Skip Page Banner  
Skip Navigation

Online Membership Service Settles FTC Charges That Browser Toolbar Deceptively Collected Consumers' Personal Information

Friday, February 10, 2012
Upromise, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 77 Fed. Reg. 2543 (Jan. 18, 2012) The Federal Trade Commission ("FTC") published a proposed consent agreement with Upromise, Inc. over charges that the company did not follow its own privacy policy when it collected its customers' personal information, violating of Section 5 of the FTC Act, 15 U.S.C. § 45(a). The FTC claimed that the service did not adequately disclose its information gathering practices and failed to assess the risk if it would collect personal information without authorization.

Membership Toolbar Collected Personal Information

According to the FTC, Upromise is a membership reward service in which members receive rebates when making online purchases from merchants who participate in the Upromise program. Members were required to download and install the Upromise TurboSaver Toolbar ("Toolbar") in their web browsers. Among other things, the Toolbar modified the user's Internet browser to highlight Upromise merchants in consumers' search results. The Toolbar, which was developed by a third-party service provider, had an optional "Personalized Offers" feature, which collected and transmitted information through the browser for analysis by the service provider. The FTC's complaint was based on the use of the Toolbar to gather information about their members' online behavior and to target advertising to the user.

FTC Claimed Tools Had Inadequate Privacy Protection

Upromise told its customers that the modified version of the Toolbar, called the "Targeting Tool," gathered information about the websites that consumers visited. The FTC's complaint alleged that Upromise failed to disclose the full extent of data collected through the software. The FTC claimed that the Targeting Tool collected information including: the names of all web sites visited; all links clicked; usernames, passwords, and search terms; financial account numbers, and Social Security numbers, all without the consumers' knowledge. According to the complaint, the feature was enabled on at least 150,000 computers. Upromise privacy and security statements also claimed that personal information might occasionally be collected by the feature, but a filter would remove it before transmission. According to the FTC, the filter was ineffective. For example, it blocked the entry of data in a field named "PIN," but not in one named "security code." Upromise also stated that personal information was encrypted before transmission, but the information was transmitted in clear text, according to the FTC. The policies further stated that Upromise had implemented procedures to safeguard personal information, and those procedures had been inspected by industry specialists. Based on these alleged inconsistencies, the FTC claimed that Upromise misrepresented its privacy and security practices, including falsely stating that consumers' data would be encrypted. The complaint alleged the inaccurate privacy assurances were constituted false and deceptive practices in violations of federal law.

FTC Claimed Company Failed to Use Readily Available Measures to Address Risks

According to the FTC, Upromise "failed to use readily available, low-cost measures to assess and address the risk that the Targeting Tool would collect such sensitive consumer information it was not authorized to collect." FTC Complaint

To view additional stories from Bloomberg Law® request a demo now