As CPW has been tracking, data privacy is a priority of the Federal Trade Commission (“FTC”). A proposed settlement agreement entered into between the FTC and a lead generation company underscores this point, as well as the heightened risk for executives at companies who fail to adhere to applicable privacy regimes. Read on to learn more.
By way of background, the FTC filed a Complaint on January 5, 2022 for penalties, a permanent injunction, and other relief against ITMEDIA SOLUTIONS LLC (“ITMedia Solutions”), a lead generation company, and its wholly owned subsidiaries, as well as against several of the companies’ executives in their individual capacities. The FTC will generally file a Complaint if it has reason to believe that named defendants are violating or will violate the law and the Commission determines that a proceeding is in the public interest.
The FTC alleged in the Complaint that since at least 2012, ITMedia created and operated at least 200 distinct websites encouraging consumers to complete online loan applications that would be circulated to a select group of lenders for loan offers. These loan applications would include consumers’ PII, such as their birthdates, Social Security numbers, bank routing numbers, account numbers, and other information, and ITMedia included representations on its websites that this information would only be used by lenders for loan offers. In fact, as alleged in the Complaint, ITMedia sold consumers’ information as leads to various entities that were not all lenders or did not all offer loan products, such as marketers, debit card sellers, debt negotiation and credit repair services.
The FTC’s Complaint alleges that at least 84 percent of ITMedia’s consumers had their information sold to nonlenders or used for marketing purposes. Additionally, the Complaint alleges that ITMedia indiscriminately shared consumers’ PII and other sensitive information by broadly sharing consumer information with various entities, regardless of how the entities represented that they would use that information, and failing to mask sensitive information that was distributed to prospective buyers.
Notably, the Complaint also alleges that individual executives of ITMedia were liable because they reviewed ITMedia’s representations to consumers, negotiated or signed contracts to sell consumer information, or participated in lead distribution, or because they remained willfully ignorant of those activities occurring. One of the individuals named as a defendant served as the chief executive of one of ITMedia’s subsidiaries and another as its general counsel. In a concurring statement, Commissioner Christine S. Wilson expressed concern that overzealous pursuit of individual executive liability could serve as a deterrent and should be used scrupulously, particularly with respect to in-house counsel or other legal executives.
On January 6, 2022, the FTC and defendants stipulated to the entry of an order for permanent injunction and judgment. Although the stipulated order still has to be approved and signed by United States District Judge Dale S. Fischer of the Central District of California, this settlement held several individuals liable for unlawful practices in the course of their lead generation activities: the founders, the vice president of business operations, the owners of ITMedia-affiliated LLCs, and the general counsel and chief compliance officer. The FTC, including Commissioner Wilson, reasoned that since the general counsel and chief compliance officer frequently acted in a business capacity, holding him personally liable was justified under the law and “necessary to achieve effective relief.”
The settlement prohibits the defendants from (1) misrepresenting when and why they share consumer’s Personal Information, (2) selling or transferring Personal Information unless the consumer requested a financial product or service (i.e. loan, credit card, credit repair…), and (3) misusing consumer reports, among other prohibitions. The defendants also agreed to (1) screen recipients of a consumer’s sensitive personal information to verify the legitimate need for such information, (2) comply with various compliance reporting and record keeping requirements, (3) destroy and instruct recipient entities to destroy consumer Personal Information obtained prior to the entry of the order, and (4) pay $1,500,000 in civil penalties.
The FTC’s authorities allow it to impose civil penalties of up to $46,517 per violation of Section 5 of the FTC Act, up from last year’s maximum of $43,792. This settlement follows the recent trend of the FTC seeking civil penalties following the Supreme Court’s decision in AMG Capital.
This case is a warning shot to other similarly situated entities—particularly in regards to the actions taken here in regards to company leadership and in-house counsel. As consumer data privacy remains a FTC priority going forward, readers should anticipate more developments along these lines at the enforcement level. Not to worry, CPW will be there to keep you informed every step of the way. Stay tuned.