FTC Consent Decree Targets Allegedly Deceptive Toolbar

By David Silverman The FTC has reached a settlement with UPromise, Inc., a membership reward service aimed at helping save for college, to resolve charges that company allegedly used a web-browser toolbar to collect consumers’ personal information, without adequately disclosing the extent of personal information collected. Under the settlement, UPromise must destroy all data it collected under the “Personalized Offers” feature of its “TubroSaver” toolbar, clearly disclose its data collection practices and obtain consent to collection of personal information from those using the toolbar before it is installed or re-enabled, and must further establish a comprehensive information security programing, requiring biennial independent security assessments, for the next 20 years. UPromise is a website that allows users to save money for college by getting rebates offered by partner merchants. As part of that website, UPromise offers a downloadable “TurboSaver Toolbar” that highlights UPromise partner merchants in search results, and allows users to get “personalized offers” based on websites visited. UPromise stated that it “automatically encrypts . . . sensitive information” and “infrequently” collected personal data “inadvertently,” and that any personally identifying data would be deleted prior to transmission. The FTC found that UPromise was not being truthful and filed a complaint alleging unfair or deceptive trade practices under Section 5(a) of the FTC Act. Specifically, the FTC found that the Toolbar was collecting the names of all websites visited by its users as well as information entered into web pages by those users, including user names, passwords, credit card numbers, social security numbers and other financial and/or sensitive data.  Furthermore, this data was transmitted in unencrypted, clear text that could be intercepted or viewed by third parties in a wifi environment. The FTC complaint has resulted in a proposed consent decree requiring UPromise to take the following steps, among others:

1. UPromise must disclose the types of information collected and how it will be used prior to consumer download or installation of the Toolbar or any software that records or transmits information about activity occurring on that computer;
2. UPromise must advise consumers who had previously downloaded the Toolbar of the types of information that may have been collected and how to disable or uninstall the Toolbar;
3. UPromise must destroy all the data it previously collected via the Toolbar;
4. UPromise cannot make any misrepresentations about security, privacy, confidentiality or the integrity of any information collected from consumers;
5. UPromise must maintain a comprehensive security program designed to protect the security, confidentiality and integrity of any information collected; and
6. UPromise must commission an independent audit of its security program every six months for the next 20 years.

The FTC is soliciting public comment on this proposed consent decree through Feb. 6, 2012, following which the FTC will decide whether to make the consent decree “final.”