FTC Settles with Data Brokers in Sale of Consumer Data Used for Illicit Purposes | White & Case LLP International Law Firm, Global Law Practice
FTC Settles with Data Brokers in Sale of Consumer Data Used for Illicit Purposes

FTC Settles with Data Brokers in Sale of Consumer Data Used for Illicit Purposes

White & Case Technology Newsflash

On February 18, 2016, the U.S. Federal Trade Commission ("FTC") settled a dispute[1] against LeapLab LLC ("LeapLab") and others ("Co-Defendants") claiming that they knowingly sold consumer social security numbers, bank account details, and other information to third parties, who employed this information for illicit purposes. The Co-Defendants were subject to $5.7 million in collective monetary judgements and prohibited from further selling or transferring consumer data to third parties or misleading customers about loan application or offer terms.[2] They were also required to destroy all customer data in their possession within thirty (30) days. This case highlights the FTC's recent focus on the conduct of data brokers and similar organizations, with significant implications for those trading in consumer data.

The settlement follows a 2014 FTC complaint against Sitesearch Corporation (formerly LeapLab) and the other Co-Defendants citing charges of unfair trade practices in violation of Section 5 of the FTC Act[3] relating to the illicit sale of consumer personal and financial information. The FTC sought both equitable relief and the prohibition of the Co-Defendants' alleged misuse of applications for short-term loans known as "payday loans."[4] The payday loan applications contained consumer bank account details, personally identifiable information and other sensitive details provided by applicants on the Co-Defendants' websites. The FTC claimed that the Co-Defendants sold the applications to third parties they knew did not provide payday loans, but were instead scammers, telemarketers, or other non-lenders that used the consumer data for unlawful purposes, including the fraudulent purchase of financial products.[5]

One such third-party non-lender was Ideal Financial Solutions ("Ideal"), a defendant in a previous lawsuit brought by the FTC citing fraudulent purchases and transactions using consumer data purchased from third parties including the Co-Defendants, among others.[6] According to the FTC, Ideal's former Vice President of Marketing had knowledge that Ideal had used information from consumer payday loan applications to make unauthorized debits from consumers' bank accounts, which he shared with LeapLab after his appointment as Chief Marketing Officer.[7] Despite this knowledge, LeapLab continued to sell payday loan applications to Ideal, who debited over $4.12 million from consumer bank accounts using only the consumer information provided by the Co-Defendants.[8] To the FTC, this demonstrated that the Co-Defendants' knew that the personal loan applications they had sold were subsequently used by the purchasers to facilitate fraud and other illicit conduct, constituting unfair and deceptive trade practices in violation of §5 of the FTC Act.

Previously, the FTC primarily sought to address privacy issues posed by the collection, transfer, and sale of consumer information under the Fair Credit Reporting Act ("FCRA").[9] Since its enactment in 1970, the FTC has brought over 100 enforcement actions under the FCRA resulting in over $30 million in penalties against organizations that trade in consumer data.[10] Rapid changes in technology and the growing pervasiveness of "big data" have underpinned the FTC's closer examination of the conduct of organizations that trade in consumer data in recent years.[11] The FTC has since delineated three (3) primary categories of data broker companies that trade in consumer information: (1) those subject to the FCRA (i.e. traditional Consumer Reporting Agencies or "CRAs"),[12] (2) marketing and related companies not subject to FCRA, and (3) non-marketing companies not subject to FCRA (i.e. location or anti-fraud services).[13]  The lack of oversight of data brokers in the latter two categories prompted the FTC to rely on §5 of the FTC Act to address the unfairness to consumers posed by certain data brokers not subject to the FCRA regulations.[14] Under the FTC Act, an act or practice that "causes substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or completion" is considered unfair.[15]

This matter exemplifies the FTC's recent efforts to increase transparency and accountability of companies not subject to FCRA regulation but nonetheless trading in sensitive consumer information.[16] The settlement also offers insight into consumer protection concerns posed by the intersection of the data broker and lead generator industries.[17] While companies may examine the potential risks to consumers posed by the sale of their personal information to third parties under a reasonableness standard, the FTC has noted that for companies whose "stock-in-trade is personal information…what's reasonable under the circumstances may be different."[18]

Whether subject to the FCRA or not, U.S. regulators such as the FTC are examining companies that trade in consumer information with increased scrutiny. Moreover, data broker companies of all varieties are well served to ensure that the conduct of their downstream partners, affiliates, and customers is aligned with their own industry regulations and standards.


[1] - Federal Trade Commission(F.T.C) v. Sitesearch Corporation, dba LeapLab, et al., No. 2:14-cv-02750 (D. Az. Dec. 22, 2014).
[2] - Id.
[3] - 15 U.S.C. §45(a).
[4] - According to the FTC, the defendants collected thousands of applications for short-term loans known as "payday loans" through their websites and sold the applications to non-lending third parties without the applicants' consent. Complaint at 5-6, F.T.C. v. Sitesearch et al.
[5] - The LeapLab defendants sold only about five (5) percent of lawfully acquired payday loan applications to authorized online lenders for $10 and $150 per application.  The remaining ninety-five (95) percent of applications were sold to non-lending third parties. Complaint at 6, F.T.C. v. Sitesearch et al.
[6] - According to the FTC, Ideal purchased over 2.2 million consumers' financial information from various data brokers in order to facilitate millions of dollars in fraudulent debits and transactions. Complaint at 7, F.T.C. v. Sitesearch, et al.  The FTC has since obtained a preliminary injunction to halt Ideal's operations while the case is pending in Nevada Federal District Court. See FTC v. Ideal Financial Solutions, Inc. et al, No. 213-cv-00143-MMD-GWF (D. Nev. Jan. 28, 2013).
[7] - Complaint at 9, F.T.C. v. Sitesearch et al.
[8] - Complaint at 10, F.T.C. v. Sitesearch et al.
[9] - 15 U.S.C. §§ 1681-1681x (2012).
[10] - See Data Brokers: A Call for Transparency and Accountability, U.S. Federal Trade Commission (May 2014), citing What Information Do Data Brokers Have on Consumers, and How Do They Use It?, S. Comm. On Commerce, Sci., & Transp., 113th Cong. (2013) (statement of Jessica Rich, Director of the Bureau of Consumer Protection, Federal Trade Commission); ftc.gov/sites/default/files/documents/public_statements/prepared-statement-federal-tradecommission-entitled-what-information-do-data-brokers-have-consumers/131218databrokerstestimony
[11] - See e.g. Federal Trade Commission, Data Brokers: A Call for Transparency and Accountability, U.S. Federal Trade Commission (May 2014); Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers (2012); ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf — see also The Information Marketplace: Merging and Exchanging Consumer Data, F.T.C. Public Workshop (Mar. 13, 2001); ftc.gov/sites/default/files/documents/public_events/information-marketplace-merging-and-exchanging-consumer-data/transcript.pdf
[12] - The FCRA primarily regulates consumer information constituting "Consumer Reports" by companies that act as a "Consumer Reporting Agency" under the statute, including those that collect and maintain consumer data to provide to other companies for employment, consumer credit, insurance and other purposes. See 15 U.S.C. §§ 1681-1681x (2012).
[13] - See Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Business and Policymakers (2012).
[14] - The FTC is authorized to initiate federal district court proceedings to seek injunctive and equitable relief for violations of §5 of the FTC Act pursuant to 15 U.S.C. §§53(b) and 56(a)(2)(A).
[15] - 15 U.S.C. §45(n).
[16] - See, e.g. Federal Trade Commission v. Sequoia One LLC, et al, No. 2:15-cv-01512 (D. Nev. August 7, 2015) (F.T.C. claims that defendants sold consumer loan information in violation of §5 of the FTC Act resulted in a settlement with three (3) defendants including $10 million in suspended judgements and a prohibition on future misrepresentations related to loan applications); Federal Trade Commission v. Ideal Financial Solutions, Inc. et al, No. 213-cv-00143-MMD-GWF (D. Nev. Jan. 28, 2013).
[17] - Lesley Fair, Dealing in Personal Data? Seller Beware, FTC Business Blog (Feb. 18, 2016); ftc.gov/news-events/blogs/business-blog/2016/02/dealing-personal-data-seller-beware
[18] - Id.


This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2016 White & Case LLP