Of course, the terms of the FTC settlement apply only to that business. But companies in the know know that there’s a lot to be learned from others’ alleged missteps. The FTC’s enforcement action against Upromise is no exception.
According to the complaint, the College Savings Membership Program launched a toolbar that collected users’ personal information without fully disclosing the extent of what occurred. Under the terms of the proposed order, Upromise will notify users how to uninstall toolbars that are already on their computers, obtain user consent before installing or re-enabling any toolbars, and will clearly disclose its data collection practices in the future. The settlement also bans misrepresentations about the privacy and security of people’s personal information and requires Upromise to implement a comprehensive information security program, including independent security assessments every other year for the next 20 years.
What do this case and other recent enforcement actions mean for your company?
Know before you act. Before you turn the key, you need to know how many horses are under the hood. Likewise, before rolling out a new technology, such as a toolbar or app, make sure you know what information it collects. Even better, incorporate data security decisions, verification, and monitoring into the design process. It’s often easier to get it right from the start than to reverse-engineer a fix days before delivery or in response to a security “oops.”
Crafted with care. Not long ago, marketers believed that the more information they could gather, the better—if something was technically feasible, full steam ahead. But the risk of a costly security breach or disturbing data failure has made savvy executives realize that this mentality belongs to the 20th century. Today, your policies should be the product of thoughtful, comprehensive decisions that carefully consider data security, information collection, disclosure to consumers, and other key factors.
Must tell. Generally speaking, the law gives companies flexibility in developing data collection plans. However, the best practice is to tell users what you collect, communicate in language that ordinary people can understand, and adhere to your stated policies.
Pay close attention to your service provider. According to the FTC complaint against Upromise, the company hired a service provider to develop toolbars and personalized offers features, which raised data collection concerns. But under the Federal Trade Commission Act, companies may be held liable for things others do on their behalf. As part of a comprehensive information security program, the proposed order requires Upromise to take reasonable steps to “select and retain service providers that appropriately protect personal information” and to include contract terms requiring service providers to “implement and maintain appropriate” safety precautions. The terms of this order are only legally binding on Upromise, but it’s sound advice worth considering next time you’re working with an outside company.
