Date: 2017-04-07
On March 17, 2017, the Federal Trade Commission (FTC)
announced that it had reached a $500,000 settlement with
Upromise, a membership reward service aimed at families saving for
college. The FTC had alleged that Upromise violated a 2012 FTC
consent order by failing to make required disclosures about its
data collection and use practices and not obtaining third-party
assessments as agreed. This settlement illustrates not only the
FTC's continued focus on online data privacy and security
issues, but also the Commission's interest in ensuring that
companies adhere to the terms of their settlement agreements.
Background and 2012 Order
Upromise offers a loyalty program that is free to join and
provides credit toward college savings plans, or toward paying down
student loans for members who make eligible purchases from partner
businesses.
In 2012, the FTC reached a
settlement with Upromise following charges that the company was
using its "TurboSaver" toolbar to collect consumers'
personal information without adequately disclosing the extent of
the collection, then transmitting that data over the internet in an
insecure manner. In the
2012 Order, Upromise agreed to (1) clearly disclose its toolbar
data collection practices, including the types of information
collected and how data was being used; (2) obtain affirmative
consent from users prior to collecting their data; and (3) notify
consumers who had previously downloaded the toolbar about the data
collection and provide instructions to disable the toolbar.
Upromise was also required to establish a comprehensive information
security program and obtain biennial third-party security
assessments for 20 years.
Complaint and Proposed Order
In its
March 2017 Complaint, the FTC alleged that following the 2012
Order, from March 2013 to January 2016, Upromise violated the terms
of the Order by failing to clearly disclose its data collection and
use practices to consumers who downloaded its RewardU toolbar.
Specifically, the FTC argued that Upromise's disclosures were
confusing to consumers and that its security assessment of the
toolbar was inadequate.
The
Stipulated Order prohibits Upromise from violating the 2012
Order and imposes a $500,000 civil penalty. Further, Upromise
must:
(1) Obtain an evaluation of, and report on, its practices regarding
informed user consent to data collection and use from a qualified,
objective, independent third-party professional that specializes in
website design, should it launch a future version of the toolbar;
(2) Obtain written approval from the FTC of its security
assessment's scope and design relating to the future toolbar; and
(3) Permanently expire any RewardU-related cookies it previously
placed, and notify all consumers who downloaded the RewardU toolbar
to uninstall the toolbar, with instructions on how to remove it and
delete associated cookies.
The Order also imposes additional compliance reporting,
recordkeeping, and monitoring requirements.
It's no secret that the FTC has become increasingly active
in scrutinizing how companies are collecting, using, and securing
consumer data online. This Order emphasizes that repeated
violations can result in significant penalties, and that the FTC is
keeping a watchful eye on companies it has previously called out
for alleged data protection failures.
