Analytics are crucial for web site and mobile app operators to understand their audience in order to provide a better user experience and to improve traffic and sales. The Federal Trade Commission ("FTC") on October 22, 2012 settled claims against web analytics company Compete, Inc. that its data practices violated users' rights and federal law. The settlement follows an earlier action against a company that had licensed Compete's user data tracking technology, which Compete offers companies to integrate into their own toolbars and rewards programs. If your company has a web site or mobile app, it uses web analytics and probably has engaged multiple vendors to collect and analyze user information. To avoid law enforcement actions and consumer class action litigation, companies should be looking closely at their data practices and policies, and those of the third parties they work with.

Compete represented in its privacy policy and FAQs that the web pages a user visited would be tracked so that Internet browsing behavior data could be anonymously transmitted to Compete and anonymously pooled with data from other users, and that if personal information was collected, Compete would make commercially reasonable efforts to strip out the personally identifiable information before transmitting it and to purge it from Compete's servers if it was inadvertently transmitted. However, the technology apparently regularly collected far more than basic browsing behavior, including in some cases personally identifiable and sensitive information, and transmitted it in an unsecured manner. As a result, Compete was alleged to have misrepresented its data practices and failed to take reasonable efforts to protect user data, violating Section 5 of the FTC Act as both a deceptive and an unfair act or practice.

There are lessons that can be learned from Compete's troubles. It is important to 1) make sure that your website's Privacy Policy accurately discloses what analytic and other user information is collected on your site or app, whether by you or your vendors, and how it is stored, used and shared; 2) make sure that the technology used by you and your vendors does not collect more than is disclosed; 3) employ protocols to appropriately protect the security of data as it is collected, transmitted, stored and used; and 4) carefully consider the terms of agreements with analytics and other parties that can access your users' data.

  1. Audit your data practices and update your Privacy Policy

The FTC alleged that Compete's privacy policy did not accurately describe what data it collected and inaccurately told users that the data would be anonymized. All too many privacy policies do not accurately reflect the company's actual privacy practices. Typically, this is not intentional. Rather, insufficient diligence may have been done regarding actual data practices, or those practices may have changed over the years and the company failed to update its privacy policy. Also, online and mobile analytics and advertising have become very complex, with most sites and apps using many third-party technologies and services, including cookies and other tracking technologies. Privacy policies need to accurately reflect what is happening under the hood. To do so, site operators need to audit and monitor their practices and those of third parties, including third-party advertisers, that interact with their sites and apps. Failure to understand what is happening and to disclose it in the privacy policy can lead to law enforcement actions and class action lawsuits. With respect to targeted advertising, there are self-regulatory guidelines that need to be complied with that may require certain notice and an ability for users to opt out of the practice. Special rules apply to sites and apps directed to children under 13, where verified parental consent may be required before collecting certain user information. Further, if a site or app targets users located in Europe, consent from users to tracking is required, and various European jurisdictions differ as to the form in which that consent can be obtained (e.g., an opt-out option treated as implied consent as compared to an express opt-in requirement).

  2. Collect only what you need and take measures to prevent collecting more

Web site and mobile app operators need to understand the technology they use. Compete's technology is alleged to have captured information during registration and e-commerce activities and, in doing so, to have collected and insecurely transmitted user names, passwords, credit card numbers and other personal information. Its filters designed to exclude such information are alleged not to have worked well, and the FTC criticized Compete for not using common algorithms to screen out sensitive data like credit card numbers. Collecting more data than intended has been the basis of other FTC actions and of class action litigation.
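One way to implement the kind of screening the FTC faulted Compete for omitting, as an added example that is not Compete's, the FTC's or this article's code: a scrubber that drops credential fields and redacts card numbers that pass a Luhn checksum from captured form data before anything is handed to an analytics endpoint. The choice of the Luhn checksum as the "common algorithm", the list of sensitive field names and the sample record are this example's own assumptions.

```python
import re

# Candidate 13-19 digit runs, optionally separated by spaces or dashes,
# bounded so that a longer digit string (e.g. a tracking id) is not split up.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Form field names that should never leave the browser in an analytics beacon
# (assumed list; extend to match the forms on your own site).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "cvv", "cvc", "ssn"}


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 checksum that every major payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> str:
    """Replace Luhn-valid card-number-shaped runs; leave other digit runs alone."""
    def _replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return "[REDACTED-PAN]" if luhn_valid(digits) else match.group(0)
    return CARD_CANDIDATE.sub(_replace, text)


def scrub_form_data(fields: dict) -> dict:
    """Filter a captured form submission before it is transmitted to analytics."""
    clean = {}
    for key, value in fields.items():
        if key.lower() in SENSITIVE_KEYS:
            continue            # drop credentials and card verification codes outright
        clean[key] = redact_card_numbers(str(value))
    return clean


if __name__ == "__main__":
    # Constructed sample submission, not real user data.
    captured = {"user": "alice", "password": "hunter2",
                "notes": "pay with 4111-1111-1111-1111", "order": "1234567890123456"}
    print(scrub_form_data(captured))
```

The order number survives because it fails the checksum, which is what keeps a Luhn-based filter from blanking every long number on a checkout page.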

  3. Protect the data you collect and have a breach response plan

The vast majority of states require protection of certain personal information, particularly sensitive data, and have requirements for notice and corrective action in the event security is compromised. The FTC takes the position that failure to employ security measures reasonably appropriate for the type of data is an unfair practice, and thus companies have an affirmative duty to take steps appropriate under the circumstances to protect user data. The level of security required for data like credit card information is far greater than that required for less sensitive data like a user name and password. However, the FTC brought an action against Twitter for lax IT security protocols that resulted in hackers getting access to user names and passwords. The level of security should match the potential harm that may flow from a security compromise and what is commercially reasonable under the circumstances. However, all user data must be reasonably secured. Assessing what is reasonable and testing the integrity of security measures should be done regularly, and companies should have a written plan addressing data security and what to do if security is breached.

  4. Obligate those you allow to access user data and know your obligations to them

Carefully look at your agreements with web site developers, cloud providers, ad exchanges and networks, analytics vendors, marketing partners and other third parties that employ technology on your site or app or deal with your user data. To the fullest extent possible under the circumstances, such agreements should spell out what the third party can and cannot do with the data, how the data will be secured and what must be done if security is or may have been compromised, require indemnity and provide for insurance coverage. If sensitive data is involved, this is crucial. Also, these third parties may require you to undertake certain obligations, such as giving notice to users of the third party's privacy practices and linking to their privacy policy and/or opt-out mechanisms. Companies should accordingly audit their current situation to assess whether appropriate agreements are in place and are being followed, and should consider what terms are appropriate on an ongoing basis when entering into new arrangements with others where user data is involved.

For more information on In re Compete, Inc. (FTC File No. 102 3155) see:

Complaint: http://www.ftc.gov/os/caselist/1023155/121022competeinccmpt.pdf

Consent Order: http://www.ftc.gov/os/caselist/1023155/121022competeinccmpt.pdf

FTC Analysis: http://www.ftc.gov/os/caselist/1023155/121022competeincanal.pdf

News Release: http://www.ftc.gov/opa/2012/10/compete.shtm