Privacy Advisor

The FTC’s recent settlement with a web analytics company underscores its privacy and data security priorities

December 1, 2012

O'Neill_Julie



By Julie O’Neill

On October 22, the Federal Trade Commission announced that it had settled charges with Compete, Inc., a web analytics company that uses tracking software to collect data on consumers’ online browsing behavior. As explained in greater detail below, the FTC alleged that Compete had engaged in deceptive practices, in violation of Section 5 of the FTC Act, by misrepresenting the extent of its data collection practices and failing to honor its data de-personalization and other data security promises. The FTC further charged that the company’s failure to have reasonable data security practices in place was unfair, also in violation of Section 5. The proposed consent order would, among other things, require Compete to provide consumers with notice, outside of its privacy policy, of the types of data it collects and obtain their express consent to such collection.

The allegations

The FTC alleged that:

  • Compete failed to disclose to consumers the full extent of the information that the software would collect from them. According to the complaint, Compete induced consumers to download its tracking software in various ways, including by encouraging them to: join a “Consumer Input Panel” that would reward them for sharing their opinions about products and services, or install the Compete Toolbar, which would give them “instant access” to data about the websites they visited. Compete generally described the software as collecting “the web pages you visit,” “the sites, products and services you interact with” and “the addresses of the web pages you visit online.” In fact, the FTC alleged, the software collected far more than browsing behavior or web page addresses, including information about consumers’ interactions with websites visitedsuch as usernames, passwords, search terms and other information submittedas well as sensitive personal information, such as Social Security numbers and payment card information. According to the FTC, the company’s failure to disclose the true extent of the data collection was deceptive, in violation of Section 5 of the FTC Act.
  • Compete misrepresented that it would strip all personal information out of the data collected. According to the FTC, the company made unqualified promises in its privacy policy about its filtering of the personal information it collected. Specifically, it allegedly stated, “All data is stripped of personally identifiable information before it is transmitted to our servers. Our data collection techniques have been designed to purge personally identifiable information wherever we find it.” The company apparently attempted to keep these promises, but, in the FTC’s view, its measures were inadequate because its filters were too narrow and improperly structured, and it failed to use a simple, commonly used algorithm to filter out credit card numbers. According to the FTC, the company’s de-personalization promises were therefore deceptive.
  • Compete misrepresented that it used reasonable measures to protect consumers’ data from unauthorized access. Moreover, its failure to have such measures in place was unfair. According to the FTC, although the company promised consumers that it would protect their personal information, it failed to take basic steps to do so. For instance, Compete allegedly transmitted sensitive personal information from secure web pages over the Internet in clear text and did not use readily available and low-cost tools to address the risk that the software would collect sensitive information that it was not authorized to collect. The FTC also charged that the company’s failure to use reasonable and appropriate security measures was unfair, in addition to being deceptive, because such failure “caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers.”

The proposed relief

The FTC’s proposed consent order with Compete contains the ban, customary in deception cases, on future misrepresentations about the company’s privacy and data security practices. Consistent with other recent data security settlements, the proposed order would also require Compete to implement a comprehensive information security program with independent third-party audits every two years for 20 years.

In addition, the order would require the company to provide consumers with robust, out-of-policy notice of the types of data its software collects and obtain their express consent to such collection. The proposed order is specific: Compete must clearly and prominently, prior to the display of and on a separate screen from any privacy policy, end-user license agreement, terms of use or similar document, fully disclose the information it collects. Moreover, the proposed order provides that the notice must disclose, to the extent applicable, that the company will collect the following categories of data, as well as how it will use and disclose such data: completed and/or incomplete consumer transactions; communications in forms, online accounts, web-based e-mail accounts or search engine pages, and whether the information collected includes personal, financial or health information. These obligations apply both when Compete interacts directly with consumers, as well as when its clients use the Compete software to collect data from consumers.           

Why does this action matter?

The action against Compete is a continuation of a line of FTC cases involving allegedly surreptitious online data collection—beginning years ago with the FTC’s spyware cases and most recently its action against Upromise, Inc., a company that licensed the Compete software. The Compete action is noteworthy because it demonstrates that:

  • The FTC continues to be serious about ensuring that consumers have all of the information they need to make informed decisions about how their data may be collected and used. In the FTC’s view, a failure to disclose material information collection, use and/or disclosure practices is deceptive. A practice is “material” if it would affect the consumer’s decision to engage with the company. Here, the FTC took the position that the collection of a wide variety of information submitted online—including sensitive personal information and not just the promised URLs—is material to consumers.
  • The FTC believes that certain disclosures are sufficiently material to warrant clear and conspicuous disclosure at a meaningful point in time, outside of a company’s privacy policy. In recent years, the FTC has encouraged industry to provide consumers with this type of “just in time” notice. It recently reiterated this position in its proposed revisions to its rule implementing the Children’s Online Privacy Protection Act, stating that it urges industry “to provide consumers with notice and choice about information practices at the point consumers enter personal data or before accepting a product or service.” The proposed order against Compete provides for such notice. Moreover, it goes so far as to specify certain categories of information that must be addressed in the notice.
  • The FTC will remain vigilant in holding companies to their privacy and data security promises. For years, the FTC has brought deception charges against companies that allegedly failed to comply with their own representations—typically made in a privacy policy—about their information collection, use, disclosure and/or security practices. The action against Compete indicates that it continues to take this issue seriously.
  • The FTC continues to believe that a company’s failure to have reasonable measures in place to protect personal information is unfair, even if the company makes no data security promises and even, it appears, absent a breach. The FTC has brought a number of unfairness cases against companies that allegedly had inadequate data security practices in place—typically following a publicized breach. Its complaint against Compete mentioned no breach but nonetheless charged the company with unfairness, on the grounds that its “failure to employ reasonable and appropriate measures to protect consumer information—including credit card and financial account numbers, security codes and expiration dates and Social Security numbers—caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers.”

  • The FTC continues to use a robust template for privacy and data security orders. If the case against Compete is any indication, the FTC will continue to impose onerous injunctive relief on companies that do not abide by their own privacy and data security promises, including the obligation—even where no breach has been alleged—to obtain an independent data security audit every other year for 20 years.

 

Julie O’Neill of Morrison Foerster LLP counsels clients in all areas of state and federal consumer protection law. She also assists clients with the creation of compliance programs for the laws regulating the collection, use, and disclosure of customers’ personal information. She previously served as a staff attorney in the FTC’s New York regional office, where she investigated violations of federal consumer protection law. She is recommended by Legal 500 US 2012 in the areas of data protection and privacy and marketing and advertising.