Last June, the Federal Trade Commission assessed an $800,000 penalty on Spokeo, a data collection agency, for distributing personal information as a way for potential employers to screen job applicants. According to the above New York Times article, this was “the F.T.C.’s first case addressing the sale of Internet and social media data for use in employment screening.” Like the Google buzz case and the Path settlement discussed in the “FTC is getting serious about regulating mobile privacy” blog post, this indicates the FTC’s willingness to aggressively curb social media sites’ abilities to disseminate their users’ private information. Unlike those two cases, the FTC assessed the fine against Spokeo under the Fair Credit Reporting Act.
Based on this case, institutions can be considered consumer reporting agencies despite their best attempts to not fall under that label. In 2010, Spokeo changed its terms of service to state that it “was not a ‘consumer reporting agency’ and that consumers could not use its profiles for purposes that were covered by the Fair Credit Reporting Act.” Similar to the Google Buzz case, the FTC faulted the company for insufficient notice to subscribers about such a change in its practice. The FTC then argued that the “coherent people profiles” Spokeo made available—which included an individual’s marital status, hobbies, ethnicity, religion, and photos—constituted a “consumer report” under the definition in 15 U.S.C. § 1681b(d). This case highlighted an interesting strategy the FTC can employ in its quest to protect dissemination of social media users’ private information.