Yesterday, the FTC announced that it has settled charges against Upromise, Inc., a company that enables consumers to receive rebates when shopping at partner merchants.  (The rebates are placed in college savings accounts—hence Upromise’s name.)  According to the Commission’s complaint, Upromise offered online users a toolbar feature which, once downloaded, would highlight Upromise’s partners in search engine results.  The toolbar also allowed users to opt in to receiving tailored advertising.  In connection with this aspect of the toolbar, the FTC alleged that Upromise (through an unnamed service provider) collected the names of all websites a user visited and all links clicked, as well as information that users entered into some webpages (which, in some cases, included credit card and financial account numbers, security codes, expiration dates and Social Security numbers). 

The Commission charged that the scope and frequency of the data collection was much broader than Upromise represented in its privacy statement.  The FTC contended that, despite using a filter intended to limit the collection of personally identifiable information, Upromise still sometimes collected sensitive data such as PINs and security codes.  Finally, the FTC alleged that Upromise collected this information by causing the user’s browser to transmit it in clear text, which left it vulnerable to interception by anyone on the network path—particularly when users were connected to the Internet through unsecured wireless networks.  The FTC stated that by engaging in these practices, Upromise failed to adequately disclose the extent of its data collection and also “failed to provide reasonable and appropriate security for [the] consumer information” that was collected. 

Notably, the Commission described these alleged shortcomings in terms of Upromise’s failure to integrate privacy protections into the design and implementation of the toolbar feature (i.e., its failure to sufficiently adhere to the principle of “privacy by design,” which the Commission described in its December 2010 preliminary staff report).  For example, the complaint faulted Upromise for not testing the ad-tailoring feature or monitoring its collection of information after implementation to ensure that the collection was consistent with Upromise’s policies.  The complaint also alleged that Upromise had failed to ensure that employees responsible for creating and operating the feature received adequate training about security risks and Upromise’s privacy and security policies.  Similarly, the Commission alleged that Upromise did not take appropriate steps to ensure that its service provider implemented the feature in a manner that was consistent with Upromise’s policies and the contractual provisions designed to protect consumer information. 

As in recent FTC settlements involving privacy and data security issues, the Upromise consent decree (among other things) would require the company to implement privacy by design in the form of a comprehensive information security program and to obtain independent third-party audits of that program for 20 years.