From the FTC:
A web analytics company has agreed to settle Federal Trade Commission charges that it violated federal law by using its web-tracking software that collected personal data without disclosing the extent of the information that it was collecting. The company, Compete Inc., also allegedly failed to honor promises it made to protect the personal data it collected.
Compete is a company that uses tracking software to collect data on the browsing behavior of millions of consumers, then uses the data to generate reports, which it sells to clients who want to improve their website traffic and sales.
The proposed settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already has collected, and that it provide directions to consumers for uninstalling its software.
According to the FTC, Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services, the FTC alleged. The company also allegedly promised that consumers who installed another type of its software– the Compete Toolbar (from compete.com)– could have “instant access” to data about the websites they visited.
Compete also licensed its web-tracking software to other companies, the FTC alleged. Upromise, which licensed Compete’s web-tracking software, settled similar FTC charges earlier this year.
Once installed, the Compete tracking component operated in the background, automatically collecting information about consumers’ online activity. It captured information consumers entered into websites, including consumers’ usernames, passwords, and search terms, and also some sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security Numbers, according to the FTC.
The FTC charged that several of Compete’s business practices were unfair or deceptive and violated the law. For example, the company failed to disclose to consumers that it would collect detailed information such as information they provided in making purchases, not just “the web pages you visit.”
In addition, the FTC alleged that Compete made false and deceptive assurances to consumers that their personal information would be removed from the data it collected. The company made statements such as:
- “All data is stripped of personally identifiable information before it is transmitted to our servers;” and
- “We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information.”
Despite these assurances, the FTC charged that Compete failed to remove personal data before transmitting it; failed to provide reasonable and appropriate data security; transmitted sensitive information from secure websites in readable text; failed to design and implement reasonable safeguards to protect consumers’ data; and failed to use readily available measures to mitigate the risk to consumers’ data.
The proposed settlement order requires Compete and its clients to fully disclose the information they collect and get consumers’ express consent before they collect consumers’ data in the future. In addition, the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years.
The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0-1, with Commissioner J. Thomas Rosch abstaining. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through November 19, 2012, after which the Commission will decide whether to make the proposed consent order final. Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” sectionhttps://ftcpublic.commentworks.com/ftc/competeincconsent. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.