The Federal Trade Commission (“FTC”) is soliciting public comments on a petition filed by Sears Holdings Management (“Sears”) to reopen and modify a 2009 FTC order regarding the tracking of personal information on its software apps. The petition is notable for a number of reasons. First, the Sears consent order was a seminal order in the development of the FTC’s privacy jurisdiction, standing for the proposition that a company cannot “bury” disclosures that consumers would not expect in long privacy notices. Second, the concept of modifying 20-year consent orders is an important one in light of changes over time. Third, the petition seeks to correct the unintended consequences that a consent order can have on future technologies when such an order regulates present ones.
In the 2009 FTC order, Sears settled charges that it failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app. As part of that 20-year consent order, Sears agreed to make certain disclosures and obtain consent in connection with its downloadable software app and future ones that “monitor, record, or transmit information.” The petition argues that the 2009 FTC order should be modified to update its existing definition of “tracking application,” presently defined as:
any software program or application . . . that is capable of being installed on consumers’ computers and used . . . to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from or transmitted to the computers on which it is installed.
The petition seeks to modify this definition to exempt information about “(a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.”
The petition argues that this modification is necessary for three reasons. First, changed circumstances in the mobile app arena have rendered the 2009 FTC order’s broad definition of “tracking application” impracticable. The FTC’s original administrative complaint targeted Sears’ desktop software application, which could track users’ activities outside of its boundaries. Since then, software distribution has overwhelmingly shifted from desktop to mobile apps, which are distributed through two main online marketplaces (Apple’s App Store and Google Play). These marketplaces control “the manner and form” of disclosures to consumers relating to apps and impose restrictions on the collection of information from consumers, in concert with the FTC’s goals. According to Sears, the desktop software that led to the 2009 FTC order “would be impermissible under the rules of the two dominant mobile app stores,” but the additional disclosure requirements imposed on Sears by the order are onerous given that the app stores have a “standardized workflow” to allow consumers to review the app provider’s data collection, use, and sharing policies before downloading the apps.
Second, Sears argues that modifying the 2009 FTC order is in the public interest. Sears argues that while the order was “intended to protect consumers from undisclosed and invasive tracking of consumers outside of” its software, the obligations it imposes upon Sears “are poorly adapted to today’s mobile app ecosystem.” Under the 2009 FTC order, a user of multiple Sears apps must read and consent to nearly identical disclosures in each of those apps, and “no other competitor uses a similarly disruptive approach to mobile app disclosures.” Similarly, modification of the order’s definition would reflect the commonplace practices of data collection and intra-app activity sharing in today’s marketplace. Sears’ mobile apps share data with remote servers to fulfill consumer requests and collect data to support app security. Such practices, the petition asserts, are consistent with the FTC’s 2012 privacy report.
Third, the petition argues that the requested modification is consistent with more recent FTC precedent and priorities. The petition cites two FTC orders from 2012 and 2013 that exempted the specific types of information collection enumerated above. Modifying the 2009 FTC order to exempt tracking that is “necessary for the basic operation of mobile apps” would be consistent with consumer expectations and recent FTC guidance and regulations. Indeed, the petition claims that modifying the definition of “tracking application” would leave intact the order’s “core continuing mandate—to provide notice to consumers when software applications engage in potentially invasive tracking.”
The petition will be subject to public comment through December 8, 2017. After that time, the Commission will decide whether to approve Sears’ petition to modify the definition of “tracking application” in the 2009 FTC order.