The FTC announced last week that analytics company Compete Inc. has settled charges that it violated federal law by using its web-tracking software to collect personal data without disclosing to consumers the extent of the information that it was collecting and that the company failed to honor promises it made to protect the personal data it collected. The proposed settlement requires that the company obtain express consent before collecting any data through software downloaded onto consumers' computers, that the company delete or anonymize the use of any data it already has collected, and that it provide directions to consumers for uninstalling its software. This is the latest in a string of enforcement actions alleging unfair and deceptive trade practices related to data collection and reflects the agency's continued focus on consumer online privacy.
Compete allegedly used tracking software to collect data on the browsing habits of consumers and sold reports on the data to clients to help improve website traffic and sales. The FTC's complaint alleged that the company convinced consumers to download its tracking software using deceptive methods, including by urging them to join a "Consumer Input Panel" and promising rewards for sharing their opinions about products and services. The company also allegedly promised that consumers who installed its Compete Toolbar, another type of software, would have "instant access" to data about the websites they visited. Once installed, the tracking component of the software allegedly operated in the background, automatically collecting information about consumers' online activity, including usernames, passwords, search terms, and sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security numbers.
The FTC charged that Compete's business practices were unfair or deceptive in 1) failing to disclose that Compete would collect detailed information consumers provided in making purchases, not just the web pages they visited, as the company represented; 2) making false and deceptive assurances to consumers that their personal information would be removed from the data it collected, by stripping the data of personally identifiable information before it was transmitted to the company's servers; and 3) representing that the company took reasonable security measures to protect against unauthorized access to or disclosure of personal information. According to the FTC's complaint, Compete allegedly failed to remove personal data before transmitting it, failed to provide reasonable and appropriate data security, transmitted sensitive information from secure websites in readable text, failed to design and implement reasonable safeguards to protect consumers' data, and failed to use readily available measures to mitigate the risk to consumers' data.
In addition to requiring that the company and its clients fully disclose the information they collect and obtain consumers' express consent before they collect data in the future, the proposed settlement bars Compete from making misrepresentations about its privacy and data security practices and requires that the company implement a comprehensive information security program with independent third-party audits every two years for the next 20 years.