FTC Spanks Data Broker Spokeo With $800K Fine
FTC bills case as its first-ever enforcement related to "the sale of Internet and social media data in the employment screening context," puts other data brokers on notice.
Does your business sell background-check services? If so, you'd better not sell false data about consumers or write fake reviews that extol your services. Further, you must ensure that whoever buys your data plans uses it for legitimate purposes, and inform consumers when someone "adversely" uses their consumer report--for example, to deny them a job.
That's the message from a Federal Trade Commission complaint filed this month against data broker Spokeo, which agreed to pay $800,000 to settle all the charges.
More Security Insights
White PapersMore >>
The case began two years ago, after the Center for Democracy & Technology filed a complaint to the FTC alleging that Spokeo was engaging in unfair and deceptive business practices. "Spokeo sold shoddy consumer reports to prospective employers without offering the very basic protections required by law," said Justin Brookman, director of the CTD's project on consumer privacy, in a statement. "This is a really important case that will hopefully offer needed guidance on how the Fair Credit Reporting Act applies in the age of social media."
[ For the latest on the LinkedIn security breach, see LinkedIn Defends Security Practices, Leadership. ]
Likewise, the FTC has billed the case as its first-ever enforcement action related to addressing "the sale of Internet and social media data in the employment screening context." Since the FTC often uses these types of enforcement actions to signal what it views as acceptable and unacceptable practices, it's putting data brokers on notice that the agency will be reviewing their business practices.
"This case furthers the FTC's concerns with data brokers, as reported in the agency's recent privacy report, where it called for legislation to govern this industry," said Marc Roth, a partner in the advertising, marketing and media practice at law firm Manatt, Phelps & Phillips, via email. "The FTC argues that companies in this industry collect massive amounts of information about consumers with little or no transparency or opportunity for consumers to review or correct the information collected about them."
Indeed, the FTC complaint highlights the sheer volume of information available to--and collected by--data brokers. "Spokeo collects personal information about consumers from hundreds of online and offline data sources, including social networks," according to the FTC's complaint. "It merges the data to create detailed personal profiles of consumers. The profiles contain such information as name, address, age range, and email address. They also might include hobbies, ethnicity, religion, participation on social networking sites, and photos."
According to the complaint, from 2008 to 2010, Spokeo marketed--to HR professionals, job recruiters, and people who screened employees--a consumer report and employment background-check service it dubbed "Explore Beyond The Resume."
But ironically--for a company that sells background-check information--the FTC said Spokeo had faked information relating to its own services, putting it in violation of the Federal Trade Commission Act. Spokeo managers "directed ... employees to draft comments endorsing Spokeo, to be posted on news and technology websites [and blogs]," according to the FTC complaint. "These comments were reviewed and edited by Spokeo managers and then posted, using account names provided by Spokeo, that would give the readers of these comments the impression they had been submitted by independent, ordinary consumers or business users of Spokeo."
The FTC also accused Spokeo of having violated the Fair Credit Reporting Act (FCRA) by failing to adhere to three of its key requirements: "To maintain reasonable procedures to verify who its users are and that the consumer report information would be used for a permissible purpose, to ensure accuracy of consumer reports, and to provide a user notice to any person that purchased its consumer reports."
In its complaint, for example, the FTC noted that "Spokeo regularly furnishes consumer reports to third parties without procedures to inquire into the purpose for which the user is buying the report."
The Spokeo settlement is hardly the first FTC action against a data broker. The agency fined Choice Point $15 million in 2006, charging the data aggregation company with maintaining inaccurate data and failing to properly secure its data. ChoicePoint was acquired by LexisNexis--owned by Reed Elsevier--in 2008 for $3.6 billion.
According to Roth, the FTC's enforcement action against Spokeo demonstrates that the agency is now looking beyond traditional data-aggregation companies. "Spokeo is not a typical credit reporting agency in the traditional sense, such as the big three known agencies--TransUnion, Experian, or Equifax--which makes this an expanded approach by the FTC," he said.
"This case follows a February 2012 press release where the FTC announced that it had sent warning letters to three mobile app marketers that provide background screening apps that they may be violating FCRA," Roth said. "The FTC warned the apps marketers that if they have reason to believe the background reports they provide are being used for employment screening, housing, credit, or other similar purposes, they must comply with FCRA."
New apps promise to inject social features across entire workflows, raising new problems for IT. In the new, all-digital Social Networking issue of InformationWeek, find out how companies are making social networking part of the way their employees work. Also in this issue: How to better manage your video data. (Free with registration.)