Calling All Data Brokers: The FTC Is Watching You9 Jul, 2012 By: Marc Roth
Since the beginning of 2012, the Federal Trade Commission (FTC) has made it clear that the collection and dissemination of consumer data is a high priority. Companies in the direct response industry that collect and sell consumer data to third parties are well advised to review their practices to ensure they are complying with all applicable laws, even if the coverage of such laws is not clearly obvious.
Earlier this year, the FTC issued a privacy report titled Protecting Consumer Privacy in an Era of Rapid Change. While the agency’s preliminary privacy report issued last year focused on issues relating to online behavioral tracking and ad serving and hinted at recommending legislation on that area, in this report, the FTC applauded industry’s continued attempts to self-regulate and appeared to retreat from a formal recommendation to Congress that a law be introduced to regulate these activities.
However, the final report did recommend that legislation be introduced to regulate the data brokerage industry. The FTC reported that data brokers collect massive amounts of information about consumers from various sources with little or no transparency and accountability, and given the risks associated with these practices, and absence of laws in this area, it concluded that legislation is warranted to govern this industry.
Perhaps the most significant indicator of the FTC’s focus on this industry to date has been the agency’s recent case against a data broker concerning the sale of Internet and social media data in the employment-screening context. In its first case of this sort to date, the FTC alleged that data broker Spokeo collected information about consumers from hundreds of online and offline sources, including social media networks, data brokers and other sources, and used that data to create detailed profiles of consumers (including a person’s name, age, hobbies, ethnicity, religion, use of social media, and photos), which it marketed to human resources professionals, recruiters and others as an employment screening tool. Based on these activities, the FTC alleged Spokeo operated as a consumer reporting agency and as such, violated the Fair Credit Reporting Act (FCRA).
Spokeo agreed to settle the FTC’s charges by entering into a consent decree that includes payment of an $800,000 civil penalty, various injunctive provisions and a ban on further violations of the FCRA. The Spokeo settlement follows warning letters sent by the FTC to three mobile app marketers earlier this year, which suggested that their background screening apps may be violating the FCRA.
These developments are interesting and important, since Spokeo, like the three app developers, does not appear at first blush to come within the purview of the FCRA as a consumer-reporting agency. To be sure, these companies are not consumer reporting agencies in the traditional sense, in that they do not obtain and aggregate consumer credit history data. Thus, this case reflects an expansive approach by the FTC in regard to how it intends to interpret the FCRA. But Spokeo may have determined its own fate by targeting professionals who were likely to use such information for the purposes covered by the FCRA, and advertising its data for purposes expressly covered by the FCRA.
Against this background, companies that collect and market data to third parties must be careful to not make any representations that their products may be used for credit, insurance or employment decisions. If covered, these firms will be required to comply with the FCRA’s stringent requirements or find themselves within the FTC’s sights.
Marc Roth is a partner in the New York office of Manatt Phelps & Phillips LLP, where he advises clients on marketing and privacy matters. Stacey Mayer, an associate in the same office, assisted in the preparation of this article. They can be reached at [email protected] and [email protected], respectively.