The Federal Trade Commission made two recent announcements in support of its ongoing initiative to protect consumer privacy, settling an enforcement action against a data analytics company that allegedly failed to disclose adequately its consumer data collection practices and announcing that it will conduct a workshop on consumer data collection practices on December 6, 2012, in Washington, D.C.
Company Resolves FTC Claims Regarding Its Data Collection Practices
The FTC announced last week that analytics company Compete Inc. has settled charges that it violated federal law by using its web-tracking software to collect personal data without disclosing to consumers the extent of the information that it was collecting and that the company failed to honor promises it made to protect the personal data it collected. The proposed settlement requires that the company obtain express consent before collecting any data through software downloaded onto consumers' computers, that the company delete or anonymize the use of any data it already has collected, and that it provide directions to consumers for uninstalling its software. This is the latest in a string of enforcement actions alleging unfair and deceptive trade practices related to data collection and reflects the agency's continued focus on consumer online privacy.
Compete allegedly used tracking software to collect data on the browsing habits of consumers and sold reports on the data to clients to help improve website traffic and sales. The FTC's complaint alleged that the company convinced consumers to download its tracking software using deceptive methods, including by urging them to join a "Consumer Input Panel" and promising rewards for sharing their opinions about products and services. The company also allegedly promised that consumers who installed its Compete Toolbar, another type of software, would have "instant access" to data about the websites they visited. Once installed, the tracking component of the software allegedly operated in the background, automatically collecting information about consumers' online activity, including usernames, passwords, search terms, and sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security numbers.
The FTC charged that Compete's business practices were unfair or deceptive in 1) failing to disclose that Compete would collect detailed information consumers provided in making purchases, not just the web pages they visited, as the company represented; 2) making false and deceptive assurances to consumers that their personal information would be removed from the data it collected, by stripping the data of personally identifiable information before it was transmitted to the company's servers; and 3) representing that the company took reasonable security measures to protect against unauthorized access to or disclosure of personal information. According to the FTC's complaint, Compete allegedly failed to remove personal data before transmitting it, failed to provide reasonable and appropriate data security, transmitted sensitive information from secure websites in readable text, failed to design and implement reasonable safeguards to protect consumers' data, and failed to use readily available measures to mitigate the risk to consumers' data.
In addition to requiring that the company and its clients fully disclose the information they collect and obtain consumers' express consent before they collect data in the future, the proposed settlement bars Compete from making misrepresentations about its privacy and data security practices and requires that the company implement a comprehensive information security program with independent third-party audits every two years for the next 20 years.
FTC Announces Data Collection Workshop Will Be Held on December 6
Keeping with the commitment it made in its March 2012 report, Protecting Consumer Privacy in an Era of Rapid Change, the FTC announced it will conduct a workshop on December 6, 2012, to explore the practices and privacy implications of comprehensive collection of data on the online activities of consumers.
According to the announcement, the workshop will host consumer protection organizations, academics, business and industry representatives, and privacy professionals, among others, to examine the collection and use of data about users across the Internet by Internet service providers (ISPs), operating systems, browsers, social media, and mobile carriers, as well as potential benefits, privacy concerns, and related issues. The agency intends that this workshop will delve into issues beyond those covered in recent workshops on privacy, including those on online behavioral advertising and mobile privacy.
The workshop will cover these topics:
The methods used to collect data about consumers' activities across the Internet
The benefits and possible privacy challenges of comprehensive data collection
The entities that are capable of - and currently engaged in - comprehensive data collection
Consumer awareness of and attitudes toward comprehensive data collection
Effective methods for companies that engage in comprehensive data collection to inform consumers about data collection and provide them with meaningful choice
Privacy risks created by serving as a host for third-party applications
Existing choices among online products and services, and whether they give consumers sufficient meaningful options if they wish to avoid products or services that use comprehensive data collection
Existing legal protections and those that should be provided
The workshop will be free and open to the public.
For more information about the content of this alert, please contact Michael Mallow, Ieuan Jolly or Michael Thurman (follow him on Twitter @CPD_Attorney).
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.