On February 20th, after a period for public comment, the FTC approved a final order settling charges against Compete, Inc., a market research company that collects online data for the purpose of developing and selling reports about consumer behavior on the Internet. The action demonstrates the FTC’s continuing concern about online tracking technologies and follow-through on its intention to regulate their use, as manifested in its March 2012 Report entitled “Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers,” discussed on this blog here.
According to the FTC’s Complaint, beginning in 2006 Compete used two devices to obtain information from consumers. The first was a Toolbar which advertised that consumers would get “instant access” to information about the websites they visited. The second was the “Consumer Input Panel,” which allowed consumers to earn rewards by giving their opinions about products and services. By the end of October 2011, Compete had collected data from over four million consumers. The Complaint alleged four acts of misconduct based on Compete’s misrepresentations or failure to disclose information regarding the use of these devices.
First, Compete disclosed it was collecting browsing behavior or web addresses, but failed to disclose that its products would collect extensive information such as credit card and financial account numbers, security codes and expiration dates, and Social Security Numbers.
Second, Compete represented, expressly or implicitly, that it stripped all personal information out of the data it collected when it in fact did not properly scrub all personal data before transmitting it from consumers’ computers.
Third, Compete represented, expressly or implicitly, that it employed reasonable and appropriate measures to protect data from unauthorized access, when it in fact did not. The FTC alleged that Compete created unnecessary risks of unauthorized access by transmitting sensitive information from web pages, failed to design and implement reasonable safeguards, and failed to use readily available, low-cost security measures.
And fourth, that this failure to provide adequate security caused, or was likely to cause, substantial injury to consumers.
In the final order settling these charges, a number of restrictions were placed on Compete’s business practices over the next twenty years. Compete is prohibited from using software to collect any information in the future unless it first discloses to the consumer the types of information that will be collected and how the information will be used, and obtains the express consent of the consumer to collect, use, or share the information. Information collected prior to the date of the order must either be destroyed, or aggregated or anonymized before it is used. Compete must notify all affected consumers that they currently have or once had software on their computer which collects and transmits information to Compete, and must provide information on how to permanently disable or uninstall such software. Compete must also implement security measures to protect any information that is collected, and is required to obtain an initial, then biennial, assessment and report from a third-party professional regarding the adequacy of such protection.
The resolution of the Compete matter is further evidence of the FTC’s firm stance on tracking technologies as well as its focus on disclosure, consent, and security as touchstones of best practices in this area.