
Are Background Checks Legal? Laws, Consent, and Compliance Explained

Ruby Park, President
January 20, 2026
Table of contents

  • Is It Legal to Run a Background Check on Someone?
  • The Fair Credit Reporting Act (FCRA)
  • Can Someone Run a Background Check Without Your Permission?
  • State and Local Background Check Laws
  • Permissible Purpose Under the FCRA
  • Industry-Specific Screening Requirements
  • International and Cross-Border Considerations
  • Common Compliance Mistakes and How to Avoid Them
  • Building a Defensible Screening Program

Background checks are legal, but that does not mean they are without legal constraints. Employers running checks on candidates, and individuals or investigators running checks on other people, all operate within a regulatory framework. That framework varies by purpose, jurisdiction, and who the subject is.

Anyone who orders a background check, or is subject to one, should understand the legal rules.

Is It Legal to Run a Background Check on Someone?

The legality of a background check depends on who is running it and why.

Employers running checks on job candidates are subject to the federal Fair Credit Reporting Act (FCRA) and a growing body of state and local employment screening laws. Background checks in this context are legal when conducted with proper disclosure and authorization.

Individuals running checks on other people, whether to research a potential business partner, verify someone they met online, or conduct personal due diligence, may access public records legally. They cannot use deceptive methods, access private records without authorization, or use results for prohibited purposes.

Licensed private investigators conducting background checks operate under state licensing requirements that govern investigative methods. PIs can access records and sources not available to the general public. They remain bound by federal and state law governing privacy and permissible purpose.

Background checks without a permissible purpose, such as curiosity, harassment, or stalking, are illegal. The FCRA strictly limits the purposes for which a consumer report can be obtained.

The Fair Credit Reporting Act (FCRA)

The FCRA is the primary federal law governing employment background checks. Key requirements for employers:

Disclosure. Before conducting a background check for employment purposes, an employer must provide a standalone written disclosure that a consumer report may be obtained. This cannot be buried in an application or combined with other documents.

Authorization. The candidate must provide written authorization before the check is conducted.

Pre-adverse action. If an employer intends to take adverse action based on the results of the background check, such as not hiring, not promoting, or terminating, it must first provide the candidate with a copy of the report and a written summary of FCRA rights. It must also allow a reasonable time to dispute inaccurate information.

Adverse action. After the waiting period, if the employer still intends to proceed with the adverse action, they must provide a final adverse action notice.

Failure to follow these steps creates significant legal exposure. FCRA violations can result in actual damages, statutory damages, punitive damages, and attorney's fees.

Can Someone Run a Background Check Without Your Permission?

For employment purposes, no. The FCRA requires written authorization. Outside employment contexts, the legal picture is more complex.

Public records are accessible to anyone. These include:

  • Court filings
  • Property records
  • Business registrations
  • Court judgments

Searching public records about another person is legal. Using deceptive methods, accessing private accounts, or obtaining records under false pretenses is not.

Private investigators operating under license have access to sources beyond public records. They operate within defined legal boundaries for their state and for the permissible purposes under federal law.

State and Local Background Check Laws

Federal law sets a floor; state and local law often adds to it. Notable examples:

Ban-the-box laws exist in more than 30 states and dozens of municipalities. These laws restrict when in the hiring process criminal history can be considered. They typically prohibit the criminal history question on initial applications and require that it only be addressed after a conditional offer.

California, New York, and Illinois have particularly detailed background check requirements. These include restrictions on the use of conviction history, mandatory individualized assessment procedures, and limits on what types of convictions can be considered for which roles.

EEOC guidance holds that blanket criminal history exclusion policies may violate Title VII if they have a disparate impact on protected classes. Employers should evaluate criminal history in context, not as an automatic disqualifier.

Permissible Purpose Under the FCRA

The concept of "permissible purpose" sits at the center of FCRA compliance and is often misunderstood. A consumer reporting agency may only furnish a consumer report for specifically enumerated reasons. Anyone who requests a report must certify that their use falls within one of those categories. The most common permissible purposes include:

  • Employment screening with the candidate's written authorization
  • Tenant screening by a prospective landlord
  • Credit and insurance underwriting
  • Situations in which the subject has given written consent for a specific transaction

What is not a permissible purpose is equally important. Running a report to investigate a neighbor, research a romantic interest, or gather intelligence on a competitor without a legitimate business need falls outside the statute. Obtaining a consumer report under false pretenses is a federal offense that carries criminal penalties in addition to civil liability. This is one reason that legitimate research into a potential business partner or litigation subject is often better handled through a licensed investigator conducting a due diligence investigation rather than a consumer report vendor. Investigative work relying on public records, court filings, regulatory databases, and direct source development operates outside the FCRA's consumer report framework while still respecting applicable privacy law.

Industry-Specific Screening Requirements

Many industries impose screening obligations that go well beyond general FCRA compliance. Examples include:

  • Financial institutions subject to FDIC Section 19, which prohibits hiring individuals with certain convictions absent regulatory approval.
  • Healthcare employers participating in Medicare and Medicaid, which must screen against the OIG exclusion list and state Medicaid exclusion lists before each hire and on an ongoing basis.
  • Transportation employers regulated by the Department of Transportation, which must meet specific drug and alcohol testing requirements and driver history standards.
  • Defense contractors, which must meet clearance adjudication standards that incorporate deep financial, foreign-contact, and personal conduct review.

Schools and organizations working with minors face their own landscape. Most states require fingerprint-based criminal history checks through state repositories and the FBI. Ongoing rap-back enrollment ensures that any future arrest triggers a notification. When an incident arises that requires looking beyond standard pre-employment screening, specialized work such as out-of-district investigations or civil rights and discrimination investigations becomes necessary. Such investigations produce findings that hold up under scrutiny from regulators, auditors, and counsel.

International and Cross-Border Considerations

A growing share of background investigations involves subjects with histories outside the United States. Foreign records introduce legal and practical complications that domestic checks do not. Data protection regimes impose their own consent, purpose limitation, and data transfer requirements, including:

  • The European Union's GDPR
  • The United Kingdom's Data Protection Act
  • Canada's PIPEDA
  • Brazil's LGPD

A candidate who spent the last five years working in Frankfurt cannot simply be screened the way a domestic candidate can. The process must comply with both U.S. employment law and the local regime where the records reside.

Other jurisdictions restrict which records can even be accessed. Some countries do not make criminal records publicly searchable and instead require the subject to request and deliver their own certificate of good conduct. Others restrict credit information, media archives, or litigation records in ways that change what a background investigator can verify. For clients vetting international executives, joint venture partners, or acquisition targets, a structured corporate due diligence workflow coordinated with local counsel and licensed local investigators is typically the only defensible approach.

Common Compliance Mistakes and How to Avoid Them

The most frequent FCRA violations are not sophisticated; they are procedural. Common errors include:

  • Disclosure forms with extraneous language such as liability waivers or at-will employment statements. These violate the standalone disclosure requirement and have generated substantial class action exposure.
  • Collapsed adverse action processes that combine pre-adverse and final adverse notices into a single step. This eliminates the candidate's right to dispute inaccurate information and exposes the employer to statutory damages.
  • Reliance on instant database searches without verifying hits against the primary source court record. An unverified hit can belong to someone else entirely, a person with a different middle name, date of birth, or jurisdiction.

Another recurring issue is inconsistent application. One applicant may be screened more aggressively than another for a comparable role. Criminal history may be treated as an automatic bar for some candidates but weighed contextually for others. The resulting disparate treatment claims can be difficult to defend. Written screening matrices are the single most effective tool for avoiding these claims. They define which records are considered for which positions, at which stage of the hiring process, and with what individualized assessment process. For internal matters involving senior personnel, such as an allegation against a leader or officer, work handled through an executive misconduct investigation framework preserves both legal defensibility and organizational confidentiality.

Building a Defensible Screening Program

A defensible program starts with a written policy approved by counsel that maps each position category to the scope of screening that position requires. It continues with vendor selection, standalone disclosure and authorization forms reviewed against current case law, a documented adjudication matrix, and a carefully structured adverse action workflow with specified waiting periods. It finishes with periodic audits of the entire chain. The FCRA's statutory damages accrue per violation, and small procedural lapses become large liabilities at scale.

Organizations should also plan for the cases that fall outside routine screening. These often require investigative depth that a consumer report simply cannot provide, such as:

  • Post-hire incidents
  • Whistleblower allegations
  • Suspected credential fraud
  • Integrity concerns raised after acquisition

When those situations arise, Encyphir's licensed investigators conduct background research that is both thorough and legally sound. Our corporate clients rely on us to build FCRA-compliant screening workflows, and our certified fraud examiners add depth when sanctions, fraud history, or financial integrity checks are in scope. Contact us to discuss your specific situation.