Online Membership Service Settles FTC Charges That Browser Toolbar Deceptively Collected Consumers' Personal Information
Membership Toolbar Collected Personal Information
According to the FTC, Upromise is a membership reward service in which members receive rebates when making online purchases from merchants who participate in the Upromise program. Members were required to download and install the Upromise TurboSaver Toolbar (“Toolbar”) in their web browsers. Among other things, the Toolbar modified the user’s Internet browser to highlight Upromise merchants in consumers’ search results. The Toolbar, which was developed by a third-party service provider, had an optional “Personalized Offers” feature, which collected and transmitted information through the browser for analysis by the service provider. The FTC’s complaint was based on the use of the Toolbar to gather information about Upromise members’ online behavior and to target advertising to the user.
FTC Claimed Tools Had Inadequate Privacy Protection
Upromise told its customers that the modified version of the Toolbar, called the “Targeting Tool,” gathered information about the websites that consumers visited. The FTC’s complaint alleged that Upromise failed to disclose the full extent of data collected through the software. The FTC claimed that the Targeting Tool collected information including: the names of all web sites visited; all links clicked; usernames, passwords, and search terms; financial account numbers; and Social Security numbers, all without the consumers’ knowledge. According to the complaint, the feature was enabled on at least 150,000 computers.
Upromise privacy and security statements also claimed that personal information might occasionally be collected by the feature, but a filter would remove it before transmission. According to the FTC, the filter was ineffective. For example, it blocked the entry of data in a field named “PIN,” but not in one named “security code.” Upromise also stated that personal information was encrypted before transmission, but the information was transmitted in clear text, according to the FTC. The policies further stated that Upromise had implemented procedures to safeguard personal information, and those procedures had been inspected by industry specialists.
Based on these alleged inconsistencies, the FTC claimed that Upromise misrepresented its privacy and security practices, including falsely stating that consumers’ data would be encrypted. The complaint alleged that the inaccurate privacy assurances constituted false and deceptive practices in violation of federal law.
FTC Claimed Company Failed to Use Readily Available Measures to Address Risks
According to the FTC, Upromise “failed to use readily available, low-cost measures to assess and address the risk that the Targeting Tool would collect such sensitive consumer information it was not authorized to collect.” FTC Complaint ¶ 14.b. Among other things, Upromise did not test the feature before distributing it and did not monitor its proper operation. Upromise also allegedly failed to adequately train its employees with regard to security risks.
According to the FTC:
Tools for capturing data in transit, for example over unsecured wireless networks such as those often provided in coffee shops and other public spaces, are commonly available, making such clear-text data vulnerable to interception. The misuse of such information—particularly financial account information and Social Security numbers—can facilitate identity theft and related consumer harms.
Proposed Consent Order at 2544.
Upromise Must Make Clear Disclosures
Without admitting the FTC’s factual and legal allegations, Upromise agreed to a consent order, which required Upromise to destroy the data collected through the Personalized Offers feature, and to inform consumers of the types of information it might have collected, and how to disable the Personalized Offers feature and uninstall the Toolbar.
1. All the types of data that the Targeting Tool will collect, including but not limited to, if applicable, a statement that the data includes transactions or communications between the consumer and third parties in secure sessions, interactions with shopping baskets, application forms, online accounts, web-based email accounts, or search engine pages, and if the information includes personal, financial or health information.
Upromise must obtain consumers’ express consent to the enabling of the feature and the collection of data. Finally, Upromise is prohibited from misrepresenting its privacy and security practices. Upromise must establish and maintain a comprehensive information security program to be independently audited biennially for twenty years.
©2012 Bloomberg Finance L.P. All rights reserved. Bloomberg Law Reports ® is a registered trademark and service mark of Bloomberg Finance L.P.