Yesterday, the Federal Trade Commission entered into a consent decree with Spokeo, Inc., for violations of the Fair Credit Reporting Act.  As reflected in the FTC staff blog post, the FTC’s action against Spokeo is the first FCRA case to address the sale of data collected from online sources, including social media, in the context of employee screening.  

Based on the FTC’s complaint, it appears that Spokeo assembled consumer information from online and offline sources, such as social networking sites and data brokers, to create consumer profiles for sale to third parties.  These consumer profiles typically included name, physical address, email address, phone number, hobbies, ethnicity, religion, and photographs.  Spokeo marketed these consumer profiles to human resources professionals, promoted them as a useful factor in deciding whether to interview a candidate, dedicated a portion of its website to recruiters, and offered special subscription plans to those recruiters.  In 2010, Spokeo amended the Terms of Service on its website to state that it is not a consumer reporting agency and that Spokeo could not be used for FCRA-covered purposes.  However, according to the complaint, Spokeo failed to take any action to ensure that third parties did not use its website and the information available on it for FCRA-covered purposes.

The FTC concluded in its complaint that Spokeo is a “consumer reporting agency” and that the consumer profiles sold by Spokeo are “consumer reports.”  The complaint alleged that Spokeo violated the FCRA by failing to have the requisite procedures in place to limit the furnishing of consumer reports only for permissible purposes and to ensure the accuracy of information in consumer profiles.  The complaint also alleged that Spokeo violated the FCRA because it failed to provide the standard “user” notice to third parties accessing consumer profiles, and because it furnished consumer profiles to third parties that Spokeo had no reason to believe had a permissible purpose.  Finally, the complaint alleged that Spokeo violated Section 5 of the FTC Act by directing its employees to post comments endorsing Spokeo to news and technology websites under account names that were developed by the company to give the impression that they were independent, ordinary consumers.

To settle these charges, Spokeo agreed to enter into a consent order with the FTC, which requires Spokeo to pay a civil penalty of $800,000 and prohibits the company from violating the FCRA and Section 5 of the FTC Act.  If Spokeo subsequently violates the FCRA, the FTC Act, or provisions in the consent order, the FTC will be able to fine Spokeo at levels substantially higher than what the FCRA alone permits.  The consent order also imposes rigorous reporting and recordkeeping requirements on Spokeo and requires various forms of ongoing monitoring by the FTC.

Spokeo’s founder, Harrison Tang, responded to the action in a blog post stating that the company never intended to operate as a consumer reporting agency and has since implemented changes to its website to align with the FCRA.  The FTC’s action against Spokeo is significant because it signals the FTC’s intent to extend FCRA enforcement to companies that collect and sell consumer data that can be used in certain impermissible ways under the FCRA.

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.