Should the Federal Trade Commission revise its 2009 settlement with Sears involving the company’s data security practices?
In an administrative complaint, the FTC alleged that Sears Holdings Management Corp. failed to adequately disclose the scope of personal information it collected from customers via a downloadable software application. Sears represented to consumers that the company would pay consumers $10 to download “research” software that would track their “online browsing.”
But the FTC said the company failed to disclose that the technology actually monitored and collected data from all their Internet activity, including information from third parties’ websites such as the contents of shopping carts, bank statements, video rental records, and the sender, recipient and subject for emails.
To settle the charges, Sears entered into a Consent Order that required the company to “clearly and prominently disclose the types of data the software will monitor, record, or transmit,” prior to installation of the software and separate from any user license agreement. The 20-year Order also mandated that Sears disclose whether any of the data will be used by a third party.
Eight years later, Sears has requested that the FTC modify the Order, arguing that it “puts Sears out of step with current market practices without a corresponding benefit in combatting threats to consumer privacy,” according to the company’s petition. “In addition, the competitive burdens imposed by the Order’s overly broad definition of ‘Tracking Application’ are heavy, and significantly disadvantage Sears in the marketplace.”
The Order defined “Tracking Application” as “any software program or application disseminated by or on behalf of respondent, its subsidiaries or affiliated companies, that is capable of being installed on consumers’ computers and used by or on behalf of respondent to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from, or transmitted to the computers on which it is installed.”
This definition made sense in 2009, Sears acknowledged, but in today’s world, all of Sears’ mobile apps—and almost any software application—meet this definition. In the modern mobile app ecosystem, consumers know and understand that tracking occurs within an app to provide various features and benefits—tracking items in a shopping cart to complete a transaction in a mobile shopping app, for example.
The collection and disclosure requirements of today’s app stores also render the Order “obsolete and impractical,” Sears added, because consumers can be made aware of tracking practices prior to download and installation. Further, the requirements of the Consent Order go above and beyond more recent FTC consent orders, which include carve-outs for certain commonly accepted data collection practices, the company wrote.
Abiding by the terms of the Order is causing Sears “significant hardship,” the national retailer told the FTC, particularly in its efforts to transform the company from a brick-and-mortar storefront to a retailer that is embracing mobile connectivity, social networks, social media and Internet commerce.
Based on both the changed circumstances since the Order was entered and the public interest, Sears proposed modifying the definition of “Tracking Application” to tack the following language on at the end: “unless the information monitored, recorded, or transmitted is limited solely to the following: (a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.”
To read the petition from Sears, click here.
Why it matters: Sears argued that the suggested modification would not threaten consumers’ privacy interests and would bring the Order into alignment with recent and comparable FTC orders on data security. “There is little appreciable public benefit in requiring Sears to disclose that Sears’ mobile apps engage in commonly accepted forms of data collection, and any such benefit is outweighed by the Order’s hindrance on Sears’ competitiveness in the mobile app ecosystem,” the company told the FTC. “Sears’ users are inconvenienced, not enlightened, by such disclosures.” The FTC will decide whether to approve the petition at the end of a 30-day comment period, which expires on Dec. 8.