The terms of an FTC settlement apply just to that business, of course. But clued-in companies know there’s a lot that can be learned from someone else’s alleged misstep. The FTC’s law enforcement action against Upromise is no exception.
According to the complaint, the college savings membership program introduced a toolbar that collected users’ personal information without adequately disclosing the extent of what was going on. Under the terms of the proposed order, Upromise will notify users about how to uninstall the toolbars already on their computers, will get users’ OK before installing or re-enabling any toolbars, and will clearly disclose its data collection practices in the future. The settlement also bars misrepresentations about the privacy and security of people’s personal info, and requires Upromise to implement a comprehensive information security program, including every-other-year independent security assessments for the next 20 years.
What should this case and other recent law enforcement actions mean for your company?
Know before it’s a go. Before turning the key, you need to know how many horses you’ve got under the hood. In the same way, before rolling out new technology — like a toolbar or an app — make sure you’re clear on what information it collects. Better still, build data security decision-making, verification, and monitoring into the design process. It’s usually easier to get it right from the outset than to reverse-engineer a fix days before delivery or in response to a security “oops.”
Craft it carefully. Not too long ago marketers assumed the more info they gathered, the better — and if something was technologically feasible, full speed ahead. But the risk of a costly security breach or a troubling data glitch has taught savvy executives that that mindset is <Valley Girl voice> like sooooooo 20th Century </Valley Girl voice>. These days your policies should be the product of deliberate, well-rounded decision-making that carefully considers data security, information collection, disclosures to consumers, and other key factors.
Do tell. Generally speaking, the law gives companies flexibility in fashioning their data collection programs. But the best practice is to tell users what you collect, communicate it in words regular people will understand, and honor your stated policy.
Keep tabs on your service providers. According to the FTC’s complaint against Upromise, the company hired a service provider to develop the toolbar and personalized offers feature that raised data collection concerns. But under the FTC Act, companies may be liable for what others do on their behalf. As part of the soup-to-nuts info security program, the proposed order requires Upromise to take reasonable steps to “select and retain service providers capable of appropriately safeguarding personal information” and to include contract terms requiring service providers to “implement and maintain appropriate safeguards.” The order provision is legally binding only on Upromise, but it’s sound advice to consider next time you’re working with an outside company.