Broken Privacy Promises from Upromise? FTC Settlement and Key Takeaways (Update)
Written by Jake Romero
According to the Federal Trade Commission, the most remarkable aspect of Upromise, an online college savings program, was not how much its users saved. Rather, it was how much they were giving away. The FTC has announced a settlement of a complaint it had filed against Upromise, Inc. alleging that the corporation had violated the Federal Trade Commission Act (“FTC Act”). We have an analysis of the complaint and consent order and some key takeaways for businesses.
Upromise and the “TurboSaver Toolbar”
Since 2005, Upromise has operated a membership reward service that is designed to help its users create a savings account for future college tuition payments. Its users receive discounts and rebates on products they purchase from Upromise’s merchant and retail partners, and the value of those discounts and rebates is then collected in a college savings account. As part of its service, Upromise offered its users the Upromise “TurboSaver Toolbar,” a software download which, according to Upromise, would, among other things, highlight and identify Upromise partner companies in the user’s internet search results so that the user could more easily purchase products that would benefit his or her Upromise college savings account. Downloading the TurboSaver Toolbar may be considered a default setting for individuals signing up for an account, because the box to elect to receive the download was initially checked for the user. In addition, an option modifying the TurboSaver Toolbar (described as “Enable Personalized Offers”) was also made available. The description of this feature provided that “[b]y enabling the Personalized Offers feature, information about the web sites you visit will be collected. This information is used to provide college savings opportunities tailored to you.” The description further provided that the TurboSaver Toolbar would help to ensure that the user received college savings when he or she shopped online.
UPDATE: Upromise provided the following comment on January 20:
The TurboSaver toolbar always has been, and is, a completely optional part of opening a Upromise account and becoming a Upromise member. It is important to note that two years ago, we addressed this issue with the vendor’s software promptly after being made aware of it. Further, only a subset of the approximately 1% of our members, those who had TurboSaver installed on their computer and had the personalized offers enabled, could potentially have been affected.
The FTC alleged that after the personalized offers feature was enabled, extensive information was collected from the user and transmitted to Upromise, including the names of all websites visited, all links clicked by the user and information that users entered into certain web pages, such as usernames, passwords, search terms, credit card information, expiration dates, security codes and social security numbers. The FTC alleged that there was no way a user would be able to detect the extent of the data being collected by the Upromise software without special software and technical expertise.
Upromise’s data collection and transmission activities were subject to a Privacy Statement, a link to which was provided to users during the registration process. However, the FTC alleged that the Privacy Statement made a number of inaccurate and misleading statements with regard to the frequency and scope of Upromise’s data collection and the way in which the information was handled. First, the Privacy Statement claimed that personal information may be collected by the TurboSaver Toolbar “infrequently,” but that filters were in place to prevent the collection of certain financial data. The FTC found that not only was the data collection process running continuously on each user’s computer, but the filters that were constructed to prevent the collection of highly sensitive information were far too narrow to be effective. For example, a filter to prevent the collection of financial data would filter out information entered into a field marked “PIN” but would allow the same information to be collected if the field were named “personal ID” or “security code.”
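The “PIN” example above is a general failure mode: a filter keyed on one exact field name catches only that spelling and nothing else. The following is an added illustration written for this post, not Upromise’s or the FTC’s code. It models an exact-match filter of the kind the complaint describes (its behaviour is assumed from the description), contrasts it with a normalized, pattern-based classifier, and goes one step beyond the text by also checking field values (a Luhn check for card-number-shaped strings), since a sensitive value can arrive in a field with an innocent name. The form submission is constructed sample data. The useful output for a company testing its own filters is `leaked_sensitive_fields`, which a pre-release test should expect to be empty.

```python
import re
from typing import Callable, Dict, List

# Constructed sample form submission (field name -> value). No real data.
SAMPLE_FORM: Dict[str, str] = {
    "PIN": "1234",
    "personal ID": "5678",
    "security code": "987",
    "cc_number": "4111111111111111",
    "exp_date": "12/27",
    "passwd": "hunter2",
    "user_name": "alice",
    "q": "college savings",
    "notes": "4111 1111 1111 1111",  # card number typed into an innocently named field
}

# --- Narrow filter: exact match on a single field name (assumed model of the
# --- filter described in the complaint). Only a field literally named "PIN" is dropped.
NARROW_BLOCKLIST = {"PIN"}


def narrow_filter(form: Dict[str, str]) -> Dict[str, str]:
    return {k: v for k, v in form.items() if k not in NARROW_BLOCKLIST}


# --- Broad filter: normalize the field name, then match families of names
# --- rather than one spelling, and inspect the value as well.
SENSITIVE_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\bpin\b",
        r"personal[\s_-]*id",
        r"security[\s_-]*code",
        r"\bcvv2?\b|\bcvc\b",
        r"\bssn\b|social[\s_-]*security",
        r"pass(word|wd|phrase)?",
        r"card|cc[\s_-]*num|\bpan\b",
        r"exp(ir(y|ation))?[\s_-]*date|\bexp\b",
    )
]


def normalize(name: str) -> str:
    """Collapse case and separator variants: 'Personal_ID' -> 'personal id'."""
    return re.sub(r"[\s_-]+", " ", name.strip().lower())


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card_number(value: str) -> bool:
    """13-19 digits (separators ignored) that pass Luhn: treat as a card number."""
    digits = re.sub(r"\D", "", value)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def is_sensitive_field(name: str, value: str) -> bool:
    n = normalize(name)
    if any(p.search(n) for p in SENSITIVE_NAME_PATTERNS):
        return True
    return looks_like_card_number(value)


def broad_filter(form: Dict[str, str]) -> Dict[str, str]:
    return {k: v for k, v in form.items() if not is_sensitive_field(k, v)}


def leaked_sensitive_fields(
    form: Dict[str, str], filt: Callable[[Dict[str, str]], Dict[str, str]]
) -> List[str]:
    """Fields that survive `filt` but are sensitive by the broad classifier.
    A test of a filter before release should expect this list to be empty."""
    kept = filt(form)
    return sorted(k for k, v in kept.items() if is_sensitive_field(k, v))


if __name__ == "__main__":
    print("narrow filter lets through:", leaked_sensitive_fields(SAMPLE_FORM, narrow_filter))
    print("broad filter lets through: ", leaked_sensitive_fields(SAMPLE_FORM, broad_filter))
```

Run as a script, the narrow filter lets six sensitive fields through, including the two renamed PIN fields from the complaint and the card number in `notes`; the broad filter lets none through and keeps only `user_name` and `q`. The point for a privacy statement that promises filtering is that the test, not the statement, is what establishes the promise is kept.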
Upromise also claimed that the information transmitted to Upromise from the user was automatically encrypted. A security researcher disclosed, however, that the data was transmitted in clear text, which would allow third parties to easily intercept and steal information being transmitted over a public network. The FTC alleged that this facilitation of identity theft and related harm constituted an unfair practice under the FTC Act. The complaint noted that Upromise created an unnecessary risk of unauthorized access to user information by (i) failing to use inexpensive and widely-available prevention measures; (ii) failing to provide guidance to and properly train its employees with access to user information; and (iii) failing to employ security measures that would provide the protection that was assured in its Privacy Statement. “[T]aken together,” the FTC alleged, Upromise “failed to provide reasonable and appropriate security for consumer information collected and transmitted,” failed to disclose material facts to consumers and engaged in false, deceptive and misleading practices.
Settlement Terms
The FTC’s settlement with Upromise will require, among other things, that Upromise (i) accurately disclose and describe its data collection practices, (ii) provide instructions to its users with regard to uninstalling the TurboSaver Toolbar, (iii) cease making misrepresentations in its Privacy Statement about security measures used to protect personal information and (iv) implement a comprehensive information security program, to be audited biennially by an independent security assessment firm for the next 20 years.
Key Lessons from the Upromise Settlement
For companies that collect and/or transmit the personal data of users, there are a number of key aspects to be considered from the Upromise settlement. Some of the lessons from the settlement seem obvious; a company that collects personal data should not misrepresent the scope or frequency of data collection to its users. However, to ensure that best practices are being adhered to, the allegations made by the FTC in its complaint against Upromise should be considered apart from the egregious circumstances that were specific to this complaint. After all, the precise location of the line between, on one hand, a statement that is intended to give comfort to a user who will be providing personally-identifiable information and, on the other, a statement that is materially misleading, will depend entirely on the surrounding facts and circumstances.
At a minimum, a company that engages in the collection and/or transmission of user data should:
- carefully review any published privacy statement or security policy to ensure that the representations made therein accurately reflect such company’s practices
- review any statements made on web pages or promotional materials that may give the user a false sense of security with regard to the handling of such user’s data
- test and review the application of any safety measures or information filters
- be diligent with regard to investigating and adopting security measures as they become generally available
- ensure that any description of such company’s data collection practices is written in plain English, and include an effective way for its users to obtain further information or communicate complaints
- ensure that all employees with access to personally-identifiable information have received sufficient training to follow necessary procedures
Link to all related Federal Trade Commission documents: here