The Federal Trade Commission today said data broker Spokeo will pay $800,000 to settle FTC charges it sold personal information it gathered from social media and other Internet-based sites to employers and job recruiters without taking steps to protect consumers required under the Fair Credit Reporting Act.
According to the FTC, Spokeo collects personal information about consumers from hundreds of online and offline data sources, including social networks. It merges the data to create detailed personal profiles of consumers. The profiles contain such information as name, address, age range and email address. They also might include hobbies, ethnicity, religion, participation on social networking sites, and photos.
IN PICTURES: The year in security mischief-making
The FTC alleges that Spokeo operated as a consumer reporting agency and violated the FCRA by failing to make sure that the information it sold would be used only for legally allowable reasons; failing to ensure the information was accurate; and failing to tell users of its consumer reports about their obligation under the FCRA, including the requirement to notify consumers if the user took an adverse action against the consumer based on information contained in the consumer report. The FTC also alleged that Spokeo deceptively posted endorsements of its service on news and technology websites and blogs, portraying the endorsements as independent when in reality they were created by Spokeo's own employees.
The FTC alleges that from 2008 until 2010, Spokeo marketed the profiles on a subscription basis to human resources professionals, job recruiters and others as an employment screening tool. The company encouraged recruiters to "Explore Beyond the Resume." It ran online advertisements with tag lines to attract employers, and created a special portion of the Spokeo website for recruiters. It created and posted endorsements of its services, representing those endorsements as those of consumers or other businesses.
The FTC said the case against Spokeo is part of its ongoing enforcement of the FCRA, a law passed by Congress to promote the accuracy, fairness, and privacy of information in the files of consumer reporting agencies, and to regulate the use and dissemination of consumer reports. The FTC alleges that Spokeo failed to adhere to three key requirements of the FCRA: to maintain reasonable procedures to verify who its users are and that the consumer report information would be used for a permissible purpose; to ensure accuracy of consumer reports; and to provide a user notice to anyperson that purchased its consumer reports. It also charges that Spokeo's misleading "endorsements" were a violation of the FTC Act. The proposed order is subject to court approval.
In response to the FTC announcement, Spokeo issued a statement (the full version is here) that in part reads: "A few years ago, we were eager to share our social network search tool with anyone who could find good use for it. Focusing on a prior version of our website, the U.S. Federal Trade Commission (FTC) believes that our targeted marketing (at that time) implicated the Fair Credit Reporting Act (FCRA), which regulates the collection, dissemination and use of consumer information, including credit information provided by consumer reporting agencies.
"It has never been our intention to act as a consumer reporting agency. We have made changes to our site and our internal business practices in order to ensure we don't infringe upon the FCRA's important consumer protections, and to ensure an honest and transparent service that will continue to be easy for our customers to use. We are a technology company organizing people-related data in innovative ways. We do not create our own content, we do not possess or have access to private financial information, and we do not offer consumer reports. Our agreement with the FTC will allow for a continued open dialogue regarding our business practices. We are eager to help shape the future of online information sharing. As we continue to provide new innovations within the people search industry, we are committed to making clarity and transparency top priorities for our customers."
Earlier this year the FTC sent letters to six unidentified mobile applications makers warning them that their background screening apps may be violating federal statutes. Specifically the FTC said if the app makers have reason to believe their background reporting apps are being used for employment screening, housing, credit or other similar purposes, they must comply with the Fair Credit Reporting Act which is supposed to protect consumer privacy and ensure that the information supplied by consumer reporting agencies is accurate.
According to the FTC, some of the apps include criminal record histories, which bear on an individual's character and general reputation and are precisely the type of information that is typically used in employment and tenant screening.
Under the FCRA, operations that assemble or evaluate information to provide to third parties qualify as consumer reporting agencies, or CRAs. Mobile apps that supply such information may qualify as CRAs under the act. CRAs must take reasonable steps to ensure the user of each report has a "permissible purpose" to use the report; take reasonable steps to ensure the maximum possible accuracy of the information conveyed in its reports; and provide users of its reports with information about their FCRA obligations. In the case of consumer reports provided for employment purposes, for example, CRAs must provide employers with information regarding their obligation to provide notice to employees and applicants of any adverse action taken on the basis of a consumer report.
According to the warning letters, the FTC has made no determination whether the companies are violating the FCRA, but encourages them to review their apps and their policies and procedures to be sure they comply with the FCRA. Future actions against those firms weren't ruled out if violations are found.