FTC Settles with Upromise on Charges of Deceptive Consumer Data Collection | Practical Law

FTC Settles with Upromise on Charges of Deceptive Consumer Data Collection | Practical Law

The FTC has reached an agreement on a proposed consent order with Upromise, Inc. on charges that it deceptively collected consumers' personal information and failed to protect that information in the manner stated in its privacy policy. As part of the settlement, Upromise, Inc. agrees to clearly disclose its data protection practices and establish an information security program to be audited periodically by a third party for the next 20 years.

FTC Settles with Upromise on Charges of Deceptive Consumer Data Collection

Practical Law Legal Update 7-517-1564 (Approx. 3 pages)

FTC Settles with Upromise on Charges of Deceptive Consumer Data Collection

by PLC Intellectual Property & Technology
Published on 09 Jan 2012USA (National/Federal)
The FTC has reached an agreement on a proposed consent order with Upromise, Inc. on charges that it deceptively collected consumers' personal information and failed to protect that information in the manner stated in its privacy policy. As part of the settlement, Upromise, Inc. agrees to clearly disclose its data protection practices and establish an information security program to be audited periodically by a third party for the next 20 years.
On January 5, 2012, the FTC issued a press release announcing an Agreement Containing Consent Order for its charges against Upromise, Inc., a company that offers a service where members can save money for college by receiving rebates that go into a savings account when purchasing goods or services from Upromise's partners.
To identify partner merchants, Upromise offered a toolbar highlighting partner merchants in a member's search results. When downloading the toolbar, customers were encouraged to enable the "Personalized Offers" feature to collect information to provide college saving opportunities tailored specifically for the user.
The Personalized Offers feature collected and transmitted information about the member's website history and other personal information, including:
  • User names and passwords for secured websites.
  • Credit card numbers.
  • Security codes and expiration dates.
  • Social security numbers.
According to the FTC, Upromise's privacy statement failed to disclose the extent of the information it collected and this failure, as well as false claims of data protection, were deceptive and violated federal law. The agency also charged that Upromise's failure to take reasonable and appropriate data protection measures was an unfair practice.
The proposed settlement requires Upromise to:
  • Destroy all data collected through the Personalized Offers feature.
  • Provide clear and prominent disclosures to consumers.
  • Make these disclosures before installation and separate from any user license agreement.
  • Receive consent from all consumers before installing Personalized Offers or any similar product.
  • Notify members who had the Personalized Offer featured enabled as to the information that was collected.
  • Provide instructions on how to disable the Personalized Offer feature and toolbar.
  • Establish a comprehensive information security program that is to be audited by a third party every other year for the next 20 years.
This settlement shows that the FTC continues to be active in monitoring companies to ensure that they live up to their privacy and data security promises. Companies should ensure that their privacy statements accurately represent their data collection practices and that they adopt reasonable measures to protect users' personal information or they may face an investigation by the FTC.