[authors: Alan S. Kaplinsky, John L. Culhane, Jr., Beth Moskow-Schnoll, Jeremy T. Rosenblum, Mercedes Kelley Tunstall]
The Federal Trade Commission’s willingness to exercise its enforcement authority under the Fair Credit Reporting Act was evident again last week in its $800,000 settlement with data broker Spokeo, Inc., described in an FTC release as “the first Commission case to address the sale of Internet and social media data in the employment screening context.”
In a complaint filed in federal court in California, the FTC alleged that Spokeo created consumer “information profiles” using data collected from various sources—including social networking and other online sites—and sold the profiles to persons who used them as an employment screening tool. By doing so, the suit alleged, the data broker was providing “consumer reports” and was therefore operating as a “consumer reporting agency” under the FCRA.
The profiles allegedly included such information as name, address, age range, e-mail address, and, in some cases, hobbies, ethnicity, religion, participation on social networking sites, and photos.
Spokeo was accused of violating the FCRA by failing to:
maintain reasonable procedures to ensure profiles were provided only to users with a permissible purpose
ensure the maximum accuracy of the information in the profiles
provide the notice the FCRA requires consumer reporting agencies to provide to users of consumer reports
The complaint also challenged the data broker’s attempt to avoid the FCRA by changing the terms of service on its website to state that it was not a consumer reporting agency and that its website or information could not be used for FCRA purposes.
According to the complaint, the disclaimers were ineffective because the data broker did not revoke access to companies using the website or information for FCRA purposes or otherwise ensure that existing users did not use the broker’s website or information for FCRA purposes. (As discussed in our prior legal alert, the FTC also rejected the use of website disclaimers to avoid FCRA liability in letters warning of possible FCRA violations sent to marketers of mobile applications that provided background screening reports.)
Interestingly, the FTC’s complaint included an additional allegation that Spokeo had violated Section 5 of the FTC Act by posting, on news and technology websites, endorsements drafted by its employees that falsely gave the impression the endorsements came from independent users of the profiles.
In addition to barring future FCRA violations or endorsements that fail to disclose the broker’s connection with the endorser, the settlement requires the data broker to pay an $800,000 civil penalty, to create certain records relating to compliance for a 20-year period, and to maintain those same records for five years from the date they were created.
Lawyers in Ballard Spahr’s Consumer Financial Services Group and its Privacy and Data Security Group regularly provide advice to clients on FCRA compliance and defend clients in FCRA lawsuits.
The Consumer Financial Services Group is nationally recognized for its guidance in structuring and documenting new consumer financial services products, its experience with the full range of federal and state consumer credit laws throughout the country, and its skill in litigation defense and avoidance (including pioneering work in pre-dispute arbitration programs).
The Privacy and Data Security Group includes experienced lawyers who help clients navigate the many laws designed to safeguard health, financial, and other private information; counsel clients on compliance, data mining, online marketing, and mobile privacy; and assist clients in responding to security breaches.
The Consumer Financial Services Group also produces the CFPB Monitor, a blog that focuses exclusively on important Consumer Financial Protection Bureau developments. To subscribe, use the link provided on the right.
For more information, please contact Practice Leader Alan S. Kaplinsky, 215.864.8544 or firstname.lastname@example.org; Practice Leader Jeremy T. Rosenblum, 215.864.8505 or email@example.com; John L. Culhane, Jr., 215.864.8535 or firstname.lastname@example.org; Beth Moskow-Schnoll, 302.252.4447 or email@example.com; or Mercedes Kelley Tunstall, 202.661.2221 or firstname.lastname@example.org.