Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

FTC Enforces Against Obscure Privacy Disclosures in New Consent Decree

Just a day before releasing its long-awaited draft privacy report, the FTC foreshadowed some of its findings relating to requirement of transparency in privacy notices.  It did so by entering into a consent agreement with EchoMetrix for inadequately disclosing that data collected using parental web-monitoring software would be included in a database sold to marketers. This settlement reinforces the FTC’s position, established last year in its settlement with Sears, that notices to consumers relating to material privacy practices cannot be “buried” in privacy policies, terms of use, or license agreements.

EchoMetrix sold a software program called Sentry Parental Controls (“Sentry”) to parents capable of monitoring and recording a child’s Internet activity. Among other data, the software captured website history, chat conversation, and instant messages. In 2009, EchoMetrix launched a new service, called The Pulse, which provided companies with the ability to access what consumers are saying or thinking by providing aggregate consumer opinions from user-generated social media websites. EchoMetrix incorporated data it captured through Sentry into the Pulse database.

The only disclosure EchoMetrix made about this potential use of Sentry data came in EchoMetrix’s Privacy Policy which was appended to the Sentry End User License Agreement (EULA). The statement read:

[Sentry] uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.

Users were required to “accept” these terms, but the above language was in the thirtieth paragraph of a policy that was contained in a small scroll box that a user was presented with when registering for the service. EchoMetrix also offered an opt-out for users, however what a user was opting out of was not clearly described in the Privacy Policy.

The FTC brought a complaint against EchoMetrix under Section 5 of the FTC Act, arguing that EchoMetrix’s failure to notify parents of the usage of their children’s data constituted a deceptive act or practice. In the settlement of this case, EchoMetrix agreed not to use the Sentry data for any purposes other than allowing Sentry users to access their accounts. EchoMetrix also agreed to destroy the Sentry information that had been transferred to The Pulse database. 

This settlement builds upon FTC’s 2009 settlement with Sears, in which Sears paid consumers to download an application that tracked their online browsing activity, including online transactions. The FTC alleged that Sears’ disclosure of these practices was not sufficient. The disclosure was buried in a lengthy user license agreement found in a scroll box that a user checked a box to “agree”.

Enforcement actions like those against Sears and EchoMetrix might become more common following the publication of the new draft privacy report. One of the major focal points of the new report is transparency of privacy practices. In fact, the report highlights the Sears case as an example of the limitation of the FTC’s previous approach to privacy, implying that the content and form of all notices are not equal in the minds of consumers and regulators.

It may not be enough merely to include an opaque description of a privacy practice in a privacy policy or user agreement. Rather, it is important to highlight the privacy issues that a consumer is likely to care about and make these data uses easy for a consumer to understand and make informed decisions. 

While the new FTC report does not offer any prescriptive advice on how privacy notices should look or how privacy practices should be communicated to consumers, the FTC’s recent enforcement actions make clear that information that a consumer would deem material when deciding whether to purchase or use a product or service must be clearly disclosed and cannot be buried in the middle of a policy that the consumer is unlikely to read.