On February 18, 2016, the U.S. Federal Trade Commission ("FTC") settled a dispute[1] against LeapLab LLC ("LeapLab") and others ("Co-Defendants") claiming that they knowingly sold consumer social security numbers, bank account details, and other information to third parties, who employed this information for illicit purposes. The Co-Defendants were subject to $5.7 million in collective monetary judgements and prohibited from further selling or transferring consumer data to third parties or misleading customers about loan application or offer terms.[2] They were also required to destroy all customer data in their possession within thirty (30) days. This case highlights the FTC's recent focus on the conduct of data brokers and similar organizations, with significant implications for those trading in consumer data.

The settlement follows a 2014 FTC complaint against Sitesearch Corporation (formerly LeapLab) and the other Co-Defendants citing charges of unfair trade practices in violation of Section 5 of the FTC Act[3] relating to the illicit sale of consumer personal and financial information. The FTC sought both equitable relief and the prohibition of the Co-Defendants' alleged misuse of applications for short-term loans known as "payday loans."[4] The payday loan applications contained consumer bank account details, personally identifiable information and other sensitive details provided by applicants on the Co-Defendants' websites. The FTC claimed that the Co-Defendants sold the applications to third parties they knew did not provide payday loans, but were instead scammers, telemarketers, or other non-lenders that used the consumer data for unlawful purposes, including the fraudulent purchase of financial products.[5]

One such third-party non-lender was Ideal Financial Solutions ("Ideal"), a defendant in a previous lawsuit brought by the FTC citing fraudulent purchases and transactions using consumer data purchased from third parties including the Co-Defendants, among others.[6] According to the FTC, Ideal's former Vice President of Marketing had knowledge that Ideal had used information from consumer payday loan applications to make unauthorized debits from consumers' bank accounts, which he shared with LeapLab after his appointment as Chief Marketing Officer.[7] Despite this knowledge, LeapLab continued to sell payday loan applications to Ideal, who debited over $4.12 million from consumer bank accounts using only the consumer information provided by the Co-Defendants.[8] To the FTC, this demonstrated that the Co-Defendants' knew that the personal loan applications they had sold were subsequently used by the purchasers to facilitate fraud and other illicit conduct, constituting unfair and deceptive trade practices in violation of §5 of the FTC Act.

Previously, the FTC primarily sought to address privacy issues posed by the collection, transfer, and sale of consumer information under the Fair Credit Reporting Act ("FCRA").[9] Since its enactment in 1970, the FTC has brought over 100 enforcement actions under the FCRA resulting in over $30 million in penalties against organizations that trade in consumer data.[10] Rapid changes in technology and the growing pervasiveness of "big data" have underpinned the FTC's closer examination of the conduct of organizations that trade in consumer data in recent years.[11] The FTC has since delineated three (3) primary categories of data broker companies that trade in consumer information: (1) those subject to the FCRA (i.e. traditional Consumer Reporting Agencies or "CRAs"),[12] (2) marketing and related companies not subject to FCRA, and (3) non-marketing companies not subject to FCRA (i.e. location or anti-fraud services).[13]  The lack of oversight of data brokers in the latter two categories prompted the FTC to rely on §5 of the FTC Act to address the unfairness to consumers posed by certain data brokers not subject to the FCRA regulations.[14] Under the FTC Act, an act or practice that "causes substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or completion" is considered unfair.[15]

This matter exemplifies the FTC's recent efforts to increase transparency and accountability of companies not subject to FCRA regulation but nonetheless trading in sensitive consumer information.[16] The settlement also offers insight into consumer protection concerns posed by the intersection of the data broker and lead generator industries.[17] While companies may examine the potential risks to consumers posed by the sale of their personal information to third parties under a reasonableness standard, the FTC has noted that for companies whose "stock-in-trade is personal information…what's reasonable under the circumstances may be different."[18]

Whether subject to the FCRA or not, U.S. regulators such as the FTC are examining companies that trade in consumer information with increased scrutiny. Moreover, data broker companies of all varieties are well served to ensure that the conduct of their downstream partners, affiliates, and customers is aligned with their own industry regulations and standards.