
Oct 19

FTC Sears Settlement Remakes Data Collection Disclosure Landscape



The Federal Trade Commission (“FTC”) recently approved a settlement of a complaint against Sears Holding Management Company (“Sears”) over Sears’s failure to disclose certain online data collection practices. The settlement, which reflects the FTC’s increasing focus on privacy, has received attention. Below is a summary of the case and suggestions for companies that track online user behavior.

The Complaint

According to the FTC’s administrative complaint, Sears presented 15% of the visitors to its sears.com and kmart.com websites with a “My SHC Community” pop-up box.


Consumers who supplied e-mail addresses to Sears via the pop-up box received an e-mail from Sears, inviting them to register with Sears and to download a piece of “research” software that would track their online browsing. The “research” software application collected comprehensive information about the user’s web browsing activities, as well as information about the user’s personal computer. In exchange for becoming a member of the My SHC Community, and using the “research” software for at least one month, members would receive a $10 payment. 

The “My SHC Community” registration page presented a “Privacy Statement and User License Agreement” in a scroll box that displayed ten lines of the multi-page document at a time. The “research” software functions appeared on approximately the 75th line down in the scroll box. To register, users needed to check a box indicating that they agreed to the terms and conditions of the Privacy Statement before downloading and installing the application.

Importantly, the Privacy Statement disclosed several details regarding the application. It said, for example, that the application monitored “all Internet behavior” including “normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.” 

The FTC complaint charged that Sears failed to adequately disclose the scope of the tracking software’s data collection in violation of Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC said that Sears “failed to disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers, including information exchanged between consumers and websites other than those owned, operated or affiliated with [Sears], information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based e-mails; track certain non-Internet-related activities taking place on those computers; and transmit nearly all of the monitored information…to [Sears’] remote computer servers.”

The Settlement

Under the settlement with the FTC, Sears has now agreed, among other things, to cease collecting data transmitted by any tracking application installed before the settlement date, and to destroy any information collected by any Sears tracking application prior to that date. If Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation of the software and separate from any user license agreement or privacy policy. Sears must also disclose whether any of the data will be used by a third party.

Guidance for Companies Considering Tracking Online User Behavior

In light of the FTC-Sears settlement, companies that track online user behavior should consider the following:

1. Recognize that the federal agency overseeing online advertising is focusing more and more on privacy protection, and protection of consumers’ “dignity interest”. The FTC’s “Self Regulatory Principles for Online Behavioral Advertising” (advisory guidance for purposes of self-regulation) are available here and should be considered carefully.

2. Disclose:
(a) all the types of data that will be monitored, recorded, or transmitted, including whether the data may include information from the consumer’s interactions with a specific set of websites or from a broader range of internet interaction; whether the data may include transactions or information exchanged between the consumer and third parties in secure sessions; interactions with shopping baskets, application forms, or online accounts; and whether the information may include personal financial or health information;
(b) how the data may be used; and
(c) whether the data may be used by a third party.

The disclosures should be clear and prominent and made prior to the display of, and on a separate screen from, any final Terms of Use or Privacy Policy.

3. Obtain express consent from the consumer to any download or installation and to the collection of data. Consider having consumers click on a button or link that is not pre-selected (i.e., not the default option) and that is clearly labeled or otherwise clearly conveys that it will initiate those processes, or take a substantially similar action.

4. Make sure that all Terms of Use and Privacy Policies include more disclosure than would otherwise be standard. Draft Terms of Use and Privacy Policies so that disclosure of data collection, tracking, and use of personal information is prominently positioned (i.e., not buried in the legalese). Write in plain English.

5. Engage an attorney with experience drafting website and software disclosures. Other laws and regulations (e.g., child protection and data security laws) may also apply.

Our Disclaimer

This post provides general coverage of its subject area. We provide it with the understanding that neither CyberLaw Currents nor Frankfurt Kurnit Klein & Selz is engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so.
