On July 5, 2017, the FTC announced a settlement with Blue Global Media, LLC ("Blue Global") and its CEO Christopher Kay over allegations that the company solicited sensitive information from consumers under false pretenses and then shared that information with potential buyers without any regard for its protection or security. The settlement provides key insights into the FTC's current position on the processing of sensitive information.
Allegations and Stipulated Order
According to the FTC, starting in 2009, Blue Global created a series of websites that claimed to find loans for consumer applicants. Blue Global requested sensitive information from consumers through these websites, including Social Security and driver's license numbers, and represented it would use that information to search its lender database to find loans with the most favorable terms. Blue Global further represented that it kept the information secure using industry-leading online technology and only shared the information with its trusted lending partners.
According to the FTC, all was not as it seemed. The FTC alleged that Blue Global did not actually have systems in place to find loans for consumers or to secure consumers' sensitive information. Rather, Blue Global rebranded consumers' sensitive information as "leads" and offered such leads to potential buyers, many of which were not even lenders. Further, Blue Global allowed potential buyers to view the leads prior to purchase and without any contractual restraints on the use or sharing of such information.
The FTC alleged that Blue Global violated Section 5 of the FTC Act by (a) deceptively misrepresenting to consumers how it used and secured their sensitive information; and (b) unfairly sharing and selling consumers' sensitive information without vetting the recipients and without consumers' knowledge or consent, which caused or was likely to cause substantial injury to consumers.
The FTC stipulated to entry of an order with Blue Global and Mr. Kay. Among other things, the settlement (i) fined the parties $104 million, which was suspended due to bankruptcy proceedings; (ii) required the destruction of previously collected information; and (iii) enjoined the sharing of consumers' sensitive information without prior express consent and procedures in place to verify the legitimate need and use of the information.
- The processing of sensitive information continues to attract regulator scrutiny. This settlement is yet another example of the FTC taking action against a company that processes consumers' sensitive information. The FTC sends a strong signal with its $104 million stipulated monetary judgment.
- Make accurate disclosures and do not overpromise. The FTC alleged that Blue Global made promises that did not align with its actual practices and that it could not keep, such as promising that consumers' information was "completely protected 24/7 guaranteed." Companies should carefully review all the representations they make to consumers, not just those found in their privacy policies.
- Do not make contradictory disclosures or bury disclosures. The FTC pointed out that Blue Media posted inconspicuous disclaimers on its websites that contradicted some of the more prominent representations it made to consumers. For example, deep in its online terms, Blue Media apparently stated that it was not responsible for the security of personal information transferred to third parties. The FTC found that such statements did not override statements made elsewhere on Blue Media's website. As a practical takeaway, companies should not make statements on their websites that contradict language in their online terms.
- Security is key when processing sensitive information. Even if Blue Media secured consumers' sensitive information while processing it on its own systems, disclosing that information without any conditions to potential buyers constituted a failure to maintain reasonable security measures. Companies should have policies and procedures in place to protect consumer information on their own systems as well as on the systems of their service providers, and depending on the type and scope of the data, when in the possession of third parties.
- Executive officers may be held personally liable for company actions. The FTC brought its action against both the company and the CEO. The CEO apparently reviewed and approved the content of the websites, approved the sharing of the sensitive information with non-lenders, and set policies for the storage and security of the sensitive information. Thus, as a reminder, company employees have a responsibility to carefully evaluate the decisions they make regarding the processing of consumer information as they could be held personally liable for company actions.
This post first appeared in Frankfurt Kurnit's Focus on the Data blog (www.focusonthedata.com).