On January 7, 2022, the Federal Trade Commission announced that ITMedia Solutions LLC (“ITMedia”) will pay $1.5 million in civil penalties for allegedly operating websites that gathered sensitive consumer information, including Social Security numbers and bank account information, and selling the information to marketing companies in violation of the law.

According to the FTC’s complaint, ITMedia solicited consumers to provide their sensitive information through various loan application websites as part of the loan application process, and represented that such information would only be shared with “a trusted network of lenders” for the loan applications. However, per the complaint, ITMedia actually sold the information as “leads” to marketers, debt relief, and credit repair companies for their own business purposes, thereby placing consumers at risk for identity theft and scams. The FTC alleged that these practices violated Section 5 of the FTC Act as well as the permissible use restrictions of the Fair Credit Reporting Act.

The settlement agreement includes the $1.5 million civil penalty, a prohibition on making misleading statements to consumers, a prohibition on selling consumer personal information outside of specific and limited purposes, and a requirement to screen recipients of the information.

As the FTC continues to increase its focus on data privacy issues, this settlement serves as a reminder that companies must accurately represent their data practices, particularly when their activities include the collection and use of sensitive personal information. The upcoming changes to California, Virginia, and Colorado privacy law, effective in 2023, will also have important implications with respect to the processing of sensitive personal information.