Privacy & Information Security Law Blog

On January 5, 2012, the Federal Trade Commission announced a proposed settlement with Upromise, Inc., a membership reward service that gives cash rebates for college savings accounts to members who purchase products and services from its partner merchants. The FTC alleged that the “Personalized Offers” feature on the Upromise TurboSaver Toolbar (1) collected far more information about users’ browsing behavior than was disclosed at the time of installation, and (2) contrary to representations in the company’s privacy notice, transmitted that information, which included data such as Social Security numbers and financial account numbers, in clear text.

According to the complaint, Upromise offered consumers a web browser toolbar that highlighted Upromise partner companies in consumers’ search results. The toolbar incorporated a “Personalized Offers” feature that, when enabled, collected and transmitted information through the consumer’s browser then used the browsing information to provide targeted advertising. At the time, consumers were offered the option to activate the Personalized Offers feature during the download process, Upromise provided the following description of how information would be collected and used: “By enabling the Personalized Offers feature, information about the web sites you visit will be collected. This information is used to provide college savings opportunities tailored to you.”

Once the Personalized Offers feature was activated, the toolbar collected the names of all websites visited, all links clicked, and information entered on certain websites, such as usernames, passwords and search terms. For a while, the toolbar was configured to include consumers’ interactions with forms on secure web pages, such as those operated by banks.

The Upromise privacy notice stated that the toolbar might “infrequently” collect some personal information, but that a filter would “remove any personally identifiable information” prior to transmission. It also stated that “every commercially viable effort” would be made “to purge their databases of any personally identifiable information.” According to the FTC, however, the filter was ineffective, and the toolbar transmitted the information it gathered – including in some cases credit card and financial account numbers, and Social Security numbers entered into web pages, including secure web pages – over the Internet in clear text.

The complaint identified four alleged violations of the FTC Act:

1. Upromise told consumers that it would collect and transmit some information about their browsing activities but failed to explain how extensive the collection and transmission would be;
2. Upromise falsely promised users that the information it transmitted would be encrypted;
3. Upromise falsely represented, expressly or by implication, that it employs reasonable and appropriate measures to protect data obtained from consumers from unauthorized access; and
4. separate from any misrepresentation, Upromise’s failure to employ reasonable and appropriate measures to protect consumer information caused or was likely to cause substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers.

The proposed consent order requires Upromise to destroy the data it collected through the Personalized Offers feature, to provide clear and prominent disclosures to consumers and receive their affirmative consent before installing any similar product, to provider certain information to current users of Personalized Offers (including how to disable and uninstall the feature), to establish and maintain a comprehensive information security program and to obtain biennial, independent, third-party audits for 20 years.

Update: On April 3, 2012, the FTC approved the settlement order with Upromise.