Compete is a company that uses tracking software to collect data on the browsing behavior of millions of consumers, then uses the data to generate reports, which it sells to clients who want to improve their website traffic and sales.
According to the FTC, Compete got consumers to download its tracking software in several ways, including by urging them to join a “Consumer Input Panel” that was promoted using ads that pointed consumers to Compete’s website.
Compete told consumers that by joining the “Panel” they could win rewards while sharing their opinions about products and services. The company also allegedly promised that consumers who installed another type of its software - the Compete Toolbar - could have “instant access” to data about the websites they visited.
Compete also licensed its web-tracking software to other companies. Upromise, which licensed Compete’s web-tracking software, settled similar FTC charges earlier this year.
Once installed, the Compete tracking component operated in the background, automatically collecting information about consumers’ online activity. It captured information consumers entered into websites, including consumers’ usernames, passwords, and search terms, and also some sensitive information such as credit card and financial account information, security codes and expiration dates, and Social Security Numbers.
The FTC charged that several of Compete’s business practices were unfair or deceptive and violated the law. For example, the company failed to disclose to consumers that it would collect detailed information such as information they provided in making purchases, not just “the web pages you visit.”
In addition, the FTC alleged that Compete made false and deceptive assurances to consumers that their personal information would be removed from the data it collected.
Despite these assurances, Compete failed to remove personal data before transmitting it; failed to provide reasonable and appropriate data security; transmitted sensitive information from secure websites in readable text; failed to design and implement reasonable safeguards to protect consumers’ data; and failed to use readily available measures to mitigate the risk to consumers’ data.
The proposed settlement order requires Compete and its clients to fully disclose the information they collect and to get consumers’ express consent before they collect consumers’ data in the future. It also requires the company to delete or anonymize the consumer data it has already collected and to provide directions to consumers for uninstalling its software.
In addition, the settlement bars misrepresentations about the company’s privacy and data security practices and requires that it implement a comprehensive information security program with independent third-party audits every two years for 20 years.
In the meantime, another online analytics firm has also agreed to settle a lawsuit that charged it with using a tool that would "resuscitate" cookies deleted by privacy-minded users in order to surreptitiously track their online behavior.
KISSmetrics, the developer and seller of the tool of the same name, has agreed to pay up to make the suit go away, but according to Wired, the two plaintiffs will get only $5,000 each, while the rest of the money - more than half a million dollars - will go to their lawyers for legal fees.
The proposed settlement still has to be approved by the judge, but if it goes through, there's not much satisfaction to be had for the general public who might have been targeted by the tool. The settlement does not contain an admission of guilt from KISSmetrics, but just a promise that it will not track users without their permission in the future.