Online lead generation continues to face increased scrutiny and regulation on multiple fronts, including from consumer groups, state regulators, the Federal Trade Commission (FTC), and the Consumer Financial Protection Bureau (CFPB). This squeeze is being felt by all participants—publishers, aggregators, and buyers—and, notably, the lines of legal responsibility and accountability continue to blur. All told, the viability of some forms of online lead generation is at stake.
The government agencies are targeting a broad set of business practices, from the representations made to consumers about the products, services, and merchants they are being connected to and how their data is being used, to the collection and security of personal information, and even whether the products or services ultimately sold to consumers comply with applicable (and some cases potentially inapplicable) laws.
This article reviews recent regulatory and enforcement activity by the FTC and CFPB related to online lead generation. Our review focuses on the three areas we believe the regulators will continue to most actively pursue: (1) use of deceptive advertisements to generate leads; (2) how sensitive consumer data is stored and whom it is shared with; and (3) whether, and the extent to which, publishers and lead aggregators are liable for the end users' legal compliance.
Lead generation is the practice of identifying or cultivating consumer interest in a product or service, and selling this information to third parties. The FTC has led the charge against what it believes are prevalent abuses committed by sellers and buyers of online leads. In addition to bringing enforcement actions against companies, which we discuss in some detail below, it also has spent considerable resources researching and understanding the industry.
In October 2015, the FTC hosted a workshop titled, "Follow the Lead: An FTC Workshop About Online Lead Generation," where a variety of stakeholders, including industry representatives, consumer advocates, and government regulators, discussed consumer protection issues. This workshop, and the subsequent public comment period that closed on December 20, 2015, provides key insights into how online lead generation works and its variations, and the types of conduct that that may be unfair or deceptive, and may be the start of identifying practices sellers and buyers of leads can adopt.
Of course, the FTC is not the only government agency focused on the intersection of lead generation activity and possible consumer harm. State regulators – in particular the New York State Department of Financial Services and Attorney General – and the CFPB also have been focused on the advertising and marketing of consumer financial services, such as student loans, mortgages, and payday loans, including by lead generators.
The CFPB's authority is both broader and narrower than the FTC's. It has broader authority to directly regulate third-party service providers, but it's narrower in the sense that it is limited to companies in the consumer finance space (e.g., loans, credit cards, and mortgages). In recent years, the CFPB has widened its focus to include companies, such as payment processors and advertising networks, that serve as vendors to financial services companies. It is relevant here that the CFPB has investigated several lead generators, particularly those involved in short-term, small-dollar loans, and, to date, has sued one such company.
There are three broad sets of laws that regulate lead generation:
- General advertising and marketing law principles, enshrined in the FTC Act, the Consumer Financial Protection Act (CFPA), and state laws (known as "mini-FTC Acts"), that prohibit unfair or deceptive acts or practices, including the dissemination of false or misleading advertising. The CFPA also prohibits "abusive" practices.
- Specific statutes, both state and federal, regulate certain marketing channels. For example, the Telephone Consumer Protection Act (TCPA) and CAN-SPAM Act regulate telephone and email communications, respectively, and the Telemarketing Sales Rule applies to many forms of telemarketing.
- There are statutes that regulate specific consumer products and services, such as mortgages, credit cards, and other consumer loans (e.g., Truth in Lending Act and Regulation Z, Credit Card Act, and the Mortgage Acts and Practices Advertising Rule ("MAP Rule" or Regulation N)). These laws typically regulate how such products are advertised, in addition to how they must be structured and serviced.
Deceptive Advertising to Generate Leads
For years, the FTC has been actively pursuing lead generation companies for using false or deceptive ads to induce consumers to submit a lead. It has targeted both publishers and network operators that play an active role in designing and/or distributing the allegedly deceptive ads. For example, in the cases against GoLoansOnline.com, Inc. (announced May 2014) and Intermundo Media, LLC (announced September 2014), the FTC concluded that ads targeting consumers seeking mortgage refinancing included unsubstantiated representations about the terms of the refinancing, including the interest rates, fees, and payment periods. According to the FTC, these advertised terms were not based on any mortgage credit products actually available to consumers by the companies in the network, and thus were deceptive. The FTC also alleged the ads failed to comply with the technical requirements of the Truth in Lending Act and Regulation Z and MAP Rule.
The FTC also has pursued affiliate or lead generation networks for their participation in the creation and/or dissemination of false or deceptive ads. In the case it brought against LeanSpa, a seller of weight-loss products, the FTC also sued LeadClick, the affiliate network with whom LeanSpa contracted to provide advertising services. Some affiliate marketers on the network used "fake news sites" to market LeanSpa's products, and the FTC alleged that LeadClick was liable for those deceptive websites because LeadClick (1) knowingly hired affiliates who used fake news sites, (2) knew those affiliates were using such sites, and (3) failed to object to their use. The court agreed, emphasizing LeadClick's role in vetting the affiliates and its authority to review their advertising. It also found that LeadClick actively participated in the deception by purchasing ad space at genuine news websites and then selling the space to the affiliates (thus creating "the bridge" between genuine and fake news sites, making the fake ones appear more legitimate).
For publishers, the implications of these cases are fairly straightforward. Advertising content, including emails, banner ads, SEO ads, and websites, must be truthful and substantiated, and include all material information necessary to ensure it is not misleading. Importantly,
- Advertising content cannot obscure where the lead information is going. This means that if the publisher is directing the consumer or the consumer's information to a lead aggregator instead of directly to the merchant, consumers need to be made aware.
- If the publisher does not know the exact terms of the offer that ultimately will be made to a consumer, it cannot make specific representations in its advertising, either expressly or implicitly, about such offers.
On the other hand, the rules of the road for lead aggregators and buyers are murkier. Whether these parties can be responsible for advertising created by others largely has been answered in the affirmative. The questions now are: Under what circumstances and to what extent are these parties responsible? While the exact bounds of the answers are not yet defined, at a minimum aggregators and buyers need to have basic due diligence, monitoring, and enforcement processes in place to vet and keep track of their advertising partners.
The collection and transfer of consumer data is the heart of online lead generation. The type of data collected varies by industry/product vertical, but typically includes the consumer's contact information, information about the device and IP address the consumer is using, and, notably, sensitive data such as Social Security Number, bank account and credit card numbers, etc.
The risk of consumer harm if this data were to get into the wrong hands is considerable. And, despite the significant data security measures taken by responsible parties involved in lead generation, there continues to be anecdotal examples that the FTC and other regulators cite of high rates of data breaches and unscrupulous sales, resulting in a proliferation of scams targeting consumers who submitted their data to lead generators. Whether real or perceived, the alleged consumer harm has become a primary area of concern for regulators and consumer groups.
Regulators are attacking this problem from multiple angles. While they have cracked down on the individuals and companies operating these alleged scams or otherwise engaged in illegal activities, they also have focused on the parties that transferred or sold the data to them.
For example, in its recent case against Sequoia One, LLC, a lead aggregator and generator for small-dollar loans, the FTC argued that Sequoia One knew or had reason to know that one of its buyers, Ideal Financial, used the purchased data to make unauthorized debits from consumers' bank accounts, thus causing injury to consumers. Among other things, the FTC pointed to the fact that Sequoia One continued to sell leads to Ideal Financial, which came under fire for large amounts of refunds or chargebacks, customer complaints, and inquiries by government agencies. At the request of the FTC, a federal court has frozen the assets of Ideal Financial.
In another example, the FTC targeted several affiliated data brokers, Sitesearch Corp., Leads Co., LLC, and LeapLab, LLC, and their founder for purchasing payday loan applications that contained consumers' bank account and Social Security numbers and other private information, that the parties then sold without permission to nonlender companies. The FTC alleged that the nonlenders were engaged in fraudulent email and telemarketing, and made the same allegations regarding the activities of Ideal Financial. The enforcement action has resulted in the founder reaching a settlement with the FTC with strict injunctive relief and nearly $10 million in suspended payments, and default judgments against the companies.
Other recent lead generation related cases include FTC v. Cornerstone and FTC v. Bayview Solutions, where settlements were reached against the defendants for allegedly exposing too much personal information about consumer-debtors.\
These FTC enforcement actions illustrate the importance of appropriate safeguards and other procedures to mitigate the risk of exposure of consumers' personal information without their permission.
End Buyer Compliance
Lead generators need to take into account the end purchasers' regulatory landscape when developing lead generation campaigns, especially in the area of consumer financial services. State regulators have been particularly active in online lead generation of consumer loans and other financial services. For example, states generally require a license to lend to their residents and many impose interest rate caps that make lending impractical to certain high-risk borrowers. While many online lenders take the position that they are not always required to obtain a license in the state where the borrowers reside, state (and, more recently, federal) regulators disagree. In recent years, states have pushed back on these lenders by halting their activities, forcing them to get licensed and, increasingly, preventing them from marketing to their residents.
For example, in 2015, the New York State Department of Financial Services announced a settlement with MoneyMutual, a lead generator for online lenders, based on MoneyMutual's marketing of short-term, small-dollar loans to consumers in New York—where payday loans are essentially illegal. It found that MoneyMutual's customers were not permitted to make such loans to New Yorkers, regardless of what MoneyMutual's clients may have represented to MoneyMutual, and thus the company could not collect lead information from consumers in New York.
This theme—holding the lead generators (and other service providers) responsible for their clients' legal compliance—is likely to grow. The CFPB has used similar theories of liability in analogous cases. For example, in its lawsuit against CashCall, a company that purchases and services loans, and others, the CFPB has argued that the underlying loans are void, and thus CashCall's attempts to collect on them are illegal. Specifically, the loans were originated by a company affiliated with a Native American tribe, which, based on tribal sovereign immunity, argues it is exempt from state licensing and usury laws. According to the CFPB, the lender is not exempt from state laws, the loans fail to comply with those loans, and, therefore, the loans were void and CashCall engaged in deceptive, unfair, and abusive practices when trying to collect repayments from the borrowers. While the CFPB cannot enforce state laws, its importation and federalization of state law requirements under its UDAAP authority is a novel theory that will also test the strength of the Bureau's ability to police "abusive" conduct.
Conclusion and Outlook
Lead generation is neither new nor illegal. Indeed, as Jessica Rich, Director, FTC Bureau of Consumer Protection, noted, "Lead generation is a well-established industry that has served a very important role in the marketplace for many, many decades." At the same time, government enforcement agencies continue to target lead generation in increasingly aggressive and novel ways.
It is worth noting that regulators appear to have adopted the position that all of the parties involved in the generation and purchase of a lead are required to police each other's activity, or face liability for each other's noncompliance. Given the level of "blindness" that is characteristic in online lead generation—for example, end buyers often do not know the identity of the publishers and vice versa—this is a serious and potentially insurmountable development.
Accordingly, all parties involved in lead generation will need to closely monitor developments in order to properly weigh compliance risks.