The Federal Trade Commission (FTC) announced that Compete Inc., a web analytics company, agreed to settle allegations that it engaged in unfair and deceptive practices by collecting personal data without disclosing the extent of the information it was collecting and failing to honor promises it made to protect the personal data it collected.
In its complaint, the FTC alleged that Compete persuaded consumers to download its tracking software by urging them to join a Consumer Input Panel and promising them rewards in exchange for sharing their opinions about products and services. Once installed, the tracking software automatically collected not only information about consumers’ online activity, such as web pages visited, but also usernames, passwords, search terms, credit card and financial account information, security codes, expiration dates and Social Security numbers. Compete used the consumer data to generate reports about improving website traffic and sales, which were sold to third parties.
The FTC alleged that Compete violated Section 5 of the FTC Act by failing to disclose that it would collect more information than just the web pages that consumers visit, and failing to honor its consumer assurances that “all data is stripped of personally identifiable information before it is transmitted to our servers” and “we take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information.” With respect to data security, the FTC specifically alleged that Compete failed to provide reasonable and appropriate data security, transmitted sensitive data in an unsecure manner, failed to design and implement reasonable safeguards for consumer data, and failed to use readily available measures to mitigate risk to the data.
Compete’s settlement provides another example of the FTC’s continued enforcement related to tracking consumers’ online activity and data security. Yet, unlike the companies in other recent FTC settlements, Compete does not directly use the consumer data it collects to sell its own products and services to consumers. Consumer data is Compete’s product. As such, this settlement should send a signal to those who use data, as well as those who collect and distribute it, that the FTC expects them to be respectful of consumer privacy, to provide reasonable and appropriate safeguards for such data, and to do what they say and say what they do when it comes to consumer data.
Under the settlement, Compete is required to:
- Disclose how the consumer data will be used, including any sharing with third parties;
- Obtain express affirmative consent to the collection, use and sharing of consumers’ data;
- Delete consumer data it has already collected or strip it of all personally identifiable information;
- Provide instructions to consumers on how to uninstall Compete’s software; and
- Implement a comprehensive information security program with third-party audits every 2 years for 20 years.
Notably, Compete’s web-tracking software was also licensed to other companies, including Upromise, which settled similar FTC allegations in January 2012.