Data Security: FTC Fines Spokeo Over Internet Data Collection.

According to the New York Times and other sources, the Federal Trade Commission has levied a fine of $800,000 on Spokeo, the company that brands itself as a “people search engine.”  The latter has chosen to settle the charges without admitting to any of the accusations.  This is not the first time that the FTC has accused a company of lax or illegal (or both) data security and protection practices.

FTC Calls Spokeo Consumer Reporting Agency

Spokeo, despite billing itself as a “people search engine,” is actually an aggregator of data from various publicly accessible sources, both online and offline (“including phone directories, social networks, photo albums, marketing surveys, mailing lists, government censuses, real estate listings and business websites,” according to Wikipedia).

Perhaps due to the breadth and comprehensiveness of the data, the FTC:

alleges that Spokeo operated as a consumer reporting agency and violated the FCRA by failing to make sure that the information it sold would be used only for legally allowable reasons; failing to ensure the information was accurate; and failing to tell users of its consumer reports about their obligation under the FCRA, including the requirement to notify consumers if the user took an adverse action against the consumer based on information contained in the consumer report.

The clincher for the accusation appears to be that Spokeo:

marketed the profiles on a subscription basis to human resources professionals, job recruiters and others as an employment screening tool. The company encouraged recruiters to “Explore Beyond the Resume.” It ran online advertisements with tag lines to attract employers, and created a special portion of the Spokeo website for recruiters. It created and posted endorsements of its services, representing those endorsements as those of consumers or other businesses.

Of course, Spokeo has denied trying to act as a consumer reporting agency, noting among other things that “we do not create our own content.”  This is actually a very pertinent argument.  After all, a consumer reporting agency doesn’t merely collect data — it also offers its own assessment on what a person is worth, credit-wise.

Still, Spokeo opted to spotlight the fact that they are not a consumer reporting agency, and that their data should not be used for such purposes.  But it did nothing to revoke or restrict access for subscribers who were essentially using it for objectives that are covered under the Fair Credit Reporting Act.  One could even say that it encouraged people to do so, seeing how it tried to attract employers and recruiters.

Spokeo Accused of Astroturfing

The FTC has also accused the company of astroturfing:

The FTC also accused Spokeo of posting deceptive endorsements of the service, “portraying the endorsements as independent when in reality they were created by Spokeo’s own employees.”

In a sea of comments, thoughts, blogs, tweets, and other information, I’d imagine that an astroturfing campaign by Spokeo’s employees would amount to…something negligible.  On the other hand, it turns out that that’s a violation of the Federal Trade Commission Act:

The commission also charged Spokeo with violating the Federal Trade Commission Act by making false and misleading statements about the independence of comments that the company said were the views of ordinary consumers or business users of its products.

This is not the first time that the FTC has clobbered a company for misleading statements.  Granted, that’s ultimately the FTC’s job: ensuring that marketing claims live up to their promises.  But, it’s not just about truth-in-advertising for the obvious stuff, such as the veracity of the sharpness of a Ginsu knife after it has cut through this steel pipe!

For example, the FTC fined Rite Aid because the latter had proclaimed that

Rite Aid takes its responsibility for maintaining your protected health information in confidence very seriously. . . Although you have the right not to disclose your medical history, Rite Aid would like to assure you that we respect and protect your privacy.

The company was caught dumping documents without shredding them.

The FTC also fined ChoicePoint for deception:

ChoicePoint “has not implemented reasonable and appropriate measures under the circumstances to maintain and protect the confidentiality and security of consumers’ personal information,” which contrasts with ChoicePoint’s public claims (documented in paragraphs 27 through 29, inclusive, of the complaint).

The company had a data breach in 2005 that affected the data of over 145,000 people.

The “security measure claim” was also the reason why the FTC fined Twitter (of fame):

Regarding the deception of customers, the FTC maintains that Twitter’s actual security did not live up to claims in their privacy policy, and customers were misled:

At the time of the attacks, Twitter’s privacy policy said the company was “very concerned about safeguarding the confidentiality of your personally identifiable information” and that Twitter employed “administrative, physical and electronic measures designed to protect your information from unauthorized access,” the FTC said.


The FTC said Twitter misled its users that it was taking appropriate security measures to safeguard their privacy. The company was using easily decipherable passwords, allowing employees to store information in vulnerable places, did not suspend accounts after a number of failed logins, did not set passwords to expire, and did not impose restrictions on administrator access, the FTC said.

At the rate that the FTC is levying fines and settling cases, it makes me wonder whether we’ll see the day when a company is put in the FTC’s sights because it lost a laptop that was not protected with encryption software but promised customers that it takes its data security seriously.
