FTC Busts Sears in Behavioral Tracking Case

Published on 22 June 2009 by andrew in Blog

I hate to say I told you so, but … I told you so.

In mid-May I made a post on this blog and wrote an article for www.revenews.com discussing the FTC’s new “self-regulatory” principles for businesses engaged in online behavioral advertising. Some of the key take-aways from the FTC’s staff report were that it wants to provide consumers real transparency and control (i.e., a prominent notice and opt-out ability) over the collection of personally identifiable (or computer- or device-identifiable) data for behavioral advertising, and that it does not like the required disclosures and “choice mechanism” to be buried in a privacy policy or similarly lengthy legal document. I also warned readers not to be fooled by the “self-regulatory” moniker — it was only a matter of time before the FTC started filing complaints against violators for unfair or deceptive advertising practices under Section 5 of the FTC Act.

And so it has. On June 4 the FTC announced the settlement of an administrative action against Sears Holdings Management Corporation for allegedly encouraging website users to join an interactive community for which they would be required to download and install “research software” that Sears told them would confidentially track their “online browsing.” Actually, according to the FTC’s complaint, the software, which, unbeknownst to computer users, was always running in the background, tracked just about everything they did and viewed using their computers, both on and off the Internet, including the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and header and size information for web-based e-mails, and relayed this information back to Sears’ servers.

Initial disclosures, a linked privacy policy and buoyant statements encouraging consumers to become part of an interactive “My SHC Community” failed to communicate adequately the scope of the data collected or the unceasing operation of the tracking software. Only in a labyrinth of more detailed terms buried within the subterranean folds of a typically legalistic privacy policy and user license agreement (presented in a scroll box at the end of a lengthy registration process) was there full and accurate disclosure of what the software actually did and the types of data it collected.

From a privacy standpoint, Sears’ two cardinal sins appear to be (1) using general and harmless-sounding language like “online browsing” to describe the software’s tracking when it also tracked secure web sessions, sessions on third-party websites and (most misleading) certain computer activities not related to the Internet; and (2) burying the specifics in a legal document which was presented late in the process so that consumers were unlikely to see the pertinent information before they made the decision to download and install the software.

In the proposed settlement agreement submitted for public comment, the FTC requires Sears to stop collecting data from consumers who had previously installed the tracking software and to destroy all data collected to date. Notably, it also requires Sears, when advertising or disseminating such tracking software in the future, to clearly and prominently make highly detailed privacy disclosures, including the types of data and Internet interactions captured or monitored, how the data will be used and whether the data may be used by third parties.

These super-granular privacy disclosures must appear not only prior to the downloading and installation of the tracking software, but also “prior to the display of, and on a separate screen from” any final privacy policy, license agreement or terms of use. Consumers must also be prompted to opt in to initiate the software download and collection of data by clicking a button or link where this option is clearly described and is not pre-selected. (This opt-in requirement actually goes further than the self-regulatory principles, which require an opt-in only for the collection of “sensitive” information, such as Social Security numbers, financial data, data about children and health information, for behavioral advertising purposes.)

To read the FTC’s complaint and the proposed settlement agreement and consent order, please click here.
