Lead generation: When the “product” is personal data
Posted by Security on
used with permission from FTC.gov., Lesley Fair
There’s been a lot of talk about “ping trees” and other activities associated with the lead generation industry. The FTC’s concern is that consumers don’t get ponged in the process. A proposed settlement gives a glimpse into how one lead generation company operated and offers insights for businesses about compliance considerations when the “product” in question is consumers’ personal data.
Arizona-based Blue Global operated at least 38 internet domains with names like 247loan.com, clickloans.net, onehourloan.com, and netloanusa.com. The sites offered services to consumers looking for anything from small payday loans to installment loans of as much as $35,000. Consumers completed online loan applications that required scads of personal information — the usual stuff, of course, but also bank routing numbers, driver’s license numbers, dates of birth, and Social Security numbers.
So Blue Global lent money to consumers? No, that’s not what was going on.
The company told consumers to “sit back while we do the dirty work” of matching applications with their “network of more than 100 lending partners,” including one that would offer them “the best interest rates, lowest finance charges and longest repayment period.” The defendants also claimed “With four out of every five applications approved, you have an excellent chance of qualifying for a loan — regardless of your credit history!”
What’s more, Blue Global promised that “your personal information is completely protected 24/7 GUARANTEED!” As the company said on one of its sites, “It’s our number one priority to make sure any information you pass along remains in good hands.”
But according to the FTC, the defendants sold very few of the applications to actual lenders and didn’t match consumers and lenders based on loan rates or terms. In fact, the complaint charges that the company pretty much sold the leads — the data-laden loan applications — to the first buyer with a pulse willing to pay for them and without regard for how the buyer planned to use the treasure trove of confidential consumer information Blue Global was handing over.
You’ll want to read the complaint for an explanation of how those transactions happened, but it boils down to this. Within seconds of a consumer clicking ENTER, Blue Global was already peddling their personal data to the first potential buyer using a sequenced sales process known as a ping tree. If the first buyer didn’t accept the lead, Blue Global offered it to the next (and next and next) until someone finally bit or every ping tree participant declined — after viewing the unmasked confidential information contained in the lead, of course.
Blue Global had multiple ping trees running at once and received as much as $200 for each lead. What kind of screening did Blue Global undertake to make sure the people buying the leads were actually engaged in lending and used the information to offer loans? None, alleges the FTC. According to the complaint, Blue Global often sold loan applications to entities that didn’t even provide a business address. Not surprisingly, consumers complained that personal information in their applications was being misused by phantom debt collectors, but the FTC says the defendants ignored those warnings and others. What about that “number one priority” of ensuring data “remains in good hands”? It seems unlikely that the security of consumers’ confidential information broke into the defendants’ Top 40.
The complaint challenges alleged misrepresentations involving lending as well as unfair practices related to the use of consumers’ loan applications. One notable feature of the proposed settlement: The defendants will have to investigate and verify the identity of businesses to which they disclose consumers’ sensitive information, and must get consumers’ express consent for those disclosures. The proposed settlement includes a judgment for more than $104 million, which will be suspended based on defendants’ financial condition.
The main message for businesses is to exercise particular care if consumers’ confidential information is on the line. When the “product” you sell includes sensitive data, you’ve upped your compliance ante. Savvy companies take steps to vet prospective buyers and understand how that information is being used.