State and federal regulators are turning their attention to the lead generation and data aggregation business – firms that compile massive databases of detailed consumer information ranging from spending and dieting habits to political affiliation.

Earlier this year, the Federal Trade Commission announced a $5.7 million settlement with Sitesearch Corp. – a group of lead aggregators and their principals – that the FTC alleged sold personal information of hundreds of thousands of consumers, including social security and bank account numbers, to buyers with “no legitimate need” for it. According to the FTC, defendants purchased the data from payday lending websites that had culled it from online loan applications submitted by cash-strapped consumers. The FTC’s complaint further alleged that “[a]t least one” of defendants’ customers used the purchased data to scam consumers by making unauthorized withdrawals from their bank accounts, and that the defendants knew or had reason to know that this had happened.

The FTC isn’t the only federal regulator focusing on lead generators. In a similar action filed in late 2015 by the Consumer Financial Protection Bureau, CFPB v. D and D Marketing, d/b/a T3Leads, the CFPB charged T3Leads, a lead aggregator, and its principals, with violating the Consumer Financial Protection Act (“CFPA”) of 2010 because they “failed to vet or monitor” either the sellers or purchasers of the data, and should have known that (i) the lead generating websites made false or misleading statements to potential borrowers, (ii) many of their customers were likely to charge above-average interest rates (contrary to the promises made on the lead-generating websites), and (iii) there was a “risk” that some customers would engage in abusive debt collection practices and fraud, because such conduct is common in the payday lending industry.

State attorneys general, too, are cracking down on abusive practices. In November 2015 and April 2016, the West Virginia Attorney General charged three pharmacies with participating in a single scheme to violate state consumer protection laws by misusing consumers’ healthcare data, which the defendants obtained through online “forms, surveys and other questionnaires.” The complaints allege that the defendants, including the pharmacies’ individual principals, used this information to generate forms directing doctors’ offices to transfer the consumers’ prescriptions to the defendant pharmacies.

We have written a comprehensive overview of this emerging area of regulatory enforcement for Bloomberg BNA’s Privacy and Security Law Report. Please click here for the full report.