WSGR ALERT

FTC Settlement with Sears Signals Increased Enforcement Risks for Privacy Missteps

June 15, 2009

On June 4, 2009, the Federal Trade Commission (FTC) announced a proposed administrative settlement that signals that material disclosures regarding privacy made only in a privacy policy, end-user license agreement, terms-of-service agreement, or similar document may not provide adequate notice to consumers. The matter involved a software application distributed on behalf of Sears Holding Corporation (SHMC) that allegedly collected personal information, including sensitive personal information, without proper disclosure to users.

SHMC had disclosed the scope of the information tracked by the application, but did so in the middle of a lengthy user license agreement provided to consumers at the end of a multi-step registration process. The FTC's complaint charged that SHMC's failure to adequately disclose the scope of the application's data collection, in light of SHMC's representation that the application would track consumers' "online browsing," was deceptive and in violation of the FTC Act.

This alert discusses the FTC's complaint, its proposed settlement, and the implications for companies offering software and services entailing the collection of personal information from consumers.

Background

SHMC operates the Sears.com and Kmart.com websites and handles Sears' and Kmart's marketing operations. Between April 2007 and January 2008, certain visitors to Sears.com and Kmart.com were asked to participate in the "My SHC Community" program by SHMC. The company offered to pay participants $10 to download and install a "research" application that would confidentially track the participants' online browsing.

When installed, the application operated in the background at all times on consumers' computers, tracked information relating to online and offline activity on their computers, and transmitted that information to servers maintained on SHMC's behalf. The information tracked included:

  • websites visited;
  • items placed in shopping baskets;
  • business transacted during secure sessions;
  • completion of online application forms;
  • online account activity; and
  • use of Web-based email and instant-messaging services, through the use of select header information.

Notably, each of these tracking activities was disclosed within the "Privacy Statement and User License Agreement" displayed on the registration page. SHMC disclosed the agreement in a scroll box that displayed approximately 10 lines of text at a time.

Neither the initial pop-up advertisement for the program nor the email message delivered to those consumers who indicated interest in the program had disclosed the breadth of data collection occurring through the downloaded application. The initial pop-up message made no mention of the tracking application. The follow-up email disclosed only that the user's online browsing would be tracked with the application, and that users would be able to learn more about the application during the registration process for the My SHC Community program.

The FTC's Complaint and Settlement

The FTC alleged that SHMC, expressly or by implication, had represented to consumers that the software application would only track consumers' online browsing. SHMC had, according to the complaint, failed to disclose adequately that the application would track vast amounts of information, including information provided in secure browsing sessions, certain non-Internet-related activities taking place on the computer, and information exchanged between the consumer and third parties, and would transmit nearly all of that information to remote servers operated on SHMC's behalf.

The FTC alleged that these facts would be material to consumers in deciding whether to install the software, and that SHMC's failure to disclose those facts was, in light of the representations made to consumers, deceptive. Under Section 5 of the FTC Act, a failure to disclose information about a product or service is deceptive if it is likely to mislead and the omitted information is "material." The FTC Act gives the FTC broad and flexible authority to determine whether commercial practices are deceptive.

In its proposed settlement with SHMC, the FTC required, among various other things, that SHMC do the following before asking consumers to download or install any future tracking applications: clearly and prominently disclose the type of information that will be collected, how it will be used, and whether it will be disclosed to third parties. The company also must obtain express consent before enabling download or installation of any similar software.

Implications

The settlement represents the latest in a series of legal developments in which regulators and plaintiffs have challenged the adequacy of notice and consent disclosures in the context of browser data collection. It also provides the latest indication of what the FTC deems adequate for providing notice to consumers and obtaining their consent where underlying privacy concerns may be present.

The FTC's requirement that SHMC provide conspicuous disclosure to consumers of the extent of the data collection performed by its tracking software, separate from general privacy statements, is consistent with the guidance given by the FTC in its principles for the self-regulation of online behavioral advertising. As discussed in Wilson Sonsini Goodrich & Rosati's alert on that topic,[1] the FTC encouraged companies to design creative, effective disclosure mechanisms, separate from their privacy policies, that would provide meaningful notice to consumers of the collection and use of information for online behavioral advertising.

The FTC's settlement with SHMC continues the trend toward encouraging innovative, conspicuous means of explaining to consumers how they are being watched online and how they can choose not to be observed. This trend creates pressure on businesses that rely on advertising and data collection to improve privacy policies, terms of use, and similar agreements. In particular, the FTC's action indicates that it is willing to find a deceptive practice where advertising copy or other documentation made available to consumers provides, expressly or impliedly, information that is inconsistent with disclosures found only in a privacy statement or similar document. A byproduct of the settlement is the renewed importance of adequate review of marketing and advertising claims, including support by counsel, to ensure that privacy and related legal disclosures are harmonized with other statements that the FTC would conclude consumers might rely upon.

Companies offering software or services that may involve the collection of sensitive information may consider the SHMC settlement a warning and guide to review how they communicate with consumers, particularly with respect to privacy issues.

Wilson Sonsini Goodrich & Rosati's attorneys routinely advise clients on compliance with the FTC's consumer-protection initiatives, including its actions to prevent unfair and deceptive acts regarding the privacy and security of consumers' personal information. The firm also assists companies with all aspects of risk management associated with the collection, use, and disclosure of information online. If you have questions in these areas, please contact Lydia Parnes at lparnes@wsgr.com or (202) 973-8801; Gerry Stegmaier at gstegmaier@wsgr.com or (202) 973-8809; or Matt Staples at mstaples@wsgr.com or (206) 883-2583.



[1] Wilson Sonsini Goodrich & Rosati's alert on the FTC's revised principles for the self-regulation of online behavioral advertising is available at http://www.wsgr.com/wsgr/Display.aspx?SectionName=publications/PDFSearch/clientalert_behavioral_advertising.htm.