This domain name is for sale. Bid or buy now.



FTC Signals Tougher Standard
 for Online Tracking Disclosures

By Charles Kennedy

On June 4, 2009, the Federal Trade Commission announced a proposed consent agreement with Sears Holdings Management Corporation (“SHMC”). The settlement is not final and does not include any finding of wrongdoing by SHMC, but it sends a strong signal that the FTC will subject online tracking of consumer behavior to a stringent standard of disclosure. Firms that offer or rely upon behavioral advertising or other online data collection activities should be aware of the proposed settlement, and should assess the prominence and completeness of the disclosures they make to consumers in light of the SHMC proceeding.

The FTC’s Complaint Against SHMC: Perhaps the most striking feature of the complaint is that the FTC acted against a company that had fully disclosed, and obtained consumers’ agreement to, the tracking practices at issue. The essence of the complaint is not that those disclosures were absent, but that they should have been made sooner and given greater prominence.

Specifically, according to the FTC’s complaint, SHMC enrolled consumers in a program that included installation on the consumers’ computers of a monitoring application. The complaint alleged that the application “would:  monitor nearly all of the Internet behavior that occurs on consumers’ computers, including information exchanged between consumers and websites other than those owned, operated, or affiliated with (SHMC), information provided in secure sessions when interacting with third-party websites, shopping carts, and online accounts, and headers of web-based email;  track certain non-Internet-related activities taking place on those computers;  and transmit nearly all of the monitored respondent’s remote computer servers.

SHMC introduced the program to consumers by serving pop-up ads on and websites that invited consumers to join the “My SHC Community.” The initial invitation included no disclosures about the community’s online tracking component. However, the follow-up email invitation sent to consumers who furnished their email addresses to SHMC specifically stated that participants would be asked to “download software” that “will confidentially track your online browsing.” This second invitation also disclosed that the community would “collect information about (the participant’s) internet usage.”

Consumers who clicked a “Join Today” button on this second invitation were taken to a landing page. Here, they had an opportunity to click on a second “Join Today” button, which took them to a registration page. The registration page included a scroll box with a “Privacy Statement and End User License Agreement” that exhaustively described the data collection activities that would accompany membership in the community. The complaint does not allege that the disclosures made in this Privacy Statement and End User License Agreement were in any way incomplete.

SHMC’s registration procedure also ensured that consumers did not download and install the online tracking application until they had had an opportunity to read the Privacy Statement and End User License Agreement. Consumers were required to check a box next to the following statement:  “I am the authorized user of this computer and I have read, agree to, and have obtained the agreement of all computer users to the terms and conditions of the Privacy Statement and User License Agreement.” If consumers then clicked the “Next” button at the bottom of the registration page, they were taken to an installation page that explained how to download and install the application. Consumers then clicked another “Next” button to download the application, and clicked an “Install” or “Yes” button to install the application.

According to the FTC’s complaint, SHMC committed “unfair or deceptive acts or practices” by failing to adequately disclose the extent of the online tracking activities that would result from enrollment in the program.   Specifically, the FTC appears to contend that detailed disclosures should have been provided before consumers encountered the Privacy Statement and End User License Agreement.

The proposed consent agreement would require disclosure of the entire functionality of the online tracking application “prior to the display of, and on a separate screen from, any final ‘end user license agreement,’ ‘privacy policy,’ ‘terms of use’ page, or similar document . . .” The consent agreement would also require an “express consent from the consumer to the download or installation of the Tracking Application and the collection of data by having the consumer indicate assent to those processes by clicking on a button or link that is not pre-selected as the default option and that is clearly labeled or otherwise clearly represented to convey that it will initiate those processes, or by taking a substantially similar action.”

The commitments set out in the proposed consent agreement go well beyond existing law and previous FTC requirements for disclosure of privacy practices. Notably, court decisions concerning the related process of online contract formation require only that consumers have fair notice of the existence of online contract terms and give clear consent to those terms. The process adopted by SHMC appears to satisfy this standard. Similarly, the FTC’s past guidance on disclosure of online privacy practices has urged only that online merchants should give clear and conspicuous notice of their information practices – a policy that Internet services generally have satisfied by posting clear and complete privacy policies.

The SHMC settlement suggests a more stringent standard for one class of privacy practices. Where online monitoring of consumers’ Internet usage is concerned, the FTC apparently will require that detailed disclosures of those practices not only must be made, but must be made early and conspicuously; and that the tracking programs may be implemented only with the consumers’ express consent. In fact, the complaint suggests that any advertisement or promotional statement concerning a service that will involve online tracking is deceptive unless it is accompanied by immediate, complete disclosure of the tracking process involved. Deferring those disclosures until the consumer is at the point of downloading or installing the tracking application apparently will be insufficient under the standard announced in the settlement.

The Proceeding in Context: Among other implications, the SHMC enforcement proceeding may be a step toward FTC regulation of behavioral advertising, which relies heavily on online tracking technologies. Beginning with a town hall meeting held in late 2007, the FTC has repeatedly announced its concern with “the tracking of consumers’ online activities in order to deliver tailored advertising.”  Although the Commission has confined itself primarily to the adoption of voluntary guidelines to govern these practices, FTC Chairman Leibowitz stated as recently as April of this year that online advertisers are approaching their “last clear chance” to avoid legislation or mandatory regulation.

Although the SHMC proceeding may be the first round in a regulatory initiative aimed at behavioral advertising and related practices, that initiative might never reach the stage of formal rulemaking. The FTC sometimes defines the kinds of practices it finds unacceptable not by writing rules, but by bringing individual enforcement proceedings and entering into settlement agreements that create a compliance framework for businesses that want to avoid becoming the target of similar proceedings in the future. Notably, this is the approach the Commission has taken in its multi-year campaign against failures to secure customers’ personal information against unauthorized access. The SHMC agreement is subject to public comment through July 6, 2009, after which the Commission will decide whether to make it final.   Service providers that rely upon tracking technologies should assess their policies and practices in light of the FTC’s apparent determination to subject online tracking to more stringent enforcement.

Charles Kennedy, of counsel for Morrison & Foerster, focuses his practice on privacy, data protection, e-commerce, and telecommunications. He has represented major corporations in privacy and information security proceedings before the Federal Trade Commission. Mr. Kennedy also serves as adjunct professor of law at Catholic University of America, where he teaches cyberlaw and telecommunications regulation.

[Contact the author for permission to republish or reuse this article.]

Home      Recent Articles      Author Index      Topic Index      About Us
2005-2018 Peter DeHaan Publishing Inc   ▪   privacy statement