Background of the Claim
According to the FTC, while tracking consumers' e-commerce activity the company allegedly collected far more than basic browsing behavior: it also captured personally identifiable and sensitive information such as user names, passwords, credit card numbers and Social Security numbers. The filters designed to exclude such information allegedly worked improperly, and the data was then transmitted in an insecure manner. In particular, the FTC criticized Compete for not using common algorithms to screen out sensitive data such as credit card numbers.
The FTC alleged that consumers downloaded Compete's software through advertisements that offered rewards for joining opinion panels and through a web toolbar that offered information to users. On this basis the FTC charged that Compete had misrepresented its data practices and had failed to take reasonable steps to protect user data, violating Section 5 of the FTC Act as both a deceptive and an unfair act or practice.
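The "common algorithms" the FTC had in mind are the kind of pre-transmission filter below. This is an added illustration written for this note, not Compete's software and not anything the FTC order prescribes: candidate card numbers are only redacted if they pass the Luhn checksum that every major card brand uses, SSN-shaped tokens are redacted by pattern, and credential or identifier fields are dropped by name. The parameter names and the sample URL are constructed for the example.

```python
"""Pre-transmission scrubber for captured browsing data (illustrative).

Constructed example: parameter names and sample records are assumptions,
not taken from any real tracking product.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in
# a longer digit run (so a 20-digit tracking ID is not chopped into a "card").
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# AAA-GG-SSSS with the never-issued area/group/serial values excluded.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
# Assumed names of form/query parameters that carry credentials or
# identifiers; a real deployment would build this list from observed sites.
SENSITIVE_PARAMS = {
    "user", "username", "email", "password", "passwd", "pwd",
    "ssn", "cc", "cardnumber", "card_number", "cvv", "cvc",
}


def luhn_ok(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) checksum: True if the digit string is a valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_text(text: str) -> str:
    """Redact Luhn-valid card numbers and SSN-shaped tokens in free text.

    A digit run that looks like a card but fails Luhn (an order number,
    say) is left untouched, which is what makes the filter usable on
    ordinary shopping traffic.
    """
    def pan_repl(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return "[PAN]" if luhn_ok(digits) else match.group(0)

    text = PAN_RE.sub(pan_repl, text)
    return SSN_RE.sub("[SSN]", text)


def sanitize_url(url: str) -> str:
    """Scrub a captured URL before it leaves the client machine.

    Sensitive parameters are dropped by name regardless of value; every
    other component (path, remaining values, fragment) goes through the
    pattern filters.
    """
    parts = urlsplit(url)
    clean = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            clean.append((name, "[REDACTED]"))
        else:
            clean.append((name, redact_text(value)))
    return urlunsplit((
        parts.scheme,
        parts.netloc,
        redact_text(parts.path),
        urlencode(clean, safe="[]"),  # keep the [..] markers readable
        redact_text(parts.fragment),
    ))


if __name__ == "__main__":
    # Constructed capture: a checkout URL with a credential, a card number,
    # a Luhn-invalid order reference and an SSN typed into a search box.
    captured = (
        "https://shop.example/checkout?user=alice"
        "&card_number=4111-1111-1111-1111"
        "&note=order+4111111111111112"
        "&q=ssn+123-45-6789"
    )
    print("before:", captured)
    print("after: ", sanitize_url(captured))
```

Two caveats a practitioner would add. Luhn accepts roughly one in ten random 16-digit strings, so some non-card identifiers will be redacted; that is the right trade-off for data leaving a consumer's machine. And filtering is a backstop, not a substitute for the other points in the complaint: data that is not needed should not be captured at all, and whatever is captured should travel over an encrypted channel.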
Terms of the Proposed Settlement
Under the proposed settlement, Compete must obtain the consent of consumers before collecting any data and it will have to delete or make anonymous the data it has already collected. Additionally, it must show users how to uninstall its tracking software from their computers. Finally, Compete must implement an information security program with outside audits every two years for the next 20 years. The FTC did not state whether Compete has to pay a fine. The proposed consent order will be available for public comment until November 19.
Lessons to be Learned
It is also important that companies review their agreements with their web site developers, cloud providers, ad exchanges and networks, analytics vendors, interactive agencies, marketing partners, and other third parties that employ technology on their websites or apps or deal with their consumer and employee data. Their third-party agreements should address (a) how data will be secured; (b) what must be done if security is or may have been compromised; (c) indemnity obligations; and (d) requirements for insurance coverage. An important risk management tool for companies is to audit their current website practices and third-party contracts to assess whether the agreements are followed, and to consider what contract terms are appropriate when entering into new arrangements with third parties that involve user data.
Many states require protection of certain personal information, particularly sensitive data, and most have statutory requirements for notice and corrective action in the event that security is compromised. In addition, the FTC takes the position that failure to employ security measures reasonably appropriate for the type of data involved is an unfair practice prohibited by the FTC Act, so companies have an affirmative duty to take steps appropriate under the circumstances to protect user data. The level of security generally should match the potential harm that may flow from a security compromise and what is commercially reasonable under the circumstances. In any event, user data should be reasonably secured and retained only as long as reasonably needed. It is therefore important for a company to address what is reasonable and which risks are foreseeable, to regularly test the integrity of its security measures, and to have a written plan addressing data security together with a response plan in the event of a breach.
How to Ensure Compliance
We live in the era of big data, and information about consumers is one of a company's most valuable assets. At the same time, consumer advocates and regulators in the U.S. and abroad are increasingly concerned with ensuring that consumers have meaningful notice and choice regarding the collection and use of data about them. Companies need to determine what data they are collecting, where it is stored, how it is secured, and how, with whom and for what purposes it is shared. A first step is a comprehensive audit to understand actual data practices and assess the adequacy of policies and procedures, involving every unit that handles data, including IT, legal, HR, marketing, sales, and interactive. Many companies are implementing "privacy by design," addressing privacy and data security on an ongoing basis while products, services, activities, and campaigns are still in development, having found it more efficient to resolve these issues then than in response to problems after they arise.