On October 22, 2012, the Federal Trade Commission announced a proposed settlement agreement with Compete, Inc. (“Compete”), an online market research company that collects clickstream data from consumers to generate and sell analytical reports about consumer behavior on the Internet.

In its complaint against Compete, the FTC alleged that since January 2006, Compete used two data collection software products, Compete Toolbar and Consumer Input Panel, to collect data about consumers. In addition, Compete received data from third parties to whom it licensed its data collection software for their use. According to the complaint, the FTC maintained that, in connection with its products, Compete made false and deceptive assurances to consumers that (1) personal information would be removed or filtered from the data collected and (2) the company employed “reasonable and appropriate” security measures to protect the data. The FTC claimed that “[i]n fact, Compete collected more than browsing behavior or addresses of web pages. It collected extensive information about consumers’ online activities and transmitted the information in clear readable text to Compete’s servers. The data collected included information about all websites visited, all links followed, and the advertisements displayed when the consumer was on a given web page.” The FTC further alleged that Compete also collected information consumers communicated on secure web pages, including credit card numbers, security codes and expiration dates, financial account numbers, usernames, passwords, search terms and Social Security numbers.

The proposed settlement requires Compete to clearly and prominently disclose to consumers all types of information that will be collected and used, and to obtain the consumers’ express, affirmative consent to the data collection and use. The settlement also requires Compete to (1) delete or anonymize the personal data it had previously collected from consumers through its software, (2) notify affected consumers of the presence of the relevant Compete software, (3) provide instructions for permanently disabling or uninstalling the Compete software and (4) establish and maintain a comprehensive information security program subject to biennial, independent, third-party audits for 20 years.