This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.
The provider of a membership reward service aimed at consumers trying to save money for college has agreed to settle FTC charges that it deceived consumers by using a web-browser toolbar to collect their personal information without making adequate disclosures about the information collected, the Commission announced yesterday.
The service provided by Upromise Inc. allowed member consumers to receive rebates when they buy goods or services from Upromise partner merchants. These rebates were placed into the consumers' college saving accounts.
According to the FTC, Upromise's website offered consumers a "TurboSaver Toolbar" download that would highlight participating merchants in consumers' search results. When downloading the toolbar, consumers saw a message that encouraged them to enable the "Personalized Offers" feature of the Toolbar, which Upromise allegedly claimed would collect information about the websites they visited "to provide college savings opportunities tailored to you."
Collection, Transmission of Personal Information
This feature allegedly collected and transmitted, in clear text, the names of all websites consumers visited and which links they clicked on, as well as information they entered into some webpages, such as search terms, user names, and passwords.
In some cases, the information collected included credit card and financial account numbers, user names and passwords used to access secured websites, security codes and expiration dates, and any Social Security numbers consumers entered into the webpages. The Toolbar transmitted consumers' information without encryption.
According to the FTC, the privacy statement associated with the toolbar stated that the toolbar would collect and transmit information about websites consumers visited, and that "infrequently" the collection might "inadvertently" collect a "name, address, email address or similar information," but that any personally identifying information would be removed before the data was transmitted.
Upromise, the FTC alleged, failed to disclose the extent of information collected by the toolbar and deceptively misrepresented that it encrypted data and took reasonable data security measures. The failure to protect consumers’ data from unauthorized access was itself an unfair practice, the FTC said.
The proposed settlement order, if made final, will require Upromise Inc. to clearly disclose its data collection practices and to obtain consumers' consent before installing or re-enabling any such toolbar products. Upromise also would have to tell consumers how to uninstall the toolbars already on their computers. The settlement will bar misrepresentations about the extent to which the company maintains the privacy and security of consumers' personal information.
Destruction of Data
Upromise agreed to destroy the data collected through the Personalized Offers feature of the toolbar, to provide clear and prominent disclosures to consumers, and to receive their affirmative consent before installing any similar product. In addition, the agreement requires Upromise to establish a comprehensive information security program and to obtain biennial independent security assessments for the next 20 years.
The Commission vote to issue the administrative complaint and accept the consent agreement package containing the proposed consent order for public comment was 4-0.
The action is In the Matter of Upromise Inc., FTC File. No. 102 3116. The complaint and an agreement containing consent order appear on the FTC website. A news release appears here.
Further information will be reported in the CCH Trade Regulation Reporter.