BreachExchange mailing list archives

Sears Settles FTC Charges Regarding Tracking Software


From: security curmudgeon <jericho () attrition org>
Date: Thu, 4 Jun 2009 22:37:44 +0000 (UTC)


http://www.ftc.gov/opa/2009/06/sears.shtm

For Release: 06/04/2009
Sears Settles FTC Charges Regarding Tracking Software
Sears Failed to Disclose Adequately that Software Collected Consumers'
Sensitive Personal Information

Sears Holdings Management Corporation - owned by Sears, Roebuck and Company
and Kmart Management Corporation - has agreed to settle Federal Trade
Commission charges that it failed to disclose adequately the scope of
consumers' personal information it collected via a downloadable software
application. According to the FTC's administrative complaint, Sears
represented to consumers that the software would track their online
browsing. The FTC charges that the software would also monitor consumers'
online secure sessions - including sessions on third parties' Web sites - and
collect information transmitted in those sessions, such as the contents of 
shopping carts, online bank statements, drug prescription records, video 
rental records, library borrowing histories, and the sender, recipient, 
subject, and size for web-based e-mails. The software would also track 
some computer activities that were not related to the Internet. The 
proposed settlement calls for Sears to stop collecting data from the 
consumers who downloaded the software and to destroy all data it had 
previously collected.

According to the FTC's complaint, Sears invited certain consumers visiting
the sears.com and kmart.com Web sites to become members of the My SHC
Community. Sears solicited these consumers to participate in "exciting,
engaging, and on-going interactions - always on your terms and always by
your choice." Sears paid consumers $10 to participate. As part of this
process, Sears asked consumers to download research software that it said
would confidentially track their online browsing. Only in a lengthy user
license agreement, available to consumers at the end of a multi-step
registration process, did Sears disclose the full extent of the
information the software tracked, according to the complaint. The
complaint charges that Sears' failure to adequately disclose the scope of
the tracking software's data collection was deceptive and violates the
FTC Act.

Under the proposed settlement, in addition to destroying information 
previously collected, if Sears advertises or disseminates any tracking 
software in the future, it must clearly and prominently disclose the types 
of data the software will monitor, record, or transmit. This disclosure 
must be made prior to installation and separate from any user license 
agreement. Sears must also disclose whether any of the data will be used 
by a third party.

The Commission vote to approve the administrative complaint and proposed 
settlement agreement was 4-0. The settlement contains standard reporting 
and record-keeping provisions to allow the agency to monitor compliance. 
The FTC will publish an announcement regarding the agreement in the 
Federal Register shortly. The agreement will be subject to public comment 
for 30 days, beginning today and continuing through July 6, 2009, after 
which the Commission will decide whether to make it final. To file a 
public comment, please click on the following hyperlink: 
http://www.ftc.gov/os/2009/06/0823099publiccomment.pdf and follow the 
instructions at that site.

NOTE: The Commission issues or files a complaint when it has reason to 
believe that the law has been or is being violated, and it appears to the 
Commission that a proceeding is in the public interest. The complaint is 
not a finding or ruling that the named parties have violated the law.

NOTE: A consent agreement is for settlement purposes only and does not 
constitute an admission of a law violation. When the Commission issues a 
consent order on a final basis, it carries the force of law with respect 
to future actions. Each violation of such an order may result in a civil 
penalty of $16,000.

Copies of the complaint, the proposed settlement agreement, and an 
analysis of the agreement to aid in public comment are available from both 
the FTC's Web site at http://www.ftc.gov, and the FTC's Consumer Response
Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The 
Federal Trade Commission works for consumers to prevent fraudulent, 
deceptive, and unfair business practices and to provide information to 
help spot, stop, and avoid them. To file a complaint in English or 
Spanish, visit the FTC's online Complaint Assistant or call 1-877-FTC-HELP
(1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a 
secure, online database available to more than 1,500 civil and criminal 
law enforcement agencies in the U.S. and abroad. The FTC's Web site
provides free information on a variety of consumer topics.

Media Contact:
     Betsy Lordan
     Office of Public Affairs
     202-326-3707
Staff Contact:
     Rick Quaresima
     Bureau of Consumer Protection
     202-326-3130


(FTC File No. 0823099)
(Sears.wpd)
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)