After conducting an undercover sting operation, the Federal Trade Commission sent letters to ten data brokers warning them that they could be violating the Fair Credit Reporting Act.

As part of an increased focus on the FCRA, the agency used test shoppers to approach 45 companies seeking financial data about consumers for employment, credit, or insurance decisions. Pursuant to the FCRA, companies that collect, distribute, and sell such consumer information are considered consumer reporting agencies and must reasonably verify the identity of the purchasers, as well as ensure that the purchasers have a “legitimate purpose” under the Act to receive the information.

Of those researched, ten companies received warning letters because they “appeared willing to sell information without complying with the requirements of the FCRA,” the FTC said.

Recipients included (1) ConsumerBase and a second, unnamed company, which offered “pre-screened” lists of consumers to help make a firm offer of credit; (2) Brokers Data and US Data Corporation, which the agency said offered consumer information for use in making insurance decisions; and (3) 4Nannies, U.S. Information Search, People Search Now, Case Breakers, and USA People Search, all of which appeared to offer information for employment purposes.

In its warning letters, the agency explained the duties required of a credit reporting agency and noted that disclaiming responsibility under the Act did not prevent potential liability. “Even if you place a disclaimer on your website indicating that your data must not be used for employment or other FCRA-covered purposes, you may still be a [credit reporting agency],” Associate Director Maneesha Mithal wrote. “Regardless of any disclaimers, if you do not intend to be a [credit reporting agency], you should have clear policies in place explaining the purposes for which you will and will not sell information, you should educate your employees and customer service representatives about the importance of not selling consumer information for FCRA purposes, and you should review all marketing materials to ensure that you are not marketing your products to HR professionals or employers.”

While the agency said it had not made a formal determination of whether the letter recipients had violated the FCRA, it encouraged them to review their products, services, policies, employee training, and other procedures for compliance – or face legal action which could lead to injunctive relief and/or monetary penalties of up to $3,500 per violation.

Why it matters: The test shopping effort was part of an international privacy-related initiative sponsored by the Global Privacy Enforcement Network. The FTC was one of several privacy enforcement authorities taking part in the transparency sweep “to promote and support cooperation in cross-border enforcement of laws protecting privacy.” The sting operation follows several warning letters sent to the operators of mobile apps and serves as a reminder that the FTC remains focused on the activities of data brokers. The agency also settled with online data broker Spokeo for $800,000 after the agency initiated a civil action alleging the company violated the FCRA, and it supports laws that would impose additional regulations on data brokers.