FCRA Compliance Guidelines 2026: Essential Requirements for Employers

Understanding FCRA: Foundation for Employment Background Checks

The Fair Credit Reporting Act is a federal law enacted in 1970 to promote accuracy, fairness, and privacy of information in consumer reporting agency files. When employers use third-party services to obtain background checks—called consumer reports under the FCRA—they become users of consumer reports. As a result, they must follow specific legal requirements throughout the entire hiring process.

A consumer report includes information bearing on a person's character, general reputation, personal characteristics, and mode of living obtained from a consumer reporting agency (CRA). This encompasses criminal records, credit history, employment verification, education confirmation, and driving records when compiled by a third-party screening company for employment purposes. The FCRA establishes a framework that balances employers' legitimate need to make informed hiring decisions with applicants' rights to privacy, accuracy, and fair treatment.

What Triggers FCRA Compliance

Understanding this framework is essential because violations can occur at multiple stages—from initial authorization through final hiring decisions. Each violation may constitute a separate legal claim. Moreover, the definition of what constitutes a consumer report continues to evolve with technology and regulatory interpretation.

The law applies when you use a third-party service to compile background information. Direct employer research—such as calling references yourself or checking public records without a CRA—typically falls outside FCRA requirements. However, the moment you engage a consumer reporting agency, you trigger all FCRA obligations.

Current Enforcement Landscape

The Consumer Financial Protection Bureau has maintained consistent scrutiny of FCRA compliance in employment contexts. Regulatory guidance and enforcement patterns have focused on several specific areas where employers frequently fall short of legal requirements. Understanding these focus areas helps employers prioritize compliance efforts.

Key enforcement focus areas include:

• Incomplete adverse action procedures: Employers have faced enforcement actions for failing to provide applicants adequate time to review background check information before making final decisions, violating the meaningful opportunity standard.
• Missing summary of rights documents: Organizations have been cited for neglecting to include the required FTC summary alongside consumer reports during pre-adverse action notices.
• Improper disclosure formatting: Companies have encountered liability for using disclosure and authorization forms that combined FCRA notices with liability waivers or other materials, violating the standalone requirement.
• Unauthorized information sharing: Businesses have faced claims for sharing background check information with individuals who lacked a legitimate business need to access it.

These patterns indicate that regulators examine the complete compliance workflow rather than isolated components. Systematic implementation has become essential for all employers regardless of size.

EXPERT INSIGHT: Working in HR, I sit at the intersection of policy and people every day. I have seen how hiring and screening decisions can either build trust or quietly damage it before someone even starts. Being successful at this means, at the very least, recalling that there is a real human who is behind each and every requirement with the desire to be treated with fairness. - Charm Paz, CHRP

The Permissible Purpose Requirement

Employers may only obtain consumer reports for permissible purposes defined in the FCRA. Employment purposes constitute a permissible purpose, but this authorization is limited to actual employment decisions. These include hiring, promotion, reassignment, and retention determinations.

Employers must establish clear policies that restrict access to background check information to decision-makers with legitimate employment-related needs. Documentation of the specific employment purpose for each background check request is required.

FCRA Compliance Workflow: Step-by-Step Implementation

Implementing FCRA-compliant background check procedures requires following a specific sequence of steps with precise timing and documentation at each stage. Deviation from this sequence constitutes the most common source of FCRA violations. Organizations must build systematic processes that ensure consistency across all hiring activities.

Step 1: Disclosure and Authorization

Before requesting any background check, employers must provide applicants with a clear and conspicuous written disclosure. This document must state that a consumer report may be obtained for employment purposes. Additionally, the disclosure must appear in a standalone document—it cannot be buried in an employment application or combined with other materials except for limited state-specific disclosures and liability waiver releases.

The disclosure should use clear, plain language that the average person can understand without legal expertise. After providing the disclosure, employers must obtain the applicant's written authorization before requesting the background check. This authorization must be a separate written document, though it may appear on the same page as the disclosure if clearly distinguished.

Many employers create a single-page document with the disclosure statement in the upper portion and the authorization signature section in the lower portion. This format satisfies FCRA requirements if properly formatted and not combined with extraneous materials.

Step 2: Obtaining the Consumer Report

Once proper disclosure and authorization are obtained, employers may request consumer reports from consumer reporting agencies. Employers should work with consumer reporting agencies that demonstrate compliance with FCRA requirements for accuracy, dispute procedures, and data security. Selection of a qualified CRA is an important compliance decision that affects the employer's risk profile.

When requesting reports, provide clear instructions about several critical factors:

• The scope of information needed for the specific position
• The exact employment position being considered
• Any state or local law restrictions that apply to the search based on work location
• Prohibited information types such as arrests without convictions in certain jurisdictions

Employers must certify to the CRA that they will comply with FCRA requirements, will not misuse the information, and have obtained proper authorization from the applicant. This certification creates legal accountability and establishes the employer's acknowledgment of compliance obligations.

Step 3: Pre-Adverse Action Process

If information in the consumer report may lead to an adverse employment decision, employers must follow the pre-adverse action procedure before making a final decision. Adverse employment decisions include not hiring the applicant, not promoting an employee, or terminating employment. This step is where many employers encounter compliance problems due to rushing or incomplete procedures.

Understanding the Waiting Period

The notice must be provided before the final decision is made, giving the applicant a reasonable opportunity to review the information and respond. While the FCRA does not specify an exact waiting period, compliance guidance commonly recommends employers wait at least five business days before proceeding to a final adverse action to ensure the waiting period is sufficient.

During this period, applicants may contact the employer to provide context, explain circumstances, or dispute inaccuracies. Employers should document all communications and consider any information the applicant provides before making final decisions.

Step 4: Individualized Assessment

Before taking adverse action based on criminal record information, employers should conduct an individualized assessment consistent with EEOC guidance. This evaluation should consider the nature and gravity of the offense, the time that has passed since the offense or completion of sentence, and the nature of the job sought or held. Simply applying automatic disqualification rules based on the presence of any criminal record creates substantial legal risk under both Title VII of the Civil Rights Act and various state fair chance hiring laws.

Document the individualized assessment process thoroughly. Include the specific factors considered, the reasoning for the decision, and any applicant input that was evaluated. This documentation provides critical evidence of good-faith compliance if the decision is later challenged.

Step 5: Final Adverse Action Notice

If the employer decides to take adverse action after completing the pre-adverse action process and individualized assessment, a final adverse action notice must be provided to the applicant. This notice formally concludes the FCRA-required process. It also triggers the applicant's dispute rights and additional protections.

Essential elements of the final adverse action notice:

• CRA contact information: The name, address, and telephone number of the CRA that supplied the report
• Decision responsibility statement: A clear statement that the CRA did not make the decision and cannot provide specific reasons for it
• Dispute rights notice: Information about the applicant's right to dispute the accuracy or completeness of any information with the CRA
• Free report entitlement: Notice that the applicant can obtain an additional free consumer report from the CRA within 60 days

Documentation and Record Retention

Employers must retain documentation of both the pre-adverse action notice and final adverse action notice. Records should include proof of delivery and the dates provided. Most employers should maintain these files for at least three years from the hiring decision, stored separately from general personnel files.

FCRA Compliance by Organization Type

FCRA compliance requirements apply equally to all employers regardless of size. However, implementation approaches should be tailored to organizational capacity and resources. Smaller organizations benefit from simplified systems, while larger enterprises require sophisticated infrastructure to manage volume and complexity.

Small Business Implementation Strategy

Small businesses (1-50 employees) typically lack dedicated HR departments and legal counsel, making simplified workflows essential. Create a compliance toolkit containing template disclosure forms, authorization forms, pre-adverse action letter templates, final adverse action letter templates, and the current FTC Summary of Rights document.

Designate one person as the background check coordinator responsible for managing all screening activities. Use a simple spreadsheet to document each background check, including dates of disclosure, authorization, report request, report receipt, adverse information findings, notice dates, and final hiring decisions. This centralized approach reduces inconsistency and ensures someone maintains compliance knowledge.

Enterprise Compliance Infrastructure

Enterprise organizations (500+ employees) require more sophisticated compliance infrastructure due to higher volume, multiple locations, and increased litigation risk. Establish a compliance committee with representatives from human resources, legal, and hiring managers meeting quarterly. Implement applicant tracking systems with built-in FCRA workflow steps and automated notices.

Develop training programs for all personnel involved in background check processes with annual refresher training. Conduct internal compliance audits at least semi-annually, reviewing samples of background check files to verify proper procedures. These audits should examine documentation completeness, timing compliance, and adherence to individualized assessment requirements.

Working With Consumer Reporting Agencies

Organizations of all sizes should work with consumer reporting agencies that provide compliance guidance while recognizing that employers remain ultimately responsible for compliance. Multi-state employers should consult legal counsel to ensure compliance with varying state and local requirements based on work location.

State and Local Law Overlay: Navigating Complex Requirements

While the FCRA establishes baseline federal requirements, state and local laws frequently impose additional restrictions. When federal and state/local laws conflict, employers must comply with the law that provides greater protections to applicants. This layered regulatory environment creates significant complexity for employers operating in multiple jurisdictions.

Ban-the-Box and Fair Chance Hiring Laws

Ban-the-box laws, now enacted in many states and numerous cities, restrict when employers may ask about criminal history during the hiring process. These laws typically prohibit criminal history inquiries on initial applications. Furthermore, they require employers to wait until later in the hiring process—often after a conditional job offer—before conducting background checks.

The timing and scope of ban-the-box laws vary significantly by jurisdiction:

• Coverage scope: Some apply only to public employers, while others cover private employers above certain size thresholds
• Timing restrictions: Some prohibit any criminal history questions until after an interview, while others allow questions after an initial application but before an offer
• Individualized assessment requirements: Many jurisdictions mandate specific consideration factors that employers must document
• Notice provisions: Certain states require employers to provide additional notices explaining rights under fair chance laws

Navigating Multi-State Ban-the-Box Compliance

Employers with multi-state operations should consult legal counsel to develop location-specific compliance protocols. These systems should identify which ban-the-box laws apply to each position based on work location and ensure hiring managers follow the appropriate sequence for each jurisdiction. Remote work arrangements add complexity, as you must follow the laws where employees physically work, not where your headquarters operates.

Salary History Inquiry Prohibitions

A growing number of states and cities prohibit employers from asking applicants about salary history or using previous compensation to determine job offers. These laws aim to reduce wage discrimination that perpetuates pay gaps. While not directly related to FCRA background checks, these laws affect the overall hiring process and may restrict what information employers can request during the same stages when background checks occur.

Employers should ensure that employment applications, interview protocols, and background check procedures all reflect applicable salary history restrictions. Integrated compliance across all hiring stages reduces the risk of inadvertent violations in one area affecting another.

Criminal Record Limitations by State

State laws create a complex patchwork of restrictions on what criminal record information employers may consider. Understanding these variations is essential for compliance, and consulting legal counsel is strongly recommended for multi-state operations. These restrictions often supersede what consumer reporting agencies may include in reports for employment purposes.

Key state-level variations:

• Arrest vs. conviction records: Several states restrict or prohibit consideration of arrest records that did not result in convictions, protecting applicants from being penalized for charges that were dropped or dismissed
• Sealed or expunged records: Most states prohibit consideration of records that have been legally sealed or expunged, and some require employers to treat inquiries about such records as though they never occurred
• Lookback period limits: Some states impose seven-year or other lookback periods for criminal records, though numerous exceptions may apply for positions with access to vulnerable populations
• Record type restrictions: Some jurisdictions prohibit consideration of certain offense types such as minor marijuana convictions or specific misdemeanors

Instructing Your CRA on State Restrictions

Employers must instruct consumer reporting agencies not to include information prohibited by applicable state laws. Additionally, hiring managers must not consider such information even if it appears in reports due to error. Create clear written instructions for your CRA that specify which state laws apply to each search based on work location.

State-Specific Disclosure and Notice Requirements

Some states impose additional disclosure, authorization, and adverse action notice requirements beyond federal FCRA mandates. These state-specific requirements must be incorporated into standard procedures. Failure to include required state-specific language can trigger separate state law violations even when federal FCRA requirements are met.

This table provides examples only and does not constitute complete state law guidance. Consult legal counsel regarding specific state requirements applicable to your operations and work locations.

AI-Assisted Background Screening: Emerging Compliance Considerations

The increasing use of artificial intelligence and automated decision-making tools in hiring processes creates new FCRA compliance challenges. Employers must address these issues carefully to avoid liability. Additionally, this remains an evolving regulatory area where guidance continues to develop at both federal and state levels.

Understanding Algorithmic Decision-Making Risks

Some modern background screening platforms use algorithms or AI to analyze background check information and generate hiring recommendations or risk scores. While these tools can increase efficiency, they raise significant compliance concerns. Employers remain fully responsible for hiring decisions even when using AI-assisted tools.

Automated systems that effectively make adverse decisions without human review and individualized assessment violate FCRA requirements. These platforms may also create Title VII disparate impact liability if they disproportionately screen out protected groups. Transparency and human oversight serve as essential safeguards against these risks.

Critical Requirements for AI-Assisted Screening

If you use platforms with algorithmic components, ensure they meet these requirements:

• Individualized consideration: Systems must allow consideration of legally required factors like the nature of the offense, time elapsed, and job relevance rather than applying blanket exclusions
• Human review capability: Platforms must allow for human override and individualized assessment by qualified personnel who can apply judgment and context
• Transparency mechanisms: Employers should understand how recommendations are generated and be able to explain the basis for decisions to applicants
• Disparate impact monitoring: Regular analysis must verify that systems do not create discriminatory outcomes based on protected characteristics

Conduct thorough due diligence before implementing AI-assisted tools. Request documentation of how the system makes decisions and what safeguards exist to prevent discriminatory outcomes.

Continuous Monitoring Programs

Some employers use continuous monitoring services that provide ongoing updates about employees' criminal records after initial hiring. While this practice may serve legitimate purposes in certain industries, it requires separate disclosure and authorization beyond initial hiring background checks. Additionally, continuous monitoring triggers adverse action procedures if negative information emerges.

Employers should consult legal counsel before implementing continuous monitoring programs. These systems must comply with the same FCRA requirements as initial background checks, including proper disclosure, authorization, and adverse action procedures.

Common FCRA Violations and Prevention Strategies

Understanding the most frequent compliance failures helps employers focus preventive efforts on high-risk areas. Many violations stem from seemingly minor procedural shortcuts that carry significant legal consequences. Moreover, patterns of violations often indicate systematic policy deficiencies rather than isolated errors.

Violation 1: Improper Disclosure Format

Combining the FCRA disclosure with employment applications, acknowledgment forms, liability waivers, or other documents is one of the most common violations. Courts have found that including even a single sentence of extraneous material in the disclosure document violates the standalone requirement. This violation frequently leads to class action litigation because it affects all applicants processed using the defective form.

Prevention Strategy: Create a dedicated disclosure document containing only the FCRA-required disclosure statement and any state-specific addendums that are legally permitted. Review the form annually to ensure no one has added content that compromises its standalone status. Train all HR personnel on the importance of maintaining document separation.

Violation 2: Incomplete Adverse Action Procedures

Failing to provide pre-adverse action notices, omitting the summary of rights document, not allowing adequate time between notices, and skipping final adverse action notices are frequent violations. These procedural failures often come to light through applicant complaints. Each omitted step may constitute a separate violation with its own damages.

Prevention Strategy: Implement a mandatory checklist or workflow system that requires completion of each adverse action step with documented proof before proceeding. Use technology to enforce waiting periods automatically and prevent premature progression through the workflow. Assign a specific compliance officer to verify completion of all steps.

Violation 3: Blanket Disqualification Policies

Automatically rejecting all applicants with any criminal record, without individualized assessment consistent with EEOC guidance, creates substantial legal risk. This approach also fails to comply with many state fair chance hiring laws. While blanket policies may seem administratively efficient, they create enormous legal exposure.

Prevention Strategy: Eliminate per se exclusion policies completely and implement structured individualized assessment protocols. These protocols should consider offense nature, time elapsed, and job relevance, with documentation of the analysis for each adverse decision. Train hiring managers on conducting these assessments consistently while exercising appropriate judgment.

Violation 4: Unauthorized Information Sharing

Sharing background check information with supervisors, coworkers, or others who lack a legitimate business need to access it violates FCRA confidentiality requirements. This violation may also trigger additional privacy law violations under state statutes. Oversharing often occurs when employers treat background check information like other general employment records.

Prevention Strategy: Establish strict access controls limiting background check information to decision-makers directly involved in the hiring or employment decision. Store background check records separately from general personnel files with enhanced security measures. Create a written policy defining who may access background check information and for what purposes.

FCRA Violation Penalties: Understanding the Risks

FCRA violations expose employers to multiple forms of liability that can rapidly escalate. Class action contexts, where systematic policy failures affect numerous applicants, create particularly severe financial exposure. Moreover, the fee-shifting provisions of FCRA mean that even defending against claims can become extremely expensive.

Statutory and Actual Damages

The FCRA provides for statutory damages of $100 to $1,000 per violation for negligent non-compliance, even without proof of actual harm. In class action lawsuits involving hundreds or thousands of applicants, these statutory damages alone can reach millions of dollars. Willful violations—those resulting from knowing or reckless disregard of FCRA requirements—can result in punitive damages in addition to statutory damages.

Courts have interpreted willful non-compliance broadly to include situations where employers should have known about requirements but failed to implement adequate compliance systems. If applicants suffer actual harm from FCRA violations, they may recover compensating damages in addition to statutory damages. Actual harm can include lost job opportunities when qualified applicants experience rejection due to flawed procedures.

Attorney's Fees and Litigation Costs

FCRA includes a fee-shifting provision requiring employers who violate the statute to pay the applicant's attorney's fees and litigation costs. In complex class actions, attorney's fees can equal or exceed the underlying damages. This provision makes FCRA cases attractive to plaintiffs' attorneys and incentivizes litigation even when individual damages are modest.

Regulatory Enforcement Actions

Beyond private litigation, the Consumer Financial Protection Bureau and Federal Trade Commission have regulatory authority to enforce FCRA compliance. Regulatory enforcement actions can result in civil penalties that are separate from private damages. They may also lead to consent orders requiring extensive compliance overhauls and ongoing monitoring by regulators.

Building Your FCRA Compliance Audit System

Regular self-auditing helps identify compliance gaps before they result in violations. These audits provide evidence of good-faith compliance efforts that may reduce liability if violations occur. Additionally, systematic auditing creates a culture of compliance awareness that reduces the likelihood of careless errors.

Monthly Compliance Checks

Monthly compliance checks should focus on real-time verification of current practices. Designate a compliance officer or HR professional to conduct monthly reviews of background check activities. These reviews should verify that disclosure and authorization documents are being provided correctly, timing requirements are being followed for adverse action procedures, required notices are being sent and documented, and information is being properly secured and access-limited.

Monthly verification catches problems quickly before they affect large numbers of applicants. Create a standardized monthly checklist that covers all critical compliance points. Document your monthly reviews to demonstrate ongoing compliance efforts.

Quarterly File Reviews

Quarterly file reviews provide deeper analysis of compliance quality. Conduct detailed reviews of a random sample of background check files each quarter. Check for completeness of documentation, proper sequencing of steps, appropriate individualized assessments, and compliance with state-specific requirements based on work location.

Document findings from these quarterly reviews and implement corrective actions for any deficiencies identified. Track whether deficiencies are one-time errors or patterns suggesting systematic problems requiring policy changes. Use quarterly reviews to identify training needs and policy improvement opportunities.

Annual Policy Updates and Training

Annual policy and training updates ensure your program remains current. Review and update all background check policies, procedures, and template documents annually to ensure they reflect current legal requirements. Download the current version of the FTC Summary of Rights document annually from the FTC website and update template files immediately.

Provide annual refresher training to all hiring managers and HR personnel involved in background check processes, highlighting policy changes and legal developments. Consult legal counsel regarding significant changes in federal, state, or local requirements that may require policy revisions.

Documentation and Retention Requirements

Maintain complete files for each background check including signed disclosure and authorization forms with dates, documentation of when reports were requested and received, copies of consumer reports provided to applicants, pre-adverse action notices with proof of delivery, documentation of waiting periods and applicant communications, individualized assessment notes, and final adverse action notices if applicable.

Most employers should retain background check files for at least three years from the hiring decision, and longer if any disputes or legal claims arise. Store files separately from general personnel files with appropriate security measures and access restrictions.

Conclusion

FCRA compliance requires systematic implementation of specific procedures at each stage of the background check process. With active regulatory enforcement, evolving state and local requirements, and growing use of AI-assisted screening tools, employers must prioritize compliance through tailored workflows, regular audits, and ongoing training. In addition to remedying a legal risk, strict compliance with these standards will help to protect candidate trust and institutional reputation within this transparent environment of recruiting. Those institutions that promote this compliance as a human resources competency will have a better chance to make recruiting decisions that result in equal and defensible outcomes.

Frequently Asked Questions

What is the most important first step for FCRA compliance?

Provide a standalone written disclosure to applicants before requesting any background check, explaining that a consumer report may be obtained for employment purposes. This disclosure must be a separate document and cannot be combined with employment applications. After providing this disclosure, obtain written authorization from the applicant before requesting reports.

How long should employers wait between pre-adverse action and final adverse action notices?

The FCRA does not specify an exact waiting period, but compliance guidance commonly recommends waiting at least five business days. This waiting period should be sufficient to give the applicant a meaningful opportunity to review the information, identify errors, and provide context or dispute inaccuracies with the consumer reporting agency.

Can employers use credit reports for all hiring decisions?

No, many states restrict or prohibit the use of credit reports for employment purposes except for positions involving specific financial responsibilities. Employers should consult legal counsel to review state laws applicable to the work location and position type before requesting credit reports. Limit such requests to roles where financial history is genuinely job-relevant and legally permissible.

Do FCRA requirements apply if the employer conducts background checks internally without using a third-party service?

FCRA requirements generally apply only when employers obtain consumer reports from consumer reporting agencies (third-party services). If an employer conducts background research directly—such as contacting references or reviewing public records without using a CRA—the FCRA typically does not apply. However, employers conducting internal research must still comply with other laws including privacy statutes and anti-discrimination requirements.

What should employers do if an applicant disputes background check information?

Document the dispute and provide reasonable time for the applicant to work with the consumer reporting agency to investigate and correct any errors. Refrain from making a final adverse decision until the dispute process is complete or sufficient time has passed. If the CRA confirms inaccuracies and provides a corrected report, base decisions on the corrected information.

Are there special FCRA requirements for positions involving driving or safety-sensitive work?

FCRA requirements apply equally to all employment positions, though employers may request additional types of background information relevant to specific jobs. For driving positions, motor vehicle records are appropriate and job-relevant. However, the same disclosure, authorization, and adverse action procedures must be followed regardless of position type, and employers should still conduct individualized assessments consistent with EEOC guidance.

How do ban-the-box laws affect FCRA compliance timing?

Ban-the-box laws affect when employers may request background checks, often requiring employers to wait until after a conditional job offer. Employers must comply with both the timing restrictions imposed by applicable ban-the-box laws and the disclosure, authorization, and adverse action procedures required by the FCRA. Consult legal counsel to understand requirements for specific work locations.

What records must employers keep to demonstrate FCRA compliance?

Maintain comprehensive files for each background check including signed disclosure and authorization forms with dates, documentation of when reports were requested and received, copies of consumer reports provided to applicants, and pre-adverse action notices with proof of delivery. Also include documentation of waiting periods and applicant communications, individualized assessment notes, and final adverse action notices if applicable, all retained for at least three years.

Can employers rescind job offers immediately after receiving negative background check information?

No, employers must complete the full adverse action process before rescinding job offers based on background check information. This includes providing the pre-adverse action notice package, waiting a reasonable period (commonly recommended as at least five business days) for the applicant to respond, and conducting an individualized assessment if criminal records are involved. Immediate rescission without following these steps violates FCRA requirements.

How should employers handle background checks for remote workers in different states?

Employers must comply with the laws applicable to where the remote worker will be physically located while performing job duties. This means identifying and following the ban-the-box laws, criminal record restrictions, lookback periods, and other state-specific requirements for each remote worker's location. Employers with multi-state remote workforces should consult legal counsel to develop location-specific compliance protocols.

Additional Resources

1. A Summary of Your Rights Under the Fair Credit Reporting Act
   https://www.consumer.ftc.gov/articles/pdf-0096-fair-credit-reporting-act.pdf
2. EEOC Guidance on Arrest and Conviction Records
   https://www.eeoc.gov/laws/guidance/enforcement-guidance-consideration-arrest-and-conviction-records-employment-decisions
3. Consumer Financial Protection Bureau - Background Screening
   https://www.consumerfinance.gov/consumer-tools/background-screening/
4. Federal Trade Commission - Using Consumer Reports for Employment Purposes
   https://www.ftc.gov/business-guidance/resources/using-consumer-reports-what-employers-need-know
5. National Conference of State Legislatures - Ban the Box State Laws
   https://www.ncsl.org/labor-and-employment/ban-the-box-laws