The FTC announced last week that it has entered into a settlement with ITMedia Solutions LLC, a lead generation company, and a group of affiliated companies (collectively, ITMedia), and several individuals who served as officers of ITMedia, to resolve a complaint filed by the FTC in a California federal district court alleging that the defendants’ conduct violated the FTC Act and FCRA.  The settlement requires the defendants to pay a $1.5 million civil penalty to the FTC.

In its complaint, the FTC alleges that ITMedia:

  • operates websites that urge consumers to complete loan applications in which they are asked to provide sensitive financial information, including their Social Security numbers and bank account information.
  • induces consumers to complete applications by assuring that it will share information only with “qualified and trusty” loan providers and will only share information to find a loan for the consumer.
  • represents that loans are available without regard to credit scores or history to consumers who complete ITMedia’s application.
  • sells information to entities other than lenders (such as marketers, debt relief, and credit repair companies), and without regard for whether an entity purchasing leads would check and evaluate a consumer’s creditworthiness.
  • transmits loan applications to prospective lead buyers without masking or otherwise restricting access to sensitive information resulting in the sharing of sensitive information with multiple entities that have not committed to purchase the information.
  • lacks policies and procedures that require an entity obtaining leads to certify that it uses the information solely to respond to the consumer’s loan request or that provide for ITMedia’s assessment or investigation of whether lead purchasers safeguard information or use such information for purposes other than making a loan.
  • uses credit scores it purchases of consumers who submit applications for marketing purposes such as setting lead prices and sends information to potential lead buyers with codes identifying the range into which a consumer’s credit score falls or filter leads based on credit score ranges selected by potential buyers without requiring the potential buyer to identify each recipient or end user of the leads and certify it will use the leads only to respond to the consumer’s loan request.
  • represents to the consumer reporting agencies (CRAs) from which it purchases credit scores that it will use the scores to prequalify consumers without (1) acknowledging that it uses the scores for marketing purposes, (2) providing the identities of the entities to which it has furnished score-based information, or (3) providing the CRAs with the purposes for which such entities use such information.
  • shares sensitive information with entities that are not using the information solely to respond to the consumer’s request without the consumer’s knowledge or consent (or with any disclosures regarding such sharing “buried in dense text, in small font, and in single space type” that could only be reached via a hyperlink that did not appear on the same pages as the loan application and which consumers were not required to view before submitting an application.)

Based on the above allegations, the FTC alleges that the defendants’ violated:

  • the FTC Act by (1) making deceptive representations regarding how their information and applications would be used, and (2) unfairly distributing sensitive information without consumers’ knowledge or consent and without regard to whether the recipients are lenders or otherwise had a legitimate need for the information.
  • the FCRA by obtaining and using credit scores without a permissible purpose and reselling credit scores without complying with the FCRA’s reseller requirements.

In addition to payment of the $1.5 million civil penalty, the Stipulated Order requires the defendants to establish, implement, and maintain procedures to verify the legitimate need for and use of consumer’s sensitive information by any person to whom they sell, transfer, or disclose such information, and prohibits them from obtaining or using a consumer report for other than a permissible purposes and from reselling consumer reports without complying with FCRA requirements.

Since conducting a 2015 workshop on lead generation and issuing a staff paper in 2016, lead generation has been an FTC enforcement focus.  In its enforcement actions, the FTC has targeted both lead generators and users of their services.  Having continued to target lead generation during the Trump Administration, the FTC can be expected to target lead generation even more aggressively under Democratic leadership.  On February 2, 2022, from 12:00 p.m. to 1:00 p.m. ET, Ballard Spahr attorneys will hold a webinar, “What are the Compliance Risks for Lead Generators and Lead Buyers?”  Click here to register.