FTC Issues Final Order, Settles First FCRA Case with Mobile App Developer
The Federal Trade Commission (“FTC”) announced on May 1, 2013 that, following a public comment period, the Commission approved a final order settling charges that Filiquarian Publishing, LLC, Choice Level, LLC, and their CEO, Joshua Linsk, operated as a consumer reporting agency without taking consumer protection measures required by the Fair Credit Reporting Act (“FCRA”).
The FTC's settlement order prohibits the defendants from future FCRA violations and resolves the agency's first FCRA case involving mobile apps. Violations of the settlement order, which will stay in effect for twenty years, may be subject to civil penalties of up to $16,000 per violation.
According to the FTC, customers could download the app via iTunes or the Google Android store that allowed consumers to access hundreds of thousands of criminal records and conduct searches on potential employees. The data was provided by Choice Level to Filiquarian and then accessed by the customers through the mobile app.
The FTC claimed that the company failed to:
• Maintain reasonable procedures to verify their users;
• Confirm that the information would be used for a permissible purpose;
• Ensure that the information sold was accurate and would be used legally; and
• Inform users of their reports about their obligations under the FCRA, including the requirement to notify consumers if an adverse action was taken against them based on a report.
The app included disclaimers that its respective products were not to be considered screening products for insurance, employment, loans, and credit. Even though it additionally stated that it was not FCRA compliant, the FTC alleged that such disclaimers were not enough to avoid liability under the FCRA because the company advertised and expected that its reports could be used for employment purposes.
In March 2012, the Commission issued a report entitled Protecting Consumer Privacy in an Era of Rapid Change. In the report, the FTC specified that even if a company “is not compiling or sharing data for the specific purpose of making employment decisions, if the company has reason to believe the data will be used for such purposes, it would be covered by the FCRA."
Under the FCRA, communications that include information relating to an individual’s character, reputation, or personal characteristics and are used or expected to be used for employment, housing, credit, or other similar purposes indicate that a company is acting as a consumer reporting agency (“CRA”). App marketers can be deemed CRA’s if they provide this information to a third party, and such information is used or expected to be used for employment, housing, credit or similar purposes. CRA’s are required by law to comply with several different FCRA provisions, including taking reasonable steps to ensure the maximum possible accuracy of the information provided in consumer reports, and providing employers with certain information about their obligations under the FCRA.
Employers should also take note of this action. Background checks, and apps that make the process easier, are valuable employment tools. However, it is also a process that brings a wide range of privacy, safety, and compliance issues. If employers use apps to retrieve background information on applicants, they may qualify as a "user" of a third-party credit reporting agency.
If covered by the FCRA, employers must:
• Disclose to the applicant the employer's intention to obtain a consumer report and/or investigative consumer report;
• Obtain the applicant's advance authorization to conduct a background check;
• Notify the applicant in advance of the employer's intent to take adverse action based on the information contained in the report and provide a copy of the report and a notice of rights;
• Notify the applicant of the adverse action; and
• Comply with applicable state and local laws that also regulate the conduct of background checks.
While this settlement clearly reflects the FTC’s extended reach under the FCRA, it is also another strong indication of the agency’s intention to follow through with its warnings of enforcement actions concerning mobile apps that are not in compliance.
All companies that obtain or use personal information about consumers should be aware of the implications of this decision. Companies should review their practices and be aware that, according to the FTC, when it comes to data protection, privacy and consumer protection, apps are no different than websites, or printed ads. Make sure you’re honoring your obligations under the FCRA and other existing laws and regulations.
Stay Ahead of the Curve! Explore our comprehensive CLIClaw Compliance Library for in-depth resources and insights.
(Image Credit: iStock Photo)
This article is for information purposes only. It is not intended to be and should not be relied on as legal advice for any particular matter.