When Is a Privacy Policy Deceptive?

The Federal Trade Commission ("FTC") and others groups may at times conduct reviews of website terms and privacy policies. Recently the FTC brought a complaint against Sears Holdings Management Corporation ("Sears"), which is owned by Sears Roebuck and Company and Kmart Management Corporation, regarding the content of their privacy policy and the information gathered from consumers through the Sears website.

From April 2007 until January 2008, fifteen of every 100 visitors to the sears.com and kmart.com websites were presented with a pop-up where they were invited to join "My SHC Community". The visitors were asked whether they would like to have their voice heard and provide information directly to retailers about products and services that would be right for them. The pop-up invited visitors to enter their e-mail address to receive followup information. If a consumer supplied their e-mail address, they subsequently received messages inviting them to complete a registration form and become a member of the "My SHC Community." If they agreed to join the "community" for one month, they received a payment of $10. As part of the sign-up process, the consumer clicked on "Join today" and was directed to a registration page on the website.

To complete the registration, Sears asked the consumer to enter name, address, age, and e-mail address. In the website link to the Sears' Privacy Statement and User License Agreement ("Terms"), language was included indicating that once the Sears application software is installed on the consumer's computer, it monitors all of the consumer's Internet behavior including personal financial and health information. This language did not appear until the 75th line. The Sears Internet Terms stated that the information would be used for demographic purposes and indicated that they would "make commercially viable efforts" to try to filter out credit card numbers and user IDs. The Terms went on to state that the consumer could stop participating at any time but Sears reserved the right to continue using the information collected.

By the time the consumer completed this registration process, Sears had installed its software on the consumer's computer to track all of the Internet activities of each consumer who registered. As it turns out, this information collecting process was very far reaching including text of secure pages such as on-line bank statements, video rentals, library borrowing history, and on-line drug prescription records. The FTC stated in its complaint that Sears implied in its Terms that it was tracking "on-line browsing" when, in fact, its software was doing much more and Sears did not adequately describe in its Terms what the software application was actually doing. The FTC stated the information Sears provided as part of the privacy policy disclosures that Sears did make were made in such a way as to constitute unfair and deceptive practices.

The FTC and Sears have recently entered into a settlement agreement to resolve this situation which requires Sears to destroy all information obtained through the software. The settlement is open to public comment until July 6, 2009.

What can the average organization with an Internet presence learn from the Sears settlement? The following are some of the points:

1. If a website utilizes a tracking application, the website terms must disclose the types of data being collected, how the data will be used, and whether the data may be used by third parties.
2. Even if the website terms state how the collected information will be used, the website owner must also make sure that explanation of how data is collected is "clearly and prominently" displayed.

There is also a concern as to whether the settlement may extend beyond tracking software. Both website owners and consumers want to be able to rely on the privacy policies included on websites. Consumers want to know how and where information provided will be used. Website owners want to be able to use information collected from visitors to the site understanding that they may not include information where visitors have opted-out. Based upon the Sears settlement there are concerns that the results may undermine the ability of companies and consumers to rely on a website privacy policy. Sears felt that it did, in fact, disclose what its application software did. The FTC argued that the disclosure was not sufficient.

There is also additional news in the area of website privacy policies. The FTC has held town hall meetings for the last few years on the issue of on-line advertising. The question is whether website visitors must opt-in in order to receive advertisements or whether Internet users would be required to take action to opt-out from receiving on-line advertisements. There is a sense that the FTC realizes that consumers benefit from targeted ads but that the on-line advertising industry must provide a better mechanism for consumers to opt-out and an appropriate standard should be developed as to notice and consent requirements regarding data collection practices. The debate continues but, for now, it is important that each organization review data collection practices it employs on its website and verify that key facts regarding its data collection practices are not buried in the policy.