The FTC has brought a number of actions over the years against companies that shared or failed to protect consumer information in violation of privacy policy promises or transferred data in violation of specific laws, such as the Fair Credit Reporting Act.  In what may be viewed as charting new territory, the FTC recently brought a second action against a data broker for selling payday loan application information to entities that were not engaged in making any kind of loans to consumers. Both sets of defendants purchased payday loan application information from online payday loan websites where consumers provided personal information, including financial institution account information, on the applications.  The defendants purchased the application information from the websites and sold the information to third parties who did not make payday loans to consumers, but rather made unauthorized charges to consumers’ accounts.  The Commission alleged that the selling of such sensitive information was unfair.

The facts of these related cases are particularly egregious and have generated three separate Commission actions.  The defendants purchased more than hundreds of thousands of loan applications from the operators of payday loan websites and then sold the information to third parties who made millions of dollars of unauthorized charges.   The Commission’s first action was filed in December 2013 and the FTC obtained a temporary restraining order an asset freeze against Ideal Financial Solution’s Inc. (“Ideal”).  Ideal is the entity that made the unauthorized charges to consumers’ accounts.   In December 2014, the FTC filed a complaint against Sitesearch Corporation, dba LeapLab, one of the entities that purchased the application information from the website and then sold it to Ideal.  The complaint alleged that the selling of the sensitive information to Ideal was unfair.  The most recent action against Sequoia One, LLC, Gen X Marketing Group, LLC and its principals includes identical allegations.

Three of the individual defendants in the Sequoia matter have settled and the remaining actions have not settled.   The settlements prohibit defendants from assisting others engaged in selling, transferring, or otherwise disclosing the sensitive personal information and making misrepresentations relating to the likelihood that any person will obtain a loan.  It also requires that the defendants provide sufficient customer information to enable the FTC to efficiently administer consumer redress, but then to destroy such customer information after being directed to do so by the FTC.  The settlements included suspended judgments of $3.7 million and $7.1 million another, with two of the individuals paying $15,000.

Whether the Commission will continue to bring similar actions outside of the payday lending space is not known, but data brokers and those who sell consumer information should exercise due diligence to learn how the data will be used and, if appropriate, contractually prohibit certain uses or onward transfers.  Moreover, data brokers that purchase information should likewise exercise due diligence to learn where the data comes from and the circumstances under which it was provided by the consumer.  When dealing with sensitive information, a data broker should consider whether the consumer had the opportunity to opt out of having the information shared with third parties.