A searchable database of 2,709 provisions from 285 FTC consent orders (1997–2026), organized by statutory topic, practice area, and remedy type. Every provision includes verbatim order language with paragraph-level citations and links to source documents on FTC.gov.

| Company | Date | Topics | Takeaway | Link |
|---|---|---|---|---|
| General Motors LLC, General Motors Holdings LLC, and OnStar, LLC | 2026-01-15 | Section 5 Only | General Motors and OnStar collected detailed driving behavior data every three seconds and sold it to consumer reporting agencies without consumers' meaningful informed consent. | Order |
| Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC | 2025-12-15 | COPPA | Disney failed to accurately designate child-directed YouTube videos as 'Made for Kids,' allowing targeted advertising and personal data collection on content directed at children. | Order |
| Illuminate Education, Inc. | 2025-12-15 | Section 5 Only | Illuminate Education stored millions of students' personal data in plaintext with inadequate access controls, suffered a breach, and had made contractual security promises it did not keep. | Order |
| Illusory Systems, Inc. | 2025-12-15 | Section 5 Only | Nomad marketed its cryptocurrency bridge as 'security-first' while deploying inadequately tested code with no incident response plan, leading to the near-total loss of user assets. | Order |
| Apitor Technology Co., Ltd. | 2025-10-15 | COPPA | Apitor's robot toy app secretly collected precise geolocation data from child users via a third-party SDK without parental notice or consent. | Order |
| AYLO GROUP LTD. | 2025-09-15 | Section 5 Only | Pornhub's operator actively distributed child sexual abuse material and non-consensual content for years while falsely claiming to promptly review and remove flagged material. | Order |
| Roca Labs, Inc. | 2025-07-15 | Section 5 Only | Roca Labs falsely claimed its dietary supplement had a scientifically proven 90% weight-loss success rate and silenced unhappy customers with non-disparagement clauses. | Order |
| GoDaddy Inc. | 2025-05-15 | Section 5 Only | GoDaddy marketed itself as a secure hosting provider with award-winning security while failing to implement basic controls, resulting in multiple major data compromises. | Order |
| Aqua Finance, Inc. | 2025-02-15 | FCRA | Aqua Finance funded home water treatment financing arrangements whose terms were systematically misrepresented by dealers and structured deceptively as open-end credit in violation of federal lending law. | Order |
| Avast Limited | 2025-02-15 | Section 5 Only | Avast collected consumers' detailed browsing histories through its privacy-protection software and secretly sold that data to over 100 third parties without adequate disclosure or consent. | Order |
| COGNOSPHERE, LLC | 2025-01-15 | COPPA | HoYoverse collected children's personal data without parental consent and misled players about their true odds of winning loot box prizes, obscuring the actual cost of rare items. | Order |
| IntelliVision Technologies Corp. | 2025-01-15 | Section 5 Only | IntelliVision marketed its facial recognition software as free of racial and gender bias and highly accurate when it had no testing to support those claims. | Order |
| Mobilewalla, Inc. | 2025-01-15 | Section 5 Only | Mobilewalla collected and sold consumers' sensitive location data — including data revealing visits to medical facilities and places of worship — without meaningful consent and in violation of ad exchange terms. | Order |
| Gravy Analytics, Inc. | 2024-12-15 | Section 5 Only | Gravy Analytics collected and sold precise mobile location data revealing consumers' sensitive characteristics — including health decisions and religious practices — without verifying user consent. | Order |
| Vivint Smart Home, Inc. | 2024-12-15 | FCRA | Vivint's sales force fraudulently pulled third parties' credit reports without consent to qualify unqualified customers for financing, then passed those innocent parties' information to debt collectors. | Order |
| Marriott International, Inc. | 2024-10-15 | Section 5 Only | Marriott and Starwood Hotels suffered three major data breaches affecting hundreds of millions of consumers due to persistently inadequate security practices. | Order |
| 1Health.io Inc. | 2024-09-15 | Health Breach Notification | Vitagene falsely claimed industry-leading security for DNA health data while publicly exposing the genetic and health records of over 2,600 consumers through unsecured cloud storage. | Order |
| Verkada Inc. | 2024-08-15 | CAN-SPAM | Verkada made false security claims for its building surveillance cameras, failed to implement basic security practices, and violated CAN-SPAM requirements in its marketing emails. | Order |
| Monument, Inc. | 2024-06-15 | Health Breach Notification | Monument falsely claimed its alcohol addiction treatment platform was HIPAA compliant and 100% confidential while sharing users' sensitive health data with advertisers. | Order |
| BetterHelp, Inc. | 2024-05-15 | Health Breach Notification | BetterHelp secretly shared consumers' sensitive mental health information with Facebook, Snapchat, and other advertising platforms for targeted advertising despite repeatedly promising strict privacy. | Order |
| Blackbaud, Inc. | 2024-05-15 | Section 5 Only | Blackbaud's deficient security practices allowed a cyberattacker to remain undetected for months and exfiltrate millions of consumers' personal data, which the company then misrepresented in its breach notification. | Order |
| Cerebral, Inc. | 2024-05-15 | Health Breach Notification | Cerebral secretly shared millions of patients' sensitive mental health and personal data with over twenty advertising platforms while falsely promising confidential, secure care and making it difficult to cancel subscriptions. | Order |
| InMarket Media, LLC | 2024-05-15 | Section 5 Only | InMarket Media misled consumers about location data use in its apps and SDK, collecting precise location data for advertising profiling while telling consumers it was only for app functionality. | Order |
| Ring LLC | 2024-04-15 | Section 5 Only | Ring gave employees and contractors unrestricted access to all customers' private home camera footage and failed to protect accounts from credential-stuffing attacks. | Order |
| X-Mode Social, Inc. | 2024-04-15 | Section 5 Only | X-Mode Social collected precise consumer location data through hundreds of apps and sold it—including sensitive locations like medical facilities—to government contractors without adequate disclosure or consumer consent. | Order |
| Rite Aid Corporation | 2024-03-15 | Section 5 Only | Rite Aid deployed inaccurate facial recognition technology without adequate safeguards, causing wrongful surveillance of innocent consumers including disproportionate harms to minority shoppers. | Order |
| Global Tel*Link Corporation | 2024-02-15 | Section 5 Only | Global Tel*Link copied 649,500 incarcerated individuals' personal data to an unprotected test environment, exposed it to the internet for days, and then misled consumers and facilities about the breach. | Order |
| Residual Pumpkin Entity, LLC | 2024-01-15 | Section 5 Only | CafePress failed to secure consumer data against well-known attack vectors, suffered a massive breach, misled consumers about the breach's scope, and withheld shopkeeper commissions as retaliation. | Order |
| Epic Games, Inc. | 2024-01-15 | Section 5 Only | Epic Games used dark patterns to charge consumers — including children — for Fortnite purchases without informed consent, and denied account access to those who disputed charges. | Order |
| TransUnion Rental Screening Solutions, Inc. | 2023-10-15 | FCRA | TransUnion's rental screening subsidiary reported duplicated eviction entries, inaccurate case dispositions, mislabeled debt amounts, and sealed records in tenant background reports. | Order |
| Instant Checkmate, LLC | 2023-10-15 | FCRA | Instant Checkmate and TruthFinder falsely advertised report accuracy, implied searched individuals had criminal records when they often did not, and offered fake data correction tools. | Order |
| Edmodo, LLC | 2023-08-15 | COPPA | Edmodo collected personal information from hundreds of thousands of children without parental consent and attempted to shift its COPPA compliance obligations onto schools. | Order |
| Amazon.com, Inc. | 2023-07-15 | COPPA | Amazon retained children's Alexa voice recordings indefinitely and failed to honor user requests to delete voice and geolocation data despite explicit promises of full deletion control. | Order |
| Easy Healthcare Corporation | 2023-06-15 | Health Breach Notification | The Premom ovulation app secretly shared women's sensitive health and geolocation data with third parties for advertising despite explicit privacy promises. | Order |
| Microsoft Corporation | 2023-06-15 | COPPA | Microsoft collected personal information from children on Xbox Live before notifying parents or obtaining required parental consent, and retained incomplete-registration data for years. | Order |
| Fashion Nova, LLC | 2023-05-15 | Section 5 Only | Fashion Nova suppressed hundreds of thousands of negative customer reviews to create a falsely positive impression of its products. | Order |
| Epic Games, Inc. | 2023-02-15 | COPPA | Epic Games violated COPPA by collecting children's personal data in Fortnite without parental consent, and enabled on-by-default voice and text chat that exposed children to harmful contact. | Order |
| GoodRx Holdings, Inc. | 2023-02-01 | Health Breach Notification | GoodRx repeatedly promised never to share users' health information with advertisers, then secretly transmitted prescription drug names and health conditions to Facebook, Google, and Criteo for targeted advertising. | Order |
| Chegg, Inc. | 2023-01-15 | Section 5 Only | Chegg failed to implement basic data security controls for years, resulting in multiple breaches that exposed tens of millions of students' personal information. | Order |
| DRIZLY, LLC | 2023-01-15 | Section 5 Only | Drizly stored sensitive credentials insecurely in public GitHub repositories and failed to enforce basic account security, allowing a hacker to steal data on 2.5 million consumers. | Order |
| Everalbum, Inc. | 2022-05-15 | Section 5 Only | Everalbum enabled facial recognition by default without user consent and used consumers' photos to train commercial AI without adequately disclosing this or deleting data when accounts were deactivated. | Order |
| Credit Bureau Center, LLC | 2022-04-15 | FCRA | Credit Bureau Center used fake rental property ads to lure consumers into hidden paid credit monitoring subscriptions falsely advertised as free. | Order |
| Kurbo, Inc. | 2022-03-15 | COPPA | Kurbo by WW collected personal data from children under 13 without adequate parental notice or verifiable consent. | Order |
| ITMEDIA SOLUTIONS LLC | 2022-01-15 | FCRA | ITMedia collected consumers' sensitive loan application data under the pretext of connecting them to lenders, then sold it to marketers, debt negotiators, and unknown entities. | Order |
| Ascension Data & Analytics, LLC | 2021-12-15 | GLBA | Ascension Data & Analytics handed mortgage documents containing sensitive consumer data to a vendor without conducting any security vetting, resulting in a cloud storage misconfiguration that exposed the data. | Order |
| MyLife.com, Inc. | 2021-12-15 | FCRA, TSR | MyLife.com used deceptive teaser results suggesting searched individuals had criminal or sex offender records to sell subscriptions, and made cancellation deliberately difficult. | Order |
| OpenX Technologies, Inc. | 2021-12-15 | COPPA | OpenX collected precise location data via a backdoor method that bypassed users' location permission denials, and collected children's personal data from child-directed apps without parental consent. | Order |
| Kuuhubb Inc. | 2021-07-15 | COPPA | Kuuhubb's Recolor App marketed as an adult coloring book contained a child-directed section through which it collected children's personal data for behavioral advertising without parental consent. | Order |
| Flo Health, Inc. | 2021-06-15 | Section 5 Only | Flo Health promised not to share women's reproductive health data with third parties but secretly disclosed it to Facebook, Google, and others. | Order |
| SkyMed International, Inc. | 2021-02-15 | Section 5 Only | SkyMed displayed a self-created 'HIPAA Compliance' seal implying government verification of its practices, and misled consumers about what was exposed in a data security incident. | Order |
| Zoom Video Communications, Inc. | 2021-02-15 | Section 5 Only | Zoom falsely claimed to offer end-to-end encryption for meetings and secretly installed software on Mac computers that bypassed Apple's security controls. | Order |
| AppFolio, Inc. | 2020-12-15 | FCRA | AppFolio included obsolete records more than seven years old and inaccurate information from an unvetted vendor in tenant screening reports used to deny housing. | Order |
| Midwest Recovery Systems, LLC | 2020-11-15 | FCRA | Midwest Recovery Systems collected debts consumers did not owe and 'parked' over $98 million in unsubstantiated debts on credit reports without first notifying consumers. | Order |
| Raging Wire Data Centers, Inc. | 2020-10-15 | Section 5 Only | Raging Wire Data Centers misrepresented its participation in or compliance with a privacy framework (summary based on provision titles alone, as no factual background was available). | Order |
| EMP Media, Inc. | 2020-09-15 | Section 5 Only | MyEx.com publicly posted intimate images and personal information of individuals without their consent and charged victims thousands of dollars to have the content removed. | Order |
| Miniclip S.A. | 2020-07-15 | Section 5 Only | Miniclip falsely claimed for years to be a certified participant in the CARU COPPA safe harbor program after its certified status was terminated. | Order |
| Ortho-Clinical Diagnostics, Inc. | 2020-07-15 | Section 5 Only | Ortho-Clinical Diagnostics kept claiming Privacy Shield compliance on its website after its certification lapsed and even after Commerce warned it to remove those claims. | Order |
| HyperBeard, Inc. | 2020-06-15 | COPPA | HyperBeard operated child-directed mobile apps that allowed advertising networks to collect children's personal data for behavioral advertising without parental consent. | Order |
| Kohl's Department Stores, Inc. | 2020-06-15 | FCRA | Kohl's denied identity theft victims access to transaction records about fraudulent purchases made in their names. | Order |
| Alliance Security Inc. | 2020-05-15 | TSR, FCRA | Alliance Security and its CEO made over two million illegal telemarketing calls including to Do Not Call registrants, impersonated ADT, and obtained consumer reports without permissible purpose. | Order |
| Tapplock, Inc. | 2020-05-15 | Section 5 Only | Tapplock marketed its Internet-connected padlocks as 'unbreakable' and secure while critical physical and electronic vulnerabilities made them trivially easy to compromise. | Order |
| BoostMyScore LLC | 2020-03-15 | TSR | BoostMyScore sold illegal credit piggybacking services and charged prohibited advance fees while falsely guaranteeing FICO score boosts. | Order |
| RETINA-X STUDIOS, LLC | 2020-03-15 | COPPA | Retina-X sold covert device monitoring apps enabling stalking while falsely claiming consumers' data was kept private and secure. | Order |
| T&M Protection Resources, LLC | 2020-03-15 | Section 5 Only | T&M Protection Resources falsely claimed active EU-U.S. Privacy Shield participation after its certification had lapsed. | Order |
| Office Depot, Inc. | 2020-02-15 | Section 5 Only | Office Depot used a fake diagnostic software tool that automatically reported false malware findings to sell unnecessary repair services to consumers. | Order |
| Click Labs, Inc. | 2020-01-15 | Section 5 Only | Click Labs falsely claimed Privacy Shield certification on its website after never completing the certification process. | Order |
| DCR Workforce, Inc. | 2020-01-15 | Section 5 Only | DCR Workforce continued claiming active Privacy Shield compliance on its website after its certification had lapsed. | Order |
| Global Data Vault, LLC | 2020-01-15 | Section 5 Only | Global Data Vault continued claiming active Privacy Shield participation after its certification expired and also failed to obtain required annual verification while certified. | Order |
| Incentive Services, Inc. | 2020-01-15 | Section 5 Only | Incentive Services claimed Privacy Shield compliance on its website despite never completing the certification process for either framework. | Order |
| InfoTrax Systems, L.C. | 2020-01-15 | Section 5 Only | InfoTrax Systems failed to implement basic data security measures for sensitive consumer financial information, allowing a hacker to access its servers seventeen times undetected over nearly two years. | Order |
| LotaData, Inc. | 2020-01-15 | Section 5 Only | LotaData falsely claimed Privacy Shield certification on its website despite never completing the required certification steps. | Order |
| Medable, Inc. | 2020-01-15 | Section 5 Only | Medable falsely claimed to be EU/US Privacy Shield certified on its website after never completing the certification process. | Order |
| Mortgage Solutions FCS, Inc. | 2020-01-15 | FCRA, GLBA | Mortgage Solutions FCS publicly posted customers' sensitive financial and health information — including credit scores and medical conditions — in Yelp responses to negative reviews. | Order |
| TDARX, Inc. | 2020-01-15 | Section 5 Only | TDARX continued claiming Privacy Shield participation on its website after certification lapsed and also failed to obtain required annual verification while certified. | Order |
| Thru, Inc. | 2020-01-15 | Section 5 Only | Thru displayed Privacy Shield compliance claims in its privacy policy after never completing the certification steps for either the EU-U.S. or Swiss-U.S. frameworks. | Order |
| 214 Technologies, Inc. | 2020-01-15 | Section 5 Only | Trueface.ai falsely claimed it had self-certified to the EU-U.S. Privacy Shield framework when it had never completed the certification process. | Order |
| Cambridge Analytica, LLC | 2019-12-15 | Section 5 Only | Aleksandr Kogan and Alexander Nix built a Facebook app that falsely promised not to collect users' identifiable information while harvesting data from millions of users and their friends. | Order |
| Cambridge Analytica, LLC | 2019-12-15 | Section 5 Only | Cambridge Analytica misrepresented its data practices and privacy program participation in connection with harvesting personal data from millions of consumers. | Order |
| Unrollme Inc. | 2019-12-15 | Section 5 Only | Unrollme assured users it would never 'touch' their personal emails while secretly giving its parent company access to those inboxes to harvest and sell e-receipt data. | Order |
| LifeLock, Inc. | 2019-10-15 | Section 5 Only | LifeLock falsely marketed its identity theft protection service as comprehensive and complete when it actually covered only a narrow subset of identity theft scenarios. | Order |
| Google LLC and YouTube, LLC | 2019-09-15 | COPPA | Google and YouTube collected persistent identifiers from child viewers of child-directed YouTube channels to serve behavioral advertising without parental notice or consent. | Order |
| LightYear Dealer Technologies, LLC | 2019-09-15 | GLBA | DealerBuilt stored the personal information of over 14 million consumers and 39,000 employees in clear text without access controls or a written security program. | Order |
| SecurTest, Inc. | 2019-08-15 | Section 5 Only | SecurTest falsely claimed Privacy Shield certification on its website after failing to complete the required certification steps. | Order |
| D-Link Systems, Inc. | 2019-07-15 | Section 5 Only | D-Link marketed routers and IP cameras as secure while leaving them vulnerable to hard-coded credentials, command injection flaws, and backdoors. | Order |
| Equifax Inc. | 2019-07-15 | GLBA | Equifax's failure to patch a known security vulnerability for over four months led to a breach exposing the personal information of approximately 147 million consumers. | Order |
| Facebook, Inc. | 2019-07-15 | | | Order |
| James V. Grago, Jr., individually and d/b/a ClixSense.com | 2019-07-15 | Section 5 Only | ClixSense.com claimed to use encryption and the latest security techniques while storing 6.6 million users' data entirely in clear text with no encryption. | Order |
| UNIXIZ, Inc. | 2019-04-15 | COPPA | UNIXIZ collected personal information from over 245,000 children on its gaming site without verifiable parental consent and with grossly inadequate data security. | Order |
| Musical.ly | 2019-02-15 | COPPA | Musical.ly knowingly collected personal data from millions of children under 13 without parental notice or consent and failed to delete children's data when parents requested it. | Order |
| mResource LLC | 2018-11-15 | Section 5 Only | mResource continued claiming current Privacy Shield participation on its website after its certification expired without renewal. | Order |
| ReadyTech Corporation | 2018-11-15 | Section 5 Only | ReadyTech falsely claimed on its website to be actively certifying Privacy Shield compliance and committed to related dispute resolution, when it never completed certification. | Order |
| SmartStart Employment Screening, Inc. | 2018-11-15 | Section 5 Only | SmartStart claimed current Privacy Shield participation for nearly a year after its certification lapsed and never affirmed it would continue protecting EU personal data after withdrawal. | Order |
| VenPath, Inc. | 2018-11-15 | Section 5 Only | VenPath continued claiming active Privacy Shield participation after its certification expired and failed to affirm it would continue protecting EU consumer data. | Order |
| IDmission LLC | 2018-10-15 | Section 5 Only | IDmission publicly claimed Privacy Shield certification on its website despite never completing the required certification steps. | Order |
| RealPage, Inc. | 2018-10-15 | FCRA | RealPage used overly broad, inaccurate criminal record matching in tenant screening reports, causing wrong individuals' records to appear in consumer files. | Order |
| Uber Technologies, Inc. | 2018-10-15 | Section 5 Only | Uber falsely claimed to rigorously monitor employee access to rider and driver data and to use industry-standard security, when its actual practices fell far short. | Order |
| Apartment Hunters, Inc. | 2018-09-15 | Section 5 Only | Apartment Hunters charged fees for access to rental listings that were mostly inaccurate, unavailable, or identical to what was available for free online. | Order |
| BLU PRODUCTS, INC. | 2018-09-15 | Section 5 Only | BLU Products sold smartphones with preinstalled software that secretly transmitted users' text messages, location data, and contact lists to servers in China. | Order |
| Integrated Flight Solutions LLC | 2018-09-15 | Section 5 Only | NoveltyExcuses.com sold fake financial documents—including pay stubs and insurance cards—designed to look authentic enough to deceive lenders and landlords. | Order |
| Innovative Paycheck Solutions | 2018-09-15 | Section 5 Only | Innovative Paycheck Solutions sold fake pay stubs and bank statements marketed as authentic-looking documents for use in deceiving lenders and landlords. | Order |
| PayPal, Inc. | 2018-05-15 | GLBA | Venmo misled consumers about fund availability, privacy settings that did not work as described, and its bank-grade security claim while also violating Gramm-Leach-Bliley rules. | Order |
| Prime Sites, Inc. | 2018-02-15 | COPPA | Explore Talent collected personal information from over 100,000 children without parental consent and used false promises of casting opportunities to sell paid memberships. | Order |
| Sears Holdings Management Corporation | 2018-02-15 | Section 5 Only | Sears secretly installed software on consumers' computers that tracked nearly all internet activity — including financial and health data from secure sessions — while describing it as simple 'online browsing' research. | Order |
| Jerk, LLC | 2018-01-15 | Section 5 Only | Jerk.com misrepresented that profile content was created by users and that paid memberships would provide meaningful dispute rights. | Order |
| Lenovo (United States) Inc. | 2018-01-15 | Section 5 Only | Lenovo preinstalled man-in-the-middle adware on consumer laptops that intercepted encrypted web traffic and created serious security vulnerabilities without adequate disclosure. | Order |
| VTech Electronics Limited and VTech Electronics North America, LLC | 2018-01-15 | COPPA | VTech collected children's personal data through its online services without parental consent, maintained inadequate security, and falsely claimed personal information was encrypted during transmission. | Order |
| Decusoft, LLC | 2017-11-15 | Section 5 Only | Decusoft falsely claimed on its website to be certified under both the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks when it had never completed the certification process. | Order |
| Md7, LLC | 2017-11-15 | Section 5 Only | Md7 falsely claimed in its privacy policy to be certified under the EU-U.S. Privacy Shield Framework when it had only begun but never completed the application. | Order |
| TaxSlayer, LLC | 2017-11-15 | GLBA | TaxSlayer, a tax preparation service handling highly sensitive financial data, lacked a written security program, performed no risk assessments, and buried its privacy notice in a license agreement. | Order |
| Tru Communication, Inc. | 2017-11-15 | Section 5 Only | Tru Communication falsely claimed its website would remain compliant with the EU-U.S. Privacy Shield Framework when it had never completed the certification process. | Order |
| Ruby Corp. | 2017-09-15 | Section 5 Only | Ashley Madison used fake female profiles to lure users into paid memberships, falsely advertised a nonexistent security award, and charged for a deletion service that did not work. | Order |
| Turn Inc. | 2017-04-15 | Section 5 Only | Turn Inc. falsely told consumers that deleting cookies would stop its tracking, while secretly using unkillable Verizon tracking headers to continue surveillance. | Order |
| Upromise, Inc. | 2017-03-15 | Section 5 Only | Upromise violated a prior FTC order by burying required data collection disclosures in tiny gray text and obtaining sham compliance assessments that did not actually evaluate its RewardU toolbar. | Order |
| VIZIO, Inc. | 2017-02-15 | Section 5 Only | VIZIO covertly collected second-by-second television viewing data from millions of consumers by default and sold it to third parties while describing the feature only as providing 'program offers and suggestions.' | Order |
| LabMD, Inc. | 2016-09-15 | Section 5 Only | LabMD allegedly failed to implement reasonable data security practices, resulting in sensitive patient information becoming accessible on a public peer-to-peer file-sharing network. | Order |
| Practice Fusion, Inc. | 2016-08-15 | Section 5 Only | Practice Fusion sent patient satisfaction surveys implying responses would go privately to doctors, while actually posting them publicly on a physician rating website. | Order |
| Very Incognito Technologies, Inc. | 2016-08-15 | Section 5 Only | Vipvape falsely claimed in its privacy policy to participate in the APEC Cross-Border Privacy Rules system without ever obtaining the required certification. | Order |
| ASUSTeK Computer, Inc. | 2016-07-15 | Section 5 Only | ASUS marketed its routers as secure while leaving them vulnerable to authentication bypass attacks and exposing users' USB storage to public internet access by default. | Order |
| InMobi Pte Ltd. | 2016-06-15 | COPPA | InMobi secretly tracked users' locations without permission and collected personal data from children across thousands of apps without parental consent. | Order |
| Credit Protection Association, LP | 2016-05-15 | FCRA | Credit Protection Association furnished consumer data to credit bureaus without the required written accuracy and integrity policies, and failed to complete dispute investigations on time. | Order |
| Henry Schein Practice Solutions, Inc. | 2016-05-15 | Section 5 Only | Henry Schein falsely marketed its dental software as providing industry-standard encryption for patient data when it actually used a weaker, proprietary algorithm. | Order |
| Oracle Corporation | 2016-03-15 | Section 5 Only | Oracle told consumers that updating Java SE would give them 'the latest security improvements,' while the update process left older, vulnerable versions of Java installed on their computers. | Order |
| Sitesearch Corporation | 2016-03-15 | Section 5 Only | LeapLab collected consumers' sensitive payday loan applications and sold them to telemarketers and fraudulent merchants who used the data to make unauthorized bank account debits. | Order |
| Craig Brittain | 2016-01-15 | Section 5 Only | Craig Brittain operated a 'revenge porn' site, posting intimate photos of over 1,000 individuals without consent and running a sham removal service that charged victims to take down their own images. | Order |
| LAI Systems, LLC | 2015-12-15 | COPPA | LAI Systems allowed third-party ad networks to collect persistent identifiers from children through its kids' apps for targeted advertising without parental notice or consent. | Order |
| Retro Dreamer | 2015-12-15 | COPPA | Retro Dreamer knowingly allowed ad networks to collect children's personal data through its kids' apps for targeted advertising without parental consent, even after being put on notice. | Order |
| Wyndham Worldwide Corporation | 2015-12-15 | Section 5 Only | Wyndham Worldwide's inadequate network security led to three separate data breaches compromising over 619,000 payment card numbers across its hotel properties. | Order |
| Contract Logix, LLC | 2015-10-15 | Section 5 Only | Contract Logix continued displaying Safe Harbor participation claims on its website for nearly three years after its certification had lapsed. | Order |
| Dale Jarrett Racing Adventure, Inc. | 2015-10-15 | Section 5 Only | Dale Jarrett Racing Adventure falsely claimed Safe Harbor participation on its website when it was never a certified participant. | Order |
| Forensics Consulting Solutions, LLC | 2015-10-15 | Section 5 Only | Forensics Consulting Solutions continued claiming Safe Harbor compliance on its website for nearly three years after its certification lapsed. | Order |
| Golf Connect, LLC | 2015-10-15 | Section 5 Only | Golf Connect displayed inherited Safe Harbor participation claims on an acquired website after neither the predecessor nor the acquirer held a valid certification. | Order |
| Inbox Group, LLC | 2015-10-15 | Section 5 Only | Inbox Group falsely claimed on its website to be certified under the U.S.-EU Safe Harbor Framework when it had never participated. | Order |
| IOActive, Inc. | 2015-10-15 | Section 5 Only | IOActive displayed Safe Harbor participation claims on its website for approximately three years after its certification had lapsed. | Order |
| Jhayrmaine Daniels, d/b/a California Skate-Line | 2015-10-15 | Section 5 Only | California Skate-Line claimed to adhere to Safe Harbor Privacy Principles despite never having been a Safe Harbor participant. | Order |
| Jubilant Clinsys, Inc. | 2015-10-15 | Section 5 Only | Jubilant Clinsys continued claiming annual Safe Harbor self-certification and compliance on its website for over two years after its certification lapsed. | Order |
| Just Bagels Manufacturing, Inc. | 2015-10-15 | Section 5 Only | Just Bagels Manufacturing published Safe Harbor compliance claims on its website despite never having been a participant in either the U.S.-EU or U.S.-Swiss Safe Harbor Framework. | Order |
| NAICS Association, LLC | 2015-10-15 | Section 5 Only | NAICS Association continued claiming Safe Harbor compliance on its website for over a year after its certification expired. | Order |
| One Industries Corp. | 2015-10-15 | Section 5 Only | One Industries, a motocross gear seller, falsely claimed to adhere to Safe Harbor Privacy Principles when it had never self-certified or participated. | Order |
| Pinger, Inc. | 2015-10-15 | Section 5 Only | Pinger continued claiming certified compliance with U.S.-EU and U.S.-Swiss Safe Harbor Frameworks on its website after allowing its annual certification to lapse. | Order |
| Sprint Corporation | 2015-10-15 | FCRA | Sprint charged consumers higher fees based on their credit reports but failed to provide required risk-based pricing notices before they became contractually obligated. | Order |
| SteriMed Medical Waste Solutions | 2015-10-15 | Section 5 Only | SteriMed Medical Waste Solutions falsely claimed to be a registered Safe Harbor participant when it had never self-certified. | Order |
| Nomi Technologies, Inc. | 2015-09-15 | Section 5 Only | Nomi Technologies promised consumers opt-out rights at retail locations while never actually providing any in-store opt-out mechanism. | Order |
| Tricolor Auto Acceptance, LLC | 2015-09-15 | FCRA | Tricolor Auto Acceptance furnished credit information to reporting agencies without any written accuracy policies and failed to investigate consumer disputes it received directly. | Order |
| American International Mailing, Inc. | 2015-05-15 | Section 5 Only | American International Mailing continued claiming active EU-U.S. Safe Harbor participation for five years after its certification had lapsed. | Order |
| TES Franchising, LLC | 2015-05-15 | Section 5 Only | TES Franchising falsely claimed active participation in U.S.-EU and U.S.-Swiss Safe Harbor Frameworks and the TRUSTe Privacy Program when none of those certifications were current. | Order |
| PaymentsMD, LLC | 2015-02-15 | Section 5 Only | PaymentsMD secretly used consumers' registration for a free billing portal to collect comprehensive health information from pharmacies and health plans for a separate fee-based service. | Order |
| Snapchat, Inc. | 2014-12-15 | Section 5 Only | Snapchat falsely claimed messages disappeared permanently, that users received screenshot notifications, and that it did not collect location data, while also failing to secure user information. | Order |
| TinyCo, Inc. | 2014-09-15 | COPPA | TinyCo collected tens of thousands of email addresses from children through child-directed gaming apps without notifying parents or obtaining their consent. | Order |
| Yelp Inc. | 2014-09-15 | COPPA | Yelp's app registration feature accepted sign-ups from children under 13 for four years and collected their personal data without parental notice or consent. | Order |
| Credit Karma, Inc. | 2014-08-15 | Section 5 Only | Credit Karma's mobile app failed to validate SSL certificates, exposing users' Social Security numbers and credit data to interception on public Wi-Fi networks. | Order |
| Fandango, LLC | 2014-08-15 | Section 5 Only | Fandango's iOS app disabled SSL certificate validation for four years, exposing customers' credit card and login credentials to interception despite security promises. | Order |
| GMR Transcription Services, Inc. | 2014-08-15 | Section 5 Only | GMR Transcription falsely claimed HIPAA-compliant security while medical transcription files were stored in plain text on a publicly accessible FTP server. | Order |
| American Apparel, Inc. | 2014-06-15 | Section 5 Only | American Apparel falsely claimed active Safe Harbor certification for roughly six months after its certification had lapsed. | Order |
| Apperian, Inc. | 2014-06-15 | Section 5 Only | Apperian displayed the Safe Harbor certification mark and claimed compliance for over a year after its certification status had lapsed. | Order |
| Atlanta Falcons Football Club, LLC | 2014-06-15 | Section 5 Only | The Atlanta Falcons Football Club falsely claimed active Safe Harbor participation for nearly eight years after its certification had lapsed. | Order |
| Baker Tilly Virchow Krause, LLP | 2014-06-15 | Section 5 Only | Baker Tilly continued displaying the Safe Harbor certification mark and claiming certification for over two years after its certification had lapsed. | Order |
| BitTorrent, Inc. | 2014-06-15 | Section 5 Only | BitTorrent falsely claimed adherence to EU Safe Harbor principles for approximately five years after its certification had lapsed. | Order |
| Charles River Laboratories International, Inc. | 2014-06-15 | Section 5 Only | Charles River Laboratories claimed current Safe Harbor compliance for over two years after its certification had lapsed. | Order |
| DataMotion, Inc. | 2014-06-15 | Section 5 Only | DataMotion displayed the Safe Harbor certification mark and claimed active framework participation after its certification had lapsed. | Order |
| DDC Laboratories, Inc. | 2014-06-15 | Section 5 Only | DDC Laboratories, a DNA testing company, continued claiming Safe Harbor compliance for two years after its certification had lapsed. | Order |
| Fantage.com, Inc. | 2014-06-15 | Section 5 Only | Fantage.com falsely claimed active Safe Harbor participation for approximately 19 months after its certification had lapsed. | Order |
| Level 3 Communications, LLC | 2014-06-15 | Section 5 Only | Level 3 Communications falsely claimed active Safe Harbor certification for over a year after its certification lapsed. | Order |
| PDB Sports, Ltd. | 2014-06-15 | Section 5 Only | The Denver Broncos falsely claimed compliance with the EU Safe Harbor framework two years after its certification expired. | Order |
| The Receivable Management Services Corporation | 2014-06-15 | Section 5 Only | A debt collection agency displayed a lapsed Safe Harbor certification mark for nearly four years after its certification expired. | Order |
| Reynolds Consumer Products Inc. | 2014-06-15 | Section 5 Only | Reynolds Consumer Products continued claiming Safe Harbor compliance for years after its customer and HR data certifications both expired. | Order |
| Tennessee Football, Inc. | 2014-06-15 | Section 5 Only | Tennessee Titans ownership falsely claimed EU Safe Harbor compliance for more than four years after its certification expired. | Order |
| GeneLink, Inc. | 2014-05-15 | Section 5 Only | GeneLink and foru™ made unsubstantiated claims that their DNA-based supplements could treat diseases and mitigate genetic disadvantages, while failing to secure consumers' genetic data. | Order |
| GeneLink, Inc. | 2014-05-15 | Section 5 Only | GeneLink made false and unsubstantiated claims that its DNA-based supplements could treat diseases while failing to protect nearly 30,000 consumers' genetic and financial data. | Order |
| Goldenshores Technologies, LLC | 2014-04-15 | Section 5 Only | Goldenshores Technologies' Brightest Flashlight Free app secretly transmitted users' precise geolocation and device identifiers to advertising networks without adequate disclosure. | Order |
| InfoTrack Information Services, Inc. | 2014-04-15 | FCRA | InfoTrack provided inaccurate background check reports with unreliable sex offender data and failed to provide legally required FCRA notices. | Order |
| Instant Checkmate, Inc. | 2014-04-15 | FCRA | Instant Checkmate marketed background reports for employment screening purposes while failing to comply with any Fair Credit Reporting Act requirements. | Order |
| Aaron's, Inc. | 2014-03-15 | Section 5 Only | Aaron's provided its franchisees with spyware that secretly logged keystrokes, captured screenshots, and activated webcams on rented computers without consumers' knowledge or consent. | Order |
| Accretive Health, Inc. | 2014-02-15 | Section 5 Only | Accretive Health failed to implement reasonable data security measures to protect sensitive patient information, resulting in a laptop theft that exposed over 23,000 patients' data. | Order |
| TRENDnet, Inc. | 2014-02-15 | Section 5 Only | TRENDnet sold 'SecurView' cameras that transmitted login credentials in clear text and left live feeds of private areas exposed to hackers due to software security failures. | Order |
| TeleCheck Services, Inc. | 2014-01-15 | FCRA | TeleCheck failed to properly reinvestigate disputed consumer information and did not maintain reasonable accuracy procedures, while its affiliate TRS lacked required written data furnisher policies. | Order |
| Time Warner Cable Inc. | 2013-12-15 | FCRA | Time Warner Cable required consumers with weaker credit to pay deposits without providing the required risk-based pricing notices before they became contractually obligated. | Order |
| Certegy Check Services, Inc. | 2013-08-15 | FCRA | Certegy Check Services failed to maintain accurate consumer report information, required consumers to conduct their own reinvestigations, and lacked adequate dispute handling processes. | Order |
| HTC America, Inc. | 2013-07-15 | Section 5 Only | HTC introduced serious security vulnerabilities into millions of Android and Windows Mobile devices, exposing sensitive user data to third-party apps without permission. | Order |
| CBR Systems, Inc. | 2013-05-15 | Section 5 Only | CBR Systems falsely claimed to handle consumers' sensitive health and financial data securely while failing to implement basic data protection measures. | Order |
| Filiquarian Publishing, LLC | 2013-05-15 | FCRA | Filiquarian marketed mobile apps for employment background checks while operating as a consumer reporting agency without implementing any required FCRA procedures. | Order |
| Aspen Way Enterprises, Inc. | 2013-04-15 | Section 5 Only | Aspen Way Enterprises installed hidden monitoring software on rented computers to secretly capture consumers' sensitive personal information, including via webcam. | Order |
| B. Stamper Enterprises, Inc. | 2013-04-15 | Section 5 Only | B. Stamper Enterprises secretly monitored rented computer users via hidden software to capture passwords, medical records, and personal images. | Order |
| C.A.L.M. Ventures, Inc. | 2013-04-15 | Section 5 Only | C.A.L.M. Ventures used hidden monitoring software on rented computers to secretly spy on consumers in their homes, including activating webcams without consent. | Order |
| DesignerWare, LLC | 2013-04-15 | Section 5 Only | DesignerWare developed and licensed stalkerware that secretly activated webcams, logged keystrokes, and tracked consumers' locations on rented computers. | Order |
| J.A.G. Rents, LLC | 2013-04-15 | Section 5 Only | J.A.G. Rents secretly monitored rented computer users through hidden software, capturing sensitive personal information and tricking consumers with fake registration pop-ups. | Order |
| Red Zone Investment Group, Inc. | 2013-04-15 | Section 5 Only | Red Zone Investment Group installed covert monitoring software on rented computers to secretly surveil users and collect personal information without their knowledge. | Order |
| Showplace, Inc. | 2013-04-15 | Section 5 Only | Showplace secretly installed monitoring software on rented computers to capture consumers' webcam images, keystrokes, and personal data without their knowledge. | Order |
| Watershed Development Corp. | 2013-04-15 | Section 5 Only | Watershed Development secretly monitored rented computer users through hidden keylogging, screenshot, and webcam software without their knowledge or consent. | Order |
| Epic Marketplace, Inc. | 2013-03-15 | Section 5 Only | Epic Marketplace secretly exploited browser history to track consumers' visits to sensitive websites — including medical and financial pages — without disclosing this practice in its privacy policy. | Order |
| Equifax Information Services LLC | 2013-03-15 | FCRA | Equifax sold prescreened consumer credit lists to a company that resold them to third parties for general marketing, without maintaining adequate procedures to ensure permissible use. | Order |
| Compete, Inc. | 2013-02-15 | Section 5 Only | Compete collected consumers' sensitive financial and personal information through tracking software while falsely claiming it only anonymously collected browsing data. | Order |
| Path, Inc. | 2013-02-15 | COPPA | Path's mobile app silently collected users' entire phone contact lists without consent and knowingly gathered personal data from thousands of children without parental approval. | Order |
| PLS Financial Services, Inc. | 2012-11-15 | FCRA, GLBA | PLS Financial Services represented it maintained legally compliant security safeguards but discarded consumer documents containing sensitive personal information in unsecured dumpsters. | Order |
| Artist Arena LLC | 2012-10-15 | COPPA | Artist Arena collected personal data from over 101,000 children under 13 for celebrity fan clubs without proper parental notice or consent. | Order |
| Direct Lending Source, Inc. | 2012-10-15 | FCRA | Direct Lending Source purchased and resold prescreened consumer credit lists to entities running fraudulent loan modification schemes without verifying permissible use. | Order |
| EPN, Inc., also d/b/a Checknet, Inc. | 2012-10-15 | Section 5 Only | EPN, a debt collector, failed to implement reasonable data security, allowing a peer-to-peer app to expose sensitive consumer information on a public network. | Order |
| Franklin's Budget Car Sales, Inc., also dba Franklin Toyota/Scion | 2012-10-15 | GLBA | Franklin Toyota claimed to maintain legally compliant security safeguards while allowing a P2P app to expose nearly 95,000 customers' sensitive personal information. | Order |
| MYSPACE LLC | 2012-09-15 | Section 5 Only | Myspace transmitted users' personal identifiers to third-party advertisers without disclosure, enabling advertisers to link users' real identities to their browsing behavior. | Order |
| HireRight Solutions, Inc. | 2012-08-15 | FCRA | HireRight systematically failed to ensure accuracy of background screening reports, denied consumers access to their own files, and refused to properly reinvestigate disputes. | Order |
| Spokeo, Inc. | 2012-06-15 | FCRA | Spokeo marketed detailed consumer profiles for employment decisions while operating as an unregistered consumer reporting agency without any FCRA compliance procedures. | Order |
| RockYou, Inc. | 2012-03-15 | COPPA | RockYou failed to secure 32 million email addresses and passwords, and knowingly collected personal data from approximately 179,000 children without parental consent in violation of COPPA. | Order |
| Asset Acceptance, LLC | 2012-01-15 | FCRA | Asset Acceptance pursued consumers for debts without adequate verification, failed to disclose statute-of-limitations issues, and furnished inaccurate information to credit bureaus. | Order |
| ScanScout, Inc. | 2011-12-15 | Section 5 Only | ScanScout falsely told consumers they could opt out of tracking cookies by changing browser settings, when its Flash cookies were immune to browser-level controls. | Order |
| Jones O. Godwin | 2011-11-15 | COPPA | Skid-e-kids' operator claimed to collect parental email addresses and notify parents before activating children's accounts, but never actually did so. | Order |
| Frostwire LLC | 2011-10-15 | Section 5 Only | FrostWire's file-sharing apps deceived users about which files were being publicly shared on peer-to-peer networks. | Order |
| Google Inc. | 2011-10-15 | Section 5 Only | Google auto-enrolled Gmail users into its Buzz social network using their contacts, breaking promises that Gmail data would only be used for email. | Order |
| W3 Innovations, LLC | 2011-09-15 | COPPA | Broken Thumbs Apps collected over 30,000 email addresses from children through child-directed mobile apps without any privacy notice or parental consent. | Order |
| ACRAnet, Inc. | 2011-08-15 | FCRA, GLBA | ACRAnet, a credit reporting agency, failed to implement basic security safeguards for its clients, allowing hackers to access sensitive consumer credit reports through clients' unprotected networks. | Order |
| Fajilan and Associates, Inc. | 2011-08-15 | FCRA, GLBA | Statewide Credit Services sold sensitive credit reports to clients without verifying their security posture, enabling repeated hacker breaches of client networks. | Order |
| SettlementOne Credit Corporation | 2011-08-15 | FCRA, GLBA | SettlementOne Credit allowed client mortgage brokers without verified security to access sensitive consumer credit reports, enabling hackers to breach multiple client networks. | Order |
| Balls of Kryptonite, LLC | 2011-06-15 | Section 5 Only | Best Priced Brands deceived UK consumers by falsely presenting its U.S. businesses as UK-based retailers and misrepresenting prices, warranties, and consumer rights. | Order |
| Ceridian Corporation | 2011-06-15 | Section 5 Only | Ceridian falsely claimed its payroll processing service met high security standards while storing employee data in unencrypted clear text with no SQL injection defenses. | Order |
| CHITIKA, INC. | 2011-06-15 | Section 5 Only | Chitika told consumers that clicking its opt-out button stopped behavioral advertising tracking, but the opt-out cookie expired after only 10 days without any notice. | Order |
| Lookout Services, Inc. | 2011-06-15 | Section 5 Only | Lookout Services falsely claimed 24/7 network security monitoring for its I-9 compliance product while lacking basic security safeguards like strong passwords and URL authentication controls. | Order |
| TELETRACK, INC. | 2011-06-15 | FCRA | Teletrack sold consumer credit inquiry data to third-party marketers as mailing lists without a permissible purpose under the Fair Credit Reporting Act. | Order |
| Playdom, Inc. | 2011-05-15 | COPPA | Playdom allowed children under 13 immediate access to its online games and public profiles before obtaining any parental consent, violating COPPA. | Order |
| Twitter, Inc. | 2011-03-15 | Section 5 Only | Twitter falsely claimed to protect user information with robust security measures while allowing nearly all employees broad administrative access with easily-compromised credentials for years. | Order |
| US Search, Inc. | 2011-03-15 | Section 5 Only | US Search sold a paid 'PrivacyLock' service promising to remove consumers' personal information from its site, while leaving that data accessible through multiple types of searches. | Order |
| EchoMetrix, Inc. | 2010-11-15 | Section 5 Only | EchoMetrix sold parental monitoring software while secretly feeding children's online activity data to a third-party market research product sold to advertisers. | Order |
| Rite Aid Corporation | 2010-11-15 | Section 5 Only | Rite Aid publicly claimed to protect patient privacy but failed to implement adequate policies for secure disposal of sensitive health and personal information. | Order |
| ChoicePoint Inc. | 2010-09-15 | FCRA | ChoicePoint failed to verify the identities of prospective data subscribers, allowing fraudulent actors to access the personal information of approximately 163,000 consumers. | Order |
| Dave & Buster's, Inc. | 2010-06-15 | Section 5 Only | Dave & Buster's failed to implement basic network security measures, allowing an intruder to steal customers' payment card information from its restaurant networks. | Order |
| Central Credit, LLC | 2010-04-15 | FCRA | Central Credit, a consumer reporting agency, failed to provide legally required notices to furnishers, users, and consumers and lacked a compliant process for free annual file disclosures. | Order |
| Direct Marketing Associates, Corp. | 2010-03-15 | FCRA | Direct Marketing Associates mailed fake pre-approved auto financing solicitations using consumer credit data it obtained from credit bureaus under false pretenses. | Order |
| ControlScan, Inc. | 2010-02-15 | Section 5 Only | ControlScan sold privacy and security certification seals to websites while conducting little or no actual verification of those companies' data protection practices. | Order |
| Collectify LLC | 2010-01-15 | Section 5 Only | Collectify displayed Safe Harbor compliance claims on its website for nearly five years after its certification had lapsed. | Order |
| ExpatEdge Partners, LLC | 2010-01-15 | Section 5 Only | ExpatEdge continued claiming active Safe Harbor certification on its website years after its certification had lapsed. | Order |
| Gregory Navone | 2010-01-15 | FCRA | Gregory Navone falsely claimed his mortgage companies had robust data security, while personally storing consumers' sensitive financial documents without safeguards or proper disposal. | Order |
| Onyx Graphics, Inc. | 2010-01-15 | Section 5 Only | Onyx Graphics claimed to be 'Safe Harbor Certified' on its website after its certification had already lapsed. | Order |
| Progressive Gaitways LLC | 2010-01-15 | Section 5 Only | Progressive Gaitways falsely claimed Safe Harbor participation on two websites — one after its certification lapsed, and one that was never certified at all. | Order |
| World Innovators, Inc. | 2010-01-15 | Section 5 Only | World Innovators continued displaying Safe Harbor membership claims on its website for years after its certification expired. | Order |
| Iconix Brand Group, Inc. | 2009-10-15 | COPPA | Iconix collected personal data from roughly 1,000 children under 13 through fan and sweepstakes features without parental consent, violating COPPA and its own privacy policy. | Order |
| Cash Today, Ltd. | 2009-09-15 | Section 5 Only | Overseas payday lenders offered loans without required disclosures and then threatened consumers with arrest and prosecution to coerce repayment, even on potentially unenforceable loans. | Order |
| Metropolitan Home Mortgage, Inc. | 2009-08-15 | FCRA | Metropolitan Home Mortgage sent prescreened mortgage solicitations that lacked properly formatted opt-out notices as required by the FCRA and the Prescreen Rule. | Order |
| Quality Terminal Services, LLC | 2009-08-15 | FCRA | Quality Terminal Services denied jobs to applicants based on background check results without providing the legally required pre- and post-adverse action notices. | Order |
| TALX Corporation | 2009-07-15 | FCRA | TALX Corporation, a nationwide employment data reporting agency, failed for years to provide legally required notices to data furnishers and report users. | Order |
| Accusearch, Inc. | 2009-06-15 | Section 5 Only | Accusearch obtained consumers' confidential phone records by impersonating account holders and then sold those records to paying clients without consumers' knowledge. | Order |
| CVS CAREMARK CORPORATION | 2009-06-15 | Section 5 Only | CVS Caremark disposed of prescription bottles, pharmacy labels, and other documents containing consumers' personal and health information in unsecured public trash containers. | Order |
| James B. Nutter & Company | 2009-06-15 | GLBA | James B. Nutter & Company failed to implement basic information security safeguards and provided inaccurate privacy notices, resulting in its network being hijacked to send spam. | Order |
| Genica Corporation | 2009-03-15 | Section 5 Only | Genica Corporation falsely claimed to use state-of-the-art security for consumer data while actually storing credit card numbers and security codes in plain text, enabling SQL injection attacks. | Order |
| Premier Capital Lending, Inc. | 2008-12-15 | GLBA | Premier Capital Lending gave an unsecured third party login credentials to pull consumer credit reports and failed to monitor or audit use of that access. | Order |
| EMC Mortgage Corporation | 2008-09-15 | FCRA | EMC Mortgage made false representations to borrowers about loan balances and fees, charged unauthorized fees, and harassed borrowers in violation of multiple consumer protection laws. | Order |
| Reed Elsevier Inc. and Seisint, Inc. | 2008-08-15 | Section 5 Only | LexisNexis and Seisint failed to secure user credentials for their Accurint data products, allowing attackers to repeatedly access sensitive consumer records. | Order |
| The TJX Companies, Inc. | 2008-08-15 | Section 5 Only | TJX Companies stored customers' payment card data in clear text and used weak wireless security, enabling intruders to intercept vast amounts of sensitive information. | Order |
| ACTION RESEARCH GROUP, INC. | 2008-05-15 | Section 5 Only | Action Research Group impersonated account holders to fraudulently obtain confidential telephone records from carriers and sold them to third-party clients. | Order |
| GOAL FINANCIAL, LLC | 2008-04-15 | GLBA | Goal Financial failed to secure student loan applicants' sensitive data, allowing employees to steal thousands of consumer files for unauthorized use. | Order |
| Life is good, Inc. | 2008-04-15 | Section 5 Only | Life is Good falsely claimed to store customers' personal information securely while actually storing it in clear, unencrypted text. | Order |
| Ingenix, Inc. | 2008-02-15 | FCRA | Ingenix sold individual medical profiles — constituting consumer reports — to insurers without providing the legally required FCRA notice to those users. | Order |
| Milliman, Inc. | 2008-02-15 | FCRA | Milliman sold individual medical profiles to insurers for underwriting without providing the legally required FCRA notice to those insurer users. | Order |
| American United | 2007-12-15 | FCRA, GLBA | American United discarded consumer documents in an unsecured dumpster, failed to implement a written security program, and failed to provide customers with required privacy notices. | Order |
| CEO GROUP, INC. | 2007-12-15 | Section 5 Only | CEO Group sold confidential consumer telephone call records obtained through impersonation and false pretenses without account holders' knowledge or authorization. | Order |
| Guidance Software, Inc. | 2007-04-15 | Section 5 Only | Guidance Software falsely claimed strong data security while storing customer credit card data in clear text, enabling a hacker breach. | Order |
| Consumerinfo.com, Inc. | 2007-02-15 | Section 5 Only | Consumerinfo.com advertised 'free' credit reports but secretly enrolled consumers in a paid subscription service charged to the credit card they provided. | Order |
| Information Search, Inc. | 2007-02-15 | GLBA | Information Search, Inc. obtained consumers' confidential bank account data by impersonating customers to financial institution employees and then sold that information to clients. | Order |
| Integrity Security & Investigation Services, Inc. | 2006-10-15 | Section 5 Only | ISIS advertised and sold confidential consumer phone records and financial account information obtained by impersonating account holders without their authorization. | Order |
| CardSystems Solutions, Inc. | 2006-09-15 | Section 5 Only | CardSystems Solutions stored sensitive payment card data in a vulnerable format and failed to implement basic security, enabling a hacker to compromise millions of consumer records. | Order |
| Xanga.com, Inc. | 2006-09-15 | COPPA | Xanga knowingly allowed approximately 1.7 million children to create blogs and collected their personal data for targeted advertising without parental consent for five years. | Order |
| Nations Title Agency, Inc. | 2006-06-15 | GLBA | Nations Title Agency failed to implement basic security safeguards for consumers' mortgage-related financial data, enabling a hacker breach and violating privacy notice requirements. | Order |
| DSW Inc. | 2006-03-15 | Section 5 Only | DSW failed to implement reasonable security for sensitive payment card and bank account data it collected, leaving it vulnerable to a hacker who accessed information through multiple security gaps. | Order |
| Superior Mortgage Corporation | 2005-12-15 | GLBA | Superior Mortgage falsely claimed it encrypted consumer data submitted through its website using SSL while failing to implement required security under the GLB Safeguards Rule. | Order |
| Sun Spectrum Communications Organization, Inc. | 2005-10-15 | TSR, GLBA | Telemarketers falsely promised bad-credit consumers they were pre-approved for major credit cards, collected advance fees, and then never delivered the promised cards. | Order |
| BJ's Wholesale Club, Inc. | 2005-09-15 | Section 5 Only | BJ's Wholesale Club stored millions of payment card records in unencrypted form without proper access controls, enabling attackers to steal consumer financial data. | Order |
| Nationwide Mortgage Group, Inc. | 2005-04-15 | GLBA | Nationwide Mortgage Group failed to implement basic security safeguards for sensitive customer financial data and omitted required privacy notices. | Order |
| Vision I Properties, LLC | 2005-04-15 | Section 5 Only | CartManager International secretly collected consumer data through merchants' checkout pages and sold it to third-party marketers without disclosure. | Order |
| PETCO ANIMAL SUPPLIES, INC. | 2005-03-15 | Section 5 Only | PETCO falsely promised customers their credit card data was encrypted and completely secure, while actually storing it in unprotected clear text vulnerable to SQL injection attacks. | Order |
| Assail, Inc. | 2005-01-15 | TSR, GLBA | Assail ran a telemarketing scam that swapped promised credit cards for worthless stored-value cards while making unauthorized debits from consumers' bank accounts. | Order |
| Sunbelt Lending Services, Inc. | 2005-01-15 | GLBA | Sunbelt Lending failed to implement any meaningful security or privacy protections for customers' sensitive financial information, including Social Security numbers and credit histories. | Order |
| Gateway Learning Corporation | 2004-12-15 | Section 5 Only | Gateway Learning's 'Hooked on Phonics' business rented customers' personal information to third-party marketers in violation of its own promise never to share such data. | Order |
| Bonzi Software, Inc. | 2004-10-15 | Section 5 Only | Bonzi Software falsely claimed its InternetALERT security software would significantly protect computers from hackers when it could only monitor a limited number of ports. | Order |
| MTS, Inc. | 2004-06-15 | Section 5 Only | Tower Records exposed consumers' order and personal information online through a broken authentication flaw while falsely claiming its website was secure. | Order |
| UMG Recordings, Inc. | 2004-02-15 | COPPA | UMG Recordings collected extensive personal data from tens of thousands of children across its artist websites without adequate parental notice or verifiable parental consent. | Order |
| 30 Minute Mortgage Inc. | 2003-12-15 | GLBA | 30 Minute Mortgage falsely advertised low fixed-rate mortgages that did not exist, misrepresented itself as a direct lender, and falsely claimed SSL encryption protected consumer data. | Order |
| GUESS?, INC. | 2003-08-15 | Section 5 Only | GUESS? claimed its website encrypted all personal information while in reality storing data in plain text, vulnerable to well-known SQL injection attacks. | Order |
| Educational Research Center of America, Inc. | 2003-05-15 | Section 5 Only | ERCA collected personal data from millions of students under the guise of college recruitment surveys but secretly sold it to commercial marketers. | Order |
| Microsoft Corporation | 2002-12-15 | Section 5 Only | Microsoft falsely claimed its Passport service used strong security measures and safe servers while failing to implement basic safeguards against unauthorized access. | Order |
| Paula L. Garrett, d/b/a Discreet Data Systems | 2002-03-15 | GLBA | Paula Garrett ran an information brokerage that used impersonation and false pretenses to trick bank employees into disclosing customers' confidential account information, then sold that data. | Order |
| American Pop Corn Company | 2002-02-15 | COPPA | American Pop Corn Company collected children's personal information through its Kids Club website without parental notice or consent, while falsely claiming it would notify parents. | Order |
| Lisa Frank, Inc. | 2001-10-15 | COPPA | Lisa Frank's children's website collected personal information from children without parental consent and falsely claimed in its privacy policy that parental permission would be required. | Order |
| Bigmailbox.com, Inc. | 2001-04-15 | COPPA | Bigmailbox.com collected children's personal information through kids' websites without parental notice or consent and then used it for marketing. | Order |
| LookSmart Ltd. | 2001-04-15 | COPPA | LookSmart collected and publicly posted personal information of children under 13 on its message board service without parental consent. | Order |
| Monarch Services, Inc. | 2001-04-15 | COPPA | Monarch Services collected personal information from children under 13 on its kids' website without parental notice or consent. | Order |
| First American Real Estate Solutions, LLC | 1999-08-15 | FCRA | First American CREDCO routinely refused to reinvestigate disputed errors in merged credit reports, redirecting consumers to source repositories instead. | Order |
| Liberty Financial Companies, Inc. | 1999-08-15 | Section 5 Only | Liberty Financial's children's website collected personal information under a false promise of anonymity and never delivered the promised newsletter or prize drawings. | Order |
| ALDI INC. | 1997-09-15 | FCRA | ALDI denied job applicants based on consumer reports without notifying them that such information factored into the adverse employment decision. | Order |
| Bruno's Inc. | 1997-08-15 | FCRA | Bruno's Inc. denied job applicants based on consumer reports without notifying them that such information contributed to the adverse employment decision. | Order |
All data is available as structured JSON: