It's surprisingly easy to be deemed to be a "consumer reporting agency," and it can be expensive, as Spokeo, Inc., discovered in its order with the Federal Trade Commission (FTC) on June 12. Spokeo agreed to pay the FTC $800,000 and to change some of its business practices, although Spokeo did not admit any liability.
What did the FTC's complaint claim that Spokeo did?
According to the FTC's complaint, Spokeo:
- Assembled consumer information to create consumer "profiles," which Spokeo promoted as "coherent people profiles."
- Organized these "profiles" by various descriptive headers, such as ethnicity, religion and social networks.
- Promoted these "profiles" to entities in the human resources, recruiting and background screening fields to serve as a factor in their interviewing and hiring. The FTC's complaint also stated that Spokeo purchased thousands of online keywords on these topics and Spokeo's website had a separate tab labeled "recruiters."
- Changed its website terms of service in 2010 to state that it was not a "consumer reporting agency," but Spokeo did not take any action with respect to previously registered users.
Why did the FTC object to that?
The FTC enforces not only the Federal Trade Commission Act but also the Fair Credit Reporting Act (FCRA). The FCRA contains several requirements relating to "consumer reports." The FCRA defines a "consumer report" broadly:
Any written, oral or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for credit or insurance to be used primarily for personal, family or household purposes; employment purpose, or any other purpose authorized under section 604.4.
The FTC complaint alleged that Spokeo's selling consumer profiles for "employment purposes" resulted in Spokeo becoming a "consumer reporting agency" subject to FCRA. According to the FTC complaint, Spokeo did not comply with the statutory obligations of a consumer reporting agency, thereby violating both the FTC Act and the FCRA.
What is a consumer reporting agency required to do?
The FCRA has many requirements for consumer reporting agencies, including that they maintain reasonable procedures to limit the furnishing of consumer reports to the purposes specified in Section 604; follow reasonable procedures to assure maximum possible accuracy of consumer report information; provide a notice to the recipients/users of the consumer reports of their FCRA obligations; and not provide a consumer report to anyone that the consumer reporting agency does not have reason to believe has a "permissible purpose."
The FTC complaint alleged that Spokeo's data collection, aggregation and marketing activities did not comply with these requirements for a consumer reporting agency and, therefore, the FTC claimed Spokeo violated both the FCRA and Section 5 of the FTC Act (unfair or deceptive acts or practices).
What does the order require Spokeo to do?
Under the order, Spokeo must:
- Pay $800,000. Although the FTC cannot levy fines under Section 5 of the FTC Act, it has the authority to do so under FCRA.
- Refrain from violating the FCRA.
- Retain certain records for up to 20 years.
- Submit compliance reports within 14 days of an FTC request for the next 20 years.
Could Spokeo comply with its FCRA authentication obligations by placing a persistent cookie on an authorized user's computer without that user's opt-in consent so that the user need not authenticate for each and every session?
Under FCRA, Spokeo would have to authenticate users for their "permissible purposes" if Spokeo continues to offer consumer reports. Users typically find it inconvenient to go through the authentication process each and every time they visit a website. Spokeo would want to offer its users convenience—as many sites that simply require a password do—and could drop a persistent cookie on the user's computer once the user has authenticated in order to spare the user the effort of authenticating for the next visit(s).
Dropping a persistent cookie would require user consent by Spokeo customers in the European Union (EU), pursuant to the Article 29 Working Party's Opinion 04/2012, issued the same day as the FTC released the Spokeo documents. The EU previously adopted a directive requiring opt-in consent to cookies. The EU Directive includes an exception to the opt-in requirement, for a cookie that is "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service."
Because the persistent cookie in our example is not required for the site to function, nor has it been requested by the user, it does not appear to meet either criterion for an exemption as described in the Article 29 Working Party opinion. The opinion permits cookies "used for authentication services" but only "for the duration of a session." Even though Spokeo would be using a persistent cookie as part of its compliance process with FCRA to provide the service requested by the user, Spokeo would apparently need to have the user's consent to use a persistent cookie. Why? According to the opinion, "it is important to examine what is strictly necessary from the point of view of the user, not the service provider."
Implications for the future?
Spokeo is the FTC's first FCRA enforcement action to involve the use of social media in the context of screening for employment purposes. Notwithstanding Spokeo's claims that it does not create its own content, have access to private data or offer credit reports, the FTC nevertheless has treated Spokeo as a consumer reporting agency. The FTC's challenge under these circumstances indicates an agency trend to extend both the definitions and scope of the FCRA to the conduct of companies that collect, aggregate and market consumers' personal online and social media data. In particular, it may be beneficial for Internet companies that collect and market consumer information to develop a strategy consistent with recent regulatory developments and/or specifically take steps to ensure that companies are not acting as de facto credit reporting agencies.
A version of this article originally appeared in Fulbright & Jaworski's client briefing.