A recent FTC settlement underscores that, in 2012, the FTC will continue to hold companies accountable for providing full disclosures about the extent to which their online services collect and transmit personal information. On January 5, 2012, the FTC announced a settlement with Upromise, Inc., a membership service that helps consumers save money for college, over charges that the company misled users about the extent to which it collected and shared their personal information through a “Personalized Offers” feature on a web browser toolbar, and then failed to properly secure the user information that it collected.
Upromise provides a service that allows users to contribute to a college savings account by collecting rebates that are acquired when users purchase goods and services from Upromise partner merchants. Upromise provided users with a web browser toolbar that highlighted Upromise’s partner merchants appearing in a user’s search results, thereby enabling users to more easily identify merchants that provide the college-savings rebates.
According to the FTC, when users enabled the “Personalized Offers” feature, the toolbar collected and transmitted the names of the websites visited by users, as well as information that users entered into those websites, including search terms, user names and passwords, and financial information. The Commission also alleged that users who downloaded the toolbar were told by Upromise that any personal information collected would be removed before it was transmitted, and that Upromise had security features in place to protect the personal information. The FTC claimed that Upromise’s alleged actions were unfair and deceptive and violated the FTC Act.
The FTC settlement bars Upromise from using its web browser toolbar to collect users’ personal information without clearly and conspicuously disclosing the extent of its data collection practices before users download the toolbar. Upromise also must destroy any personal information previously collected through the “Personalized Offers” feature, obtain consumers’ consent before installing or re-enabling its toolbar products, and notify users how to uninstall the toolbars currently residing on their computers. The settlement further bars Upromise from making material misrepresentations about the extent to which it protects the privacy and security of consumers’ personal information, and requires the company to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years.