Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy, Employment Privacy

FTC Fines Data Broker $800,000 for Marketing Consumer Profiles to Employers Without Complying with FCRA

 In its first enforcement action under the Fair Credit Reporting Act ("FCRA")  to address the sale of Internet and social media data in the employment screening context, the Federal Trade Commission ("FTC") announced yesterday that it had entered into a $800,000 settlement with an online data broker, Spokeo, for allegedly marketing consumer profiles to employers and recruiters without complying with the requirements of FCRA.  In addition, Spokeo settled charges that it violated Section 5 of the FTC Act by posting surreptitious endorsements of its service under the names of others.

FCRA regulates the activities of "consumer reporting agencies," which include companies that, on behalf of employers and recruiters, compile reports about employees and job applicants that bear upon those individuals’ character, general reputation, personal characteristics, and/or mode of living and are "used or expected to be used . . . in whole or in part" as a factor for determining the individual’s eligibility for employment or other purposes designated under FCRA.  FCRA requires consumer reporting agencies who provide such reports to comply with various obligations under the law, such as (1) maintaining reasonable procedures to verify who its users are and the purposes for which its users will be using its reports; (2) ensuring the accuracy of its reports; and (3) providing certain notices to those who purchase its reports.

According to the FTC’s complaint, Spokeo collected personal information about consumers from hundreds of online and offline data sources, including social networks, merging that information into detailed personal profiles.  These profiles displayed certain information such as the person’s physical address, phone number, marital status, age range, email address, photos, and "economic health graphics," and were organized by descriptive headers denoting, among other things, the person’s hobbies, ethnicity, religion, or participation on social networking sites. 

Although Spokeo posted a disclaimer to its website stating that it was not a consumer reporting agency subject to FCRA and its services could not be used for employment screening purposes, the FTC alleged that Spokeo nonetheless marketed these profiles to businesses, including entities operating in the human resources, background screening, and recruiting industries, to serve as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview. 

Specifically, the FTC alleged:

  • Spokeo entered into Application Program Interface ("API") user agreements with, and provided high volume access to, paying business customers, including entities operating in the human resources, background screening, and recruiting industries.
  • In its marketing and advertising, Spokeo promoted the use of its profiles as a factor in deciding whether to interview a job candidate or whether to hire a candidate after a job interview.  Spokeo purchased thousands of online advertising keywords including terms targeting employment background checks, applicant screening, and recruiting.  Spokeo ran online advertisements with taglines to attract recruiters and encourage HR professionals to use Spokeo to obtain information about job candidates’ online activities.
  • Spokeo affirmatively targeted companies operating in the human resources, background screening, and recruiting industries.  It created a portion of its website intended specifically for recruiters, which was available through a dedicated tab labeled “recruiters” that was prominently displayed at the top of the Spokeo home page.  Recruiters were encouraged to “Explore Beyond the Resume.”  In addition, Spokeo promoted the Spokeo.com/HR URL to recruiters in the media and in marketing to third parties, and offered special subscription plans for its HR customers.
  • When Spokeo changed its Terms of Service in 2010 to state that users may not use the company’s website for FCRA-covered purposes, it failed to revoke access to or otherwise ensure that existing users, including subscribers who may have joined Spokeo through its Spokeo.com/HR page, or those who had previously purchased access to profiles through API user agreements, did not use the company’s website or information for FCRA-covered purposes.

For these reasons, the FTC concluded that Spokeo was a consumer reporting agency subject to FCRA, and because Spokeo did not comply with the obligations of FCRA-covered entities, it was subject to statutory penalties under FCRA of up to $3,500 per violation.

The FTC has been wrangling with the data broker industry under FCRA for some time.  Most recently, this past February the FTC sent letters to companies marketing background check mobile applications stating that the companies may be violating FCRA if they "have reason to believe" that the apps were being used for employment or other FCRA purposes.  At the time, the FTC stated in its letters that "we have not made a determination whether your company is violating the FCRA," noting that it "would evaluate many factors to determine if you had a reason to believe that a product is used for employment or other FCRA purposes."  

The enforcement action against Spokeo clarifies that two of the primary factors the FTC will consider are whether (1) consumer profiles are marketed for employment or recruitment purposes, and (2) high volume access is provided to paying business customers, particularly entities operating in the human resources, background screening, and recruiting industries.  Moreover, the FTC has clearly staked its position that merely maintaining a disclaimer that reports are not to be used for employment or other FCRA purposes will not insulate a data broker from a FCRA enforcement action.

Still, the issue is far from settled, as Spokeo provided a relatively clear-cut case for the FTC, given the direct marketing of its reports for HR purposes.  Although data brokers continue to be an area of focus for the FTC, the agency will have a tougher time proving that a data broker is subject to FCRA without evidence that the data broker marketed or targeted its products to employers.

Outside of the FCRA, Spokeo also settled charges that it committed an unfair or deceptive trade practice under Section 5 of the FTC Act by directing its employees to draft comments endorsing Spokeo to be posted on news and technology websites.  These comments were allegedly reviewed and edited by Spokeo managers and then posted using account names, provided by Spokeo, which would give the readers of these comments the impression they had been submitted by independent, ordinary consumers or business users of Spokeo. 

In its Guides Concerning the Use of Endorsements and Testimonials in Advertising, the FTC states that those who endorse the products or services of a company should disclose any material connections to the company, and because these Spokeo employees did not do so (presumably to bolster the credibility of the endorsements), the FTC claimed that the endorsements violated the FTC Act.  As a result, Spokeo is barred from making misrepresentations about its endorsements or failing to disclose a material connection with endorsers, and any further violation can lead to monetary penalties under the FTC Act.