The terms of an FTC settlement apply just to that business, of course. But clued-in companies know there’s a lot that can be learned from someone else’s alleged misstep. The FTC’s law enforcement action against Upromise is no exception.

According to the complaint, the college savings membership program introduced a toolbar that collected users’ personal information without adequately disclosing the extent of what was going on. Under the terms of the proposed order, Upromise will notify users about how to uninstall the toolbars already on their computers, will get users’ OK before installing or re-enabling any toolbars, and will clearly disclose its data collection practices in the future. The settlement also bars misrepresentations about the privacy and security of people’s personal info, and requires Upromise to implement a comprehensive information security program, including every-other-year independent security assessments for the next 20 years.

What should this case and other recent law enforcement actions mean for your company?

Know before it’s a go. Before turning the key, you need to know how many horses you’ve got under the hood. In the same way, before rolling out new technology — like a toolbar or an app — make sure you’re clear on what information it collects. Better still, build data security decision-making, verification, and monitoring into the design process. It’s usually easier to get it right from the outset than to reverse-engineer a fix days before delivery or in response to a security “oops.”

Craft it carefully. Not too long ago marketers assumed the more info they gathered, the better — and if something was technologically feasible, full speed ahead. But the risk of a costly security breach or a troubling data glitch has taught savvy executives that that mindset is <Valley Girl voice> like sooooooo 20th Century </Valley Girl voice>. These days your policies should be the product of deliberate, well-rounded decision-making that carefully considers data security, information collection, disclosures to consumers, and other key factors.

Do tell. Generally speaking, the law gives companies flexibility in fashioning their data collection programs. But the best practice is to tell users what you collect, communicate it in words regular people will understand, and honor your stated policy.

Keep tabs on your service providers. According to the FTC’s complaint against Upromise, the company hired a service provider to develop the toolbar and personalized offers feature that raised data collection concerns. But under the FTC Act, companies may be liable for what others do on their behalf. As part of the soup-to-nuts info security program, the proposed order requires Upromise to take reasonable steps to “select and retain service providers capable of appropriately safeguarding personal information” and to include contract terms requiring service providers to “implement and maintain appropriate safeguards.” The order provision is legally binding only on Upromise, but it’s sound advice to consider next time you’re working with an outside company.
