While the FTC never seems to be carrying a particularly big stick, it has been threatening hard knocks on Internet companies that play fast and loose with user data. Spokeo is the latest enterprise to be licking its wounds.
Late last year, Facebook reached a settlement with the FTC over user privacy, submitting to independent audits for the next 20 years. A similar audit regime was accepted by MySpace last month, following accusations that the site was sharing personally identifying information with advertisers, despite undertaking not to do so.
In the case of Spokeo, the FTC assessed an $800,000 penalty for:
...marketing its consumer profiles without making sure that they would be used for legal purposes, failing to ensure their accuracy and neglecting to tell consumers of its own responsibilities under federal law.
Specifically, Spokeo, a social aggregator site, had been selling personal information to employers for the purpose of screening job applicants. No need to ask for a candidate's Facebook, Twitter, and Google+ passwords -- just have Spokeo gather any information that appears online, no matter how inaccurate.
I recall taking steps to have my profile removed from Spokeo a year or so ago, but I now see it's appeared again.
Spokeo's business model is to charge users a small monthly fee to access information including:
- Emails, addresses, and phone numbers
- Profiles from 80+ social networks
- Hidden pictures and blogs
- Info search engines can't find
Intrusive? Of course, but it claims that all the information it's selling is already in the public domain. It simply aggregates social network data and ties it to the kind of information you'd find in a phone directory. Indeed, Spokeo protests that:
We are a technology company organizing people-related data in innovative ways. We do not create our own content, we do not possess or have access to private financial information, and we do not offer consumer reports.
According to the Consent Decree, however, Spokeo is prohibited, among other things, from:
- Furnishing a consumer report to any person who does not have a permissible purpose to receive the consumer report
- Failing to maintain reasonable procedures to assure the maximum possible accuracy of the information concerning the individual about whom a consumer report relates
- Failing to provide the notice to users of consumer reports required under Federal law
Just to ice the cake, as it were, Spokeo was also slapped for posting completely fictional endorsements of its services.
If there's a key provision in the decree, it's the insistence that Spokeo take measures to ensure the accuracy of the information it gathers -- and presumably will continue to disseminate, in the appropriate manner. That's going to be a tough condition to fulfill if it's grabbing data from social platforms or blogs where, happily, users are under no particular obligation to tell the truth about themselves.
It's important to note that what Spokeo set out to do is not illegal; there just happen to be (alleged) problems with the way they went about it. Further reason for us all to be wary about what we post online, and to undertake regular checks on sites that claim to have information about us. Chances are it's false -- and you can bet it's for sale.
— Kim Davis , Community Editor, Internet Evolution