"However, when the company was just getting off the ground, we made the mistake of targeting certain advertising to human resources professionals, a practice regulated by FCRA," she elaborated.

"Those ads were ultimately removed," Saverice-Rohan said. "But I think one take-away from Spokeo's experience for other personal-data retailers is that mere reliance on your terms of use to demonstrate compliance with FCRA won't be sufficient."

Because credit-reporting agencies make sensitive personal data available to thousands of business clients, their vast stores of data are a magnet for identity thieves, who try to pose as legitimate buyers of consumer reports.

This is what happened in 2005 when a crime ring accessed over 163,000 consumer records in the databases of ChoicePoint and subsequently conducted at least 800 acts of account fraud, according the in a lengthy and highly publicized case. Similar cases have involved ACRAnet, Teletrack and Rental Research Services.