Sears Settles with FTC on Information Tracking
FTC entered into a settlement agreement with Sears in June related to its failure to provide adequate notice to its customers during the sign up process for an information collection software. This settlement highlights the need to create accurate highlight notices for privacy policies.
Sears mentioned on its marketing material that the software would confidentially track online browsing. However, the FTC charged that the software allowed Sears to monitor consumer’s online sessions including shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails. FTC appears to be concerned that Sears’ “Privacy Statement and User License Agreement” did not discuss the full scale of the data mining until the 75th line of the agreement. The agreement stated:
Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.
Therefore, the FTC argued, burying the scope of this information collection activity in the 75th line of legal agreement did not adequately disclose the fact that the consumer was allowing the tracking for all of his internet activity. This, the FTC concluded, was a deceptive practice under section 5 of the FTC act.
In hindsight, Sears probably did not need all of the data that it gather in the first place. The competitive advantage that Sears may gain in collecting and processing such sensitive financial and health data is likely to be outweighed by the disadvantages in maintaining the confidentiality of such sensitive information and the public relations problems that follow its disclosure. Even if Sears could in fact use this data, installation of software that practically works like a commercial key logger likely requires specific and unambiguous consent.