In early May, Theodore Moss, the CEO of online background-check provider Crimcheck.com, received a letter from the Federal Trade Commission (FTC) notifying him that “recent test-shopping contacts” had indicated that his company was possibly selling consumer information unlawfully.1 Crimcheck.com provides background-check services to businesses conducting employment screenings for potential job candidates.2 Such companies, often referred to as “data brokers,” collect and compile information on individual consumers, drawing from public sources such as court databases and consumer credit records to piece together profiles of individuals’ financial, retail, recreational, and criminal behaviors.3 But it is precisely that assembling of detailed information on individuals—even information compiled from public sources—that can trigger provisions of the Fair Credit Reporting Act, prompting the FTC to take a closer look at how these companies collect and use consumer information.
The Fair Credit Reporting Act
Under the Fair Credit Reporting Act (FCRA), consumer information used for employment, insurance, or credit purposes is subject to certain safeguards.4 Enacted in 1970, the FCRA was designed “to ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.”5 Section 1681a(f) defines a “consumer reporting agency” (CRA) as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties . . .”6 The term “consumer report” is further defined to include virtually any information used for extension of personal credit, insurance, or employment purposes.7 Read together, these two provisions indicate that an entity that collects consumer information later used for credit, insurance, or employment determinations is a CRA for purposes of the FCRA.
Qualifying as a CRA is consequential because it triggers a number of consumer protection measures. Among other steps, CRAs must do the following:
- Use reasonable measures to ensure that information contained in their reports is as accurate and up-to-date as possible8
- Ensure that the information will only be used for a permissible purpose under the statute9 (Section 1681b lists the exclusive set of permissible purposes)
- Obtain certification that consumer reports for employment purposes will be used in compliance with equal opportunity laws and that the potential employee authorized the report and has an opportunity to challenge any contents that result in adverse action10
- Ensure that consumer reports for credit evaluations be used only for firm offers of credit11
- Inform data buyers of their own FCRA obligations12
Clearly, an entity’s designation as a “consumer reporting agency” under the FCRA carries some substantial obligations.
FTC Enforcement Efforts
In recent years, the FTC has renewed its efforts to enforce the FCRA to protect consumer privacy. In December 2012, the FTC launched a study of the “data broker” industry, ordering nine different companies to disclose information concerning their collection and use of consumer data.13 Those orders followed on the heels of several earlier settlements with data brokers, with one, Teletrack, settling for $1.8 million after the FTC alleged that it unlawfully sold consumer report information without a permissible purpose.14 Another case, in which the FTC alleged that data broker Spokeo unlawfully marketed its consumer information to companies for use in hiring or recruiting, settled for $800,000.15
In May, the FTC conducted a sting operation to identify companies that provide or were willing to provide consumer information to buyers without complying with FCRA safeguards. FTC staffers targeted 45 data brokers, posing as company representatives or individuals seeking to purchase consumer information for use in screening consumer creditworthiness, insurance eligibility, or employment suitability.16 While a company may promote its products exclusively for marketing purposes, in the FTC’s view, “[e]ven if a company is not compiling and sharing data for the specific purpose of making employment, credit, or insurance eligibility decisions, if the company has reason to believe the data will be used for such purposes, it would still be covered by the FCRA.”17 According to the FTC, employees at ten companies were unaware of the necessary FCRA safeguards when selling consumer information for such purposes.18 Among the ten, six—Crimcheck.com, 4Nannies, Case Breakers, People Search Now, USA People Search, and U.S. Information Search—seemed willing to sell data for employment determination purposes; two—Brokers Data and US Data Corporation—seemed willing to sell data for insurance decisions; and two—ConsumerBase and ResponseMakers—seemed willing to sell pre-screened lists for credit offers.19 The FTC subsequently sent these ten companies warning letters, recommending that the companies review their products, internal policies and procedures, and employee training programs for compliance with the FCRA.20
The FTC noted that it was warning the recipients but that the letters were not formal complaints since it had not “evaluated” the companies’ practices for FCRA compliance.21 However, the FTC specifically pointed to the Teletrack settlement as an example of the penalties it could seek, as well as to another recent settlement in which a data broker was enjoined from certain practices and required to adopt FCRA compliance procedures for a period of 20 years.22
A Global Push
Internationally, the FTC’s efforts were complemented by similar actions by other member nations in the Global Privacy Enforcement Network (GPEN).23 According to its mission statement, GPEN aims to “connect privacy enforcement authorities from around the world to promote and support cooperation in cross-border enforcement of laws protecting privacy.”24 For 2013, GPEN member states are focusing on privacy practice transparency.25 Other member countries, including Canada, the UK, Australia, Germany, and Hong Kong, participated in their own compliance efforts in early May.26 In Canada, for instance, authorities conducted a “sweep” of numerous popular websites to check for privacy policies and contact information.27
The FTC’s sting operation, coupled with the actions of its international peers, is further evidence that regulatory authorities are keeping their eyes on privacy. As for the recipients of the FTC’s warning letters, there have been some mixed reactions, both to the commission’s interpretation of the FCRA and to its test-shopping operation. Even while the FTC has taken the position that CRAs, as defined by Section 1681a(f), encompass more than traditional credit bureaus,28 a few of the companies dispute whether they acted unlawfully or are CRAs to begin with. Mr. Moss, for his part, acknowledged that Crimcheck.com is a CRA, though he insisted that his company was in compliance with the FCRA.29 In contrast, Eric Kaminsky, CEO of US Data Corporation, disputed the FTC’s characterization of his business as a CRA, while at the same time praising the commission’s efforts to “catch people who are bad guys.”30
Even if the recipients agree that the FTC is right to go after the “bad guys,” the enforcement efforts are instead most likely to impact the unaware. Indeed, one goal of the FTC is to raise awareness about consumer privacy issues and to encourage businesses that unknowingly or unintentionally may be in violation of the FCRA to revisit their practices.31 Whether or not consumer information is sourced from public records or gathered only for marketing or sales purposes, it still may be subject to the FCRA’s many safeguards, depending on the information buyer’s purpose or intentions. Companies would be well advised to ensure their FCRA compliance, to avoid ending up on the FTC’s warning-letter mailing list.
1 Letter from Maneesha Mithal, Associate Director, Federal Trade Commission, to Theodore Moss, CEO, Crimcheck.com (May 3, 2013), available at http://www.ftc.gov/os/2013/05/130507databrokerscrimcheck.pdf.
2 Crimcheck.com, http://www.crimcheck.com (last visited June 19, 2013).
3 Natasha Singer, “Congress to Examine Data Sellers,” The New York Times, July 24, 2012, available at http://www.nytimes.com/2012/07/25/technology/congress-opens-inquiry-into-data-brokers.html; Craig Timberg, “FTC Warns Data Brokers on Privacy Rules,” The Washington Post, May 7, 2013, available at http://articles.washingtonpost.com/2013-05-07/business/39090758_1_data-brokers-personal-data-data-reports. Those profiles can then be sold to third parties for a variety of purposes. Id. According to one estimate, U.S. companies spend over $2 billion annually on such personal data from third-party providers. Danny Yadron, “FTC Says Brokers Bid Private Data,” The Wall Street Journal, May 7, 2013, available at http://online.wsj.com/article/SB10001424127887323687604578469392421956334.html.
11 Letter from Maneesha Mithal, Associate Director, Federal Trade Commission, to Eric Rothchild, ResponseMakers (May 6, 2013), available at http://www.ftc.gov/os/2013/05/130507databrokersresponsemakers.pdf.
13 Press Release, Federal Trade Commission, “FTC to Study Data Broker Industry’s Collection and Use of Consumer Data” (Dec. 18, 2012), available at http://www.ftc.gov/opa/2012/12/databrokers.shtm.
14 Press Release, Federal Trade Commission, “Consumer Reporting Agency to Pay $1.8 Million for Fair Credit Reporting Act Violations” (June 27, 2011), available at http://www.ftc.gov/opa/2011/06/teletrack.shtm.
15 Press Release, Federal Trade Commission, “Spokeo to Pay $800,000 to Settle FTC Charges Company Allegedly Marketed Information to Employers and Recruiters in Violation of FCRA” (June 12, 2012), available at http://www.ftc.gov/opa/2012/06/spokeo.shtm.
16 Press Release, Federal Trade Commission, “FTC Warns Data Broker Operations of Possible Privacy Violations” (May 7, 2013), available at http://www.ftc.gov/opa/2013/05/databroker.shtm.
17 Federal Trade Commission, “Protecting Consumer Privacy in an Era of Rapid Change” (Mar. 2012). For example, when FTC staffers contacted US Data Corp. and expressed an intention to purchase data for insurance eligibility purposes, such a stated intention constituted sufficient notice to render the data covered by the FCRA even if US Data only promoted its products for use in marketing. See Letter from Maneesha Mithal, Associate Director, Federal Trade Commission, to Jeff Herdzina, US Data Corporation (May 2, 2013), available at http://www.ftc.gov/os/2013/05/130507databrokersusdata.pdf.
19 Mithal, supra note 11; Lesley Fair, “FTC Staff Goes Shopping for Info – with Interesting Results,” FTC Business Center Blog (May 7, 2013), http://business.ftc.gov/blog/2013/05/ftc-staff-goes-shopping-info-%E2%80%94-interesting-results.
24 “Action Plan for the Global Privacy Enforcement Network (GPEN),” Global Privacy Enforcement Network, https://privacyenforcement.net/public/activities (last amended Jan. 22, 2013).
25 Press Release, Office of the Privacy Commissioner of Canada, “Global Privacy Enforcement Network Internet Privacy Sweep: Questions and Answers” (May 6, 2013), available at http://www.priv.gc.ca/media/nr-c/2013/nr-c_130506_qa_e.asp.
28 Federal Trade Commission, supra note 17, at 68 (“The Commission has monitored data brokers since the 1990s, hosting workshops, drafting reports, and testifying before Congress about the privacy implications of data brokers’ practices.”) (citing “Identity Theft: Recent Developments Involving the Security of Sensitive Consumer Information: Hearing Before the Senate Committee on Banking, Housing, & Urban Affairs,” 109th Congress 7-8 (Mar. 10, 2005) (statement of FTC Chairwoman Deborah Platt Majoras), available at http://www.ftc.gov/os/testimony/050310idtheft.pdf (“Although the most common example of a ‘consumer report’ is a credit report and the most common CRA is a credit bureau, the scope of the FCRA is much broader. . . . CRAs other than credit bureaus provide many different types of consumer reports. . . . Data brokers are subject to the requirements of the FCRA only to the extent they are providing ‘consumer reports.’”)).
29 “Crimcheck.com Complies with the Federal Fair Credit Reporting Act (FCRA),” PRWeb, May 8, 2013, http://www.prweb.com/releases/2013/5/prweb10713337.htm (“CEO, Ted Moss of Crimcheck.com stated that his company is in fact a CRA and has always complied with and will continue to comply with the FCRA. ‘Our firm has rigorous procedures which ensure maximum possible accuracy when conducting employment screening, all of our clients are put through a comprehensive due diligence process before they can order employment screening reports and they are thoroughly explained their obligations as well as the applicants[’] rights under the FCRA.’ Moss furthered that, ‘To surmise that a call to a receptionist is evidence of wrong doing is like assuming the receptionist at your doctor’s office is qualified to give medical advice, the people who answer our phones do not set up new accounts and we do not sell data in the sense that the FTC implies. If the FTC expects to protect consumers they [sic] should at least get the facts straight.’”).
30 Katie Kaye, “FTC Sting Operation Results in Warnings to 10 Data Brokers,” Ad Age, May 7, 2013, http://adage.com/article/privacy-and-regulation/ftc-data-shopping-sting-results-warnings-10-data-brokers/241335.