A recent settlement between the Federal Trade Commission (FTC) and a lead generator provides new insight into the FTC’s enforcement of sensitive personal data collection and sales under the Fair Credit Reporting Act (FCRA) and the agency’s Section 5(a) authority.

On January 5, the Federal Trade Commission (FTC) filed a complaint, alleging that ITMedia Solutions LLC and its affiliates operated hundreds of different websites designed to induce consumers into providing sensitive personal information (including bank account information and Social Security numbers) for loan applications by falsely claiming that the data would only be shared with the defendants’ “trusted partners.” The FTC alleged that ITMedia Solutions and its affiliates subsequently distributed 84% of the loan applications to different marketers, debt relief and credit repair sellers, without regard for how consumer information would be used.

Section 5(a) Violations

In its complaint, the FTC cites representations made to consumers on IT Media Solutions’ network of websites, which assured consumers that their information only would be shared with “trusted lenders, lending partners and financial services providers.” The FTC alleges that these representations were “false and misleading” or were “not substantiated at the time” they were made and therefore “constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act.” The FTC also alleged that the sales of sensitive information in this context constituted “unfair acts or practices” as these sales “cause[d] or are likely to cause substantial injury to consumers” that they “could not reasonably avoid themselves and that are not outweighed by countervailing benefits to consumers.”

FCRA Violations

In addition, the agency contends that the defendants violated the FCRA by unlawfully obtaining and reselling the consumer’s credit scores. ITMedia Solutions and its affiliates allegedly purchased the credit scores of consumers who submitted loan applications and then used those scores to maximize sales, including demanding a higher price for information on consumers with higher credit scores and sending consumer information to potential buyers with codes that communicated consumers’ credit scores. Use of credit scores for marketing was a violation of the FCRA, says the FTC.

Consent Order Requirements and Penalties

The defendants agreed to enter into a consent order with the FTC, which provides for a civil penalty of $1.5 million and prohibits the defendants from making misleading statements to consumers. The order further prevents the defendants from selling consumer information unless certain requirements are met. These requirements include:

  • For FCRA compliance, the defendants only are allowed to distribute a consumer report or information from a consumer report if the defendants:
    • Certify to the consumer reporting agency from which it purchased the report the identity of the end user of the information, and certify the permissible purposes under the FCRA for obtaining the consumer report;
    • Obtain from persons to whom it distributes the information a certification of the end users and the permissible purpose; and
    • Use reasonable procedures to verify the certifications received from persons to whom the defendants distribute information.
  • For UDAP compliance in handling sensitive information obtained from consumers:
    • Obtain “express, informed consent for the sale, transfer, or disclosure” of consumer information to a third party;
    • Obtain certifications from any third party receiving information about the consumer that the information will be used only for specified purposes; and
    • Take reasonable procedures to verify the certifications of recipients and to monitor the conduct of the recipients on an ongoing basis.

Conclusion

Lead generators and other businesses engaged in the handling of sensitive personal information must remain cognizant of the applicable data use and security restrictions in the FCRA and other sectoral privacy laws. These businesses also should monitor how the FTC exercises its Section 5(a) authority to restrict data sharing.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Brooke Conkle Brooke Conkle

Brooke focuses her practice on complex litigation and federal consumer protection statutes, including the Fair Credit Reporting Act (FCRA) and Regulation V (Reg V), the Equal Credit Opportunity Act (ECOA) and Regulation B (Reg B), the Telephone Consumer Protection Act (TCPA), and Unfair…

Brooke focuses her practice on complex litigation and federal consumer protection statutes, including the Fair Credit Reporting Act (FCRA) and Regulation V (Reg V), the Equal Credit Opportunity Act (ECOA) and Regulation B (Reg B), the Telephone Consumer Protection Act (TCPA), and Unfair and Deceptive Acts and Practices laws (UDAP).

Photo of Graham Dean Graham Dean

Graham is an associate in the firm’s Cybersecurity, Information Governance, and Privacy Practice. In this role, Graham assists clients across various industries with issues related to data privacy. He has experience handling matters relating to the CCPA, CPRA, FCRA, CDPA, CPA, PIPA, LGPD…

Graham is an associate in the firm’s Cybersecurity, Information Governance, and Privacy Practice. In this role, Graham assists clients across various industries with issues related to data privacy. He has experience handling matters relating to the CCPA, CPRA, FCRA, CDPA, CPA, PIPA, LGPD, and a plethora of other privacy and banking secrecy laws in the Americas.

Photo of David N. Anthony David N. Anthony

David is an experienced trial attorney with a concentration in litigating financial services and business disputes, including class actions related to the FCRA, FDCPA, TCPA and other consumer protection statutes.

Photo of Ronald I. Raether, Jr. Ronald I. Raether, Jr.

Ron understands technology and specializes in responding to data integrity events (breach response) and advising companies on maximizing data use through multiple regulatory environments.

Photo of Alan D. Wingfield Alan D. Wingfield

Alan Wingfield is a partner in the firm’s Consumer Financial Services practice, with a focus on Financial Services Litigation and consumer law compliance counseling. Alan has represented businesses in many venues nationally in class action and individual consumer litigation. Alan’s practice includes compliance…

Alan Wingfield is a partner in the firm’s Consumer Financial Services practice, with a focus on Financial Services Litigation and consumer law compliance counseling. Alan has represented businesses in many venues nationally in class action and individual consumer litigation. Alan’s practice includes compliance counseling to help businesses with the myriad federal and state consumer protection laws and laws regulating financial services companies.

Photo of Chris Capurso Chris Capurso

Chris’ practice focuses on consumer financial services law, primarily on federal and state law compliance matters. Chris regularly advises financial institutions, lenders, and sales finance companies in the development and maintenance of closed-end and open-end lending, automobile finance, fintech, point-of-sale, small dollar, and…

Chris’ practice focuses on consumer financial services law, primarily on federal and state law compliance matters. Chris regularly advises financial institutions, lenders, and sales finance companies in the development and maintenance of closed-end and open-end lending, automobile finance, fintech, point-of-sale, small dollar, and other credit programs. He provides guidance on federal consumer protection laws and regulations, including TILA, ECOA, ESIGN, and GLBA.