On June 4, 2009, the Federal Trade Commission (FTC) announced a settlement with Sears Holdings Management Corporation (SHMC) – owned by Sears, Roebuck and Company and Kmart Management Corporation – over allegations that the company failed adequately to disclose the scope of information it collected about consumers by means of a downloadable software application.
According to the FTC complaint, from approximately April 2007 to January 2008, SHMC used pop-up messages to invite consumers visiting sears.com and kmart.com web sites to become members of "My SHC Community." Consumers who accepted the invitation and provided their e-mail addresses would then receive an e-mail inviting them to join the "online community," in exchange
for downloading a tracking application to their computers for at least one month. Consumers who retained the application for that time period would receive $10 in compensation.
SHMC disclosed in paragraph four, sentence three of the invitation e-mail that the downloaded application would "confidentially track [consumers'] online browsing." Consumers who accepted the e-mail invitation were directed to a landing page, where they were asked to re-confirm their intent to join.
as well as information transmitted in those sessions, such as the contents of shopping carts, online banking statements, video rental transactions, library borrowing histories, online drug prescription records, and select header fields that show the sender, recipient, subject, and size of web-based e-mail messages.
and was therefore deceptive and in violation of Section 5(a) of the FTC Act.
The proposed settlement agreement requires SHMC to stop collecting data from any tracking application within three days and to destroy all data collected by any tracking application within five days. SHMC is also required to notify all consumers that installed the tracking application to inform them what the
application does and how to uninstall it.
Additionally, the agreement requires that, going forward, SHMC:
- obtain express consent from the consumer to download or install a tracking application and collect consumer data.
The agreement imposes a four-year record-keeping requirement and requires the company to furnish, on request, all documents related to complaints, inquiries, terms and conditions, or advertisements associated with any tracking application to the FTC. The proposed settlement agreement will be subject to public comment for 30 days, through July 6, 2009.
Kelley Drye & Warren's Information Security and Privacy practice
is a leader in advising clients on privacy and information security issues and has been at the forefront of developments in this growing area of the law. Our attorneys regularly counsel clients regarding all aspects of privacy and data security compliance, including
drafting and amending privacy and information security policies, advising clients on interpreting their own policies, crafting data security programs for clients, performing privacy and/or data security audits of existing business practices, drafting agreements with third parties regarding their obligations in connection with handling clients' customer data, and
representing clients in connection with federal and state regulator privacy investigations regarding their privacy and data security practices.