Consumer Privacy Issues
The Federal Trade Commission’s Sears Holdings Enforcement Action – Developments in Online Behavioral Advertising, Privacy and Social Media
By Melissa Krasnow and Peter Skrief
In 2009, the FTC brought the enforcement action In the Matter of Sears Holdings Management Corporation, FTC File No. 082 3099. Sears Holdings Management Corporation (“Sears Holdings”) disseminated via the Internet a software application for consumers to install onto their computers (the “Application”) to participate in an online community. The “Privacy Statement and User License Agreement” (the “Agreement”) on the consumer registration page described the Application’s specific functions beginning at the 75th line, including how consumers could stop participating and remove the Application from their computers. The Agreement also included a reservation of right to continue to use information collected before a consumer’s “resignation.” Consumers needed to indicate through a blank checkbox next to a statement that they had read and agreed to the terms and conditions of the Agreement before installation. The Application functioned and transmitted information substantially as described in the Agreement when installed.
The FTC alleged that the following facts would be material to consumers in deciding to install the Application and the failure to disclose these facts, in light of the representations made, was a deceptive practice in violation of Section 5 of the Federal Trade Commission Act. The Application when installed would (i) monitor nearly all of the Internet behavior occurring on consumers’ computers, including (A) information exchanged between consumers and websites other than those owned, operated or affiliated with Sears Holdings, (B) information provided in secure sessions when interacting with third-party websites, shopping carts and online accounts and (C) headers of web-based email; (ii) track certain non-Internet related activities on those computers and (iii) transmit nearly all monitored information to the remote computer servers of Sears Holdings.
The FTC issued and approved a consent order in late 2009. This order is in effect for approximately 20 years. First, Sears Holdings must cease collecting any data transmitted, and destroy any information or data transmitted from a computer, by an Application installed before the order to any Sears Holdings computer server.
Second, Sears Holdings must notify affected consumers who downloaded and installed the Application on a computer in connection with the on-line community (i) that they have installed the Application on their computers (which collects and transmits to Sears Holdings and others the data described in the Agreement) and (ii) of how to uninstall the Application. Sears Holdings must provide prompt, toll-free, telephonic and electronic mail support to help affected consumers uninstall any Application. Notification must be made for two years by posting of a clear and prominent notice on the on-line community website. The order defines “clearly and prominent” with respect to text, video, audio and interactive media. For three years, Sears Holdings must notify affected consumers who complain or inquire about any Application.
Fourth, Sears Holdings must obtain express consent from the consumer to the download or installation of the Application and the collection of data by having the consumer indicate assent to those processes by clicking on a button or link that is (i) not pre-selected as the default option and (ii) clearly labeled or otherwise clearly represented to convey that it will initiate those processes or by taking a substantially similar action.
Finally, Sears Holdings must (i) file with the FTC written reports regarding the manner and form of its compliance with the order and (iii) maintain and upon request make available to the FTC copies of all documents relating to compliance with the order for four years.
According to FTC Chairman Jon Leibowitz at the FTC Privacy Roundtable in December 2009, “[t]he thrust of our case was that, while the extent of tracking was described in the [Agreement], that disclosure wasn’t sufficiently clear or prominent given the extent of the information tracked, which included online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. So consumers didn’t consent with an adequate understanding of the deal they were making.”
This enforcement action followed the FTC’s issuance of its Staff Report on Self-Regulatory Principles for Online Behavioral Advertising in 2009, which describes the following four Principles: (i) transparency and consumer control, (ii) affirmative express consent to (or prohibition against) using sensitive data for behavioral advertising, (iii) reasonable security and limited data retention for consumer data and (iv) affirmative express consent for material changes to existing privacy promises. The first and second Principles are relevant to the enforcement action. First, every website where data is collected for behavioral advertising should provide a clear, concise, consumer-friendly, and prominent statement that (A) data about consumers’ activities online is being collected at the site for use in providing advertising about products and services tailored to individual consumers’ interests and (B) consumers can choose whether or not to have their information collected for this purpose. The website should also provide consumers with a clear, easy-to-use, and accessible method for exercising this option. Second, companies should collect sensitive data for behavioral advertising only after they obtain affirmative express consent from the consumer to receive this advertising.