On May 7, 2013, the Federal Trade Commission announced that it issued letters to ten data broker companies warning that their practices could violate prohibitions against selling consumer information under the Fair Credit Reporting Act (“FCRA”). The FTC identified the ten data broker companies after a test-shopping operation that indicated these companies were willing to sell consumer information without adhering to FCRA requirements.
The FTC noted that data broker companies that collect, distribute or sell consumer credit information are consumer reporting agencies (“CRAs”) under the FCRA. As CRAs, the data broker companies must verify the identities of their customers requesting the consumer information and ensure that these customers have a legitimate purpose for receiving the information.
As part of the test-shopping operation, FTC staff members posing as individuals or representatives of companies contacted 45 data broker companies seeking information about consumers to make decisions related to creditworthiness, eligibility for insurance and suitability for employment. According to the FTC, ten out of the 45 data broker companies appeared to violate FCRA requirements for CRAs. The FTC sent warning letters to the ten companies, which include 4Nannies, Brokers Data, Case Breakers, ConsumerBase, Crimcheck.com, People Search Now, U.S. Information Search, US Data Corporation and USA People Search. According to the FTC’s letters, the companies offered (1) “pre-screened” lists of consumers for making offers of credit; (2) consumer information for use in making insurance decisions; or (3) consumer information for employment purposes, without ensuring that that consumers’ information was protected.
The FTC issued the letters on May 2, 2013, in conjunction with an international privacy practice transparency sweep conducted by the Global Privacy Enforcement Network, which connects privacy enforcement authorities to promote and support cooperation in cross-border enforcement of privacy laws. The FTC’s letters are not official notices that the data broker companies are subject to FCRA requirements, nor are they formal complaints against the companies. Rather, these letters serve to remind the data broker companies to determine whether they are CRAs by reviewing their practices and how to comply with the FCRA if they are subject to its requirements. The letters come after the FTC had issued Orders to File Special Report in December 2012 to nine data brokerage companies, seeking information about how these companies collect and use personal data about consumers.