The FTC recently announced approval of the terms of a settlement with Sears Holding Corp. (which owns Sears and K-Mart stores) over charges that the company failed to "adequately disclose" that it was collecting personal information using a spyware program secretly installed on consumers' computers. Between 2007 and 2008, 15 of every 100 visitors to sears.com or kmart.com were presented with a pop-up window that offered the opportunity to "talk directly to a retailer" and become part of "a place where your voice is heard and your opinion matters, and what you want and need counts!" No mention was made that this "opportunity" also installed detailed tracking software on the user's computer. Customers who asked for more information were offered a $10 coupon in exchange for downloading – and keeping on their computer for at least one month – software from Sears or K-mart that would allow them to become "part of something new, something different[.]"
Consumers probably didn't realize that by "new" and "different," the advertisement meant "all-seeing" and "invasive." Indeed, this software monitored both online and offline behavior, peering into online secure sessions and culling information from consumers' email subject and recipients, online bank statements, drug prescription records, video rental records, and similar histories and accounts. Customers effectively (and blindly) sold their privacy by agreeing to a lengthy terms of service agreement that showed up at the end of a long registration process. The agreement was presented in a small "scroll box"; consumers could only see ten lines of the policy at a time and not until the 75th line could the user find any description of the invasive tracking.
The FTC found that the software's function was not fairly represented and that the "failure to disclose these facts … was, and is, a deceptive practice." As remedy, the FTC has required that "if Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit." Moreover, this disclosure must occur separately from any general terms of service or user license agreement and, if data will be accessed by a third party, must include a notification that data will be available to a third party. The FTC has also required that Sears Holding Management Corporation delete all data collected by the software. The settlement is significant for a number of reasons.
Notably, it reinforces a trend toward broader recognition by the FTC, Congress, and the courts alike that, as David Vladeck, director of the FTC's Bureau of Consumer Protection, recently told the New York Times, "the empirical evidence we're seeing is that disclosures on their own don't work, particularly disclosures that are long, they're written by lawyers, and they're written largely as a defense to liability cases. Maybe we're moving into a post-disclosure environment." Vladeck also remarked that given the "disclosures'" complexity, "I'm not sure that [so-called] consent really reflects a volitional, knowing act." In other words, clicking on a box that follows a long, abstruse policy cannot seriously stand in for authorization for companies to spy on secure online sessions and to collect such sensitive and personal information as email subject lines and recipients, drug prescription records and online bank statements. This current paradigm was also challenged recently by U.S. District Court Judge Sterling Johnson Jr., who ruled that simply posting a link to onerous terms and conditions on a website is not binding for the consumer. His reasoning? The evidence that any consumers actually read these policies is scant. This is an encouraging trend, and one that gives us reason to hope that frameworks that are stronger than "notice and choice" and that emphasize actual transparency, consumer control, and data minimization may soon replace these outdated – and often deceptive – practices.
To this end, the FTC's remedy – a separate notification process that clearly spells out the extent of tracking activities – is a step in the right direction. However, we hope to soon see a framework in which product procurement cannot be dependent on selling one's privacy. We would like to see the suggested notification supplanted by an opt-in screen, in which consumers are given the choice of opting in to behavioral monitoring, but for which such monitoring – particularly as intrusive as that implemented by Sears Management Holding Corporation – can neither be a necessary, nor a default, component of a download. The requirement that Sears Management Holding Corporation delete all collected data is also a step in the right direction, as it suggests recognition that simply ceasing data collection is insufficient. Sensitive, and potentially harmful, personal information was collected through the course of this ill-advised project and consumers are not protected until all of that information is destroyed. We applaud the FTC for calling out the deceptive practices of Sears Management Holding Corporation and for taking an important step to protect consumer privacy. Moreover, the FTC's settlement terms implicitly reference a number of important principles that we hope the FTC will continue to consider in future cases. But perhaps most significant, the FTC has said that consumers are harmed by privacy invasions in and of themselves. Companies have no right to surreptitiously spy on consumers – even if they are willing to pay consumers for the privilege.