The Federal Trade Commission (“FTC”) recently approved a settlement of a complaint against Sears Holding Management Company (“Sears”) regarding Sears’ failure to disclose certain online data collection practices. The settlement, which reflects the FTC’s increasing focus on privacy, has received attention. Below is a summary of the case, and suggestions for companies that track online user behavior.
According to the FTC’s administrative complaint, Sears presented 15% of the visitors to its sears.com and kmart.com websites with a “My SHC Community” pop-up box.
Consumers who supplied e-mail addresses to Sears via the pop-up box received an e-mail from Sears, inviting them to register with Sears and to download a piece of “research” software that would track their online browsing. The “research” software application collected comprehensive information about the user’s web browsing activities, as well as information about the user’s personal computer. In exchange for becoming a member of the My SHC Community, and using the “research” software for at least one month, members would receive a $10 payment.
The “My SHC Community” registration page presented a “Privacy Statement and User License Agreement” in a scroll box that displayed ten lines of the multi-page document at a time. The “research” software functions appeared on approximately the 75th line down in the scroll box. To register, users needed to check a box indicating that they agreed to the terms and conditions of the Privacy Statement before downloading and installing the application.
Importantly, the Privacy Statement disclosed several details regarding the application. It said, for example, that the application monitored “all Internet behavior” including “normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.”
The FTC complaint charged that Sears failed to adequately disclose the scope of the tracking software’s data collection in violation of Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC said that Sears “failed to disclose adequately that the software application, when installed, would: monitor nearly all of the Internet behavior that occurs on consumers’ computers, including information exchanged between consumers and websites other than those owned, operated or affiliated with [Sears], information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based e-mails; track certain non-Internet-related activities taking place on those computers; and transmit nearly all of the monitored information…to [Sears’] remote computer servers.”
Guidance for Companies Considering Tracking Online User Behavior
In light of the FTC-Sears settlement, companies that track online user behavior should consider the following:
1. Recognize that the federal agency overseeing online advertising is focusing more and more on privacy protection and on protection of consumers’ “dignity interest.” The FTC’s “Self Regulatory Principles for Online Behavioral Advertising” (advisory guidance for purposes of self-regulation) are available here and should be considered carefully.
(a) all the types of data that will be monitored, recorded, or transmitted, including whether the data may include information from the consumer’s interactions with a specific set of websites or from a broader range of internet interaction; whether the data may include transactions or information exchanged between the consumer and third parties in secure sessions; interactions with shopping baskets, application forms, or online accounts; and whether the information may include personal financial or health information;
(b) how the data may be used; and
(c) whether the data may be used by a third party.
3. Obtain express consent from the consumer to any download or installation and the collection of data. Consider having consumers give that consent by clicking on a button or link that is not pre-selected (i.e., not the default option) and that is clearly labeled or otherwise clearly conveys that it will initiate those processes, or by taking a substantially similar action.
5. Engage an attorney with experience drafting website and software disclosures. Other laws and regulations (e.g., child protection and data security laws) may also apply.
This post provides general coverage of its subject area. We provide it with the understanding that neither CyberLaw Currents nor Frankfurt Kurnit Klein & Selz is engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so.