In a significant action signaling the high risks involved in collecting personal information online, the FTC recently settled charges against the online membership program Upromise Inc. Upromise offers its members the opportunity to purchase products from certain partner merchants, receive cash rebates in return, then place those rebates into college savings accounts. In order to use the program, consumers download a toolbar onto their computers that highlights partner merchants in consumers’ search results so they may easily find companies that are part of the Upromise program.
In addition to the standard toolbar, Upromise offered its members the option of activating a “personalized offers” feature that collected and transmitted information through a member’s browser (the FTC refers to this feature as the “Targeting Tool”). The information collected was subsequently used to provide targeted advertising to the member.
The FTC took issue with Upromise’s Targeting Tool, which it alleged collected large amounts of highly sensitive personal information from its members, including the websites they visited; their usernames and passwords; and, in some instances, information entered into forms on secure web pages, such as credit card and account numbers, security codes and social security numbers. The FTC alleged that this information was collected and, in some instances, transmitted to a third party without proper protections and safeguards.
Upromise’s privacy statement noted that the Toolbar might “infrequently” collect some personal information, but that any identifiable information would be removed. The FTC alleged that the filter Upromise purportedly used to avoid collecting certain sensitive data was too narrow and improperly structured, and that data collected by the Targeting Tool and then transmitted to a third-party provider for analysis was sent over the internet in clear text rather than in encrypted form. Data transmitted in clear text is highly vulnerable to interception, particularly over unsecured networks such as those in coffee shops and other public spaces. The FTC also alleged that Upromise failed to test its security measures to ensure they functioned properly and provided adequate protections.
In its recent settlement with the FTC, Upromise agreed to take a variety of ongoing measures to ensure proper security of personal information and disclosures to consumers consistent with the level of security actually provided.
The FTC’s complaint and the Consent Order agreed to by Upromise highlight key lessons for companies that collect and utilize data entered by consumers over the Internet. Sensitive personal information should always be encrypted before it is transmitted via the Internet. Technology related to data collection and security should be tested and checked regularly and on an ongoing basis using a reliable, certified set of tools and measures. Privacy and security policies should be displayed to consumers in a clear and prominent way, and should inform consumers of the risks involved in providing personal information, either actively or passively, through the use of an Internet tool. And users should always be given a clear, affirmative opportunity to opt out of the collection of their personal information or its transmission to third parties. The more sophisticated Internet technology becomes, the more important these lessons are.