FTC Signals Tougher Standard For Online Tracking Disclosures

By Charles Kennedy
July 24, 2009

On June 4, the Federal Trade Commission (“FTC”) announced a proposed consent agreement with Sears Holdings Management Corporation (“SHMC”) (see, Federal Trade Commission Press Release, “Sears Settles FTC Charges Regarding Tracking Software” (June 4, 2009), available at www.ftc.gov/opa/2009/06/sears.shtm).

The government notes that the settlement is not final and does not include any finding of wrongdoing by SHMC, but that the working settlement sends a strong signal that the FTC will subject online tracking of consumer behavior to a stringent standard of disclosure. Company personnel, and inside and outside counsel, involved with addressing and fielding issues related to behavioral advertising or other online data-collection activities that are important to an enterprise's success should be aware of the proposed settlement, and should assess the prominence and completeness of the disclosures they make to consumers in light of the SHMC proceeding.

The FTC's Complaint Against SHMC

Perhaps the most striking feature of the complaint is that the FTC acted against a company that had fully disclosed, and obtained consumers' agreement to, the tracking practices at issue. The essence of the complaint is not that those disclosures were absent, but that they should have been made sooner and given greater prominence.

Specifically, according to the FTC's complaint, SHMC enrolled consumers in a program that included installation on the consumers' computers of a monitoring application. The complaint alleged that the application would: “monitor nearly all of the Internet behavior that occurs on consumers' computers, including information exchanged between consumers and [W]eb sites other than those owned, operated, or affiliated with [SHMC], information provided in secure sessions when interacting with third-party [W]eb sites, shopping carts, and online accounts, and headers of [W]eb-based e-mail; track certain non-Internet-related activities taking place on those computers; and transmit nearly all of the monitored information ... to [SHMC]'s remote computer servers.” (FTC complaint at para. 13. A link to the document is available at www.ftc.gov/opa/2009/06/sears.shtm.)

Saying Hello with Pop-ups

SHMC introduced the program to consumers by serving pop-up ads on sears.com and kmart.com Web sites that invited consumers to join the “My SHC Community.” (FTC complaint at para. 5.) The initial invitation included no disclosures about the community's online tracking component. However, the follow-up e-mail invitation sent to consumers who furnished their e-mail addresses to SHMC specifically stated that participants would be asked to “download software” that “will confidentially track your online browsing.” (FTC complaint at para. 6.) This second invitation also disclosed that the community would “collect information about (the participant's) [I]nternet usage.”

Consumers who clicked a “Join Today” button on this second invitation were taken to a landing page. (FTC complaint at para. 7.) Here, they had an opportunity to click on a second Join Today button, which took them to a registration page. The registration page included a scroll box with a Privacy Statement and End User License Agreement that exhaustively described the data-collection activities that would accompany membership in the community. (FTC complaint at para. 8.) The complaint does not allege that the disclosures made in this Privacy Statement and End User License Agreement were in any way incomplete.

No Immediate Download

SHMC's registration procedure also ensured that consumers did not download and install the online tracking application until they had had an opportunity to read the Privacy Statement and End User License Agreement. Consumers were required to check a box next to the following statement: “I am the authorized user of this computer and I have read, agree to, and have obtained the agreement of all computer users to the terms and conditions of the Privacy Statement and User License Agreement.” (FTC complaint at paragraph 9.) If consumers then clicked the Next button at the bottom of the registration page, they were taken to an installation page that explained how to download and install the application. (FTC complaint at para. 10.) Consumers then clicked another Next button to download the application, and clicked an Install or Yes button to install the application.

No Adequate Disclosure

According to the FTC's complaint, SHMC committed “unfair or deceptive acts or practices” by failing to adequately disclose the extent of the online tracking activities that would result from enrollment in the program. Specifically, the FTC appears to contend that detailed disclosures should have been provided before consumers encountered the Privacy Statement and End User License Agreement.

What the Agreement Requires

The proposed consent agreement would require disclosure of the entire functionality of the online tracking application “prior to the display of, and on a separate screen from, any final 'end user license agreement,' 'privacy policy,' 'terms of use' page, or similar document ....” (See, “Agreement Containing Consent Order,” File No. 082 3099, p. 4, at www.ftc.gov/opa/2009/06/sears.shtm.)

The consent agreement would also require an “express consent from the consumer to the download or installation of the Tracking Application and the collection of data by having the consumer indicate assent to those processes by clicking on a button or link that is not pre-selected as the default option and that is clearly labeled or otherwise clearly represented to convey that it will initiate those processes, or by taking a substantially similar action.” (“Agreement Containing Consent Order,” File No. 082 3099, at www.ftc.gov/opa/2009/06/sears.shtm.)

Extends Privacy-Practices Disclosure Requirements

The commitments set out in the proposed consent agreement go well beyond existing law and previous FTC requirements for disclosure of privacy practices. Notably, court decisions concerning the related process of online contract-formation require only that consumers have fair notice of the existence of online contract terms and give clear consent to those terms. (See, e.g., Christopher Specht et al. v. Netscape Communications Corporation et al., 306 F.3d 17 (2d Cir. 2002).) The process adopted by SHMC appears to satisfy this standard. Similarly, the FTC's past guidance on disclosure of online privacy practices has urged only that online merchants should give clear and conspicuous notice of their information practices, a policy that Internet services generally have satisfied by posting clear and complete privacy policies. (See, e.g., Privacy Online: Fair Information Practices in the Online Marketplace (FTC Report to Congress dated May 2000) p. 36, at www.ftc.gov.)

Drilling Down on Monitoring

The SHMC settlement suggests a more stringent standard for one class of privacy practices. Where online monitoring of consumers' Internet usage is concerned, the FTC apparently will require that detailed disclosures of those practices not only must be made, but must be made early and conspicuously, and that the tracking programs may be implemented only with the consumers' express consent. In fact, the complaint suggests that any advertisement or promotional statement concerning a service that will involve online tracking is deceptive unless it is accompanied by immediate, complete disclosure of the tracking process involved. Deferring those disclosures until the consumer is at the point of downloading or installing the tracking application apparently will be insufficient under the standard announced in the settlement.

The Proceeding in Context

Among other implications, the SHMC enforcement proceeding may be a step toward FTC regulation of behavioral advertising, which relies heavily on online tracking technologies. Beginning with a town hall meeting held in late 2007, the FTC has repeatedly announced its concern with “the tracking of consumers' online activities in order to deliver tailored advertising.” (See, FTC Staff Report: Self-Regulatory Principles for Online Behavioral Advertising, p. 2, available at www.ftc.gov/os/2009/02/P085400behavadreport.pdf.)

Although the Commission has confined itself primarily to the adoption of voluntary guidelines to govern these practices, FTC Chairman Jon Leibowitz stated as recently as April of this year that online advertisers are approaching their “last clear chance” to avoid legislation or mandatory regulation. (Leibowitz appears to have first used this expression in his “Concurring Statement” in the February 2009 Staff Report referred to earlier in this paragraph. He repeated the warning in a speech to the Reuters Global Financial Regulation Summit in Washington, DC on April 27 this year; see, “FTC Says Internet Firms Near 'Last Chance',” PC Magazine.com (Apr. 28, 2009).)

Although the SHMC proceeding may be the first round in a regulatory initiative aimed at behavioral advertising and related practices, that initiative might never reach the formal rulemaking stage. The FTC sometimes defines the kinds of practices it finds unacceptable not by writing rules, but by bringing individual enforcement proceedings and entering into settlement agreements that create a compliance framework for businesses that want to avoid becoming the target of similar proceedings. Notably, this is the approach the Commission has taken in its multi-year campaign against failures to secure customers' personal information against unauthorized access. The SHMC agreement was subject to public comment through July 6, 2009, after which the Commission will decide whether to make it final. Service providers that rely on tracking technologies should assess their policies and practices in light of the FTC's apparent determination to subject online tracking to more stringent enforcement.

Charles Kennedy, of counsel for Morrison & Foerster, in Washington, DC, focuses his practice on privacy, data protection, e-commerce and telecommunications. He has represented major corporations in privacy and information-security proceedings before the Federal Trade Commission. Kennedy also serves as adjunct professor of law at Catholic University of America, where he teaches cyber law and telecommunications regulation. He can be reached at [email protected].
