When AI Meets the FCRA: What the Eightfold Class Action Means for Employers and HR Technology Providers

By Odia Kagan on April 22, 2026

An estimated 87% of companies are now using AI-driven tools in their recruitment processes, and that figure has nearly doubled in just two years. AI-powered platforms can ingest millions of candidate profiles, enrich them with publicly available data, and deliver algorithmically ranked shortlists to employers far faster than a human recruiter. But with that capability comes significant legal risk.

In Kistler v. Eightfold AI Inc., two job applicants filed a class action lawsuit alleging that Eightfold AI, a company that uses a proprietary large language model to score and rank job candidates for employers, is operating as an unregistered consumer reporting agency in violation of the Fair Credit Reporting Act (FCRA) and California’s Investigative Consumer Reporting Agencies Act (ICRAA). The complaint also asserts a California consumer protection claim for unfair and deceptive conduct.  The complaint seeks national, class-wide relief, statutory damages, and punitive damages.

The case should be of immediate interest to employers that use or are considering AI-driven hiring tools, and to technology companies and service providers that develop or resell them. Below, we unpack the legal framework, explain plaintiffs’ theory, and offer some practical guidance for both groups.

The FCRA’s Three Threshold Questions

The FCRA applies when three conditions are met: (1) the entity furnishing the information qualifies as a “consumer reporting agency” (CRA); (2) the information it furnishes constitutes a “consumer report”; and (3) the report is used for an “employment purpose.” If all three are satisfied, a comprehensive set of obligations is triggered, for both the CRA and the employer.

Can an AI Platform be a Consumer Reporting Agency?

Under 15 U.S.C. § 1681a(f), a CRA is any person that, for monetary fees, regularly assembles or evaluates consumer information for the purpose of furnishing consumer reports to third parties. The Kistler plaintiffs allege this definition is met because Eightfold contracts with employers for compensation, assembles candidate data from multiple sources (applicant submissions, employer HR systems, and third-party public sources), evaluates that data using its proprietary AI, and furnishes the resulting reports to employer-clients.

The CRA definition is not limited to traditional credit bureaus. Any entity that assembles or evaluates consumer information from external sources and furnishes it to third parties for a statutory purpose can be deemed a CRA. In 2024, the Consumer Financial Protection Bureau (CFPB) issued guidance specifically addressing this point, noting that an entity can “assemble” or “evaluate” consumer information within the meaning of the statute “if the entity collects consumer data in order to train an algorithm that produces scores or other assessments about workers for employers.” Although the current CFPB leadership has rescinded that guidance, the underlying statutory provisions remain unchanged, and the Kistler lawsuit demonstrates that private plaintiffs are actively pursuing claims on this theory.

Could a Tech Platform’s Output be a Consumer Report?

A “consumer report” under 15 U.S.C. § 1681a(d)(1) is any communication of information bearing on a consumer’s “credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living” that is used, or expected to be used, as a factor in establishing the consumer’s eligibility for employment. The Kistler complaint alleges that the output from Eightfold’s platform satisfies this definition because it goes far beyond raw resume data. Indeed, the complaint asserts that Eightfold’s platform incorporates AI-generated inferences about candidates’ “preferences, characteristics, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” and distills them into a “Match Score” that ranks candidates from 0 to 5 by “likelihood of success.” The scoring incorporates evaluations of skill overlap, title progression, seniority fit, “hireability,” culture and company similarity, and comparisons to hiring managers and high-performing employees.

The key takeaway is that the more an AI tool moves beyond organizing factual data (such as employment dates and job titles) and into generating subjective assessments, inferences, or scores about a candidate’s qualities, the stronger the argument that its output constitutes a consumer report under the FCRA.

Is the Report Used for Employment Purposes?

Under 15 U.S.C. § 1681a(h), “employment purposes” means use for evaluating a consumer for employment, promotion, reassignment, or retention. In Kistler, both named plaintiffs allege that they applied for positions, were scored by Eightfold’s platform, and were rejected without interviews, with the AI-generated reports serving as the basis for the adverse employment decisions.

What the FCRA Requires Once It Applies

If all three elements necessary to invoke the FCRA are met, the statute imposes a series of interlocking obligations on both the CRA and the employer.

The CRA must obtain a certification from the employer before furnishing a consumer report for employment purposes, confirming that the employer has complied and will comply with its own statutory obligations. This includes providing standalone disclosure to the candidate, obtaining the candidate’s written authorization, and following required adverse action procedures.

The employer must provide a clear and conspicuous standalone written disclosure to the candidate that a consumer report may be obtained for employment purposes and obtain the candidate’s written authorization before the report is procured. If the employer takes adverse action based on the report (such as declining to hire), it must provide the candidate with a copy of the report and a summary of rights before the adverse action, and a second notice after.

The Kistler complaint alleges that none of these steps occurred.

California’s ICRAA: A Broader and More Punitive Framework

Employers and service providers operating in or touching California face an additional layer of regulation under the Investigative Consumer Reporting Agencies Act (Cal. Civ. Code § 1786 et seq.). The ICRAA is California’s state-law counterpart to the FCRA, and it is broader and more protective.

The “Through Any Means” Standard

Under the FCRA, an “investigative consumer report” is defined more narrowly. It applies only when information about a consumer’s character, reputation, personal characteristics, or mode of living is obtained through personal interviews with people who know the consumer. AI-driven data assembly does not typically trigger this designation under federal law. Under the ICRAA, however, the same category of information triggers “investigative consumer report” treatment regardless of how the information is obtained (“through any means”), making AI-assembled profiles far more likely to qualify.

Significantly Higher Damages

The ICRAA provides for the greater of actual damages or $10,000 per violation, compared to the FCRA where damages are $100 to $1,000 per violation.  In a class action, that differential can be enormous.

Practical Takeaways

For Employers

If you use or are considering using an AI-powered hiring tool that ingests candidate data from external sources, enriches it, and provides scored or ranked candidate assessments, you should evaluate whether that tool’s provider may be functioning as a CRA under the FCRA and, if you have any nexus to California, under the ICRAA. If the answer could be “yes,” consider whether any factual distinctions or changes to your hiring process would alter that conclusion.  If these laws apply, ensure that your processes include standalone disclosure to candidates, written authorization before reports are procured (or in California, prior written consent), and full compliance with adverse action procedures, including pre-adverse-action notice with a copy of the report and a summary of consumer rights.

You should also require contractual representations from the technology provider that it will comply with its CRA obligations, including obtaining your certification before furnishing reports and providing you with summaries of consumer rights to deliver to candidates.

For Technology and Service Providers

If you assemble candidate data from external sources, apply AI or algorithmic analysis, and furnish the results to employers for use in hiring decisions, you should evaluate whether you are operating as a CRA.

If there is a reasonable argument that the FCRA applies, you need to ensure that you obtain employer certifications before furnishing reports, provide summaries of consumer rights, and structure your processes to support the employer’s disclosure, authorization, and adverse action obligations. You should also evaluate whether your business model could be structured to fall within a legal carve-out, including by acting as the agent of the employer.

For providers with any California exposure, the ICRAA’s “through any means” standard and $10,000 per-violation damages make compliance particularly urgent. The combination of broad statutory definitions, high statutory damages, and an active plaintiffs’ bar means that the cost of noncompliance can quickly become existential should a class action be filed.

The Kistler lawsuit signals that plaintiffs’ counsel are scrutinizing the interplay between AI platforms and the FCRA. Employers and service providers that evaluate their obligations and implement compliant processes now will be far better positioned to meet this emerging risk.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Privacy Compliance & Data Security
  • Organization:
    Fox Rothschild LLP