Is Your ATS a Credit Bureau Now? The Eightfold FCRA Lawsuit

An AI applicant scoring tool can fall under the Fair Credit Reporting Act if it assembles outside data about candidates into an employment-eligibility “report” and hands that report to employers. That is the novel claim in Kistler v. Eightfold AI, a class action filed in January 2026 that asks a question most founders have never considered: is your hiring software quietly acting as a credit bureau? If a court agrees, the consumer-reporting duties most companies associate with background checks, disclosure, consent, a copy of the report, and a formal dispute window, would attach to ordinary AI resume screening.

This is a different legal theory from the bias lawsuits you have read about, and it is arguably more dangerous because it does not require anyone to prove the algorithm was unfair. It only requires proving the algorithm existed in secret. Below is what the case actually claims, how the FCRA test works, and what a defensible AI hiring pipeline looks like when a human, not a hidden score, owns every rejection. (This is general information, not legal advice. Talk to counsel about your specific stack.)

The headline: AI is allegedly running secret “credit reports” on job seekers

The short version: a federal class action alleges that an AI hiring platform built secret eligibility reports on applicants and rejected them without ever telling them. Kistler v. Eightfold AI was filed on January 20, 2026 in the Superior Court of California, Contra Costa County (No. C26-00214), then removed to federal court as Kistler et al. v. Eightfold AI Inc., No. 3:26-cv-01768 (N.D. Cal.). The named plaintiffs are Erin Kistler and Sruti Bhaumik, suing on behalf of a putative class of job applicants.

What makes this more than another HR-tech complaint is who signed it. The case is brought by plaintiff-side firm Outten & Golden LLP together with the nonprofit Towards Justice, and counsel of record includes Jenny R. Yang, the former Chair of the U.S. Equal Employment Opportunity Commission. Towards Justice has called it the first case from its AI in the Workplace Accountability Project. A former EEOC chair putting her name on a complaint is not an accident. This is a deliberate, strategic test case, and it is meant to set precedent.

The human stakes are simple. As Kistler puts it in the firm’s release: “I’ve applied to hundreds of jobs, but it feels like an unseen force is stopping me from being fairly considered.” Yang frames the legal harm: “Qualified workers across the country are being denied job opportunities based on automated assessments they have never seen and cannot challenge.”

What the lawsuit actually claims

The complaint alleges that Eightfold’s platform scores applicants and discards many of them before a human ever looks. According to the filing, Eightfold uses a proprietary large language model to generate a “Match Score” that rates each applicant on their “likelihood of success” in a role. The complaint states the Match Score “ranges from 0 through 5” in tenth-point increments (¶74). Crucially, it alleges that applicants are “often discarded before a human being ever looks at their application.”

The complaint also describes the data feeding that score. For each named plaintiff, it alleges Eightfold gathered “consumer report information including personal data, information regarding her education and work experience, social media profiles, location data,” plus inferences and “comparator applicant data drawn from millions of other individuals’ resumes and profiles” (¶~100, ¶~107). The platform’s reach, the complaint says, is enormous: it quotes Eightfold’s own marketing that its model incorporates “more than 1.5 billion global data points,” including the profiles of “more than 1 billion” people.

One caveat worth stating plainly: those billion-plus figures are Eightfold’s described training and reference corpus, repeated in the complaint, not a verified count of individuals whose data was misused. The accurate way to say it is that the model is trained on a corpus Eightfold says includes profiles of more than a billion people. The scale is an allegation, not a finding.

Here is what the lawsuit pointedly does not claim: that the algorithm is biased. There is no Title VII race, age, or disability theory here. The complaint pleads violations of the federal FCRA, California’s Investigative Consumer Reporting Agencies Act (ICRAA), and California’s Unfair Competition Law (UCL), with a demand for a jury trial. The theory is procedural, not about outcomes. The argument is that a scoring system existed in secret and was deployed without the process the law requires. A defendant could, in theory, have a perfectly fair algorithm and still lose this case.

Is an ATS a consumer reporting agency under the FCRA?

An applicant tracking system can fall under the FCRA if it assembles third-party or inferred data about candidates into an employment-eligibility “consumer report” and furnishes it to employers. A pure first-party tool that acts only on an employer’s own application data generally does not. But AI tools that pull in scraped social media, location data, and comparator profiles blur that line, and that blur is the entire fight in this case.

The statute defines a “consumer report” broadly (15 U.S.C. §1681a) as any communication by a consumer reporting agency bearing on a person’s character, reputation, personal characteristics, or mode of living, when used to establish eligibility for employment. The complaint argues that assembling outside and inferred data into an employment-eligibility score puts Eightfold squarely inside that definition and makes it an unregistered consumer reporting agency (CRA).

Whether that argument wins comes down to a few contested questions:

• Is the data first-party or third-party? The FCRA generally exempts a company reporting “solely as to transactions or experiences between the consumer and the person making the report.” If a tool only crunches the employer’s own application data, it likely is not a CRA. Plaintiffs argue Eightfold pierces that exemption because it ingests scraped and inferred outside data.
• Is the score “furnished to a third party”? A CRA furnishes reports to others. Eightfold may argue the Match Score stays inside the employer’s own hiring workflow and is never handed off.
• Is an LLM “match score” even a consumer report? Eightfold may argue a predictive analytic is not the kind of assembled report Congress regulated in 1970.

Nothing here has been decided. The case is at the pleading stage in the Northern District of California. The CRA theory is novel and untested, and the smart move is to treat it as a live risk, not a settled rule.

Eightfold vs. Workday: two different ways your AI hiring stack can get you sued

If you only track one AI hiring lawsuit, you are exposed to the other. Kistler v. Eightfold and Mobley v. Workday are heard in the same federal court but run on opposite theories, and your pipeline has to satisfy both.

The Workday case is about whether your tool discriminates. We covered it in depth in what the Workday AI hiring lawsuit means for every ATS. The Eightfold case is about whether your tool followed consumer-reporting process. They are two separate failure modes of the same underlying design: the opaque, automated, no-human-in-the-loop pipeline that scores and discards candidates before anyone reads the file. Fix the design and you reduce exposure on both fronts.

What FCRA “adverse action” would mean if your screening tool is a CRA

If a court decides your AI vendor is a CRA, the consumer-reporting duties do not just land on the vendor. They land on you, the employer, as a “user” of consumer reports. That is the part founders miss. Reportedly, Eightfold’s customers include Microsoft, Morgan Stanley, Starbucks, BNY, PayPal, Chevron, and Bayer (these companies are not defendants), but the FCRA imposes obligations on every employer that uses a covered report.

Those obligations come in four buckets:

1. Disclosure. A clear, conspicuous written notice that a consumer report will be obtained, in a standalone document.
2. Authorization. The applicant’s written consent before any report is created.
3. Pre-adverse-action notice. Before you reject, give the candidate a copy of the report plus a “Summary of Your Rights Under the FCRA,” and a reasonable window (commonly five or more business days) to dispute it.
4. Final adverse-action notice. After you reject, notify the candidate, identify the CRA, state that the CRA did not make the decision, and disclose the right to a free copy of the report within 60 days and the right to dispute its accuracy.

The plaintiffs allege they received none of this. Run that checklist against your own funnel honestly. If an AI tool scores candidates and your pipeline auto-rejects the low scores, and you have never sent a candidate a copy of their “report” or a dispute window, you are doing exactly what this lawsuit targets, regardless of how the CRA question ultimately resolves.

This is not a hypothetical risk. In 2023, the EEOC settled with iTutorGroup for $365,000 over software that auto-rejected older applicants. That was an anti-discrimination case, not an FCRA case, so the theory differs, but the lesson holds: auto-reject liability is real, and regulators and plaintiffs are actively looking for it.

The defensible pattern: a human owns every rejection

The single most protective thing you can do is make a named human the required gate before any rejection, with a written reason and a timestamp. The Eightfold theory targets one specific architecture: an opaque score that auto-discards applicants before any person sees the file. The defensible inverse is straightforward. AI assists a human reviewer, the reviewer makes a recommendation you can explain in plain language, and a named person owns the final decision with a recorded rationale.

Human-in-the-loop is no longer just good candidate experience. Between the FCRA theory here, the agent-liability theory in Workday, and the explicit human-oversight requirement in the EU AI Act for high-risk hiring systems, it is becoming a legal design constraint. If you cannot show that a person, not a black-box score, made the call, you are carrying risk under at least three separate regimes.

This is exactly how Kit’s hiring vertical is built. AI in Kit is assistive, not deciding. Its AI features produce application summaries and parse CVs to surface information to a reviewer; they do not emit an auto-reject, and no “0 to 5 match score” gates the pipeline. Reviews are qualitative and explainable: a reviewer records a recommendation on a named scale (strong no, no, neutral, yes, strong yes) tied to a specific person and stage, not an opaque “73% match” with no reasoning. And every rejection is an attributed, audited event with a required written rationale and the name of the person who decided it. That decision trail, who reviewed, what they recommended, who decided, and why, is exactly the documentation you would need to show a human made the call.

How to structure your pipeline: a founder’s checklist

You do not need to wait for a court ruling to harden your hiring stack. Six moves cover most of the exposure:

1. Never auto-reject on an AI score alone. Make a human the required gate before any rejection. A recorded decision with a rationale, or a reviewer recommendation, should precede every “no.”
2. Replace opaque scores with explainable recommendations. If you cannot state in plain language why a candidate was advanced or rejected, do not let a number drive the decision.
3. Keep an audit trail. Capture who reviewed, what they recommended, who decided, the rationale, and timestamps. Reconstructable history is your best evidence that a person made the call.
4. Add disclosure and consent at application time. Include a disclosure, a privacy policy link, and a retention window even if you believe you are outside the FCRA. It is cheap insurance and better candidate experience. Kit ships this as a first-class consent configuration.
5. Know what your AI vendor ingests. If a tool scrapes social media, location, or third-party data and scores eligibility, assume the FCRA question is live. Demand contractual FCRA certifications from the vendor.
6. Remember the duties land on you. If a tool is ever deemed a CRA, the adverse-action obligations attach to you as the user. Architect your pipeline so you are never the party auto-rejecting on a black-box score.

How Kit is built for this

Kit is an AI-native ATS designed around the assumption that a human owns every hiring decision. The AI reads fast so your team can read smarter; it never decides in the dark. Application summaries and CV parsing surface the signal, qualitative reviewer recommendations replace opaque scores, and a required rationale plus a named decision-maker close every rejection. CV-view tracking even records that a human actually opened the file. The result is the audit trail this lawsuit is implicitly defining as the standard of care.

If you are evaluating AI hiring tools right now, ask one question of each vendor: can it auto-reject a candidate before a human reads the application? If the answer is yes, you are looking at the architecture two federal lawsuits are built around. If the answer is no, and you can prove it with a decision record, you are building the defensible pipeline. That is the bet Kit is built on.

The Eightfold case may take years to resolve, and the CRA theory may or may not survive. But the direction is unmistakable: secret scoring is becoming a liability, and explainable, human-owned decisions are becoming the requirement. You can start free and structure your hiring around that reality today.