Compliance center

FCRA compliance, made practical.

A working guide to the rules that govern consumer reports, adverse action, state requirements, data security, and the forms you'll actually use.

FCRA essentials

Five obligations every employer needs to get right.

Written disclosure
Give applicants a clear, standalone written disclosure that a background check will be performed.
Written authorization
Obtain signed, written authorization before ordering a consumer report.
Permissible purpose
Only order reports for a permissible purpose: employment, credit, tenancy, or another FCRA-qualified reason.
Pre-adverse action
Before denying based on a report, provide the applicant with a copy and a reasonable window (typically 5 business days) to dispute.
Adverse action notice
If proceeding with denial, send a final adverse action notice with the Summary of Rights under the FCRA.
Record retention
Retain authorizations and reports per federal and state schedules. Dispose of consumer info per the FTC Disposal Rule.

Adverse action, step by step

  1. Review the report
    Look at the specific findings, dates, and dispositions. Is the record actually disqualifying for this role?
  2. Individualized assessment
    EEOC guidance: consider nature of offense, time elapsed, nature of the job. Document the reasoning.
  3. Pre-adverse action notice
    Send notice + copy of report + Summary of Rights. Wait the required period (varies by state).
  4. Handle disputes
    If the applicant disputes, we note the dispute, notify the source or furnisher within five business days when required, reinvestigate at no cost, and issue written results within the FCRA timeframe.
  5. Adverse action notice
    If still denying, send final notice with contact info for the consumer reporting agency.
  6. Retain records
    Keep the file per retention schedule.

State-specific requirements

Rules that add to (not replace) the federal baseline. This list is representative; always confirm the current rule in your state.

California (ICRAA & CCRAA)
Applicant copy on request; pre-notice of investigative consumer report; ban-the-box through state Fair Chance Act.
New York
Article 23-A individualized assessment required before denial based on criminal record.
Illinois
Employee Credit Privacy Act restricts credit-based decisions except for specified roles.
Massachusetts
CORI access tightly regulated; employer certification required for criminal record requests.
Colorado
Job Application Fairness Act: age-identifying info on initial application is restricted.
Washington / Oregon / Maryland
Salary history and/or credit inquiry restrictions for most roles.

Data security & privacy

ISO 27001-aligned controls

Information security controls mapped to ISO 27001 and reviewed on a regular schedule.

Encryption in transit & at rest

TLS 1.2+ for all connections. AES-256 for stored reports and PII.

Role-based access

Least-privilege access model. Every record access is logged and audited.

Powered with Digital Delve

Downloadable forms

Need help on a specific rule?

Our compliance team will walk through it with you.
