The Federal Trade Commission today said data broker Spokeo will pay $800,000 to settle FTC charges that it sold personal information it gathered from social media and other Internet-based sites to employers and job recruiters without taking the consumer-protection steps required under the Fair Credit Reporting Act.
According to the FTC, Spokeo collects personal information about consumers from hundreds of online and offline data sources, including social networks. It merges the data to create detailed personal profiles of consumers. The profiles contain such information as name, address, age range and email address. They also might include hobbies, ethnicity, religion, participation on social networking sites, and photos.
The FTC alleges that Spokeo operated as a consumer reporting agency and violated the FCRA by failing to make sure that the information it sold would be used only for legally allowable reasons; failing to ensure the information was accurate; and failing to tell users of its consumer reports about their obligation under the FCRA, including the requirement to notify consumers if the user took an adverse action against the consumer based on information contained in the consumer report. The FTC also alleged that Spokeo deceptively posted endorsements of its service on news and technology websites and blogs, portraying the endorsements as independent when in reality they were created by Spokeo's own employees.
The FTC alleges that from 2008 until 2010, Spokeo marketed the profiles on a subscription basis to human resources professionals, job recruiters and others as an employment screening tool. The company encouraged recruiters to "Explore Beyond the Resume." It ran online advertisements with tag lines to attract employers, and created a special portion of the Spokeo website for recruiters. It created and posted endorsements of its services, representing those endorsements as those of consumers or other businesses.
The case against Spokeo is part of the FTC's ongoing enforcement of the FCRA, a law passed by Congress to promote the accuracy, fairness and privacy of information in the files of consumer reporting agencies, and to regulate the use and dissemination of consumer reports. The FTC alleges that Spokeo failed to adhere to three key requirements of the FCRA: to maintain reasonable procedures to verify who its users are and that the consumer report information would be used for a permissible purpose; to ensure accuracy of consumer reports; and to provide a user notice to any person that purchased its consumer reports. It also charges that Spokeo's misleading "endorsements" were a violation of the act. The proposed order is subject to court approval.
Earlier this year the FTC sent letters to six unidentified mobile application makers warning them that their background screening apps may be violating federal statutes. Specifically, the FTC said that if the app makers have reason to believe their background reporting apps are being used for employment screening, housing, credit or other similar purposes, they must comply with the Fair Credit Reporting Act, which is supposed to protect consumer privacy and ensure that the information supplied by consumer reporting agencies is accurate.
According to the FTC, some of the apps include criminal record histories, which bear on an individual's character and general reputation and are precisely the type of information that is typically used in employment and tenant screening.
Under the FCRA, operations that assemble or evaluate information to provide to third parties qualify as consumer reporting agencies, or CRAs. Mobile apps that supply such information may qualify as CRAs under the act. CRAs must take reasonable steps to ensure the user of each report has a "permissible purpose" to use the report; take reasonable steps to ensure the maximum possible accuracy of the information conveyed in its reports; and provide users of its reports with information about their FCRA obligations. In the case of consumer reports provided for employment purposes, for example, CRAs must provide employers with information regarding their obligation to provide notice to employees and applicants of any adverse action taken on the basis of a consumer report.
According to the warning letters, the FTC has made no determination whether the companies are violating the FCRA, but encourages them to review their apps and their policies and procedures to be sure they comply with the FCRA. Future actions against those firms weren't ruled out if violations are found.
Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.