A proposed settlement between the Federal Trade Commission and Sears Holdings Corp. could portend a new wave of enforcement actions against companies that deceptively collect consumer information.

The settlement raps Sears Holdings—which owns both Sears and Kmart—for enticing visitors to the stores’ Websites to enroll in a special “My SHC Community” program where they downloaded software onto their computers that tracked their online browsing. Only after consumers completed a multi-step registration process did Sears disclose in a lengthy user license agreement the full extent of the information the software tracked, according to the FTC’s complaint.

The FTC ordered Sears to destroy all data collected in the past, and said Sears must “clearly and prominently” disclose to Web users the types of data that will be monitored, recorded, or transmitted for any tracking software used in the future—and make that disclosure separately from any user licensing agreement, and before the software is actually installed. Sears must also disclose whether any third party used the data, the FTC said.

The enforcement action is newsworthy because FTC investigations rarely become public, and the Commission usually does not announce settlements unless “it’s one where they feel that the facts are very much on their side,” says Charles Kennedy, a lawyer with the law firm Morrison & Foerster.

The Sears settlement “sends a signal to the rest of American businesses about how the FTC wants them to behave in the future,” he says. “At the very least, they need to disclose what they’re doing in a way that they probably didn’t think they needed to before.”

The settlement was announced June 6; the FTC accepted public comment on the deal until this week and will make a final decision on any other penalties shortly. Sears has not admitted any wrongdoing as part of the settlement.

Kennedy says the FTC appears to be telling Corporate America that it’s no longer acceptable to disclose in your privacy policy—a document few consumers read in detail—that your company engages in online tracking.

“They really want the online merchant to get up in the consumers’ face … and say, ‘By the way, in addition to all the other stuff in our privacy policy, we’re going to do this, and you better understand that,’” he says.

The settlement also comes only months after new leadership took office at the FTC; Chairman Jon Leibowitz and David Vladeck, director of the Bureau of Consumer Protection, have both only been in office since spring. “I think it shows that they are on very firm ground, trying to regulate online tracking and behavioral advertising,” Kennedy says.

Indeed, in his first public speech in April, Leibowitz warned online advertisers that they are walking a fine line when it comes to self-regulation. “We will continue to monitor and report on developments and, if there isn’t an appropriately vigorous response, my sense is that Congress and the Commission may move toward a more regulatory model,” he said at the time.

Those aren’t the only threats the FTC has made against advertisers. As Compliance Week previously reported, the Commission also wants to update its guidelines concerning endorsements and testimonials in advertising—rules last updated in the 1970s, long before marketing in the Internet era came along. The proposed new guidelines would encompass various forms of electronic and viral marketing, such as blogs and message boards, and impose new expectations for marketing in traditional media as well.

Congress Weighs In

On June 18, the House Subcommittee on Commerce, Trade, and Consumer Protection also held hearings to weigh in on the issue of behavioral marketing. Subcommittee Chairman Bobby Rush summed up the question this way: “Is federal privacy legislation necessary, or should companies be trusted to discipline and regulate themselves?” Currently, no federal laws specifically govern behavioral advertising (that is, online advertising based on an Internet user’s online behavior). Nor does a comprehensive general privacy law exist.

One reason behavioral advertising is so difficult to regulate is that it’s big business. According to a study released by the Interactive Advertising Bureau in June, online spending in the United States contributes $300 billion in economic activity.

As more and more companies have implemented tracking software, “it’s become an arms race of online advertisers to have the best technology,” Kennedy says. “If you can’t offer the most efficient advertising methods to the industry, then you’re not going to get the advertising dollar.”

CONSUMER PROTECTION

The following excerpt from the FTC’s Self-Regulatory Principles for Online Behavioral Advertising examines Reasonable Security and Limited Data Retention for Consumer Data:

Commenters also discussed the second proposed principle, which calls upon companies to provide reasonable security for, and limited retention of, consumer data collected for behavioral advertising purposes.

A number of companies generally supported this principle as drafted. Echoing the arguments raised about the Principles’ applicability to non-PII (non-personally identifiable information), other companies, as well as industry groups, recommended that the Commission limit the application of this principle to PII (personally identifiable information). These commenters also called for more flexibility in applying this principle, and stated that data retention should not constitute a separate, stand-alone principle; instead, according to these commenters, data retention should be viewed as one possible component of an effective security program. Several industry commenters suggested that the principle should allow companies to consider various factors in evaluating appropriate data retention periods, and should refrain from imposing a uniform requirement.

Although the consumer groups generally supported this principle as proposed, some argued that the FTC should strengthen certain aspects of the principle. Individual consumers and one privacy group suggested that the principle is too vague and should provide more detailed and precise security standards. Two privacy groups stated that companies should retain data only as long as needed to fulfill the identified use for which the company collected the data. Other proposals included a requirement that companies anonymize all retained data, a requirement that data be retained for no longer than six months, and a suggestion that the FTC hold a workshop to explore issues related to the appropriate data retention standard.

For the reasons addressed above, staff believes the Principles should apply to all data collected and used for behavioral advertising that reasonably could be associated with a particular consumer or with a particular computer or device. Staff recognizes, however, that there is a range of sensitivities within this class of data, with the most sensitive data warranting the greatest protection. Accordingly, as proposed, the data security principle stated that, consistent with existing data security laws and the FTC’s many data security enforcement actions, the “protections should be based on the sensitivity of the data [and] the nature of a company’s business operations, the types of risks a company faces, and the reasonable protections available to a company.” Staff believes that this scalable standard addresses the commenters’ concerns while also ensuring appropriate protections for consumer data. Staff therefore retains this language in the Principles without change.

Staff agrees with many of the commenters, however, that data retention is one component in the reasonable security calculus, rather than a separate, stand-alone principle, and has clarified the principle to reflect this position. The intent behind the principle remains unchanged, however: companies should retain data only as long as is necessary to fulfill a legitimate business or law enforcement need. As noted above, over the past year some companies have changed their data retention policies to reduce substantially the length of time they maintain information about consumers’ online activities. Staff commends such efforts.

Source: FTC Principles on Online Advertising (February 2009).

In his April speech, Leibowitz noted, “there are obviously benefits that targeting can bring to consumers in the form of more relevant advertising and the additional revenue that targeting can provide. This revenue may be vital to the survival of some industries.”

For the most part, advocates of regulation acknowledge the vital role that advertising plays in the economy, but nonetheless say baseline protections are in order. “My concern about the growing threat to our privacy and related consumer protection issues stems not from the activities of a single—or even several—major companies in this sector,” says Jeff Chester, executive director of the Center for Digital Democracy. “Rather, it is from the overall capability and direction of the online marketing industry when it comes to data collection marketing practices.”

Kennedy puts it more simply: “Nobody seems to be worried too much if you order a book from Amazon and they tell you about other books on the same subject, even though that does require them to track what you’re ordering.”

U.S. Rep. Rick Boucher, chairman of the House Subcommittee on Communications, Technology, and the Internet, said at the June 18 hearing that consumers should be given the right to “clear, concise information in an easy-to-find privacy policy, about what information a Website collects about them, how it is used, how it is stored, how long it is stored, what happens to it when it is no longer stored, and whether it is given or sold to third parties.”

Boucher said consumers should also have the right to opt out of such tracking, or to opt out of letting their data end up in the hands of third parties that work with the company in question.

Internet giants like Yahoo, Google, and Facebook say they are offering users the ability to more easily—and automatically—opt out of advertising pitches. Anne Toth, head of privacy matters at Yahoo, for example, says Yahoo has cut the time it retains customer data from 13 months to 90 days.

Kennedy says any congressional action is worth watching, because the FTC “would like very much to have the assistance of Congress, rather than just sort of improvise an enforcement strategy by bringing in these one-at-a-time proceedings and entering into these settlements.”