Spokeo, Inc., violated the Fair Credit Reporting Act (FCRA) when it sold detailed consumer information profiles to employers and recruiters, according to an $800,000 settlement announced by the Federal Trade Commission (FTC). The agency said the case was its first enforcement action to address “the sale of Internet and social media data in the employment screening context.”
The FTC complaint alleged a broad effort by Spokeo, a data broker based in Pasadena, Calif., to market its consumer data to employment recruiters and human resources professionals between 2008 and 2010. The company created a “Spokeo/HR” website, posted fake endorsements created by Spokeo employees, and strategically marketed its services on news and technology websites, the FTC said. Spokeo advertised that it had information on millions of consumers from “hundreds of online and offline sources” and could provide a person’s physical address, telephone number, marital status, age range, and email address. Some profiles could also include the person’s hobbies, ethnicity, religion, use of social media sites, photos, and “economic health graphics,” the FTC said. The agency did not specify what information employers purchased from the company during the two-year period.
The FCRA was enacted in 1970 to ensure fairness, accuracy, and the protection of consumer privacy rights by businesses that provide information for credit evaluations and employment background checks, known as consumer reporting agencies (CRAs). Violations of the act by CRAs may result in numerous sanctions, including civil penalties ranging from $2,500 to $3,500 per violation. The FTC alleged that Spokeo acted as a CRA and committed multiple FCRA violations by failing to ensure the accuracy of the information it sold and that it would be used only for legally permissible purposes. It also claimed that the company failed to tell data users of the users’ obligations under the FCRA, “including the requirement to notify consumers if the user took an adverse action against the consumer based on the information contained in the consumer report.”
The settlement agreement, filed in U.S. District Court for the Central District of California, enjoins Spokeo from committing further FCRA violations and mandates that it preserve accounting, personnel, training, and marketing records for 20 years. If it acts as a CRA in the future, the company also must record and preserve information on the identity of its clients. Spokeo did not admit liability in the settlement, but president and founder Harrison Tang announced in a blog posting that the company’s website had been revised and that a simple procedure for people to opt out of the Spokeo search engine had been created.
The settlement will not end litigation about Spokeo’s sale of consumer data. At least one plaintiff has appealed the dismissal of a federal class action that, like the FTC case, alleged the company’s data brokering activities violated the FCRA. The trial court dismissed Robins v. Spokeo, Inc., last year after finding harm to the plaintiff’s employment prospects to be “speculative, attenuated, and implausible.” The plaintiff appealed, arguing that the FCRA’s statutory damages obviated the need to prove other damages. The case is pending in the Ninth Circuit. (No. 11-56843 (9th Cir. filed Oct. 20, 2011).) Another class action alleging similar FCRA violations is pending in the Northern District of California. (Purcell v. Spokeo, Inc., No. 11-cv-06003-ODW-AGR (N.D. Cal. filed Sept. 3, 2010).)
Consumer data brokers may also face increased federal regulation. In a lengthy report issued in March, the FTC proposed legislation to give consumers access to data brokers’ information about them. The report also urged the data broker industry “to explore creating a centralized website where data brokers could (1) identify themselves to consumers and describe how they collect and use consumer data and (2) detail the access rights and other choices they provide with respect to the consumer data they maintain.”