Suppose a company engages in an unfair and deceptive trade practice. It makes about $1 billion. The FTC investigates. A settlement is reached for a fine of $1 million and refunds to only some customers — yielding a net penalty of several million dollars — just a fraction of the spoils. That’s deterrence . . . FTC style!
I recently blogged about how the credit reporting agencies were attempting to use their legal obligation to provide people with free annual credit reports as a profit-generating tool instead. Apparently, the rather extreme measures I described in my post are tame compared to what privacy expert Bob Gellman describes in a DM News column:
The FTC charged that, starting in 2000, Experian deceptively marketed free credit reports by not adequately disclosing that consumers would automatically be signed up for a credit report monitoring service costing $79.95 annually if they didn’t cancel within 30 days. The settlement was reported in the Aug. 15 issue of DM News. The case began with a complaint filed by the Electronic Privacy Information Center and with a report from the World Privacy Forum.
That WPF report, released in February 2005 and updated in July, is noteworthy. It found that the federal requirement for free credit reports was used by more than 200 Web sites as an opportunity to deceive and misdirect consumers. The method was to attract consumers seeking free credit reports, then collect personal information or send the consumers to for-pay credit report sites.
The WPF’s findings only add to the Internet’s reputation as a hotbed for sleazy operators looking to cheat consumers. The credit bureaus contributed to this by refusing to let legitimate organizations offer links to the one-and-only legitimate free credit report site (www.annualcreditreport.com). It wasn’t until the WPF report came out that the bureaus were embarrassed into allowing linking to the legitimate site.
Enter the FTC. Gellman writes:
The FTC charged Experian under a statute that prohibits unfair or deceptive trade practices. Experian’s Web site said free all over the place, but consumers who accepted Experian’s pitch ended up buying a service that continued forever until the consumers objected. Experian had more than 9 million customers for this service, which began before the law requiring free credit reports was enacted.
Under the consent decree, Experian effectively promised not to continue with the deceptive practices, to pay a fine of just under $1 million and to offer refunds to some consumers.
But as Gellman notes, this settlement was ridiculously disproportionate to the massive profits Experian made through its unfair and deceptive trade practices:
Experian reportedly had 9 million customers paying $80 a year. That’s $720 million in revenue. Since some of those customers paid for more than one year of service and many are continuing customers, the total revenue probably exceeds $1 billion. . . .
What’s the consequence of violating the law? A fine of less than $1 million, plus refunds that might be a few million dollars more. But let’s say that the fine and refunds total $25 million. That is a pittance relative to the revenue.
Experian still maintains the FreeCreditReport.com website I spoke about in an earlier post that pulls up in a search for free credit reports. Despite its name, FreeCeditReport.com isn’t free. Experian frequently runs television ads about its site, and the ads even have a nice theme song with the name of the website as the lyrics. Meanwhile, I have yet to see an ad (or a catchy jingle) for the more obscurely-monikered official free credit report site, www.annualcreditreport.com. I believe that this behavior is shameful for Experian, and I also believe that the FTC should investigate its practices. Given the FTC’s anemic enforcement in the case Gellman describes, however, Experian would merely give a chuckle at that suggestion.
Originally posted at Concurring Opinions
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.