Spokeo Consent Decree Serves as Important Caution to Buyers and Sellers of Social Media Reports on Consumers to Understand and Comply with FCRA
As part of a settlement announced Monday, the FTC sends a reminder that the requirements of the Fair Credit Reporting Act (“FCRA”) apply to a service that aggregates data made publicly available on social media sites and then markets the data to businesses for use in hiring decisions. Web data aggregator Spokeo agreed to pay $800,000 to settle the charges, which included allegations that it failed to maintain reasonable procedures to assure its sale of information is for permissible purposes (in violation of Section 607(a)), failed to make required inquiries of its customers to assure their intended use of consumer data was permissible (Section 604), failed to implement reasonable procedures to assure the accuracy of its reports (Section 607(b), and failed to provide required User Notices to its customers concerning their obligations under FCRA (Section 607(d)). The FTC also alleged that Spokeo engineered endorsements that were intended to appear independent in violation of Section 5 of the FTC Act.
As the FTC notes in its announcement, the settlement is “the first Commission case to address the sale of Internet and social media data in the employment screening context.” Various commentators have previously warned of the risks of using social media for the same purposes as consumer reports. Here, Spokeo’s 2008 business model included explicit marketing to recruiters and human resources departments, including simply in the words and language used on the website. The Center for Democracy & Technology challenged its practices in a complaint filed with the FTC in 2010, and Spokeo added language to its terms of service declaring that it was not a consumer reporting agency and that its products could not be used for FCRA-covered purposes, but did nothing (more) to advise users (including existing users) of these limitations. The Spokeo website now suggests that users might be individuals looking for lost relatives or friends, or information about neighbors or celebrities, and its terms of service expressly prohibit use of the site for any purpose that would make Spokeo a consumer reporting agency.
The decision is not surprising. Last year, although the FTC elected not to pursue enforcement action against Social Intelligence Corporation after an investigation into its policies and procedures, the agency’s closing letter very clearly stated that reports including public information gathered from social networking sites are consumer reports, and Social Intelligence was a consumer reporting agency, because they were in use “as a factor in establishing a consumer’s eligibility for employment.”
For sellers of data consisting of aggregated social media data, the consent decree makes clear that FCRA applies to their service where buyers are using the data as a factor in employment decisions. Sellers whose purchasers may reasonably include persons using the data for employment purposes must take steps to educate purchasers about the applicability of FCRA, i.e., that they are receiving a “consumer report.” Therefore, sellers must advise purchasers of adverse action notice requirements and other employer obligations under FCRA. Turning a blind eye or having rote check-off’s may not be adequate, depending upon the context of the transactions. The seller must also take reasonable steps to ascertain whether a purchaser has one of the narrow sets of permissible purposes under FCRA. Further, sellers must “maintain reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the consumer report relates.”
For employers who want to purchase and view social media reports on potential hires, the FTC’s position makes it clear that they should be aware of whether they are purchasing from a properly classified Consumer Reporting Agency, or (as here apparently) from a company which inappropriately disclaims that status. Having an employment purpose renders the report a consumer report. Therefore, the reports must be obtained from a consumer reporting agency, and the adverse action notice requirements and other rules that FCRA imposes must be followed.
Of course, all of this applies only to matters subject to the laws of the United States. The use of such services elsewhere is a topic for another post.