Business Blog
Consumer reviews: The FCRA upshot of fighting ire with fire
California-based mortgage broker Mortgage Solutions FCS also does business under the name Mount Diablo Lending. And according to the FTC, the company gave consumers a devil of a time if they posted negative reviews on Yelp. Is your business pondering how to address unfavorable consumer comments? Heaven knows you should avoid Mount Diablo’s approach, which, according to the complaint, violated Regulation P, the Fair Credit Reporting Act, and the FTC Act.
For more than a year, when consumers posted negative reviews on Yelp.com about their experiences with Mount Diablo, owner Ramon Walker fired back with public responses on Yelp. But they weren’t just “Says you” replies. As part of their business, mortgage brokers have a substantial amount of personal data about their customers – credit histories, income sources, debt-to-income ratios, and even family dynamics. The FTC says the defendants revealed some of that highly confidential information in their Yelp responses.
For example, according to one rejoinder the defendants lobbed at a customer on Yelp:
The truth of the matter is you didn’t have one late 2 years ago. Your credit report shows 4 late payments from the Capital One account, 1 late from Comenity Bank which is Pier 1, another late from Credit First Bank, 3 late payments from an account named SanMateo. Not to mention the mortgage lates. All of these late payments are having an enormous negative impact on your credit score.
Another response from the company claimed, “The high debt to income ratio was caused by this borrower cosigning on multiple mortgages for his children. The borrower was also self employed and took high deductions from his business.”
In a third example cited by the FTC, the defendants referred to personal health information about a close relative of the consumer.
Among other things, the lawsuit alleges that Mount Diablo and Walker violated Reg P (you may know it by its previous name, the GLB Privacy Rule) by disclosing nonpublic personal information. In addition, the FTC says the defendants violated the Fair Credit Reporting Act by using information in credit reports for impermissible purposes – in this case, to clap back at consumers on Yelp. The complaint also alleges the defendants violated the FTC Act by deceptively claiming they wouldn’t publicly disclose consumers’ personal information and by unfairly revealing sensitive data in its online responses.
In addition to a $120,000 civil penalty for violating the FCRA, the proposed order imposes injunctive provisions to protect consumers in the future. Mount Diablo also must implement a comprehensive data security program, get third-party assessments every two years, and get annual certifications from a senior corporate manager that the company is complying with the order.
What can other businesses take from this settlement?
Responding to ire with fire is an unwise strategy. Retaliating against dissatisfied consumers is an imprudent response to negative feedback – and weaponizing their highly sensitive personal information is ill-considered, ill-advised, and illegal.
See to it that you’re complying with the CRFA. Some companies might try to prevent negative feedback by putting clauses in their form contracts that prohibit consumers from posting reviews about their products or performance. Let’s be clear: The FTC’s action against Mount Diablo doesn’t allege that the company used a clause of that sort. But if you’re thinking that a non-disparagement provision might nip negative comments in the bud, think again because the Consumer Review Fairness Act prohibits terms like that. The FTC has guidance on what your business needs to know about the CRFA.
Keep your information security program current. Aside from challenging the defendants’ response to negative reviews, the FTC says they also violated the Safeguards Rule, which requires certain companies to implement a comprehensive written information security program and test it regularly. According to the complaint, the defendants didn’t implement a program until May 2017 and never assessed its effectiveness. The FTC also says that for a six-year period, the defendants failed to provide customers with the clear, conspicuous, and accurate privacy notice required by Reg P. If your company is covered by the Safeguards Rule and Reg P, are you honoring the rules’ ongoing obligations?
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.