August 16, 2017

More Broken Privacy Promises from Upromise: Key Takeaways From Upromise’s Latest Settlement with FTC

“Don’t make promises that you don’t intend to keep” is an admonishment received by every child and delivered by every parent. This pithy maxim is equally applicable to consent orders entered into with regulatory authorities. Indeed, Upromise’s failure to abide by it is costing the company $500,000 in the form of a civil penalty from the Federal Trade Commission (FTC).

This is not the first time that Upromise’s “promises” to consumers have caught the attention of the FTC. In January 2012, we knew about the settlement and consent order that the FTC entered into with Upromise, a membership reward service that allows consumers to earn cash-back rewards on certain purchases and direct those rewards to a college savings plan (2012 Consent Order). As part of its service, Upromise offered consumers its “TurboSaver Toolbar” designed to, among other things, highlight and identify Upromise partner companies in search results so that consumers could more easily purchase products that would generate Upromise rewards. Unbeknownst to consumers, however, the TurboSaver Toolbar also collected certain user data, including usernames, passwords, and credit card information.

The 2012 Consent Order with the FTC required Upromise to: (1) make “clear and prominent” disclosures about its toolbar’s data collection and use; and (2) obtain third-party assessments and certifications of the toolbar describing specific safeguards and their effectiveness in protecting consumers’ personal information. Following the 2012 Consent Order, Upromise introduced a new toolbar, called “RewardU.”

According to the FTC, however, Upromise’s RewardU toolbar failed to comply with both requirements of the 2012 Consent Order. First, the FTC contends that Upromise failed to adequately disclose the collection and use of user data by its RewardU toolbar. Instead, the disclosures were displayed only after a consumer clicked a link or scrolled down two full screens of text, to the second paragraph of a footnote-style paragraph. Second, the FTC asserts that Upromise failed to obtain the required third-party assessments of the RewardU toolbar. Instead, Upromise submitted assessments that evaluated other aspects of Upromise’s operations.

As a result, under a Stipulated Order announced on Friday, Upromise must pay a $500,000 civil penalty and meet a number of non-monetary conditions. As an initial matter, Upromise must permanently expire all RewardU-related cookies, “effectively notify” consumers to uninstall the toolbar and all associated cookies, and explain to consumers how to perform these actions. Further, before Upromise can launch a new toolbar, it must have “a qualified, objective, independent third-party professional specializing in website design and user experience” certify that Upromise has adhered to the 2012 Consent Order’s disclosure and “express, affirmative” consumer consent requirements. In addition, Upromise must obtain the FTC’s advance written approval of any required assessment’s scope and design. Finally, Upromise must submit compliance reports to the FTC and submit to compliance monitoring.

In its Press Release announcing the $500,000 civil penalty, the FTC stated: “Upromise once again didn’t disclose to consumers the extent of its data collection, and failed to comply with the FTC’s order to get required privacy assessments … Companies must keep their privacy promises.”

The Upromise case makes clear that the FTC will be monitoring compliance with consent orders. Companies should be on notice that FTC consent orders are promises that must be kept.

©1994-2017 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Wynter Lavier Deagle, Mintz Levin, Commercial Litigation, Government Contracts

Wynter is a seasoned trial lawyer whose practice encompasses a wide range of litigation matters including commercial litigation, government contracts, fiduciary duties, corporate compliance and internal investigations. Wynter has helped numerous companies, particularly in the technology, life sciences, financial and professional services sectors, craft business solutions to a variety of complex legal problems including business fraud, misappropriation of trade secrets, breaches of fiduciary duty and contract matters. Wynter has an aggressive but practical approach to...

Cynthia Larose, Privacy, Security, Attorney, Mintz Levin, Law Firm, electronic transactions lawyer

Cynthia is Chair of the firm’s Privacy & Security Practice and a Certified Information Privacy Professional (CIPP).  She represents companies in information, communications, and technology, including e-commerce and other electronic transactions. She counsels clients through all stages of the “corporate lifecycle,” from start-ups through mid- and later-stage financings to IPO, and has broad experience in technology and business law, including online contracting issues, licensing, domain name issues, software development, and complex outsourcing transactions.

Cynthia has extensive experience in privacy, data security, and information management matters, including state, federal, and international laws and regulations on the use and transfer of information, behavioral advertising, data security breach compliance and incident response, data breach incident response planning, as well as data transfers in the context of mergers and acquisitions and technology transactions.

She conducts privacy audits and risk assessments to determine data and transaction flow and to assess privacy practices, and assists with drafting and implementation of privacy policies and information security policies and procedures and monitoring of privacy “best practices” across all levels of the enterprise.

She is a frequent speaker on privacy issues at conferences and media appearances and presents privacy awareness and compliance training seminars to client companies.