Earlier this week, the Federal Trade Commission (“FTC”) settled claims against a web analytics company involving allegations that the information it collected about users’ web browsing habits went beyond what it stated in its privacy policy and FAQs. Analytics are important tools for web site and mobile app operators to understand their audience and increase traffic and sales. Claims such as these, however, demonstrate the need for companies to regularly review their actual data practices and ensure that those practices match their published policies.

Background of the Claim

The company involved in the settlement, Compete, Inc., stated in its privacy policy and FAQs that the web pages a user visited would be tracked so that Internet browsing behavior data could be anonymously transmitted to Compete and anonymously pooled. The company also stated that if personal information was collected, it would make commercially reasonable efforts to strip out all of the personally identifiable information before transmitting it, and purge from its servers any data that was inadvertently received.

While users engaged in e-commerce activities, however, the company allegedly collected far more than basic browsing behavior on a regular basis. It also purportedly collected personally identifiable and sensitive information, such as user names, passwords, credit card numbers and social security numbers. Allegedly, the filters designed to exclude such information worked improperly, and the data was then transmitted in an insecure manner. The FTC criticized Compete for not using common algorithms to screen out sensitive data like credit card numbers.
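The “common algorithms” remark above refers to the kind of screening a collection client should run before anything leaves the user’s machine. The following is an added example, not Compete’s code and not drawn from the FTC filings; it assumes, for illustration, that the screen combines a deny list of parameter names with content checks: the Luhn checksum for card-number-shaped digit runs and a pattern match for SSN-shaped values. The parameter names, the deny list and the sample checkout URL are all constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed deny list: parameter names whose values are never transmitted,
# regardless of content (constructed for this example).
DENY_PARAMS = {"password", "passwd", "pwd", "pass", "ssn", "cvv", "cardnumber", "card_number"}

# 13-19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN shape: 3-2-4 digits with hyphens.
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 check over the digits of `number`; separators are ignored."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_text(text: str) -> str:
    """Replace Luhn-valid card-shaped runs and SSN-shaped values in free text."""
    def card_sub(m: re.Match) -> str:
        # The checksum keeps ordinary 16-digit identifiers (order numbers,
        # tracking numbers) that merely look like a card number.
        return "[CARD]" if luhn_valid(m.group(0)) else m.group(0)

    text = CARD_RE.sub(card_sub, text)
    return SSN_RE.sub("[SSN]", text)


def scrub_query(query: str) -> list:
    """Drop denied parameters outright and redact sensitive content in the rest."""
    kept = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() in DENY_PARAMS:
            continue                      # never transmit, whatever the value
        kept.append((name, redact_text(value)))
    return kept


def scrub_url(url: str) -> str:
    """Apply the screen to the path and query of a URL about to be reported."""
    parts = urlsplit(url)
    query = urlencode(scrub_query(parts.query), safe="[]")
    return urlunsplit((parts.scheme, parts.netloc, redact_text(parts.path), query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample: a checkout URL carrying a password, a card number,
    # an order number that is not Luhn-valid, and an SSN in an unlisted field.
    sample = ("https://shop.example/checkout?user=alice&password=hunter2"
              "&card=4111%201111%201111%201111&order=1234567890123456&tax_id=123-45-6789")
    print(scrub_url(sample))
```

The deny list handles fields a collector knows about; the content checks catch the cases it does not, which is where name-based filtering alone fails. Either way the screen has to run on the client, before transmission, and should fail closed: if a value cannot be screened, drop it rather than send it.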

The FTC alleged that consumers obtained Compete’s tracking software through advertisements that offered rewards for joining opinion panels and through a web toolbar that offered information to users. Compete was alleged to have misrepresented its data practices and to have failed to take reasonable efforts to protect user data, violating Section 5 of the FTC Act as both a deceptive and an unfair act or practice.

Terms of the Proposed Settlement

Under the proposed settlement, Compete must obtain the consent of consumers before collecting any data, and it will have to delete or anonymize the data it has already collected. Additionally, it must show users how to uninstall its tracking software from their computers. Finally, Compete must implement an information security program with outside audits every two years for the next 20 years. The FTC did not state whether Compete has to pay a fine. The proposed consent order will be available for public comment until November 19.

Lessons to be Learned

There are several significant lessons that can be learned from Compete’s troubles. It is important that a company:

1) accurately, clearly and conspicuously disclose in its privacy policies and terms of use the various types of user information collected on its websites and mobile apps (whether by the company or its vendors), and disclose how it is collected, stored, used and shared;

2) make sure that the technology it and its vendors use does not collect more than what is intended and was disclosed;

3) employ protocols to appropriately protect the security of data as it is collected, transmitted, stored and used;

4) carefully consider the terms of agreements with its vendors and other parties that can access users’ data; and

5) develop and support a privacy culture.

It is also important that companies review their agreements with their web site developers, cloud providers, ad exchanges and networks, analytics vendors, interactive agencies, marketing partners, and other third parties that employ technology on their websites or apps or deal with their consumer and employee data. Their third-party agreements should address (a) how data will be secured; (b) what must be done if security is or may have been compromised; (c) indemnity obligations; and (d) requirements for insurance coverage. An important risk management tool for companies is to audit their current website practices and third-party contracts to assess whether the agreements are followed, and to consider what contract terms are appropriate when entering into new arrangements with third parties that involve user data.

Many states require protection of certain personal information, particularly sensitive data, and most have statutory requirements for notice and corrective action in the event that security is compromised. In addition, the FTC takes the position that failure to employ security measures reasonably appropriate for the applicable type of data is an unfair practice prohibited by the FTC Act, and thus companies have an affirmative duty to take steps appropriate under the circumstances to protect user data. The level of security generally should match the potential harm that may flow from a security compromise and what is commercially reasonable under the circumstances. In any event, user data should be reasonably secured and retained only as long as reasonably needed. Thus, it is important for a company to address what is reasonable and what risks are foreseeable. It is also important to regularly test the integrity of security measures, to have a written plan addressing data security, and to have a response plan in the event of a breach.

How to Ensure Compliance

We live in the era of big data, and information about consumers is one of a company’s most valuable assets. At the same time, consumer advocates and regulators in the U.S. and abroad are becoming increasingly concerned about ensuring that consumers have meaningful notice and choice regarding the collection and use of data about them. Companies need to determine what data they are collecting, where it is stored, how it is secured, and how and with whom it is shared and for what purposes. A first step is to undertake a comprehensive audit to understand the actual data practices and assess the adequacy of policies and procedures, involving every unit that handles data, including IT, legal, HR, marketing, sales, and interactive. Many companies are implementing “privacy by design” by addressing privacy and data security issues on an ongoing basis while products, services, activities, and campaigns are in development, since they have found it more efficient to address those issues then than in response to problems after they arise.

For more information on In Re Compete, Inc. (FTC File No. 102 3155), see the following: Complaint, proposed Consent Order, FTC Analysis, and News Release.