A “sting operation” (I’m not sure it took that much stealth, but hey) has uncovered 10 U.S. companies that may be willing to sell people’s data in violation of the Fair Credit Reporting Act, according to the U.S. Federal Trade Commission.

Commission paralegals and investigators pretended they were representing businesses or individuals on the market for consumer data such as credit scores. “They made very clear they intended to use the data for an FCRA-covered purpose,” Laura Berger, a commission attorney, tells Popular Science.

Out of 45 data companies commission staffers shopped with, they found 10 didn’t follow through with Fair Credit Reporting Act obligations such as asking for evidence that an employer buying data about an employee had informed the employee. (Remember those credit report releases you often have to sign when you start a new job?) The commission didn’t actually go through with any data purchases, however, so it can’t say if the companies perhaps would have followed the law later on in the purchasing process, Kristen Anderson, another commission attorney, says.

“In the contacts that we made with those companies, there just seemed to be a willingness to provide information for FCRA-covered purposes without necessarily complying with the law,” Anderson says.

ConsumerBase and one unnamed company seemed willing to sell lists of people pre-screened for credit card offers. Brokers Data and U.S. Data Corporation seemed willing to sell information insurance companies use to decide whom to cover and how much to charge., 4Nannies, U.S. Information Search, People Search Now, Case Breakers and USA People Search seemed willing to sell data employers use to decide whom to hire or to evaluate their employees.

The commission has sent the companies informal warning letters. Since it didn’t find hard evidence of wrongdoing, the letters don’t represent legal action. Instead, they “encourage” the companies to do some internal reviews.