Two weeks ago, the FTC filed a district court complaint in Arizona against an operation that included three corporations and one individual. While touted as a case against data brokers (“FTC Charges Data Broker with Facilitating the Theft of Millions of Dollars from Consumers’ Accounts”), the single count unfair trade practices action really involves fraudulent and egregious conduct that took advantage of a particularly vulnerable population, but it nevertheless provides a few lessons for the data broker industry generally.
Financially strapped individuals visited payday loan websites that promised to help them obtain payday loans if they filled out online applications and provided information such as name, address, phone number, employer, SSN, and bank account numbers that often included a bank routing number. These websites sold the pay day loan applications to data brokers. The defendants in this case purchased the application information from other data brokers, not the payday loan websites.
The defendants then sold the applications to both lenders, often for as much as $10 to $150 per lead, and non-lenders. The focus of the FTC’s complaint is the application information that was sold to non-lenders. According to the complaint, from 2006 to 2013 the defendants sold 95% of the applications for about 50 cents each, sometimes multiple times, to non-lender third parties some of whom the defendants knew were engaged in fraud. Specifically, the complaint alleges that the individual who controlled the corporations was aware that one of the entities that purchased the application information, Ideal Financial and its web of corporations and individuals, was engaged in a fraudulent billing and debiting scheme. Ideal Financial is the subject of a separate FTC action and allegedly made over $24 million in unauthorized charges to consumer accounts.
The complaint highlights three main lessons for the data broker industry.
First, the FTC’s action underscores two key points from the FTC’s May 2014 Data Broker Report. One focus of the report was that consumer information is collected from a variety of sources often without the consumer’s consent. Data brokers need to be aware of the risks of undisclosed, non-consensual use of consumer information that leads to consumer harm. While most would question the wisdom of providing sensitive information online in an effort to obtain a payday loan, it is reasonable to assume that the millions of consumers who filled out online applications were hoping to get loans, and not have their accounts debited without their consent. Another point from the FTC’s report that the complaint illustrates is that the data broker industry is complex with multiple layers of data brokers selling data to each other.
Second, data brokers that sell information to others should exercise due diligence to learn how the data will be used and, if appropriate, contractually prohibit certain uses or onward transfers.
Finally, data brokers that purchase information should likewise exercise due diligence to learn where the data comes from and the circumstances under which it was provided by the consumer. If the information is sensitive, a data broker could require proof that the consumer had the opportunity to opt out of having the information shared with third parties.