Web analytics company, Compete Inc., settled charges it violated federal law by using its web-tracking software that collected personal data without disclosing the extent of the information it was collecting.
Compete also failed to honor promises it made to protect the personal data it collected, according to other charges from the Federal Trade Commission (FTC).
Compete is a company that uses tracking software to collect data on the browsing behavior of millions of consumers, then uses the data to generate reports, which it sells to clients who want to improve their website traffic and sales.
The proposed settlement requires Compete obtain consumers’ express consent before collecting any data from Compete software downloaded onto consumers’ computers, that the company delete or anonymize the use of the consumer data it already collected, and it provide directions to consumers for uninstalling its software.
Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website, www.consumerinput.com, according to the FTC. Compete told consumers by joining the “Panel” they could win rewards while sharing their opinions about products and services, the FTC said. The company also promised consumers who installed another type of its software — the Compete Toolbar (from compete.com) — could have “instant access” to data about the websites they visited.
Compete also licensed its web-tracking software to other companies, the FTC said. Upromise, which licensed Compete’s web-tracking software, settled similar FTC charges earlier this year.
Once installed, the Compete tracking component operated in the background, automatically collecting information about consumers’ online activity. It captured information consumers entered into websites, including consumers’ usernames, passwords, and search terms, and also some sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security Numbers, according to the FTC.
The FTC charged several of Compete’s business practices were unfair or deceptive and violated the law. For example, the company failed to disclose to consumers it would collect detailed information such as information they provided in making purchases, not just “the web pages you visit.”
In addition, the FTC said Compete made false and deceptive assurances to consumers the company would remove personal information from the data it collected.
Despite these assurances, the FTC charged Compete failed to remove personal data before transmitting it; failed to provide reasonable and appropriate data security; transmitted sensitive information from secure websites in readable text; failed to design and implement reasonable safeguards to protect consumers’ data; and failed to use readily available measures to mitigate the risk to consumers’ data.
The proposed settlement order requires Compete and its clients to fully disclose the information they collect and get consumers’ express consent before they collect consumers’ data in the future. In addition, the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years.