Privacy & Information Security Law Blog

On January 6, 2022, the Federal Trade Commission reached a $1.5 million settlement with loan application company ITMedia Solutions LLC (“ITMedia”) over alleged violations of the FTC Act and Fair Credit Reporting Act (“FCRA”). The FTC alleged that ITMedia deceptively acquired and indiscriminately shared consumers’ sensitive personal information under the guise of connecting them with lenders.

Since 2012, ITMedia, operating under website names such as cashadvance.com, personalloans.com, and badcreditloans.com, allegedly solicited consumers’ sensitive personal information, including Social Security numbers and bank account information, for the purpose of sharing it with ITMedia’s “network of trusted lenders.” On some of these sites, ITMedia allegedly promised loans without credit score requirements for people with poor credit histories.

The FTC alleged that 84 percent of the loan applications that ITMedia received since 2016 were sold as marketing leads to a variety of marketers, debt relief and credit repair sellers, and other unauthorized parties, as opposed to lenders. In its complaint, the FTC alleged that ITMedia failed to impose use restrictions on the information sold and, in many instances, was not aware of the purposes for which companies were purchasing the consumers’ information.

As a result of ITMedia’s alleged deceptive practices, the FTC charged ITMedia with violating Section 5(a) of the FTC Act, 15 U.S.C. § 45(a). The FTC’s complaint also alleged that ITMedia unlawfully obtained and resold the credit scores of consumers who submitted information, in violation of Sections 604 and 607 of the FCRA, 15 U.S.C. §§ 1681b and 1681e. ITMedia neither admitted nor denied the allegations in the complaint, but agreed to settle the claims.

Pursuant to the proposed settlement order, ITMedia will pay a $1.5 million civil penalty. The settlement order prohibits the company from engaging in a variety of activities, including:

• misleading consumers, especially with respect to the purposes for which consumers’ information is collected and shared, and the entities with whom the information is shared;
• selling or disclosing consumers’ sensitive personal information, unless certain requirements are met, including obtaining express, informed consent;
• using or obtaining a consumer report for non-permissible purposes; and
• failing to comply with reasonable procedures for ensuring the legitimate use of consumer reports or sensitive personal information collected or disclosed by ITMedia.

Additionally, ITMedia will be required to destroy any impermissibly obtained sensitive personal information in its possession and instruct any recipients of that information to do the same. Within 90 days of the order and again one year after, ITMedia must submit a report verifying its compliance with the settlement order. The order also stipulates that ITMedia comply with certain recordkeeping and monitoring requirements.