A web analytics company has agreed to settle Federal Trade Commission charges that it violated federal law by using its web-tracking software to collect personal data without disclosing the extent of the information being collected.
Compete Inc. allegedly failed to honor promises it made to protect the personal data. The settlement will require that Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or make anonymous the use of the consumer data it already has collected and that it provide directions to consumers for uninstalling its software.
Compete uses tracking software to collect data on the browsing behavior of millions of consumers, then uses the data to generate reports - which it sells to clients who want to improve their Web site traffic and sales.
According to the FTC, Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s Web site, www.consumerinput.com. Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services, the FTC alleged.
The company also allegedly promised that consumers who installed another type of its software - the Compete Toolbar (from compete.com) - could have “instant access” to data about the Web sites they visited.
Compete also licensed its web-tracking software to other companies, the FTC alleged. Upromise, which licensed Compete’s web-tracking software, settled similar FTC charges earlier this year.
Once installed, the Compete tracking component operated in the background, automatically collecting information about consumers’ online activity. It captured information consumers entered into Web sites, including consumers’ usernames, passwords, and search terms, and also some sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security Numbers, according to the FTC.
The FTC charged that several of Compete’s business practices were unfair or deceptive and violated the law. For example, the company failed to disclose to consumers that it would collect detailed information such as information they provided in making purchases, not just “the web pages you visit.”
The FTC additionally alleged that Compete made false and deceptive assurances to consumers that their personal information would be removed from the data it collected. The company made statements such as:
• “All data is stripped of personally identifiable information before it is transmitted to our servers;” and
• “We take reasonable security measures to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of personal information.”
Despite these assurances, the FTC charged that Compete failed to remove personal data before transmitting it; failed to provide reasonable and appropriate data security; transmitted sensitive information from secure Web sites in readable text; failed to design and implement reasonable safeguards to protect consumers’ data; and failed to use readily available measures to mitigate the risk to consumers’ data.
The settlement order requires Compete and its clients to fully disclose the information they collect and get consumers’ express consent before they collect consumers’ data in the future.
The settlement further bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years.
The FTC will publish a description of the consent agreement package in the Federal Register. The agreement will be subject to public comment for 30 days, beginning today and continuing through November 19, after which the FTC will decide whether to make the proposed consent order final.