reporting Act creates four obligations for employers using AI tools that incorporate or generate consumer report data about applicants.
When FCRA Applies to AI Tools
FCRA applies when an AI hiring tool uses or incorporates consumer report data from a third-party provider — including credit histories, public records, criminal background data, or social media data sourced from a consumer reporting agency.
Adverse Action Notice Requirements
Before taking an adverse action based on an AI-generated score that incorporates consumer report data, employers must provide a pre-adverse action notice, wait a reasonable period (typically 5 days), then send a final adverse action notice with the CRA name and dispute rights.
Consumer Disclosure Obligations
Employers must disclose to candidates: the fact that a consumer report was used, the name and contact information of the consumer reporting agency, and a summary of the candidate's rights under FCRA — including the right to request a free copy of their report.
Candidate Dispute Rights
Candidates have the right to dispute inaccurate information in their consumer report. Employers must pause the adverse action process during an active dispute and review any dispute findings before proceeding with the hiring decision.
Stop the Eightfold problem before it becomes your problem
Most employers don't audit their AI tools for FCRA triggers. EmployArmor does it automatically — and generates the notices, consent workflows, and dispute tracking you need to stay clean.
- Adverse action notice generator — pre-adverse and final notices
- FCRA applicability checker for every AI tool in your stack
- Consent workflow capturing CRA authorization before screening
- Dispute tracking — pause adverse action during active disputes
- Eightfold AI and similar tool risk assessment
- Audit log of all disclosures, notices, and dispute resolutions
FCRA Applies Nationwide — California Goes Further
FCRA is a federal law with no employee threshold — it applies to every employer. California's ICRAA adds stricter consent and disclosure requirements on top.
| Jurisdiction | Requirement | Risk |
|---|---|---|
| Federal — All Employers | Applies whenever AI uses consumer report data | High |
| California | Stricter consent and disclosure requirements | High |
| All States | Federal floor applies; state laws may add requirements | Medium |
Updated March 2026. EmployArmor monitors FCRA enforcement actions and FTC guidance updates.
Why the Eightfold AI Lawsuit Changed FCRA Compliance
View AI hiring lawsuits tracker →Most employers think FCRA (15 U.S.C. § 1681 et seq.) only applies to traditional background check providers. The Kistler v. Eightfold AI case (January 2026) changed that understanding. The lawsuit alleged that Eightfold's AI talent platform — used by major employers to screen and rank candidates — constituted a consumer reporting agency because it generated scores using data about individuals. Under 15 U.S.C. § 1681b, any AI system doing this may require written candidate authorization before use.
This means employers using Eightfold and similar AI tools may have been required to send adverse action notices under 15 U.S.C. § 1681m, obtain written FCRA authorization, and provide dispute rights — without knowing it. The exposure is retroactive. The CFPB and FTC have both signaled increased scrutiny of AI scoring systems under FCRA. See the full landscape.
EmployArmor's FCRA compliance tool checks every AI tool you use for FCRA applicability and generates the disclosure and notice workflows automatically. Combined with your AI hiring compliance checklist, it closes the gap before a plaintiff's attorney finds it.
Frequently Asked Questions: FCRA Compliance and AI Hiring
Does FCRA apply to AI hiring tools?
Yes, when an AI hiring tool uses or generates consumer report data. Under 15 U.S.C. § 1681 et seq., if your AI tool incorporates third-party data about candidates — credit histories, criminal records, social media profiles — it may qualify as a consumer reporting agency, triggering full FCRA compliance including adverse action notices and candidate dispute rights.
What adverse action notices are required under FCRA?
Under 15 U.S.C. § 1681m, you must send a pre-adverse action notice with a copy of the consumer report and summary of rights, wait a reasonable period (typically 5 business days), then send a final adverse action notice including the CRA name and candidate dispute rights. Both steps are required — skipping either is a violation.
What are permissible purposes under FCRA?
Under 15 U.S.C. § 1681b, employers may obtain consumer reports for employment purposes only with the candidate's written consent, using a standalone FCRA disclosure form — not buried in an employment application. Using consumer report data without proper authorization is itself a violation.
Who enforces FCRA for AI hiring?
The FTC and CFPB have primary federal enforcement authority. The CFPB has specifically addressed AI scoring systems in supervisory guidance. State AGs can also enforce FCRA, and candidates have private right of action — including class actions — under 15 U.S.C. § 1681n for willful violations.
What are FCRA penalties for violations?
Statutory damages range from $100 to $1,000 per willful violation, plus actual damages, punitive damages, and attorney fees. In class actions like Kistler v. Eightfold AI, the aggregate exposure across thousands of screened candidates can reach tens of millions of dollars.
Close Your FCRA Gap Before You're Served
The Eightfold lawsuit is just the first. Audit your AI tools for FCRA triggers and build the notice workflows now.