The facts of these related cases are particularly egregious and have generated three separate Commission actions. The defendants purchased more than hundreds of thousands of loan applications from the operators of payday loan websites and then sold the information to third parties who made millions of dollars of unauthorized charges. The Commission’s first action was filed in December 2013 and the FTC obtained a temporary restraining order an asset freeze against Ideal Financial Solution’s Inc. (“Ideal”). Ideal is the entity that made the unauthorized charges to consumers’ accounts. In December 2014, the FTC filed a complaint against Sitesearch Corporation, dba LeapLab, one of the entities that purchased the application information from the website and then sold it to Ideal. The complaint alleged that the selling of the sensitive information to Ideal was unfair. The most recent action against Sequoia One, LLC, Gen X Marketing Group, LLC and its principals includes identical allegations.
Three of the individual defendants in the Sequoia matter have settled and the remaining actions have not settled. The settlements prohibit defendants from assisting others engaged in selling, transferring, or otherwise disclosing the sensitive personal information and making misrepresentations relating to the likelihood that any person will obtain a loan. It also requires that the defendants provide sufficient customer information to enable the FTC to efficiently administer consumer redress, but then to destroy such customer information after being directed to do so by the FTC. The settlements included suspended judgments of $3.7 million and $7.1 million another, with two of the individuals paying $15,000.
Whether the Commission will continue to bring similar actions outside of the payday lending space is not known, but data brokers and those who sell consumer information should exercise due diligence to learn how the data will be used and, if appropriate, contractually prohibit certain uses or onward transfers. Moreover, data brokers that purchase information should likewise exercise due diligence to learn where the data comes from and the circumstances under which it was provided by the consumer. When dealing with sensitive information, a data broker should consider whether the consumer had the opportunity to opt out of having the information shared with third parties.