The case
Background
From April 2007 until January 2008 SHMC offered about 15% of the visitors to its websites the opportunity to join the My SHC Community. Selected visitors saw a pop-up advertisement that asked "Ever wish you could talk directly to a retailer? Tell them about the products, services and offers that would really be right for you?" It then gave visitors a chance to join the "My SHC Community", "a dynamic and highly interactive on-line community... where your voice is heard and your opinion matters, and what you want and need counts!" If visitors agreed, they provided an email address and were sent a follow-up email with more details about the community. This email contained the first mention of a research software program that users were asked to download. The application would "confidentially track [] online browsing." This revelation was buried amongst a lot of other text describing more overt participation in the community such as:We'll ask you to journal your shopping and purchasing behavior. Again, this will be when you want and how you want to record it – always on your terms and always by your choice. We'll also collect information on your internet usage. Community engagements are always fun and always voluntary!Consumers received $10 in exchange for joining the "community" as long as they kept the application running for at least one month. Most of the content of the email focused upon direct participation in the online community, with only limited references to the application that would be collecting massive amounts of information. The Privacy Statement and End User License Agreement, provided more details, but only if users scrolled down 75 lines in a small text box that displayed ten lines of text at a time. The Agreement revealed that the application would be collecting detailed information about the computer that the application was installed on in addition to:
all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information. We may use the information that we monitor, such as name and address, for the purpose of better understanding your household demographics; however we make commercially viable efforts to automatically filter confidential personally identifiable information such as UserID, password, credit card numbers, and account numbers. Inadvertently, we may collect such information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information.The application basically captured all internet activity and only made token efforts to prevent the collection of passwords. Although the agreement said they did not examine the text of IMs or email messages, they did collect email header information. Once the application was installed there was almost no indication that it was running on a user's computer. The complaint noted the lack of system tray icon or other visible indication other than "srhc.exe" being listed as a running process in Windows Task Manager. The FTC concluded that although SMHC made some disclosures about the application and the information it collected, they "failed to disclose adequately." Because the application "monitor dnearly all of the Internet behavior that occurs on consumers' computers" including detailed transaction information with websites not affiliated with SMHC and then transmitted that information to SHMC remote servers, the minimal disclosures provided in the email and buried in the license agreement were inadequate. The FTC found that details about the information collected "would be material to consumers in deciding to install the software." As a result, SHMC's "failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."
Consent decree
SMHC consented to the FTC's order that they "clearly and prominently" disclose on a separate screen from the privacy policy or license agreement (1) "all of the types of data that the Tracking Application will monitor, record or transmit;" (2) "how the data may be used;" and (3) "whether the data may be used by a third party." They were also required to obtain opt-in consent from future users.''In the Matter of Sears Holdings Management Corporation'', Consent AgreementSignificance of the action
Departure from legal precedent
Although, section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) grants the FTC power to investigate and prevent deceptive trade practices, this decision came as a surprise to a number of legal observers. SMHC probably thought it was doing everything legally required to use its application to collect detailed information on consumers. Courts have frequently found that terms buried within licensee agreements are enforceable—even when the terms are in small print in text boxes like the ones in the SMHC case. Often referred to asFTC's online privacy agenda
The FTC has long worked to protectSee also
*Notes
External links