On July 5, 2017, the Federal Trade Commission (FTC) entered into a stipulated order to memorialize a settlement with a lead-generation business, Blue Global LLC, and its CEO (Blue Global), in the U.S. District Court for the District of Arizona. The settlement entails both injunctive relief and an award of more than $104 million in damages, all arising from allegations that Blue Global’s “ping tree” lead-generation tool ran afoul of the FTC’s prohibition on unfair or deceptive acts or practices. The settlement comes as the result of the FTC’s complaint filed only days earlier (on July 3).

Blue Global operated a lead-generation business. In its complaint, the FTC alleged that Blue Global operated at least 38 internet domains that offered services to consumers looking for loans. The complaint also alleged that consumers were encouraged to fill out online applications, then “sit back while we do the dirty work” of matching those applications with a “network of more than 100 lending partners.”[1] These applications allegedly required consumers to provide personal information – including their name, address and contact information – as well as sensitive personal information such as Social Security numbers, financial account numbers, and credit and debit card information.

The FTC alleged that to induce consumers to complete the applications, Blue Global made a number of false representations. Namely, the websites allegedly guaranteed that Blue Global would match consumers’ applications to the lenders offering the lowest interest rates and other favorable terms; that Blue Global had a network of more than 100 lending partners to match the applications with; that consumers’ personal information would be kept secure and only shared with “trusted lending partners”; and that most consumers would be approved for a loan.[2]

But instead of connecting customers with potential lenders, the FTC alleged that Blue Global did little to no “matching” of consumers based on loan rates or terms, as a result of its reliance on its ping tree. A ping tree is a sequenced sales process that helps lead generators distribute and sell leads to buyers from different companies (as opposed to allocating leads to different sales agents). In a ping tree, a lead is provided to different buyers in sequence; if the first potential lead buyer doesn’t accept the lead, the lead will be sent to a succession of different buyers until it is accepted. Blue Global’s ping tree sales software allegedly allowed it to sell a consumer’s data within seconds of the consumer submitting an application.

The FTC criticized Blue Global for operating contrary to its representations to its customers. The FTC alleged that the process did not require ping tree participants to be engaged in lending or even to use lead information to offer loans. It further alleged that Blue Global made little to no effort to obtain information about the ping tree participants (e.g., it did not require addresses for the participants’ businesses and it did not require participants to guarantee that the information in the applications would be used only to offer loans).[3] The FTC also alleged that Blue Global inadequately monitored the customer data it was sending to the ping tree participants, and that it sent each potential buyer in the ping tree lead information that contained the consumers’ unredacted sensitive personal information.[4]

The FTC argued that these practices violated the FTC’s prohibition on unfair or deceptive acts or practices as set forth in Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). “Deceptive acts” include misrepresentations or deceptive omissions of material fact, and acts are “unfair” if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits.[5] The FTC alleged Blue Global engaged in unfair or deceptive acts or practices because its websites made representations regarding the matching process, network size, data privacy and loan approval rates, which the FTC argued were false and misleading; moreover, it alleged that Blue Global’s practice of sharing consumers’ personal information with any potential buyer caused or was likely to cause substantial harm to those consumers.

As part of the stipulated order for settlement, Blue Global is prohibited from making misrepresentations relating to financial products or services; restrained from selling, transferring or disclosing a consumer’s sensitive personal information except where a consumer has requested the service and given his or her express consent; and ordered to pay $104,470,817.[6] Blue Global must also implement a process to screen its lenders to ensure that sensitive personal information is being used only for the provision of loan services. The monetary judgment has been suspended, however, as Blue Global filed for Chapter 7 bankruptcy in the Central District of California on Jan. 25, 2017.[7]

In the end, Blue Global’s case serves as an important reminder to all entities that handle consumers’ sensitive personal information: Special care should be taken to protect the information, and to ensure that it is shared only with the necessary and appropriate parties and only for the purposes for which the consumer provided it.