FTC Approves Final Settlement with Consumer Tracking Firm
The Federal Trade Commission has adopted a proposed settlement with
Compete Inc., a company that develops software for tracking consumers
as they shop, browse and interact with different Web sites across the
Internet. As part of the Compete registration process, consumers
installed tracking software that "collected the names of all Web sites
visited; all links followed; advertisements displayed when Web sites
were visited; and information that consumers entered into some web
pages", even otherwise secure Web pages. Data collected including
credit card and financial account numbers, usernames, passwords, and
search terms.
The Commission's initial complaint alleged that Compete failed to adopt
reasonable data security practices and deceived consumers about the
amount of personal information collected by the toolbar and survey
panel. The FTC also charged Compete with deceptive practices for
falsely claiming that the retained data had been anonymized. The
settlement order requires Compete to obtain express consent from
consumers before collecting data. The company is similarly required to
delete or anonymize the data it has already collected and to provide
users with instructions for uninstallation of the Compete toolbar.
In November 2012 comments to the FTC, EPIC recommended that the agency
also require Compete to implement Fair Information Practices similar to
those contained in the Consumer Privacy Bill of Rights, and develop a
best-practices guide to de-identification techniques. The Consumer
Privacy Bill of Rights, published by the White House in February 2012,
sets out a comprehensive framework of consumer privacy protections.
EPIC's comments maintained that Compete's adherence to the Consumer
Privacy Bill of Rights would impose requirements on the company's
collection and use of personal social networking information, and
grant Compete users control over their data and the right to access
and amend their personal information. Additionally, Compete should
have been required to develop best-practices principles for de-
identification, thus providing "businesses and consumer groups
something more concrete against which to measure claims of de-
identification and anonymity."
While the FTC declined to adopt EPIC's recommendations, the
Commission acknowledged that, as EPIC had noted, the FTC's "chief
technologists have discussed some anonymization techniques as an aid to
industry. However, generally, the Commission does not provide specific
technical guidance in areas like this, which are constantly changing.
It is a company's responsibility to keep abreast of and select the
technology that it believes best meets its needs and requirements while
appropriately protecting consumer privacy."
FTC: Settlement with Compete Inc. (Feb. 20, 2013)
http://www.ftc.gov/o.../130222competedo.pdfFTC: Letter to EPIC re: Compete Inc. Settlement (Feb. 20, 2013)
http://www.ftc.gov/o...ompeteepicletter.pdfEPIC: Comments to FTC re: Compete Inc. (Nov. 19, 2012)
http://epic.org/priv...Comments-Compete.pdfThe White House: Consumer Privacy Bill of Rights (Feb. 2012)
http://www.whitehous...es/privacy-final.pdfEPIC: Federal Trade Commission
http://epic.org/privacy/internet/ftc/EPIC: Re-Identification
http://epic.org/priv...cy/reidentification/EPIC: Consumer Profiling
http://epic.org/priv...ofiling/default.html