Last week, the FTC settled allegations that data broker Spokeo, Inc. failed to comply with the Fair Credit Reporting Act (FCRA) and posted deceptive endorsements about its services on websites and blogs. Spokeo agreed to pay $800,000 in civil penalties and to abide by FCRA to settle the FCRA charges. It also agreed not to misrepresent the status of any user or endorser of its services and to disclose any “material connection” with a user or endorser.
The FTC touted this enforcement action as “the first Commission case to address the sale of Internet and social media data in the employment screening context,” and commented on the action in a series of three posts on the Bureau of Consumer Protection Business Center blog (here, here, and here) -- underlining the importance of the matter. From our perspective, there are two key takeaways: (1) FCRA applies broadly -- just because you think you’re not like a traditional credit reporting agency doesn’t mean you’re not covered; and (2) don’t have employees or others post comments about your services on other websites unless they are honest about who they are and they disclose their connection with the company.
FCRA regulates the distribution, use, and collection of information for “consumer reports.” (The FTC’s FCRA page is a good starting point for understanding FCRA’s requirements.) A critical question in determining what is a “consumer report” is whether the information in the report “is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer’s eligibility for” credit or insurance, employment, or for other authorized purposes. This is a fact-specific inquiry: Is the information actually used for one of the listed purposes? Is it the type of information that could be used for one of those purposes? Was it collected with the intent that it be used for one of those purposes? In the Spokeo case, the FTC alleged that Spokeo marketed and sold its services to human resources and recruiting professionals as a resource for making employment-related decisions. Spokeo apparently tried to get itself out from under FCRA by changing its terms of service about how its services could be used. But, it couldn’t turn back the clock -- at least not until it ensured that its customers were not using its services for covered purposes.
The FTC also alleged that Spokeo employees drafted and posted positive comments about Spokeo using account names that would lead readers to believe that they were being posted by independent consumers or business customers. If true, these allegations are actionable on at least two FTC Act grounds: First, making a false statement by misrepresenting who the commenter is (i.e., an employee of the company, not an ordinary consumer or business customer). Second, violating the FTC’s Endorsement Guidelines by failing to disclose a material connection between the endorser and the company (i.e., that the endorser is employed by the company; see Example 8 in 16 C.F.R. § 255.5). This rule applies in other contexts as well. A “material connection” which must be disclosed is any “connection between the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience).”
In general, data brokers are currently a key enforcement priority for the FTC. The Spokeo settlement may be a harbinger of forthcoming FTC actions to more aggressively enforce the FCRA in the on-line context.