The FTC announced last week a settlement with Blue Global Media, LLC  and its CEO Christopher Kay.  The company operated 38 Internet domains that solicited online loan applications from consumers.  The applications collected extensive sensitive personal information, including social security numbers, bank routing numbers, credit scores, and incomes. The company represented to consumers it would use this information to match them with “trusted lending partners” that offered the most favorable loan offers, for example, with the lowest interest rate and the highest qualified loan amount.  As alleged, Blue Media offered these leads to potential buyers through multiple “ping trees”, which are automated, instantaneous, auction-style processes common in the payday lending industry. However, the company’s ping tree participants were not required to be engaged in lending or use lead information to offer loans. In fact, Blue Media allegedly sold the lead to the first buyer, regardless of whether the buyer was a loan provider or offered favorable terms to the consumer.  Blue Media received from buyers up to $200 for each lead sold. Blue Media collected more than 15 million loan applications in this manner. It allegedly sold 26% of the applications to non-lenders, and less than 2% to lenders. In many cases, these lenders were not legally authorized to make loans.

In addition, Blue Media made a number of data security promises it did not deliver. For example, the company represented in its privacy policy that it employed industry-leading security protocols and technology and would “never store [consumers’] information, so your online identity is always safe.” In contrast, Blue Media allegedly shared consumer information indiscriminately, failing to impose any restrictions or conditions to protect against the unauthorized access, use, modification, or disclosure of consumer information.

The FTC alleged these practices constituted unfair and deceptive acts in violation of Section 5. The settlement includes a judgment seeking all revenue received from these practices, an amount over $104 M.

The FTC has recognized the proliferation of online lead generation in various industries.  On October 30, 2015 the FTC held a public workshop entitled “Follow the Lead,” focused on lead generation practices and related privacy and consumer protection issues, which we discussed here and here. Here are some key takeaways from this case and other FTC guidance documents for lead generation operators:

  • Implement transparency and consumer choice. Disclose clearly and conspicuously to consumers what information is being shared and with whom; and allow consumers to make informed choices about when and how to share their personal information.
  • Exercise caution when selling leads that aren’t purchased through the ping tree (commonly referred to as a “remnant lead”). Depending on the circumstances, you may be liable under the FTC Act if the buyer has no legitimate need for the information.
  • Vet potential lead buyers before doing business with them and monitor lead buyers for any misuse of consumer data.
  • Engage in data security protocols that are appropriate for the sensitivity of the information you are collecting
  • Review your privacy policy regularly to ensure it accurately reflects your collection and disclosure practices.

The FTC released last week a paper summarizing and reflecting on its October 30, 2015 public workshop, “Follow the Lead,” which we previously discussed here and focused on lead generation practices and related privacy and consumer protection issues.  The paper expands upon many of the same principles addressed at the workshop, including how lead generation works and what benefits and risks arise from lead generation.  Notable takeaways include the following:

  • What is lead generation?  The paper defines lead generation broadly as “the process of identifying and cultivating individual consumers who are potentially interested in purchasing a product or service.”  A lead may consist of only the consumer’s name and contact information, or may involve more detailed and potentially sensitive information such as Social Security or consumer account numbers.
  • How does lead generation work?  LeadGenThe common thread of lead generation involves the collection of consumer information, typically on a website operated by a publisher or an affiliate.  From there, any number of things can happen.  The publisher or affiliate may sell the lead to another publisher or affiliate, to an aggregator, or to a merchant.  The FTC provided the adjacent figure to show some possible flows of leads.
  • What are the potential benefits of lead generation?  The FTC acknowledged that lead generation, when practiced ethically and consistent with consumer protection principles, can efficiently connect consumers with merchants they are interested in and promote competition.  Staff also noted that the sale of consumer leads could have positive effects on price and competition, as found in a research study discussed at the workshop in the mortgage lending context.
  • What are the potential concerns of lead generation?  The report noted that the lead generation and lead selling process is often hidden from consumers, which can lead to consumers providing information without knowing how and by whom their information will be used.  The FTC recommended that companies collecting information clearly and conspicuously disclose how the personal information will be used to facilitate informed consumer choice about when and how to share personal information.  In other cases, even where information is appropriately collected, it may be subsequently sold for nefarious purposes or purposes not authorized by the initial collection.  Staff recommended that companies involved in the lead generation process take steps to ensure that consumer information is used for legal and authorized purposes throughout the life of the lead.

Staff also highlighted recent enforcement actions against lead generators for using leads for unauthorized and illegal purposes and signaled that it could take action against entities even if they aren’t directly responsible for the problematic practice.  As noted in the report, “[i]gnoring warning signs that third parties are violating the law and pleading ignorance will not shield companies from FTC actions.”  Entities involved with lead generation should take note and ensure that they have considered the full life cycle of a lead before using or selling it.

On October 30, 2015, the FTC held a workshop on lead generation to explore online lead generation in various industries.  Lead generation, also called performance marketing, is the process of identifying or cultivating consumer interest in a product or service, and distributing this information to third parties.  Lead generation can facilitate comparison shopping and promote efficient connection of brands and consumers.  But the FTC is concerned when lead generation involves deceptive practices and misuse of consumers’ personal data.

The workshop brought together a variety of stakeholders, including industry representatives, consumer advocates, and government regulators. Although the opinions represented at the workshop were varied, a few themes recurred across the panels.

First, selling data for purposes beyond the initial consumer inquiry can be beneficial to consumers but also poses risks. Panelists agreed that leads must be accompanied by valid consent, and that consent is limited by the context of data collection and the consumer’s expectations.  Although cross-selling may connect consumers to products in an efficient way, that benefit needs to be balanced against the risk that the consumer will be bombarded with unwanted inquiries or will be unsettled by the scope of data sharing that has occurred (both of which would reflect poorly on the brand associated with the lead).  It is important to clearly disclose to the consumer what the information collected will be used for and how it will be shared, but some panelists questioned whether even strong disclosure language provides adequate warning when data will be widely shared.

Second, companies should prioritize a privacy analysis in their data collection practices. In some industries, it is common for leads to contain sensitive personal and financial information.  Panelists questioned whether any efficiencies of collecting this data at the outset were outweighed by the risk of consumer harm.  Some panelists encouraged companies to consider a two-step data collection process, where a lead contains only contact information that an advertiser can use to follow up with an interested consumer.  Relatedly, panelists discussed particular risks associated with holding sensitive remnant data, not only because of data security risks, but also because market pressures may drive a company to monetize that data by selling it.

Third, companies should make efforts to know and monitor their data sources and data buyers. Panelists were nearly unanimous in stressing the importance of monitoring upstream buyers of leads and downstream sellers of leads.  Multiple efforts are underway to promote best practices in the lead generation and online lending industries.  Representatives from LeadsCouncil and the Online Lenders Alliance served as panelists and explained their organizations’ goals for self-regulation.  In addition, panelists promoted tools aimed at helping companies verify lead information, prevent fraud, track sales of data outside of agreed-upon parameters, and monitor and audit affiliate marketers.  Although contract terms may establish compliance responsibilities, contract provisions likely will not fully insulate a company that acts without conducting the proper due diligence and monitoring.  And ultimately, good lead generation practices can benefit a brand, while questionable lead generation practices will result in lower quality leads and may reflect poorly on a brand.

Several panelists called for additional guidance from the FTC regarding lead generation practices even as the industry begins to develop its own standards and ethics. We will continue to monitor regulatory developments and industry trends.