According to the complaint, Upromise’s toolbar, which users could download for free, flagged Upromise partner merchants in users’ search engine results, allowing users to make purchases through merchants that offered cash rebates that could be deposited into users’ college savings accounts. During the toolbar download process, users were presented with a pop-up message urging them to enable the “Personalized Offers” feature, which Upromise indicated would collect information about the websites users visited in order to provide users with tailored offers. The FTC emphasized that in some instances, the checkbox indicating a user’s consent to enable the Personalized Offers feature was already pre-checked.
The FTC vote to issue the administrative complaint and accept the consent was 4-0. The FTC is accepting public comments on the proposed consent order through February 6.
The settlement emphasizes that the FTC will continue its trend of holding websites accountable for not providing transparent disclosures to consumers about their privacy practices and for not living up to the promises made in their privacy policies. The settlement also highlights that the FTC will continue to closely monitor companies’ data security programs, particularly when sensitive information is involved, and will expect companies that collect and maintain personal information to have adequate data security mechanisms in place, especially given the growing availability of low-cost security solutions.