The Federal Trade Commission has published a proposed settlement with Compete, Inc. a web analytics company, for violation of Section 5 of the FTC in connection with its collection, use, and lack of protection of personal information (including some highly sensitive information).
Compete uses tracking software to collect data on the browsing behavior of millions of consumers. Then, it uses the data to generate reports, which it sells to clients who want to improve their website traffic and sales.
According to the FTC, Consumers were invited to join a “Consumer Input Panel,” which was promoted using ads that pointed consumers to a Compete website, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services. It also promised that consumers who installed the Compete Toolbar (from compete.com) could have “instant access” to data about the websites they visited.
Compete did not disclose to consumers that it would collect detailed information such as information they provided in making purchases, not just “the web pages you visit.” Once installed, the Compete tracking component operated in the background, and automatically collected information that consumers entered into websites, such as usernames, passwords, search terms, credit card and financial account information, security codes and expiration dates, and Social Security Numbers.
In addition, Compete represented to consumers that their personal information would be removed from the data it collected before transmitting it to its servers and that it would take reasonable security measures to protect against unauthorized access to, alteration, disclosure or destruction of personal information.”
The FTC accused Compete of violating federal law by using web-tracking software that collects personal data without disclosing the extent of the collection and by failing to honor promises it made to protect the collected personal data, not providing reasonable and appropriate data security; transmitting sensitive information from secure websites in readable text; failing to design and implement reasonable safeguards to protect consumers’ data; and failing to use readily available measures to mitigate the risk to consumers’ data.
The proposed settlement order would require Compete and its licensees to:
- Fully disclose what information they collect;
- Obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers;
- Delete or anonymize the consumer data it already has collected; and
- Provide directions to consumers for uninstalling its software.
In addition, the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years. A copy of the proposed consent decree with Compete is available at: http://www.ftc.gov/os/caselist/1023155/121022competeincagreeorder.pdf
Compete also licensed its web-tracking software to other companies. Upromise, one of Compete licensees, settled similar FTC charges earlier this year. The final consent order is available at: http://www.ftc.gov/os/caselist/1023116/120403upromisedo.pdf.