On July 3, 2017, the Federal Trade Commission (FTC) announced that it had settled charges that defendants Blue Global, an operator of dozens of consumer loan lead generation websites, and its founder and CEO, Christopher Kay, violated the FTC Act. The FTC alleges that the defendants had, among other practices, misled consumers about Blue Global’s data security practices and shared information characterized by the FTC as consumers’ “sensitive personal information” with a variety of potential bidders after promising to disclose such information only to “trusted lending partners” meeting specified criteria. As part of the settlement, the defendants are subject to a judgment for more than $104 million,¹ must maintain stringent oversight of third-party recipients of consumers’ sensitive personal information, and are enjoined from disclosing a consumer’s sensitive personal information other than when specified conditions, including having obtained that consumer’s express, informed consent, are met.

Background

The FTC Act prohibits deceptive and unfair trade practices.² According to the FTC’s complaint, the defendants operated a number of websites that solicit sensitive personal and financial information from consumers through loan applications with a false promise of matching consumers with favorable loan terms. The information collected by the defendants through Blue Global’s online loan applications, according to the complaint, included name, address, phone number, email address, date of birth, social security number, driver’s license number, credit score, bank routing and account numbers, and income, as well as employment, military, home owner, and bankruptcy status.

The FTC’s complaint charges the defendants with violating the FTC Act by making deceptive representations regarding: (1) matching consumers to lenders providing the lowest interest rate and other favorable terms; (2) the purported size and scope of Blue Global’s lender network; (3) loan application approval rates; and (4) the defendants’ controls and other measures relating to data security and data disclosure.

The FTC alleges that the defendants made consumers’ loan application information available to numerous entities other than “trusted lending partners,” including several entities whose businesses were unknown to the defendants. According to the FTC’s complaint, Blue Global only sold 2 percent of the loan application information it obtained to lenders, did not comply with its promises regarding the size and scope of its lender network or its attempts to help consumers secure loans with favorable terms, and did not impose restrictions or conditions in an attempt to protect consumers’ sensitive personal information when making it available to actual or potential lead purchasers.³ The FTC also alleges that most consumers were not approved for loans, running counter to the defendants’ representations. Further, the defendants allegedly failed to conduct diligence about the third parties with which Blue Global shared consumers’ information and continued to share such information “indiscriminately” even after Blue Global had received complaints from consumers about misuse of their information.

The FTC further alleges that the defendants represented to consumers that Blue Global would always keep consumers’ information secure and would only share consumers’ information with “trusted lending partners.” The FTC alleges that the defendants published misleading statements about data security and data handling practices, including, among others, assertions that Blue Global used “industry-leading online technology,” that information was “completely protected 24/7 GUARANTEED,” and that Blue Global’s “number one priority [was] to make sure any information [passed] along remains in good hands.” The defendants also allegedly published a privacy policy stating that Blue Global had “implemented and maintained reasonable security procedures and practices to protect against the unauthorized access, use, modification, destruction or disclosure of your Personal Information.” The FTC’s complaint alleges that these representations were contrary to the defendants’ practices, since the defendants did not impose any restrictions or conditions to protect against the unauthorized access, use, modification, destruction, or disclosure of consumers’ sensitive personal and financial information when provided to potential buyers or to entities that received it from potential buyers.⁴ The FTC noted, in particular, that loan applications were made available in full to prospective lead purchasers without any attempt to mask Social Security numbers or other sensitive personal information.

The FTC alleged that the foregoing misrepresentations and deceptive omissions of material fact constituted deceptive acts or practices that violated Section 5 of the FTC Act. The FTC further alleged that the defendants’ sharing and sale of consumers’ loan applications containing sensitive personal and financial information—without regard for whether recipients had a legitimate need for the information, and without consumers’ knowledge and consent—also constituted unfair acts or practices in violation of Section 5 of the FTC Act.

Settlement Provisions

The settlement permanently enjoins the defendants from:

• making misrepresentations relating to financial products or services, including, among other things, with respect to the manner or extent to which the privacy, confidentiality, or security of any personal information⁵ collected from or about consumers will be protected or maintained, the types of entities with which the defendants will share consumers’ personal information, and for what purpose such information will be shared;
• making any representation, unless the representation is not misleading and the defendants possess reliable evidence to substantiate it; and
• selling consumers’ sensitive personal information⁶ to any person, unless the consumer has requested a financial product or service and: (1) the sale, transfer, or disclosure is necessary to provide the requested financial product or service; (2) the defendants have obtained the consumer’s express, informed consent for the sale, transfer, or disclosure; and (3) the defendants have properly screened the third party, consistent with applicable requirements set forth in the settlement.

The settlement also requires the defendants to:

• establish, implement, and maintain procedures to verify the legitimate need for, and monitor the use of, consumers’ sensitive personal information;
• obtain signed and dated certifications from third parties with which consumers’ sensitive personal information is shared regarding, among other things, the business purpose for obtaining the consumers’ sensitive personal information and confirmation that the third parties will not sell, transfer, or otherwise disclose consumers’ sensitive personal information;
• conduct initial diligence and ongoing monitoring regarding the third parties with which consumers’ sensitive personal information is shared, including (1) initial diligence regarding the information provided by a prospective recipient of sensitive personal information, conducting periodic audits and investigating any legal actions, complaints, or reports the defendants have notice of that indicate misuse of sensitive personal information, and (2) ceasing the provision of sensitive personal information in circumstances outlined in the settlement; and
• destroy consumers’ sensitive personal information in the defendants’ possession, custody, or control that was obtained prior to entry of the FTC order proposed in the settlement.

Further, the settlement provides for entrance of a judgment in the amount of $104,470,817 against the defendants, although the judgment was suspended due to the defendants’ inability to pay.

Implications  

While the defendants’ alleged actions were egregious, this case illustrates a bedrock privacy and data security compliance principle: companies must ensure that their public statements and assurances regarding privacy and data security, including both privacy policies and other statements that may appear on websites, in advertisements, or in various other fora, are consistent with their actual practices and are not misleading. Companies examining their practices may find that they dedicate insufficient resources to monitoring externally facing statements relating to privacy and data security, particularly those outside of their published privacy policies. To help avoid FTC enforcement actions, companies should review their public-facing statements regarding data handling, both within and outside of their privacy policies, on a regular basis and, in particular, in connection with any new or modified data handling practices.

Additionally, this case highlights the importance of crafting responsible data sharing practices, including appropriate investigation and monitoring of third parties with which personal information, particularly sensitive personal information, is shared, and the establishing and maintaining controls upon the sharing of personal information.

For example, although these were just two of many troubling facts asserted by the FTC in its complaint, the defendants did not (1) take appropriate data minimization steps to mask sensitive personal information that was made available to entities that had yet to purchase a lead, nor did they (2) impose any restrictions or conditions, contractually or otherwise, to protect against unauthorized access, use, modification, destruction, or disclosure of consumers’ sensitive personal and financial information when in the hands of actual or prospective lead purchasers. These facts were alleged by the FTC to contravene data security representations made by the defendants.

Sharing of consumers’ personal information without appropriate practices and controls could place businesses at a significant risk of litigation and regulatory scrutiny. To help minimize the risk of FTC enforcement actions in view of the Blue Global settlement, companies should engage in appropriate vetting and monitoring of third parties with which they share consumers’ personal information, and should establish and implement appropriate data sharing controls.

¹ This monetary judgment is suspended based on the defendants’ inability to pay.

² See 15 U.S.C. § 45(a).

³ According to the FTC’s complaint, the defendants offered leads to potential buyers in a sequenced sales process referred to as a “ping tree.” In this process, leads containing consumers’ loan applications were made available to a potential buyer within seconds after a consumer submitted an application. If that buyer refused, the application was then offered to the next potential buyer in the ping tree sequence. This continued until the lead was sold or until all participants in the sequence had declined to purchase the lead after having viewed the information in the loan application.

⁴ The FTC’s complaint notes that on some of Blue Global’s websites, the defendants posted inconspicuous disclaimers that were inconsistent with certain of the representations made to consumers. The FTC’s complaint dismisses these, however, noting that even when they appeared, they were “buried in lengthy online terms that were not as prominent as the advertising that they contradicted or qualified.”

⁵ The settlement defines “Personal Information” as “information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information; (d) a telephone number; (e) a Social Security number; (f) a driver´s license or other government-issued identification number; (g) a financial institution account number; (h) credit or debit card information; (i) precise geolocation data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cell-based location information; or (j) an authentication credential, such as a username and password.”

⁶ The settlement defines “Sensitive Personal Information” as “any of the following about a consumer: (a) a Social Security number; (b) financial institution account number; (c) credit or debit card information; or (d) any other information by which a consumer’s financial account can be accessed, or by which a consumer might be charged for goods or services, including through third parties such as telecommunications carriers.”