The FTC’s recent settlement with a web analytics company underscores its privacy and data security priorities
By Julie O’Neill
The FTC alleged that:
- Compete failed to disclose to consumers the full extent of the information that the software would collect from them. According to the complaint, Compete induced consumers to download its tracking software in various ways, including by encouraging them to join a “Consumer Input Panel” that would reward them for sharing their opinions about products and services, or to install the Compete Toolbar, which would give them “instant access” to data about the websites they visited. Compete generally described the software as collecting “the web pages you visit,” “the sites, products and services you interact with” and “the addresses of the web pages you visit online.” In fact, the FTC alleged, the software collected far more than browsing behavior or web page addresses, including information about consumers’ interactions with websites visited—such as usernames, passwords, search terms and other information submitted—as well as sensitive personal information, such as Social Security numbers and payment card information. According to the FTC, the company’s failure to disclose the true extent of the data collection was deceptive, in violation of Section 5 of the FTC Act.
- Compete misrepresented that it used reasonable measures to protect consumers’ data from unauthorized access. Moreover, its failure to have such measures in place was unfair. According to the FTC, although the company promised consumers that it would protect their personal information, it failed to take basic steps to do so. For instance, Compete allegedly transmitted sensitive personal information from secure web pages over the Internet in clear text and did not use readily available and low-cost tools to address the risk that the software would collect sensitive information that it was not authorized to collect. The FTC also charged that the company’s failure to use reasonable and appropriate security measures was unfair, in addition to being deceptive, because such failure “caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers.”
The proposed relief
The FTC’s proposed consent order with Compete contains the ban, customary in deception cases, on future misrepresentations about the company’s privacy and data security practices. Consistent with other recent data security settlements, the proposed order would also require Compete to implement a comprehensive information security program with independent third-party audits every two years for 20 years.
Why does this action matter?
The action against Compete is a continuation of a line of FTC cases involving allegedly surreptitious online data collection—beginning years ago with the FTC’s spyware cases and most recently its action against Upromise, Inc., a company that licensed the Compete software. The Compete action is noteworthy because it demonstrates that:
- The FTC continues to be serious about ensuring that consumers have all of the information they need to make informed decisions about how their data may be collected and used. In the FTC’s view, a failure to disclose material information collection, use and/or disclosure practices is deceptive. A practice is “material” if it would affect the consumer’s decision to engage with the company. Here, the FTC took the position that the collection of a wide variety of information submitted online—including sensitive personal information and not just the promised URLs—is material to consumers.
- The FTC continues to believe that a company’s failure to have reasonable measures in place to protect personal information is unfair, even if the company makes no data security promises and even, it appears, absent a breach. The FTC has brought a number of unfairness cases against companies that allegedly had inadequate data security practices in place—typically following a publicized breach. Its complaint against Compete mentioned no breach but nonetheless charged the company with unfairness, on the grounds that its “failure to employ reasonable and appropriate measures to protect consumer information—including credit card and financial account numbers, security codes and expiration dates and Social Security numbers—caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers.”
- The FTC continues to use a robust template for privacy and data security orders. If the case against Compete is any indication, the FTC will continue to impose onerous injunctive relief on companies that do not abide by their own privacy and data security promises, including the obligation—even where no breach has been alleged—to obtain an independent data security audit every other year for 20 years.
Julie O’Neill of Morrison Foerster LLP counsels clients in all areas of state and federal consumer protection law. She also assists clients with the creation of compliance programs for the laws regulating the collection, use, and disclosure of customers’ personal information. She previously served as a staff attorney in the FTC’s New York regional office, where she investigated violations of federal consumer protection law. She is recommended by Legal 500 US 2012 in the areas of data protection and privacy and marketing and advertising.