The Federal Trade Commission recently announcedÂ that it had charged in a federal court complaint (FTC pdf; archive pdf) that data broker LeapLab “soldÂ the sensitive personal information of hundreds of thousands of consumers — including Social Security and bank account numbers — to scammers who allegedly debited millions from their accounts.”Â There is anÂ industry for gathering data on individuals — there are data brokers such as LeapLab, Acxiom and Choicepoint, along with individual companies tracking individualsâ€™ online and offline behavior to create consumer profiles. (Here’s a greatÂ New York TimesÂ article from 2012 that takesÂ an in-depth lookÂ at â€œHow Companies Learn Your Secrets.â€)
The FTC said, “data broker LeapLab bought payday loan applicationsÂ of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions â€“ a defendant in another FTC case â€“ allegedly used the information to withdraw millions of dollars from consumersâ€™ accounts without their authorization.”
If LeapLab is guilty of these charges, it would not be the first data broker to do so, violating consumer privacy and the law. One of the most infamous incidents was in 2005, when data brokerÂ ChoicePointÂ soldÂ the records of more than 163,000 Americans to a criminal ring engaged in identity theft. The public learned of ChoicePointâ€™s sale of sensitive data to criminals becauseÂ Californiaâ€™s security breach lawÂ demanded it; federal law did not.Â ChoicePointÂ had to payÂ $15 million to settle the FTC investigation ($10 million in civil penalties and $5 million in consumer redress) in 2006. In 2009, ChoicePoint had to pay a fine andÂ agreed to stronger data security protections â€œto settle Federal Trade Commission charges that the company failed to implement a comprehensive information security program protecting consumersâ€™ sensitive information, as required by a previous court order. This failure left the door open to a data breach in 2008 that compromised the personal information of 13,750 people and put them at risk of identify theft.â€
Last year, the FTC investigated the practices of the data broker industry and found in a report, â€œData Brokers: A Call for Transparency and Accountabilityâ€ (FTC pdf; archive pdf), “that data brokers operate with a fundamental lack of transparency. The Commission recommends that Congress consider enacting legislation to make data broker practices more visible to consumers and to give consumers greater control over the immense amounts of personal information about them collected and shared by data brokers.â€ The FTC hadÂ gathered information onÂ nine data broker: Acxiom, CoreLogic, Datalogix, eBureau, ID Analytics, Intelius, PeekYou, Rapleaf and Recorded Future.
The FTC noted: “Data brokers collect consumer data from extensive online and offline sources, largely without consumersâ€™ knowledge, ranging from consumer purchase data, social media activity, warranty registrations, magazine subscriptions, religious and political affiliations, and other details of consumersâ€™ everyday lives.” Since the report’s release, Congress has not passed legislation to give consumers more control over the vast amounts of personal data gathered and used by the data broker industry.