The Federal Trade Commission (“FTC“) has announced a stipulated settlement (“Settlement“) with ITMedia Solutions LLC and a number of its affiliates (collectively “ITMedia“), over alleged violations of the FTC Act and the Fair Credit Reporting Act (“FCRA“). Under this Settlement, ITMedia will pay $1.5 million in civil penalties.
According to the FTC’s complaint (“Complaint“), ITMedia, a loan application company and a lead generation services provider, has operated hundreds of websites that were designed to entice users into sharing sensitive financial data.
The FTC alleges that while ITMedia represented that this sensitive personal data would be disclosed to a qualified lenders in connection with loan proposals, ITMedia sold this data to a variety of unauthorized third parties (e.g. marketers and credit repair sells), that were not lenders. In addition, according to the Complaint, in many occasions ITMedia was not even aware of the purpose for which a third party was buying its users’ data, or the physical location of these entities, and therefore exposed its users to risks of identity theft and scams.
Based on the above, the FTC charged ITMedia with violations of the FTC Act due to, inter alia, deceptive representations regarding its use of users’ personal data and unrestricted sharing of sensitive personal data. The FTC also charged ITMedia with violations of the FCRA, which limits the purposes for which companies may obtain credit scores for, as ITMedia’s use of credit scores for market leads was not a permissible purpose.
Except for the civil penalties, the proposed Settlement will also apply various restrictions on ITMedia’s practices with regard to its users’ personal data, including the following:
- Prohibition from making misleading representations, including about the purposes for which users’ personal data is collected, and the recipients of the this data;
- ITMedia is required to screen the recipients of its users’ personal data;
- Prohibition from selling its users’ personal data outside a limited set of circumstances, such as users’ request for financial services, alongside express consent;
- ITMedia and its recipients of personal data will be required to destroy any sensitive personal data that they impermissibly obtained;
- Maintaining compliance with procedures to ensure the legitimate use and disclosure of its users’ sensitive personal data, and retaining certain records for 5 years; and
- Annual reports to verify its compliance with the Settlement.
The FTC also alleges that individual executives of ITMedia, including the CEO and the general counsel of one of ITMedia’s subsidiaries, were also personally liable for the violations. The personal liability is based on the fact that these executives have, inter alia, reviewed ITMedia’s representations to its users, negotiated or signed contracts for the sale of users’ data, and participated in formulating and implementing policies and practices for lead distribution.
It should be noted that one of the FTC’s Commissioners, Christine S. Wilson, has published a concurring statement, in which she stated that the FTC should carefully exercise its prosecutorial discretion regarding individual liability. According to this statement, a broad standard of individual liability, especially with regard to legal counsels, might deter qualified candidates from accepting employment and push executives to devote inefficient amounts of time to compliance at the expense of core business.
This recent regulatory action highlights the increased scrutiny over data protection, including in the financial and financial advertising sectors, and demonstrates the potential responsibility of key individuals to companies’ regulatory exposure.