OSINT in pre-employment screening: staying FCRA-compliant
When you use OSINT findings in a hiring decision, FCRA's permissible-purpose rules apply. Here's the short version of what that actually requires.
If you use OSINT findings to make an employment decision in the United States — hire, fire, promote, deny — the Fair Credit Reporting Act applies. Not just to traditional background-check vendors. To you.
This trips up a lot of small employers and PI shops moving into the screening space. They assume FCRA is something only the CRA worries about. It isn't. The user of the report (you, the employer) carries permissible-purpose obligations of its own.
The four things FCRA actually requires
**Disclosure and consent.** You have to give the candidate a clear standalone notice that you're going to obtain a "consumer report" (which OSINT findings count as when used for employment purposes), and get their written consent. This must be a separate document — burying it in the offer letter is a §1681b violation that the FTC has fined hundreds of employers for.
**Pre-adverse action notice.** Before you decline a candidate based on something you found, you have to send them a copy of the report, a copy of the FCRA Summary of Rights, and give them a reasonable window (5 business days is the safe norm) to dispute the finding. This catches identity-mismatch errors — common in OSINT, where two people share a name.
**Adverse action notice.** After you make the final decision, send a second notice with the CRA's contact info and the specific reason. Keep records.
**Re-screening rules.** If you re-screen an existing employee with OSINT, you generally need fresh consent. The original onboarding consent doesn't cover ongoing surveillance.
What Tracelight does about this
We bake consent capture into the product. You can't generate a report flagged for FCRA use until consent is recorded against the subject — with a timestamp and an evidence link to wherever the consent was captured (signed PDF, recorded phone call, e-sign acknowledgment). The platform forces the order of operations that compliance requires.
The audit log records every viewer of a report and every download. If a candidate disputes the adverse action, you can produce the exact record they were judged on, who saw it, and when.
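The order-of-operations gate and the access log described above, as an added illustration (this is not Tracelight's code; the class, method and purpose names are hypothetical, and the sample findings and consent URI are constructed). An FCRA-flagged report cannot be generated until a consent record with a timestamp and evidence link exists for the subject, consent is keyed by purpose so onboarding consent does not carry over to a re-screen, and every generate, view and download is recorded so the exact record a candidate was judged on can be produced with who saw it and when:

```python
# Added illustration, not Tracelight's code: a minimal consent-gated report
# store with an access audit trail. Names and sample values are hypothetical.
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str          # e.g. "initial_screen" or "rescreen_2025" (hypothetical labels)
    captured_at: datetime
    evidence_uri: str     # where consent was captured: signed PDF, call recording, e-sign receipt


@dataclass(frozen=True)
class AuditEvent:
    at: datetime
    actor: str
    action: str           # "generated" | "viewed" | "downloaded"
    report_id: str


class ConsentGatedReports:
    """Refuses to build an FCRA-flagged report without consent on file and logs every access."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._consents: Dict[Tuple[str, str], ConsentRecord] = {}
        self._reports: Dict[str, dict] = {}
        self._audit: List[AuditEvent] = []

    def record_consent(self, subject_id: str, purpose: str, evidence_uri: str) -> ConsentRecord:
        # Consent is only accepted with a pointer to the captured evidence.
        if not evidence_uri:
            raise ValueError("consent must reference captured evidence")
        rec = ConsentRecord(subject_id, purpose, self._clock(), evidence_uri)
        self._consents[(subject_id, purpose)] = rec
        return rec

    def generate_fcra_report(self, actor: str, subject_id: str, purpose: str, findings: dict) -> str:
        # The gate: consent is keyed by (subject, purpose), so a re-screen needs
        # fresh consent rather than reusing the onboarding record.
        consent = self._consents.get((subject_id, purpose))
        if consent is None:
            raise PermissionError(f"no consent on file for {subject_id!r} / {purpose!r}")
        report_id = f"rpt-{len(self._reports) + 1}"
        self._reports[report_id] = {
            "subject_id": subject_id,
            "purpose": purpose,
            "consent_at": consent.captured_at,
            "consent_evidence": consent.evidence_uri,
            "findings": dict(findings),
        }
        self._log(actor, "generated", report_id)
        return report_id

    def view(self, actor: str, report_id: str) -> dict:
        self._log(actor, "viewed", report_id)
        return dict(self._reports[report_id])

    def download(self, actor: str, report_id: str) -> bytes:
        self._log(actor, "downloaded", report_id)
        return json.dumps(self._reports[report_id], default=str, sort_keys=True).encode()

    def access_history(self, report_id: str) -> List[AuditEvent]:
        # What you hand over on a dispute: every actor and action against this report.
        return [e for e in self._audit if e.report_id == report_id]

    def _log(self, actor: str, action: str, report_id: str) -> None:
        self._audit.append(AuditEvent(self._clock(), actor, action, report_id))


if __name__ == "__main__":
    svc = ConsentGatedReports()
    sample = {"source": "constructed sample", "note": "name match only, identity unverified"}
    svc.record_consent("cand-42", "initial_screen", "file:///consent/cand-42-signed.pdf")
    rid = svc.generate_fcra_report("analyst-1", "cand-42", "initial_screen", sample)
    svc.view("hr-reviewer", rid)
    for ev in svc.access_history(rid):
        print(ev.at.isoformat(), ev.actor, ev.action, ev.report_id)
```

The point of keying consent on purpose rather than on the subject alone is the re-screening rule: an attempt to generate a `rescreen_2025` report for a subject who only consented to `initial_screen` is refused, which is the behaviour the text calls for.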
What we don't do
We are not a Consumer Reporting Agency. We are a tool. Your organization (or your CRA partner) is the reporter, and you carry the FCRA obligations. Tracelight makes compliance easier; it does not make you compliant on its own.
Practical takeaway
If you're a small PI shop expanding into employment screening, get a 30-minute consult with an FCRA-aware attorney before you take on the first paying client. The procedural rules look bureaucratic but they're cheap insurance: the statutory damages for noncompliance are $1,000 per applicant, and class actions are common.
