On March 17, 2017, the Federal Trade Commission (FTC) announced that it had reached a $500,000 settlement with Upromise, a membership reward service aimed at families saving for college. The FTC had alleged that Upromise violated a 2012 FTC consent order by failing to make required disclosures about its data collection and use practices and not obtaining third-party assessments as agreed. This settlement illustrates not only the FTC’s continued focus on online data privacy and security issues, but also the Commission’s interest in ensuring that companies adhere to the terms of their settlement agreements.

Background and 2012 Order

Upromise offers a loyalty program that is free to join and provides credit toward college savings plans, or toward paying down student loans for members who make eligible purchases from partner businesses.

In 2012, the FTC reached a settlement with Upromise following charges that the company was using its “TurboSaver” toolbar to collect consumers’ personal information without adequately disclosing the extent of the collection, then transmitting that data over the internet in an insecure manner. In the 2012 Order, Upromise agreed to (1) clearly disclose its toolbar data collection practices, including the types of information collected and how data was being used; (2) obtain affirmative consent from users prior to collecting their data; and (3) notify consumers who had previously downloaded the toolbar about the data collection and provide instructions to disable the toolbar. Upromise was also required to establish a comprehensive information security program and obtain biennial third-party security assessments for 20 years.

Complaint and Proposed Order

In its March 2017 Complaint, the FTC alleged that following the 2012 Order, from March 2013 to January 2016, Upromise violated the terms of the Order by failing to clearly disclose its data collection and use practices to consumers who downloaded its RewardU toolbar. Specifically, the FTC argued that Upromise’s disclosures were confusing to consumers and that its security assessment of the toolbar was inadequate.

The Stipulated Order prohibits Upromise from violating the 2012 Order and imposes a $500,000 civil penalty. Further, Upromise must:

  • Obtain an evaluation and report from a qualified, objective, independent third-party professional that specializes in website design of its practices regarding informed user consent to data collection and use, should it launch a future version of the toolbar;
  • Obtain written approval from the FTC of its security assessment’s scope and design relating to the future toolbar; and
  • Permanently expire any RewardU-related cookies it previously placed, and notify all consumers who downloaded the RewardU toolbar to uninstall the toolbar with instructions on how to effect the removal and delete associated cookies.

The Order also imposes additional compliance reporting, recordkeeping, and monitoring requirements.

It’s no secret that the FTC has become increasingly active in scrutinizing how companies are collecting, using, and securing consumer data online. This Order emphasizes that repeated violations can result in significant penalties, and that the FTC is keeping a watchful eye on companies it has previously called out for alleged data protection failures.