July 9, 2020

Volume X, Number 191

July 08, 2020

Subscribe to Latest Legal News and Analysis

July 07, 2020

Subscribe to Latest Legal News and Analysis

July 06, 2020

Subscribe to Latest Legal News and Analysis

Help with Yelp: Posting Personal Information in Response to a Negative Review Can Land You in Hot Water

Virtually every company that provides goods or services to the public will, at some point, have a negative review posted online by a dissatisfied consumer. While such reviews are understandably upsetting, a company should not respond in kind with negative comments about the reviewer and certainly should not reveal personal or sensitive information about them.

One California business owner learned this the hard way. According to allegations in a complaint filed on behalf of the Federal Trade Commission (FTC), a mortgage company (through its sole owner) allegedly responded to consumers who posted negative reviews on Yelp by revealing their credit histories, debt-to-income ratios, taxes, health information, sources of income, family relationships, and other personal data. Further, several of the responses revealed the first and last names of the reviewers. According to the FTC, this conduct violated the Fair Credit Reporting Act (FCRA), which places a legal obligation on credit reports users to keep that information confidential and disclose it to third parties only when there is a legitimate need to do so.

The FTC further alleged that the company and its owner violated the FTC Act and other federal law, including by their failure to implement an information security program until September 2017 and not subsequently testing the program.

To resolve the litigation, the broker and his company agreed to pay a $120,000 penalty to settle the alleged FCRA violation. In addition, the broker and company are prohibited from misrepresenting their privacy and data security practices, misusing credit reports, and improperly disclosing nonpublic personal information to third parties. The company also was ordered to implement a comprehensive data security program to protect personal information it collects. It must obtain third-party assessments of this program every two years (for a period of 10 years). Furthermore, the company must designate a senior corporate manager responsible for overseeing the data security program to certify compliance with the order every year.

As for those negative online reviews, rather than privately seething or engaging in a personal attack on the person who posted it, a better approach would be to acknowledge the customer’s concerns and apologize for their experience (even if you believe they are wrong), say something positive about your company and your willingness to try to resolve the issue, and move to take the conversation offline by providing contact information should the reviewer wish to continue the discussion.

Copyright © 2020 Robinson & Cole LLP. All rights reserved.National Law Review, Volume X, Number 16


About this Author

Jean Tomasco, Robinson Cole Law Firm, Hartford, Labor and Employment, Litigation Law Attorney

Jean Tomasco's practice involves employer counseling and employment litigation, with an emphasis on the Employee Retirement Income Security Act (ERISA) and benefits litigation. She is a member of the firm’s Health + Benefits Litigation Team and its Labor, Employment, Benefits + Immigration Group.

Employee Benefits and Compensation Litigation

Jean has more than two decades of experience handling benefit claims litigation. She represents insurers, managed care organizations, and employers in benefit...