Consumer Loan Data Vendor Fined $1.5M by FTC, With Management Liability to Go With It – Privacy

United States: Consumer loan data vendor fined $1.5 million by FTC, with accompanying management liability


As CPW has tracked, data privacy is a priority of the Federal Trade Commission (“FTC”). A proposed settlement agreement reached between the FTC and a lead generation company underscores this point, as well as the increased risk for company executives who fail to comply with applicable privacy regimes. Keep reading to learn more.

For your information, the FTC filed a complaint on January 5, 2022 seeking penalties, a permanent injunction, and other relief against ITMEDIA SOLUTIONS LLC (“ITMedia Solutions”), a lead generation company, and its wholly owned affiliates, as well as against several directors of the companies individually. The FTC will generally file a lawsuit if it has reason to believe the named defendants are violating or will violate the law and if the Commission determines that a proceeding is in the public interest.

The FTC alleged in the complaint that since at least 2012, ITMedia has created and operated at least 200 separate websites encouraging consumers to complete online loan applications, which would be broadcast to a select group of lenders for loan offers. These loan applications would include consumers’ personal information, such as their dates of birth, social security numbers, bank routing numbers, account numbers, and other information, and ITMedia included representations on its websites that such information would only be used by lenders for loan offers. In fact, as alleged in the complaint, ITMedia sold consumer information as leads to various entities, not all of which were lenders or offered lending products, such as marketers, debit card sellers, and debt negotiation and credit repair services.

The FTC’s complaint alleges that at least 84% of ITMedia’s consumers have had their information sold to non-lenders or used for marketing purposes. Additionally, the complaint alleges that ITMedia indiscriminately shared consumer PII and other sensitive information by widely sharing consumer information with various entities, regardless of how the entities said they would use that information, and by not concealing sensitive information that was distributed to potential buyers.

Notably, the complaint also alleges that individual ITMedia executives were liable because they reviewed ITMedia’s statements to consumers, negotiated or signed contracts to sell consumer information, or participated in the distribution of leads, or because they remained deliberately ignorant of these activities. One of the people named as a defendant was the general manager of one of ITMedia’s subsidiaries and another its general counsel. In a concurring statement, Commissioner Christine S. Wilson expressed concern that the overzealous pursuit of individual accountability of executives could have a chilling effect and should be used scrupulously, particularly with respect to in-house counsel. or other legal frameworks.

On January 6, 2022, the FTC and the defendants stipulated to entry of an order for permanent injunction and judgment. Although the stipulated order has yet to be approved and signed by U.S. District Judge Dale S. Fischer of the Central District of California, this settlement has held several individuals liable for unlawful practices in their lead generation activities: the founders, the President Vice President of Business Operations, the owners of ITMedia affiliated LLCs, as well as the General Counsel and Chief Compliance Officer. The FTC, including Commissioner Wilson, found that since the General Counsel and Chief Compliance Officer frequently acted in a business capacity, holding him personally liable was justified under the law and “necessary to obtain an effective remedy.”

The settlement prohibits defendants from (1) misrepresenting when and why they share consumer personal information, (2) selling or transferring personal information unless the consumer has requested a financial product or service (i.e., loan, credit card, credit repair…), and (3) misusing consumer reports, among other prohibitions. Defendants also agreed to (1) screen recipients of a consumer’s sensitive personal information to verify the legitimate need for such information, (2) comply with various compliance reporting and record keeping requirements, (3) destroy, and direct receiving entities to destroy, consumers’ personal information obtained prior to entry of the order, and (4) pay $1,500,000 in civil penalties.

The FTC’s authorities allow it to impose civil penalties of up to $46,517 per violation of Section 5 of the FTC Act, up from the maximum of $43,792 last year. This settlement follows the FTC’s recent trend of seeking civil penalties following the Supreme Court’s decision in AMG Capital.

This case is a wake-up call for other entities in a similar situation, particularly regarding the actions taken here with respect to company management and in-house counsel. As consumer data privacy remains an FTC priority going forward, readers should anticipate further developments in this direction at the enforcement level.
