The Federal Trade Commission fined an online data broker who allegedly sold consumer reports containing internet and social media data in the context of employment screenings without adhering to the Fair Credit Reporting Act’s consumer protections.
By Alice Cheng
Data broker Spokeo recently agreed to pay $800,000 to settle Federal Trade Commission (FTC) charges in what is the FTC’s first Fair Credit Reporting Act (FCRA) case involving the “sale of internet and social media data in the employment screening context.”
Spokeo, a social network aggregator website, has long been notorious for the comprehensive profiles (including name, address, email address, phone number, hobbies, ethnicity, religion, etc.) it compiles and sells to third parties. Personal information of individuals is collected both online and offline, and profiles have been used for employment screening purposes—a practice that the FTC has alleged is in violation of the FCRA.
The FTC recently took legal action against the company after receiving an initial complaint about its practices from the Center of Democracy & Technology in 2010. The FCRA violations include failing to make sure that the information was sold for legally permissible uses only, failing to ensure that the information was accurate, and failing to notify users of the consumer reports about their obligations under FCRA.
The FCRA is a federal law regulating the collection, dissemination, and use of consumer information (including consumer credit information) to promote the accuracy, fairness, and privacy of such information. In order to avoid violating FCRA regulations, Spokeo says it will no longer build “consumer reports” and will no longer sell its information for employment screening purposes.
Aside from potential FCRA violations, such widespread collection of data by data aggregators like Spokeo continues to be an ongoing privacy issue. The collection of personally identifiable information, such as social security numbers or driver’s license numbers, carry obvious concerns, but even the collection of “non-sensitive” information can be problematic. Aggregation of this data is commonly used by advertisers to target prospective customers, or as in Spokeo’s case, sold to any willing buyers. While it may not always be easy to pinpoint any concrete harm to consumers, many are nevertheless uneasy about such compilations.
While the FTC has been increasingly vigilant regarding big data concerns, little progress is being made in developing data protection regulations. Continual changes in technology, such as the move to cloud computing services, may also invite further complications to developing appropriate regulations. Consumers need to be aware of what information is being collected and how it is used. Businesses need to be aware of what laws, rules and regulations govern their collection and use of information so they can assure successful compliance.