FTC Settles With Lead Generation Firm For Illegally Selling Consumer Data, False Data Security Promises

The FTC announced last week a settlement with Blue Global Media, LLC and its CEO Christopher Kay. The company operated 38 Internet domains that solicited online loan applications from consumers. The applications collected extensive sensitive personal information, including social security numbers, bank routing numbers, credit scores, and incomes. The company represented to consumers it would use this information to match them with “trusted lending partners” that offered the most favorable loan offers, for example, with the lowest interest rate and the highest qualified loan amount. As alleged, Blue Media offered these leads to potential buyers through multiple “ping trees”, which are automated, instantaneous, auction-style processes common in the payday lending industry. However, the company’s ping tree participants were not required to be engaged in lending or use lead information to offer loans. In fact, Blue Media allegedly sold the lead to the first buyer, regardless of whether the buyer was a loan provider or offered favorable terms to the consumer. Blue Media received from buyers up to $200 for each lead sold. Blue Media collected more than 15 million loan applications in this manner. It allegedly sold 26% of the applications to non-lenders, and less than 2% to lenders. In many cases, these lenders were not legally authorized to make loans.

In addition, Blue Media made a number of data security promises it did not deliver. For example, the company represented in its privacy policy that it employed industry-leading security protocols and technology and would “never store [consumers’] information, so your online identity is always safe.” In contrast, Blue Media allegedly shared consumer information indiscriminately, failing to impose any restrictions or conditions to protect against the unauthorized access, use, modification, or disclosure of consumer information.

The FTC alleged these practices constituted unfair and deceptive acts in violation of Section 5. The settlement includes a judgment seeking all revenue received from these practices, an amount over $104 million.

The FTC has recognized the proliferation of online lead generation in various industries. On October 30, 2015, the FTC held a public workshop entitled “Follow the Lead,” focused on lead generation practices and related privacy and consumer protection issues, which we discussed here and here. Here are some key takeaways from this case and other FTC guidance documents for lead generation operators:

  • Implement transparency and consumer choice. Disclose clearly and conspicuously to consumers what information is being shared and with whom, and allow consumers to make informed choices about when and how to share their personal information.
  • Exercise caution when selling leads that aren’t purchased through the ping tree (commonly referred to as a “remnant lead”). Depending on the circumstances, you may be liable under the FTC Act if the buyer has no legitimate need for the information.
  • Vet potential lead buyers before doing business with them and monitor lead buyers for any misuse of consumer data.
  • Implement data security protocols that are appropriate for the sensitivity of the information you are collecting.
  • Review your privacy policy regularly to ensure it accurately reflects your collection and disclosure practices.