Guide
FCRA compliance for skip tracing
When the Fair Credit Reporting Act applies to skip tracing data — and when it doesn't. A practical guide for buyers, not lawyers.
This is not legal advice. We're not lawyers and the Fair Credit Reporting Act is a statute with real teeth and real lawyers. What this article does is explain the framework so you know which questions to ask your actual counsel before launching skip tracing inside your operation. For the official source, the CFPB's Regulation V implements the FCRA and is the primary federal rulebook.
When does the FCRA apply?
The Fair Credit Reporting Act applies whenever you use a "consumer report" — which includes most skip tracing data — for one of the FCRA's regulated purposes: credit decisions, employment decisions, insurance underwriting, housing/tenant screening, or determining eligibility for a government license or benefit. The FTC's credit reporting guidance for businesses is the most readable summary of these obligations.
If you're using skip tracing for a regulated purpose, FCRA imposes obligations including disclosure to the consumer, adverse-action notices, and the requirement that the data come from a "consumer reporting agency" that meets the FCRA's accuracy and dispute-handling standards.
When does the FCRA NOT apply?
FCRA does not apply when skip tracing is used for non-regulated purposes. Common non-FCRA use cases:
- Real estate marketing (cold calling property owners about off-market deals)
- Debt collection of an account you already own — under §604(a)(3)(A)
- Locating a subject for service of process — under §604(a)(1) (court order) or other carve-outs
- General business contact enrichment for sales or marketing
"Doesn't trigger FCRA" doesn't mean "no rules apply." It just means the rules are different — TCPA, CAN-SPAM, state consumer privacy laws, and DPPA may all still be in play.
What's a permissible purpose?
If you ARE using skip tracing for an FCRA-regulated purpose, you have to have a "permissible purpose" under §604. The most common ones for skip tracing buyers are:
- §604(a)(3)(A) — collection of an account on the consumer
- §604(a)(3)(F) — legitimate business need in connection with a business transaction initiated by the consumer
- §604(a)(1) — court order or subpoena
You document the permissible purpose in your own systems before you run the lookup. Your skip tracing vendor will typically ask you to certify compliance in their terms of service.
What we do on the vendor side
Skip Trace API logs every lookup with the requesting account, timestamp, input attributes, and the response. We do not return data that we know to be sourced through impermissible channels. We do not mix in data from scraped social media or leaked databases. The data graph we use is built from licensed contributory sources with documented chain of custody.
We also explicitly do not return identity records for minors as a policy matter.
Common FCRA mistakes
- Using skip tracing data for tenant screening without buying it from a CRA — this is the most common violation we see in litigation databases
- Mixing FCRA-regulated and non-regulated use cases on a single account without documenting which lookups are which
- Failing to provide adverse-action notices when an FCRA-regulated decision goes against the consumer
- Treating "I'm just looking up an old friend" as a permissible purpose — it isn't
What to actually do
1. Talk to your actual lawyer about which permissible purpose applies to your specific use case. 2. Document it in your own systems with a clear paper trail. 3. Make sure your skip tracing vendor's terms align with your stated purpose. 4. If you're using skip tracing for any FCRA-regulated decision, make sure your data source is registered as a CRA — most pure skip tracing APIs are not, including ours, because we're not built for credit/employment/insurance decisioning.