For many years, websites have operated on the belief that their online privacy policies and terms of service, especially when affirmatively assented to by means of a click-through agreement, are adequate and enforceable. A recent enforcement action by the Federal Trade Commission (FTC) against Sears Holdings, finalized at the end of August, has cast doubt on whether that longstanding reliance remains valid in today's more skeptical regulatory climate. But the FTC's real focus may have been on behavioral tracking.
The Sears Disclosures
In Sears, the defendant had made available for users of its website a downloadable software application. The software was to be used as part of a "My SHC Community" market research program. The application was presented via a pop-up box, accompanied by information touting the program as a means for consumers to obtain more relevant offerings in the future. In exchange for downloading the "research software" and retaining it for a month, users would be paid $10. Interested users were directed to a landing page, and thereupon to a registration page, at which they entered their names, addresses, ages and email addresses. Underneath the registration fields appeared a scroll box that presented a Privacy Statement and User License Agreement, 10 lines at a time. Beginning around line 75, users were informed that the software would:
monitor all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.
About the only thing the software did not monitor was the text of instant and email messages, although the statement noted that the software would collect header information. The statement went on to describe how the information might be used, how consumers could stop participating and how they could remove the software.
Underneath the scroll box was a link that a consumer could click to print a copy of the privacy statement, and a blank check box acknowledging that the user had read the statement and terms. The user could not continue with the registration until checking the box.
In short, Sears took many of the actions that, for the past 15 years, websites have come to believe provide them with legal protection. Sears did, in fact, provide a statement that, on its face, seems to tell users that the software was going to track just about everything they did online, and users were required to click an acknowledgment—a click-wrap agreement—before enrolling and downloading the software. And the users were paid $10 for their trouble.
The FTC's Objections
So what was the problem? The FTC thought that Sears hadn't said enough, clearly enough. The FTC's complaint charged that Sears "failed to disclose adequately" that the software would "monitor nearly all of the Internet behavior that occurs on consumers' computers, including information exchanged between consumers and websites other than those owned by, operated by, or affiliated with the respondent, information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based email; track certain non-Internet-related activities taking place on those computers; and transmit nearly all of the monitored information" to Sears. The FTC press release said that Sears' software could collect matters such as online bank statements, drug prescription records, video rental records, library borrowing history and the identities of senders and receivers of web-based emails.
Thus, the FTC believed that Sears' description did not divulge the full scope and extent of the data collection, and that Sears buried the description that was provided in the privacy statement. Accordingly, the FTC charged Sears with a failure to disclose adequately the scope of the data collection, a deceptive practice in violation of Section 5.
Concern over Tracking
The FTC's action against Sears raises a number of questions. Did the FTC's action signal a change in how websites must make disclosures? Are privacy policies alone now insufficient?
It may well be that the case is really less about the particular wording chosen by Sears than it is about the FTC's distaste for the nearly comprehensive tracking that the software performed. As such, the action echoes the FTC's grave concerns about deep packet inspection (DPI) by Internet service providers, seen last summer in the context of companies such as NebuAd and Pform. The Sears' software, in effect, attempted to replicate DPI, but on the user's computer rather than at the Internet on-ramp. When seen as a preemptive strike against DPI, the FTC's enforcement action becomes more understandable.
Similarly, the FTC staff report on behavioral targeting-which Sears' software use plainly would have facilitated-earlier this year urged the online community to develop improved forms of notice. The FTC may have felt that consumers needed better notice of the sweeping monitoring capabilities of the software, particularly when compared to the many words presented to users encouraging them to download the software and the general unfamiliarity of most consumers with such monitoring. So perhaps the FTC sought to use this case to establish some new ground rules for behavioral targeting notices. But in doing so, did it change the rules on Sears in mid-stream, charging as illegal disclosures quite similar to those that are standard today across many websites, and thereby undermining the enforceability of click-wrap agreements?
The FTC says "no." In response to comments on the proposed consent decree, the FTC contended that Sears does not undermine enforceability of click-wrap agreements, or set a new disclosure standard for online transactions. Rather, the FTC portrayed its action as consistent with prior cases in which it has found disclosures in an end-user agreement may not suffice to correct a misleading impression created elsewhere, citing FTC v. Cyberspace.com, LLC, 453 F.3d 119, 1200 (9th Cir. 2006) (fine print contractual notices insufficient to undo deceptive net impression) and other cases. The FTC stated that it continues to "approach the validity of EULA-only disclosure on a case-by-case basis, weighing what information is material to consumers and the overall, net impression upon the consumer regarding the transaction."
So what does all this mean? First, the FTC is taking the position that reliance on an accurate privacy statement of terms and conditions may not suffice, particularly if the agency disfavors the activity that is the underlying subject. Second, the FTC's actions raise the question of whether websites now have to take greater steps to "balance" promotional language with disclaimers. What disclaimers? How many? And at the least, websites may want to take a fresh look at their monitoring practices (if any), and at their corresponding promotional materials and disclosures, and review these with their legal counsel.