“Don’t make promises that you don’t intend to keep” is an admonishment received by every child and delivered by every parent. This pithy maxim is equally applicable to consent orders entered into with regulatory authorities. Indeed, Upromise’s failure to abide by it is costing the company $500,000 in the form of a civil penalty from the Federal Trade Commission (FTC).
This is not the first time that Upromise’s “promises” to consumers has caught the attention of the FTC. In January 2012, we knew about the settlement and consent order that the FTC entered in to with Upromise, a membership reward service that allows consumers to earn cash-back rewards on certain purchases and direct those rewards to a college savings plan (2012 Consent Order). As part of its service, Upromise offered consumers its “TurboSaver Toolbar” designed to, among other things, highlight an identify Upromise partner companies in search results so that consumers could more easily purchase products that would generate Upromise rewards. Unbeknownst to consumers, however, the TurboSaver Toolbar also collected certain user data– including usernames, passwords, and credit card information.
The 2012 Consent Order with the FTC required Upromise to: (1) make “clear and prominent” disclosures about its toolbar’s data collection and use; and (2) obtain third-party assessments and certifications of the toolbar describing specific safeguards and their effectiveness in protecting consumers’ personal information. Following the 2012 Consent Order, Upromise introduced a new toolbar, called “RewardU.”
According to the FTC, however, Upromise’s RewardU toolbar failed to comply with both requirements of the 2012 Consent Order. First, the FTC contends that Upromise failed to adequately disclose the collection and use of user data by its RewardU toolbar. Instead, the disclosures were displayed only after a consumer clicked a link or scrolled down two full screens of text, to the second paragraph of a footnote-style paragraph. Second, the FTC asserts that Upromise failed to obtain the required third-party assessments of the RewardU toolbar. Instead, Upromise submitted assessments that evaluated other aspects of Upromise’s operations.
As a result, under a Stipulated Order announced on Friday, Upromise must pay a $500,000 civil penalty and meet a number of non-monetary conditions. As an initial matter, Upromise must permanently expire all RewardU-related cookies, “effectively notify” consumers to uninstall the toolbar and all associated cookies, and explain to consumers how to perform these actions. Further, before Upromise can launch a new toolbar, it must have a “a qualified, objective, independent third-party professional specializing in website design and user experience” certify that Upromise has adhered to the 2012 Consent Order’s disclosure and “express, affirmative” consumer consent requirements. In addition, Upromise must obtain the FTC’s advance written approval of any required assessment’s scope and design. Finally, Upromise must submit compliance reports to the FTC and submit to compliance monitoring.
In its Press Release announcing the $500,000 civil penalty, the FTC stated: “Upromise once again didn’t disclose to consumers the extent of its data collection, and failed to comply with the FTC’s order to get required privacy assessments … Companies must keep their privacy promises.”
The Upromise case makes clear that the FTC will be monitoring compliance with consent orders. Companies should be on notice that FTC consent orders are promises that must be kept.