Analytics are crucial for web site and mobile app operators to understand their audience in order to provide a better user experience and to improve traffic and sales. The Federal Trade Commission ("FTC") on October 22, 2012 settled claims against web analytics company Compete, Inc. that its data practices violated users' rights and federal law. The settlement follows an earlier action against a company that had licensed Compete's user data tracking technology, which Compete offers companies to integrate into their own toolbars and rewards programs. If your company has a web site or mobile app, it uses web analytics and probably has engaged multiple vendors to collect and analyze user information. To avoid law enforcement actions and consumer class action litigation, companies should be looking closely at their data practices and policies, and those of third parties they work with.
- Collect only what you need and take measures to prevent collecting more
Web site and mobile app operators need to understand the technology they use. Compete's technology is alleged to have captured information during registration and e-commerce activities and, in doing so, to have collected and insecurely transmitted user names, passwords, credit card numbers and other personal information. Its filters designed to exclude such information are alleged to have not worked well, and the FTC criticized Compete for not using common algorithms to screen out sensitive data like credit card numbers. Collecting more data than intended has been the basis of other FTC actions and of class action litigation.
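The passage above refers to filters and "common algorithms" for screening out card numbers without naming one. The following is an added example, not code from the original article or from any company it discusses: a scrub step run on a captured event before transmission, assuming the Luhn checksum as the screening algorithm and using hypothetical field names and a constructed sample event.

```python
import re

# Candidate: 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Hypothetical field names whose values should never be collected at all.
DROP_FIELDS = {"password", "passwd", "pwd", "cvv", "cvc", "ssn"}
MASK = "[REDACTED-PAN]"


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_card_numbers(text: str) -> str:
    """Mask digit runs that look like card numbers and pass Luhn."""
    def _mask(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        return MASK if luhn_valid(digits) else match.group(0)
    return CANDIDATE.sub(_mask, text)


def scrub_event(event: dict) -> dict:
    """Drop sensitive fields by name, then redact card numbers in the rest."""
    clean = {}
    for key, value in event.items():
        if key.lower() in DROP_FIELDS:
            continue            # never forward credentials, even masked
        clean[key] = redact_card_numbers(value) if isinstance(value, str) else value
    return clean


# Constructed sample event; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = {
    "url": "https://shop.example/checkout?cc=4111-1111-1111-1111&step=2",
    "form_text": "card 4111 1111 1111 1111 order 1234567890123456",
    "password": "hunter2",
    "items": 3,
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE))
```

The checksum keeps ordinary long numbers such as order IDs intact while masking values that are plausibly card numbers; dropping fields by name covers data, like passwords, that no pattern can recognise.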
- Protect the data you collect and have a breach response plan
The vast majority of states require protection of certain personal information, particularly sensitive data, and have requirements for notice and corrective action in the event security is compromised. The FTC takes the position that failure to employ security measures reasonably appropriate for the type of data is an unfair practice, and thus companies have an affirmative duty to take steps appropriate under the circumstances to protect user data. The level of security required for data like credit card information is far greater than that required for less sensitive data like user name and password. However, the FTC brought an action against Twitter for lax IT security protocols that resulted in hackers getting access to user names and passwords. The level of security should match the potential harm that may flow out of a security compromise, and what is commercially reasonable under the circumstances. However, all user data must be reasonably secured. Assessing what is reasonable and testing the integrity of security measures should be done regularly, and companies should have a written plan addressing data security and what to do if security is breached.
- Obligate those you allow to access user data and know your obligations to them
For more information on In Re Compete, Inc. (FTC File No. 102 3155) see:
News Release: http://www.ftc.gov/opa/2012/10/compete.shtm