The Federal Trade Commission (FTC) recently settled a federal lawsuit in Arizona brought against Blue Global LLC and its CEO, arguing that the company had engaged in deceptive practices when it sold loan application data. Blue Global is a payday loan lead generator that operates at least 38 websites, including 247loan.com, and 3clickloan.com. According to the complaint, Blue Global solicited loan applications through its websites by promising that it would find consumers a loan with favorable terms from a large network of loan providers. Blue Global did not engage in customized matching, the FTC claimed, but instead assembled each consumer’s loan application information and electronically transmitted that information to potential buyers as a “lead.” These leads were offered to potential buyers (who were not required to be engaged in lending or use lead information to offer loans) in a sequenced sales process referred to as a “ping tree”: Blue Global transmitted the lead to the first potential buyer in the ping tree within seconds after the consumer submitted the loan, and if the potential buyer did not accept the lead, the next potential buyer was offered the lead. This process was continued until the lead was sold or every participant in the ping tree declined the purchase after having viewed the information. Blue Global received up to $200 for every lead sold.

Although Blue Global had disclosed to consumers that information would be shared only with “trusted lending partners,” the FTC found their sharing practices deceptive and misleading because, among other things, Blue Global did not require potential buyers to be lending partners at all. The FTC also found deceptive Blue Global’s claims that the information provided by consumers would be completely protected because the information was never redacted by Blue Global, and Blue Global did not ensure that the other entities were providing adequate protection.

As part of the settlement, Blue Global agreed to pay $104,470,817, as well as a permanent injunction stopping it from, among other things, selling or disclosing customers’ personally-identifiable information to anyone, unless the customer has requested financial services and (1) the sale, transfer, or disclosure is necessary to provide the requested financial service; (2) Blue Global has the consumer’s express, informed consent for the sale, transfer, or disclosure; and (3) Blue Global has established, implemented, and maintained procedures to verify the legitimate need for, and monitor the use of, consumers’ sensitive information by any entity to whom Blue Global sells, transfers, or discloses such information, including (a) obtaining certain certifications from such entities; (b) verifying the information contained in the certification; and (c) monitoring such entities.

TIP: Companies who regularly share personal information with third parties may find the settlement terms in this case helpful. In particular, this case offers helpful direction with respect to FTC expectations regarding a company’s obligations of oversight over third party recipients of personal data.