EchoMetrix sold parents a software program called Sentry Parental Controls (“Sentry”) that was capable of monitoring and recording a child’s Internet activity. Among other data, the software captured website history, chat conversations, and instant messages. In 2009, EchoMetrix launched a new service, called The Pulse, which gave companies access to what consumers were saying or thinking by providing aggregate consumer opinions from user-generated social media websites. EchoMetrix incorporated data it captured through Sentry into The Pulse database.
[Sentry] uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.
The FTC brought a complaint against EchoMetrix under Section 5 of the FTC Act, arguing that EchoMetrix’s failure to notify parents of the usage of their children’s data constituted a deceptive act or practice. In the settlement of this case, EchoMetrix agreed not to use the Sentry data for any purposes other than allowing Sentry users to access their accounts. EchoMetrix also agreed to destroy the Sentry information that had been transferred to The Pulse database.
This settlement builds upon the FTC’s 2009 settlement with Sears, in which Sears paid consumers to download an application that tracked their online browsing activity, including online transactions. The FTC alleged that Sears’ disclosure of these practices was not sufficient. The disclosure was buried in a lengthy user license agreement presented in a scroll box, which a user accepted by checking a box to “agree”.
Enforcement actions like those against Sears and EchoMetrix might become more common following the publication of the new draft privacy report. One of the major focal points of the new report is transparency of privacy practices. In fact, the report highlights the Sears case as an example of the limitation of the FTC’s previous approach to privacy, implying that, in the minds of consumers and regulators, not all notices are equal in content and form.
While the new FTC report does not offer any prescriptive advice on how privacy notices should look or how privacy practices should be communicated to consumers, the FTC’s recent enforcement actions make clear that information that a consumer would deem material when deciding whether to purchase or use a product or service must be clearly disclosed and cannot be buried in the middle of a policy that the consumer is unlikely to read.