Privacy & Information Security Law Blog

On June 4, 2009, the Federal Trade Commission (“FTC”) reported that Sears Holdings Management Corporation (“Sears”) agreed to enter into a settlement regarding the Commission’s allegations that the company violated Section 5 of the FTC Act in connection with a new online community application it had developed.  Participation in the community allowed Sears to track consumers’ online and, to some extent, offline activities.  The FTC’s action is notable as a potential precursor to future enforcement by the FTC in the areas of both transparency and tracking online behavior, the latter having been previously highlighted as an area of interest for the agency.  The settlement, discussed in more detail below, is notable in that its requirements make clear that substantial tracking of consumer behavior must be sufficiently transparent (not disclosed only in a lengthy privacy policy or agreement), consumers’ opt-in consent to such tracking must be obtained and, disclosures regarding the nature of the tracking must be made at a meaningfully early stage of the transaction.

The enforcement action began after Sears disseminated a “research” software application for consumers to download and install on their home computers in connection with the “My SHC Community” program.  According to the FTC, Sears represented to consumers that this software application, if downloaded and installed, would track consumers’ “online browsing” activities.  The FTC alleged that Sears failed to disclose to consumers that the application would (i) track nearly all of the consumers’ online behavior (including information provided in secure sessions with third-party websites, shopping carts and online accounts), (ii) track certain offline activity on the computer, and (iii) transmit most of the tracked information to Sears’ remote computer servers.  In its complaint, the FTC argued that these facts would be material to consumers when deciding whether to install the software, and Sears’ failure to disclose the information constituted a deceptive act in violation of Section 5 of the FTC Act.  The FTC acknowledged the application “functioned and transmitted information substantially as described in the [Privacy Statement and User License Agreement],” but noted that this disclosure was available only in the lengthy agreement provided near the end of the multi-step registration process.

As part of the proposed settlement, Sears has agreed to do the following:

• Disclose to consumers all of the types of data that will be tracked by any software program or application disseminated by or on behalf of Sears, its subsidiaries or affiliates, that is capable of being installed on consumers’ computers and is used to monitor, record or transmit information about activities occurring on those computers or data that may be stored on, created on, or transmitted to or from those computers.  Disclose how data collected by such an application may be used, and whether the data may be used by a third party.  In accordance with the settlement, this information must be provided to the consumer on a distinct page prior to the display of any privacy policy, terms of use or end user license agreement.
• Obtain express, opt-in consent from consumers to the download of any such application and the collection of data through use of a button or link that is not pre-selected and is clearly labeled.
• Provide notification within thirty days of approval of the settlement to consumers who previously installed such an application.  This notification must explain (i) that they installed a Sears’ tracking application, (ii) that the application collects and transmits data as described in the company’s “Privacy Statement & User License Agreement,” and (iii) how they may uninstall the application.  The notification must be prominently posted on the My SHC Community website for two years from approval of the settlement.
• Within three days of the approval of the settlement, discontinue collecting any data transmitted by such applications installed prior to approval of the settlement.
• Within five days of the approval of the settlement, destroy any information collected about consumers by Sears through the use of the application in all cases where the application was installed prior to approval of the settlement.