A recent settlement between the Federal Trade Commission (FTC) and a lead generator provides new insight into the FTC’s enforcement of sensitive personal data collection and sales under the Fair Credit Reporting Act (FCRA) and the agency’s Section 5(a) authority.
On January 5, the FTC filed a complaint alleging that ITMedia Solutions LLC and its affiliates operated hundreds of different websites designed to induce consumers into providing sensitive personal information (including bank account information and Social Security numbers) for loan applications by falsely claiming that the data would only be shared with the defendants’ “trusted partners.” The FTC alleged that ITMedia Solutions and its affiliates subsequently distributed 84% of the loan applications to different marketers, debt relief and credit repair sellers, without regard for how consumer information would be used.
Section 5(a) Violations
In its complaint, the FTC cites representations made to consumers on ITMedia Solutions’ network of websites, which assured consumers that their information would be shared only with “trusted lenders, lending partners and financial services providers.” The FTC alleges that these representations were “false and misleading” or were “not substantiated at the time” they were made and therefore “constitute deceptive acts or practices in violation of Section 5(a) of the FTC Act.” The FTC also alleged that the sales of sensitive information in this context constituted “unfair acts or practices” as these sales “cause[d] or are likely to cause substantial injury to consumers” that they “could not reasonably avoid themselves and that are not outweighed by countervailing benefits to consumers.”
In addition, the agency contends that the defendants violated the FCRA by unlawfully obtaining and reselling consumers’ credit scores. ITMedia Solutions and its affiliates allegedly purchased the credit scores of consumers who submitted loan applications and then used those scores to maximize sales, including demanding a higher price for information on consumers with higher credit scores and sending consumer information to potential buyers with codes that communicated consumers’ credit scores. Use of credit scores for marketing was a violation of the FCRA, says the FTC.
Consent Order Requirements and Penalties
The defendants agreed to enter into a consent order with the FTC, which provides for a civil penalty of $1.5 million and prohibits the defendants from making misleading statements to consumers. The order further prevents the defendants from selling consumer information unless certain requirements are met. These requirements include:
- For FCRA compliance, the defendants are allowed to distribute a consumer report or information from a consumer report only if the defendants:
  - Certify to the consumer reporting agency from which they purchased the report the identity of the end user of the information, and certify the permissible purposes under the FCRA for obtaining the consumer report;
  - Obtain from persons to whom they distribute the information a certification of the end users and the permissible purpose; and
  - Use reasonable procedures to verify the certifications received from persons to whom the defendants distribute information.
- For UDAP compliance in handling sensitive information obtained from consumers, the defendants must:
  - Obtain “express, informed consent for the sale, transfer, or disclosure” of consumer information to a third party;
  - Obtain certifications from any third party receiving information about the consumer that the information will be used only for specified purposes; and
  - Use reasonable procedures to verify the certifications of recipients and to monitor the conduct of the recipients on an ongoing basis.
Lead generators and other businesses engaged in the handling of sensitive personal information must remain cognizant of the applicable data use and security restrictions in the FCRA and other sectoral privacy laws. These businesses also should monitor how the FTC exercises its Section 5(a) authority to restrict data sharing.