Yesterday, the Federal Trade Commission entered into a consent decree with Spokeo, Inc., for violations of the Fair Credit Reporting Act. As reflected in the FTC staff blog post, the FTC’s action against Spokeo is the first FCRA case to address the sale of data collected from online sources, including social media, in the context of employee screening.
Based on the FTC’s complaint, it appears that Spokeo assembled consumer information from online and offline sources, such as social networking sites and data brokers, to create consumer profiles for sale to third parties. These consumer profiles typically included name, physical address, email address, phone number, hobbies, ethnicity, religion, and photographs. Spokeo marketed these consumer profiles to human resources professionals, promoted them as a useful factor in deciding whether to interview a candidate, dedicated a portion of its website to recruiters, and offered special subscription plans to those recruiters. In 2010, Spokeo amended the Terms of Service on its website to state that it is not a consumer reporting agency and that Spokeo could not be used for FCRA-covered purposes. However, according to the complaint, Spokeo failed to take any action to ensure that third parties did not use its website and the information available on it for FCRA-covered purposes.
The FTC concluded in its complaint that Spokeo is a “consumer reporting agency” and that the consumer profiles sold by Spokeo are “consumer reports.” The complaint alleged that Spokeo violated the FCRA by failing to have the requisite procedures in place to limit the furnishing of consumer reports only for permissible purposes and to ensure the accuracy of information in consumer profiles. The complaint also alleged that Spokeo violated the FCRA because it failed to provide the standard “user” notice to third parties accessing consumer profiles, and because it furnished consumer profiles to third parties that Spokeo had no reason to believe had a permissible purpose. The complaint also alleged that Spokeo violated Section 5 of the FTC Act by directing its employees to post comments endorsing Spokeo to news and technology websites under account names that were developed by the company to give the impression that they were independent, ordinary consumers.
To settle these charges, Spokeo agreed to enter into a consent order with the FTC, which requires Spokeo to pay a civil penalty equal to $800,000 and prohibits the company from violating the FCRA and Section 5 of the FTC Act. If Spokeo subsequently violates the FCRA, FTC Act, or provisions in the consent order, the FTC will be able to fine Spokeo at levels substantially higher than what the FCRA alone permits. The consent order also imposes rigorous reporting and recordkeeping requirements on Spokeo and requires various forms of ongoing monitoring by the FTC.
Spokeo’s founder, Harrison Tang, responded to the action in a blog post stating that the company never intended to operate as a consumer reporting agency and has since implemented changes to its website to align with the FCRA. The FTC’s action against Spokeo is significant because it signals the FTC’s intent to extend FCRA enforcement to companies that collect and sell consumer data that can be used in certain impermissible ways under the FCRA.