The Federal Trade Commission’s (FTC) recent settlement against an online college savings program that used toolbars to collect personal information focused on what its members were actually giving away unwittingly – their personal information and data security – rather than on what they might be saving for college expenses.
The settlement in this case highlights the FTC’s continuous efforts to crack down on privacy and data security violations regarding the collection, use, and security of personal information. This time the focus was on the use of toolbars as a collection vehicle, and the related takeaways are in the form of important new rules for the use of toolbars or similar software for collecting personal information.
The defendant online service provides a membership program that permits its members to contribute to a savings account for college expenses. The contributions to the savings account are in the form of rebates and discounts from products and services purchased by members from participating merchant partners.
As part of its service to members, the service offers a software toolbar that is supposed to assist members in finding participating merchants based on online searches. Downloading and installing the toolbar is a default setting for members because in some instances the user is required to uncheck the toolbar option in order to opt out of the toolbar download.
Members using the toolbar are offered an “Enable Personalized Offers Option” for their browsers that enables the collection of information about the websites they visit for purposes of identifying participating merchants that provide eligible offers and discounts.
This toolbar and the privacy promises accompanying it are the basis of the FTC’s lawsuit against the membership service.
* [We are] “committed to earning and keeping your trust”;
* “We understand the need for… personal information to remain secure”;
* “We have implemented policies and procedures designed to safeguard your information”; and
* “We protect your data by… SSL, Data, and Password protection technology….”
The FTC’s Allegations
The FTC alleges that the membership service engaged in unfair and deceptive trade practices by:
* using a toolbar for the collection of personal information that exceeded the frequency and scope of the data collection promises by collecting extensive information including the names of all websites visited, all links clicked by the user and information that users entered into certain web pages, such as usernames, passwords, search terms, credit card information, expiration dates, security codes and social security numbers,
* transmitting data in clear text and thereby allowing third parties to easily intercept and steal data transmitted over the Internet,
* failing to disclose material facts to consumers regarding data collection and transfer practices, and
* failing to provide reasonable and appropriate security for the consumer information collected.
Conclusion – Important Settlement Takeaways
The settlement takeaways in this case are important for all Internet marketers that distribute toolbars or similar software (referred to by the FTC as “Targeting Tools”) for the collection of personal information.
Two settlement takeaways are noteworthy in terms of the FTC’s requirements for clear and prominent disclosures:
* timing – the disclosures must be before the installation of the toolbar or other similar software, and
Although the settlement does not mention “Privacy By Design” per se, the settlement takeaways listed above are consistent with the FTC’s commitment to this new approach to privacy first announced in the FTC’s Preliminary Staff Report issued in December, 2010.
This article is provided for educational and informative purposes only. This information does not constitute legal advice, and should not be construed as such.