Kistler v. Eightfold Turned 1B Profiles Into an FCRA Class Action
Kistler v. Eightfold reframes AI candidate scoring as consumer reporting. Here is what recruiters and founders should change before the next vendor demo.
If you bought an AI sourcing tool in the last two years, the demo probably opened with a 0-to-5 "match score" pulled from public LinkedIn, GitHub, and Stack Overflow data. That pitch is now Exhibit A. The Kistler v. Eightfold complaint, removed to the Northern District of California as No. 3:26-cv-1768 and still in the pleading stage as of late April 2026, argues that score is a consumer report and the vendor producing it is an unregistered Consumer Reporting Agency.
This is not a bias case. It is a privacy case. And it lands on a different part of your compliance stack than every responsible-AI checklist you have been signing off on.
What the Kistler v. Eightfold lawsuit actually claims
Erin Kistler and Sruti Bhaumik filed in January 2026. Their theory is narrow and well-aimed. Eightfold, they say, compiled personal data including social media profiles, location data, and online activity, then sold employers a 0-to-5 "likelihood of success" score and labels like "team player" or "introvert" before any human reviewed the candidate. No disclosure to the candidate. No consent. No mechanism to dispute inaccuracies. That, the complaint argues, is the textbook definition of a Consumer Reporting Agency under 15 U.S.C. § 1681a(f).
The scale is the part that makes general counsel nervous.
FCRA carries statutory damages of $100 to $1,000 per willful violation, with class mechanics built in. Multiply that by a profile count Eightfold itself markets ("1.6+ billion career profiles and 1.6+ million skills" on its homepage) and you understand why plaintiffs' counsel includes Jenny R. Yang, the former EEOC chair, and Seth Frotman, the former CFPB general counsel. This is not an opportunistic filing. It is a test case built by people who have spent careers writing the rules they are now suing under.
Eightfold has denied the allegations and says the platform "operates on data intentionally shared by candidates or provided by our customers." That defense will be litigated. The pleading-stage question for the rest of us is simpler: does this theory work against any other vendor in the category?
It does.
Why the "we only use public data" defense already lost in 2017
The precedent everyone keeps quiet about is Halvorson v. TalentBin (3:15-cv-05166, N.D. Cal.). TalentBin aggregated public social and code-host data into recruiter dossiers. In 2017 it settled for $1.15 million and rewrote the product to comply with FCRA. Monster had acquired TalentBin in February 2014, and the settlement effectively ended the original product thesis.
The Kistler theory is TalentBin plus a score. Every sourcing platform that scrapes LinkedIn and GitHub and ranks candidates is now living inside a settled precedent and an open class action that points at the same statute.
A vendor can be perfectly unbiased and still be an unregistered consumer reporting agency.
This is where most buyers get confused. Bias audits, NYC Local Law 144 reports, "Equal Opportunity Algorithm" certifications, ISO/IEC 42001 attestations: all of them address disparate impact. None of them address consumer reporting. A vendor can pass every audit on the market and still be exposed under Kistler. If a sales engineer answers an FCRA question by pointing at a bias report, end the call.
The CFPB rescission is a trap, not a green light
In June 2024, the CFPB issued Circular 2024-06 on "Background Dossiers and Algorithmic Scores," clarifying that a company meets the CRA standard if it "collects consumer data in order to train an algorithm that produces scores or other assessments about workers for employers." That circular was rescinded in 2025, and a lot of vendor decks now treat the rescission as a clean bill of health. It is not. The statute is unchanged. Private rights of action do not need CFPB blessing. The Kistler complaint still cites the rescinded circular as interpretive context because the plaintiffs do not need it to win. They need 15 U.S.C. § 1681a(f), which has been on the books since 1970.
Mobley v. Workday is the other half of the pincer
If Kistler attacks process, Mobley v. Workday (3:23-cv-00770, N.D. Cal.) attacks outcomes. The court dismissed claims that Workday was an "employment agency" but allowed claims that Workday acted as an "agent" of employers to proceed. Preliminary certification of an ADEA collective action was granted on May 16, 2025. Read together, the two cases form a pincer that most vendor risk frameworks miss:
- **Workday's agent theory**: the vendor is liable for discriminatory outcomes regardless of what the buyer did.
- **Kistler's CRA theory**: the vendor is liable for transparency failures regardless of whether the model was accurate.
A sourcing platform can be sued on either theory independent of how the model performs. Your current vendor due-diligence checklist almost certainly only handles one.
Why your company, not the vendor, eats the damages
Here is the part that should change how you negotiate the next contract.
88% of AI vendors cap their own liability, often at monthly subscription fees, and only 17% warrant regulatory compliance, per the Jones Walker AI Law Blog.
Under FCRA, the employer-user is the entity required to obtain standalone disclosure and authorization, send pre-adverse and adverse action notices, and procure CRA certifications from the vendor. When the vendor's MSA caps liability at the monthly subscription fee, a class action lands on the line item that bought the seats, not the one that sold them. California's ICRAA makes this worse: it gives candidates the right to receive notice before a report is prepared, to check a box for a copy, and to know who has received the report in the last three years. None of that gets handled by your ATS by default.
If your sourcing workflow today is "vendor enriches a million profiles, surfaces a ranked list, recruiter reaches out cold," you are the named defendant in the next version of this complaint. Not the vendor.
What "exposed under the theory" looks like across the category
The Kistler theory does not stop at Eightfold. Any tool that generates an enrichment score from third-party data without applicant disclosure sits inside the same legal frame. HiredScore (now part of Workday), Phenom, Beamery, Fetcher, hireEZ, and SeekOut are all built around exactly the workflow the complaint describes. None of them are defendants today. All of them are exposed under the theory if a plaintiffs' firm decides to repeat the playbook, and Outten & Golden plus Towards Justice have every incentive to do so.
The risk gradient is roughly this:
- Highest exposure: tools that proactively enrich and score candidates before they apply, using inferred attributes like "likelihood to switch," "personality fit," or pre-built dossiers.
- Medium exposure: tools that score applicants who applied but were not told their public web profile would be incorporated.
- Lowest exposure: tools that help recruiters find and contact people based on stated facts (employer, repo, skill, location) without generating an opaque ranking score sold as predictive of job success.
That last category is where we put Refolk. You describe the person you want in plain English ("staff backend engineers in Berlin who maintain a Postgres extension and have shipped at a Series B"), and you get a ranked shortlist grounded in publicly stated facts across GitHub, LinkedIn, and the open web. There is no 0-to-5 "likelihood of success" label. There is no inferred personality category. The output is a sourcing list, not a hiring decision dressed up as one.
That distinction matters legally, and it also matters for how you talk to candidates. A recruiter reaching out with "I saw your Postgres extension and your work at Acme" is having a different conversation than one armed with "our system rated you a 4.2 introvert."
What to change before the next vendor demo
You do not need to wait for Kistler to resolve. The procurement changes are obvious once you stop treating bias audits as compliance.
Ask the questions your security team would ask about PII
For every AI sourcing or scoring vendor, get written answers to:
- Do you generate any score, label, or ranking sold or implied to predict job success, fit, tenure, or behavior?
- Is that score derived in part from data the candidate did not submit to my company?
- Have you registered or held yourself out as a Consumer Reporting Agency under FCRA or ICRAA?
- Will you contractually indemnify me against FCRA, ICRAA, and state CRA-equivalent claims arising from your product, without a cap tied to subscription fees?
- Will you provide CRA certifications and dispute-handling workflow my recruiters can actually use?
Vendors that pass question 1 but fail questions 3 through 5 are the ones the next Kistler-style filing targets. Vendors that answer "no" to question 1 because they do not produce that kind of score sit outside the theory entirely. That is the bar Refolk was built against, and it is the bar your procurement team should be writing into MSAs starting now.
Rebuild the sourcing top-of-funnel around stated facts
The point of FCRA is consent and dispute rights over inferred facts about you. The cleanest defense is to stop using inferred facts in your outreach. Search the public record for the stated ones: companies, repos, languages, locations, roles, dates. A plain-English query against Refolk returns exactly that, with the source links recruiters can put in front of a candidate without a privacy conversation turning into a legal one.
Stop letting "responsible AI" pages substitute for an FCRA review
If a vendor's response to an FCRA question routes to a NIST AI RMF page or a fairness audit, you have not gotten an answer. Make legal review and security review sign separately. The Workday outcome side and the Kistler process side need different signoffs, and they will not get them in a single demo.
The window before the next filing
Kistler is still in the pleading stage. Mobley's collective action is barely a year into certification. The plaintiffs' bar has a playbook, a billion-profile target list of vendors, and statutory damages that scale with class size. The recruiters and founders who quietly rewire procurement and sourcing in the next two quarters will not show up in the next caption. The ones who keep buying "match score" products will.
FAQ
Is the Kistler v. Eightfold case settled or decided?
No. It was filed in January 2026, removed to the Northern District of California as No. 3:26-cv-1768, and remains in the pleading stage as of late April 2026. Eightfold has denied the allegations. Nothing here predicts the outcome, but FCRA private rights of action do not depend on a final ruling against Eightfold to threaten other vendors. Plaintiffs' firms can file parallel cases against other AI sourcing tools at any time.
Does this mean every AI recruiting tool is illegal?
No. The Kistler theory targets a specific pattern: scraping third-party data to generate a score or label sold as predictive of job success, without candidate disclosure or dispute rights. Tools that help recruiters search public information and contact candidates based on stated facts (employer, repo, location, skill) sit outside that pattern. The question to ask a vendor is whether their product produces an opaque predictive score and whether they will accept FCRA liability if it does.
Are we safe if we only use the tool internally and never share the score?
Probably not. FCRA defines a consumer report by how the information is assembled and used to evaluate eligibility for employment, not by whether the score leaves your building. The CFPB's now-rescinded Circular 2024-06 explicitly addressed this. The statute itself is unchanged, and Kistler argues the score being shown to a recruiter to triage applicants is already enough. Treat internal use the same as external use until your counsel says otherwise.
What is the fastest single change a recruiting team can make this quarter?
Audit your sourcing tools for any 0-to-5, A-through-F, or "fit" score derived from third-party data. For every one, get written CRA status and indemnity language from the vendor. Where you cannot get that, move the workflow to plain-English search over public facts (the model Refolk uses) so your outreach is grounded in evidence a candidate can see and verify, not in an inferred label they cannot dispute.