Skip to Content

Privacy & Data

CDT Complaint Against Spokeo Paves Way for $800,000 Settlement with FTC

On Tuesday, CDT received some long hoped-for news from the Federal Trade Commission:  The FTC had announced an $800,000 settlement with the online data broker Spokeo over Fair Credit Reporting Act violations.

Two years ago, I spent several weeks studying and documenting Spokeo’s abusive and illegal practices.  CDT contacted Spokeo in an effort to get them to fix their (many) problems but without success; we eventually filed a complaint with the FTC over Spokeo’s business practices in June of 2010.  The announced settlement is important because it sheds light on the extremely difficult question of what limits can (and should) be put on the use of publicly available information in the social media age.

In the United States, the collection and use of personal information is for the most part unregulated; however, the Fair Credit Reporting Act is one of a handful of narrow areas where we do have substantive privacy protections in law.  If you sell credit (or similar) reports about consumers, you need to follow some basic rules [] that were put in place in the 1970s to address widespread inaccuracy in the consumer reporting industry.  These rules include putting procedures in place to ensure information is correct, giving consumers the right to access and correct data, and telling consumers when an adverse decision is based on such a report.  In recent years, however, FCRA has been criticized for vagueness over how far its reach extends, as more and more data brokers offer products that purport to be just outside of FCRA’s narrow scope (such as “fraud prevention” or “identity verification” services).

Spokeo too alleged that its products were not covered by FCRA; the company sold extremely detailed (if wildly inaccurate) reports about millions of Americans, but added a small footnote to those reports saying that they couldn’t be used for credit or employment, or other FCRA purposes.  At the same time, however, Spokeo was aggressively promoting their products to prospective employers, creating a special “Recruiters” portal on their site, and buying online advertising based on keywords like “employment background checks,” “applicant screening,” and “recruiting.”  The FTC’s settlement with Spokeo stands for the important proposition that companies cannot merely aver themselves out of the scope of FCRA — products to be used for important decisions like credit and employment must incorporate FCRA’s protections to make sure those products are reliable.

This issue will only become more important over time, as more and more data is collected, correlated, and retained about all of us.  Spokeo, after all, was just a tiny company with (at least initially) only a handful of full-time employees, yet they were able to scrape public sources to make available consumer reports on millions of people.  Today, more and more companies are trying to mine social media when making employment and credit decisions.  In many cases, the consumers themselves are putting personal information out there using Facebook, Twitter, or any number of other publishing platforms — can they credibly complain if that information later comes back to bite them?

Some European lawmakers have recommended a very aggressive approach to this problem, calling for a “right to be forgotten” that gives users the right to eliminate negative information about themselves online, even if it’s truthful.  CDT has argued that a broad implementation of a “right to be forgotten” is infeasible, would place impossible burdens on intermediaries, and would violate others’ free expression rights.  However, the Free Credit Reporting Act is, to some extent, a right to be forgotten — negative information, like debts or arrests, can’t be included in consumer reports after a certain period of time.  We think it’s a limited and justifiable right, narrowly targeted to address real abuses, but there are others who have argued that FCRA is unconstitutional under the First Amendment because it prevents access to and the use of truthful information.  The Supreme Court recently invalidated a Vermont statute that limited commercial access to pharmacy records in order to target marketing campaigns.  In a recent class action complaint for violation of FCRA, a data broker has invoked this decision as an argument that FCRA too violates the First Amendment.  Court cases like these will soon flesh out how much, if any, commercial privacy law is constitutional in the U.S.

That sobering thought aside, the Spokeo settlement did contain an unexpected Easter egg with the news that Spokeo had paid its employees to seed social media sites with fake testimonials about Spokeo.  This practice (called astorturfing”) is another issue near and dear to CDT’s heart — we filed another FTC complaint against the company Medical Justice last year over posting fake reviews online. (And in my previous job with the New York Attorney General’s office, I brought an action [] against the plastic surgery company Lifestyle Lift for similar practices; the case eventually settled for $300,000).

The FTC has been rightfully aggressive on this practice in recent years, issuing detailed Endorsement Guides on how to virally promote products in social media, and bringing enforcement actions against companies promoting their services through anonymous reviews without disclosing their affiliation.  As consumers increasingly rely on purportedly neutral customer reviews on services like Yelp, Amazon, and TripAdvisor, we need to be able to trust that those reviews are really from disinterested consumers and not paid shills.  This too will be an area where the FTC may have to provide further guidance: while the Endorsement Guidelines were updated just two years, it is not entirely clear how they apply to newer forms of promotion, such as Likes on Facebook or sponsored hash tags on Twitter.  On microblogging and mobile platforms where space is at a premium, marketers have a tough challenge in finding out how to disclose any potential conflicts of interest behind a retweet or +1.