From April 2007 until January 2008, fifteen of every 100 visitors to the sears.com and kmart.com websites were presented with a pop-up inviting them to join “My SHC Community.” The visitors were asked whether they would like to have their voice heard and provide information directly to retailers about products and services that would be right for them. The pop-up invited visitors to enter their e-mail address to receive follow-up information. If a consumer supplied their e-mail address, they subsequently received messages inviting them to complete a registration form and become a member of the “My SHC Community.” If they agreed to join the “community” for one month, they received a payment of $10. As part of the sign-up process, the consumer clicked on “Join today” and was directed to a registration page on the website.
To complete the registration, Sears asked the consumer to enter name, address, age, and e-mail address. The website linked to the Sears Privacy Statement and User License Agreement (“Terms”), which included language indicating that once the Sears application software is installed on the consumer’s computer, it monitors all of the consumer’s Internet behavior, including personal financial and health information. This language did not appear until the 75th line. The Terms stated that the information would be used for demographic purposes and indicated that Sears would “make commercially viable efforts” to try to filter out credit card numbers and user IDs. The Terms went on to state that the consumer could stop participating at any time, but Sears reserved the right to continue using the information collected.
The FTC and Sears have recently entered into a settlement agreement to resolve this situation. The settlement requires Sears to destroy all information obtained through the software, and it is open to public comment until July 6, 2009.
What can the average organization with an Internet presence learn from the Sears settlement? The following are some of the points:
- If a website utilizes a tracking application, the website terms must disclose the types of data being collected, how the data will be used, and whether the data may be used by third parties.
- Even if the website terms state how the collected information will be used, the website owner must also make sure that the explanation of how data is collected is “clearly and prominently” displayed.
There is also additional news in the area of website privacy policies. The FTC has held town hall meetings for the last few years on the issue of on-line advertising. The question is whether website visitors must opt in to receive advertisements or whether Internet users would be required to take action to opt out of receiving on-line advertisements. There is a sense that the FTC realizes that consumers benefit from targeted ads, but that the on-line advertising industry must provide a better mechanism for consumers to opt out and that an appropriate standard should be developed as to notice and consent requirements regarding data collection practices. The debate continues but, for now, it is important that each organization review the data collection practices it employs on its website and verify that key facts regarding those practices are not buried in the policy.