In its first enforcement action under the Fair Credit Reporting Act (“FCRA”) about the sale of data compiled from publicly available online sources in the context of employment screening, the Federal Trade Commission (“FTC”) announced yesterday that it had entered into an $800,000 settlement with an online data broker, Spokeo, for allegedly marketing consumer profiles to employers and recruiters without complying with the requirements of FCRA. In addition, the FTC settled charges that Spokeo violated Section 5 of the FTC Act by posting surreptitious endorsements of its services under the names of others.
In the report issued by the FTC yesterday, the FTC calls on Congress to consider enacting targeted legislation to provide greater transparency for, and control over, the practices of information brokers and to allow consumers to access their data maintained by information brokers. The FTC notes that Congress could model any such legislation on a bill that the House passed during the 111th Congress, as well as similar bills introduced in the 112th Congress. These bills included some data accuracy and access provisions that were targeted specifically to information brokers. The bills are detailed in this blog entry.
Today the Federal Trade Commission (FTC) issued its long-awaited privacy report, “Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers,” which is intended to articulate “best practices” for companies that collect and use consumer data, and to assist Congress as it considers new privacy legislation.
On December 8, the House of Representatives by voice vote passed H.R. 2221, entitled the “Data Accountability and Trust Act,” which would require all organizations engaged in interstate commerce that manage or contract another to manage electronic data containing personal information to comply with a comprehensive set of standards designed to protect that information from unnecessary disclosure and to prevent identity theft and other fraud. The Bill now heads to the Senate where passage this year is unlikely, but where consideration next year is expected.
On November 5, the Senate Judiciary Committee passed two bills that collectively would preempt a large swath of the patchwork quilt of state data security and breach notification laws that largely comprise the U.S. regulatory landscape today. While imminent passage is not expected, the prospects for a federal law are gaining momentum. Especially noteworthy are the criminal and civil penalties being proposed for companies that fail to properly deal with a data security breach.
The Personal Data Privacy and Security Act (“PDPSA”), recently reintroduced by Sen. Patrick Leahy (D-VT) and referred to the Senate Judiciary Committee, proposes comprehensive federal regulation of data broker services. While enactment of the PDPSA remains uncertain, the draft legislation may presage future legislative and regulatory trends. Comprehensive Federal Regulation of “Data Brokers” Title II [...]