On January 5, 2012, the FTC announced a settlement with Upromise, Inc., a membership service intended to help consumers save money for college, over charges that the company misled users about the extent to which it collected and transmitted their personal information through a “Personalized Offers” feature on a web browser toolbar, and then failed to adequately secure the user information that it collected. The FTC claimed that Upromise’s alleged actions were unfair and deceptive and violated the FTC Act.

FTC’s Complaint Allegations: Upromise provides a membership service that allows users to contribute to a college savings account by collecting rebates that are acquired when users purchase goods and services from Upromise partner merchants. Upromise offered users a downloadable web browser toolbar that highlighted Upromise’s partner merchants appearing in a user’s search results, thereby allowing users to more easily identify merchants that provide the college-savings rebates.

According to the FTC Complaint, when users enabled the “Personalized Offers” feature, the toolbar collected and transmitted the names of the websites visited by users and the links that were clicked on by users, as well as information that users entered into websites, including search terms, user names and passwords, and financial transaction information. The Commission also alleged that users who downloaded the toolbar were led to believe that any personal information collected would be removed before it was transmitted, and that Upromise had implemented adequate security safeguards to protect the personal information transmitted.

Settlement Provisions: In resolving these allegations, the FTC settlement bars Upromise from using its web browser toolbar to collect users’ personal information without clearly disclosing the extent of its data collection practices. Per the settlement, this disclosure must be made before consumers’ installation of the web browser tool, and appear separately from any “end user license agreement,” “privacy policy,” “terms of use” page, or similar document.

Upromise also must destroy any personal information previously collected through the “Personalized Offers” feature, obtain consumers’ consent before installing or re-enabling its toolbar products, and notify users how to uninstall the toolbars currently residing on their computers. The settlement further bars Upromise from making material misrepresentations about the extent to which the company maintains the privacy and security of consumers’ personal information, and requires the company to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years. Going forward, a violation of the settlement could expose the company to up to $16,000 per violation.

What This Settlement Signals: The settlement with Upromise underscores that, in 2012, the FTC will continue to hold companies accountable for providing clear and conspicuous disclosures about the extent to which online-based products and services actively and passively collect personal information, whether companies are obtaining affirmative consent from consumers for such data collection, and appropriately securing the personal data in their control. It will be a busy year.

This post was written by Alysa Z. Hutnik.

2012 Signals Continued FTC Privacy Scrutiny: Web Browser Toolbar Triggers Enforcement Action