Consumer loan data seller receives $ 1.5 million FTC penalty, with associated liability

As CPW has followed, data privacy is a priority of the Federal Trade Commission (“FTC”). A proposed settlement agreement between the FTC and a lead generation company underscores this point, as well as the heightened risk for business executives failing to adhere to applicable confidentiality regimes. Read on to find out more.

For your information, the FTC filed a lawsuit on January 5, 2022 for penalties, a permanent injunction and other remedies against ITMEDIA SOLUTIONS LLC (“ITMedia Solutions”), a lead generation company, and its wholly-owned subsidiaries, as well as against several individual company executives. The FTC will generally file a complaint if it has reason to believe that the named defendants are violating or will violate the law and the Commission determines that a proceeding is in the public interest.

The FTC alleged in the complaint that since at least 2012, ITMedia has created and operated at least 200 separate websites encouraging consumers to complete loan applications online that would be distributed to a select group of lenders for loan offers. These loan applications would include consumers’ personal information, such as dates of birth, social security numbers, bank routing numbers, account numbers, and other information, and ITMedia included statements on its websites according to which this information would only be used by lenders for loan offers. In fact, as alleged in the complaint, ITMedia sold the consumer information as leads to various entities which were not all lenders or did not all offer loan products, such as marketers, sellers of debit cards, debt negotiation and credit repair services.

The FTC complaint alleges that at least 84% of ITMedia consumers have had their information sold to non-lenders or used for marketing purposes. Further, the complaint alleges that ITMedia indiscriminately shared consumer personal information and other sensitive information by widely sharing consumer information with various entities, regardless of how the entities have declared that they will use such information. information, and failing to obscure sensitive information that has been distributed to potential buyers. .

Notably, the complaint also alleges that individual ITMedia executives were liable because they reviewed ITMedia’s representations to consumers, negotiated or signed contracts to sell information to consumers, or participated in the distribution of leads, or because they have remained willfully ignorant of these activities. One of the people named as the defendant was the CEO of one of ITMedia’s subsidiaries and another as general counsel. In a concurring statement, Commissioner Christine S. Wilson expressed concern that an overzealous pursuit of individual accountability of leaders could have a chilling effect and should be used scrupulously, especially with regard to advisers. internal legal or other legal officers.

On January 6, 2022, the FTC and the defendants stipulated the entry of a permanent injunction and judgment order. Although the stipulated order has yet to be approved and signed by U.S. District Judge Dale S. Fischer of the Central District of California, this regulation has held several people responsible for illegal practices in the course of their lead generation activities: Founders, Vice President of Business Operations, Owners of ITMedia Affiliate LLCs, and General Counsel and Chief Compliance Officer. The FTC, including Commissioner Wilson, found that since the General Counsel and Compliance Officer frequently acted in a commercial capacity, holding him personally liable was justified under the law and “necessary to obtain redress. effective “.

The regulation prohibits defendants (1) from misrepresenting when and why they share the consumer’s personal information, (2) from selling or transferring personal information unless the consumer has requested a financial product or service (i.e. ie loan, credit card, credit repair…), and (3) misuse of consumer reports, among other prohibitions. The defendants also agreed to (1) screen the recipients of a consumer’s sensitive personal information to verify the legitimate need for that information, (2) comply with various declaration of compliance and record keeping requirements, (3 ) destroy and order recipient entities to destroy the consumer’s personal data. Information obtained prior to order entry, and (4) pay $ 1,500,000 in civil penalties.

FTC authorities allow it to impose civil penalties of up to $ 46,517 per violation of Section 5 of the FTC Act, up from a maximum of $ 43,792 last year. This settlement follows the recent trend by the FTC to seek civil penalties following the Supreme Court ruling in AMG Capital.

This case is a wake-up call for other entities in a similar situation, especially with regard to the actions taken here with regard to the management of the company and internal legal advisers. As the privacy of consumer data remains a priority for the FTC going forward, readers should anticipate more developments in this direction at the application level. Don’t worry, CPW will be there to keep you informed every step of the way. Stay tuned.

Comments are closed.