FTC: Data broker Spokeo to pay $800,000 for selling personal data to employers for background checks

The Federal Trade Commission today said data broker Spokeo will pay $800,000 to settle FTC charges that it sold personal information gathered from social media and other Internet-based sites to employers and job recruiters without taking the consumer-protection steps required under the Fair Credit Reporting Act.

According to the FTC, Spokeo collects personal information about consumers from hundreds of online and offline data sources, including social networks. It merges the data to create detailed personal profiles of consumers. The profiles contain such information as name, address, age range and email address. They also might include hobbies, ethnicity, religion, participation on social networking sites, and photos.

The FTC alleges that Spokeo operated as a consumer reporting agency and violated the FCRA by failing to make sure that the information it sold would be used only for legally allowable reasons; failing to ensure the information was accurate; and failing to tell users of its consumer reports about their obligations under the FCRA, including the requirement to notify consumers if the user took an adverse action against the consumer based on information contained in the consumer report. The FTC also alleged that Spokeo deceptively posted endorsements of its service on news and technology websites and blogs, portraying the endorsements as independent when in reality they were created by Spokeo's own employees.

The FTC alleges that from 2008 until 2010, Spokeo marketed the profiles on a subscription basis to human resources professionals, job recruiters and others as an employment screening tool. The company encouraged recruiters to "Explore Beyond the Resume." It ran online advertisements with tag lines to attract employers, and created a special portion of the Spokeo website for recruiters. It created and posted endorsements of its services, representing those endorsements as those of consumers or other businesses.

The case against Spokeo is part of the FTC's ongoing enforcement of the FCRA, a law passed by Congress to promote the accuracy, fairness and privacy of information in the files of consumer reporting agencies, and to regulate the use and dissemination of consumer reports. The FTC alleges that Spokeo failed to adhere to three key requirements of the FCRA: to maintain reasonable procedures to verify who its users are and that the consumer report information would be used for a permissible purpose; to ensure accuracy of consumer reports; and to provide a user notice to any person that purchased its consumer reports. It also charges that Spokeo's misleading "endorsements" were a violation of the act. The proposed order is subject to court approval.

Earlier this year the FTC sent letters to six unidentified mobile application makers warning them that their background screening apps may be violating federal statutes. Specifically, the FTC said that if the app makers have reason to believe their background reporting apps are being used for employment screening, housing, credit or other similar purposes, they must comply with the Fair Credit Reporting Act, which is supposed to protect consumer privacy and ensure that the information supplied by consumer reporting agencies is accurate.

According to the FTC, some of the apps include criminal record histories, which bear on an individual's character and general reputation and are precisely the type of information that is typically used in employment and tenant screening.

Under the FCRA, operations that assemble or evaluate information to provide to third parties qualify as consumer reporting agencies, or CRAs. Mobile apps that supply such information may qualify as CRAs under the act. CRAs must take reasonable steps to ensure the user of each report has a "permissible purpose" to use the report; take reasonable steps to ensure the maximum possible accuracy of the information conveyed in their reports; and provide users of their reports with information about their FCRA obligations. In the case of consumer reports provided for employment purposes, for example, CRAs must provide employers with information regarding their obligation to provide notice to employees and applicants of any adverse action taken on the basis of a consumer report.

According to the warning letters, the FTC has made no determination whether the companies are violating the FCRA, but encourages them to review their apps and their policies and procedures to be sure they comply with the FCRA. Future actions against those firms weren't ruled out if violations are found.

Follow Michael Cooney on Twitter: @nwwlayer8 and on Facebook.
