FTC Modifies 2009 Order On ‘Tracking Applications’

Overbroad definition of ‘Tracking Application’ puts retailer at a competitive disadvantage

The Federal Trade Commission is seeking public comment on a petition by Sears Holding Management. The petition asks the Commission to reopen and modify a 2009 Order settling charges that Sears failed to adequately disclose the extent of data collected by an app it released as part of a market research program.

Specifically, the petitions requests the definition of ‘Tacking Application’ be modified to exclude operational/performance monitoring activities. Sears argues the 2009 definition is overbroad and sweeps in commonly accepted practices of managing configurations, debugging/performance monitoring, and general usage information. Sears argues the over-broad definition puts it at a competitive disadvantage at a time when transition to digital is a critical to a retailer’s success.

The Order (way back in aught-nine…)
Sears launched a desktop app as part of its ‘My SHC Community.’ Random visitors of sears.com and kmart.com were invited to participate in the program by installing the app. The initial contact was via browser pop-up.
Sears - popup

If interested, a user would enter his/her email address and receive an invitation with more detail, as well as a link to the formal registration process.
Sears - email

At registration, a user was required to tick a box to agree to a ‘Privacy Statement and User License Agreement’ (PSULA).
Sears - consent

Afterward, a user was directed to install the app. The app collected all web browsing activity, including shopping basket activities, completing online application forms, and checking online accounts, as well as transactions over secure sessions and text of secure pages (including online banking statements, video rental transactions, library borrowing histories, and online drug prescription records). Enticements included sweepstakes drawings every two months ($5,000, $2,500, and $1,000 prizes) as well as $10 for each individual who left the app installed for 30 days.

The FTC felt Sears failed to adequately disclose the level of data collection taking place. The Commission argued:

  • the initial pop-up never disclosed the need to install the app, nor did the privacy policy linked on that pop-up
  • the email invitation and PSULA failed to adequately disclose:
    • the app would run in the background at all times
    • the app would monitor nearly all internet behavior on a computer (transmitted in real time), including activities on websites other than those owned, operated, or affiliated with Sears

Additionally, the FTC was concerned that after installation, there was no visible indication the app was running.

Sears entered into a (20 year) consent decree, where it agreed to:

  • Clearly and prominently, and prior to the display of, and on a separate screen from, any final “end user license agreement,” “privacy policy,” “terms of use” page, or similar document, disclose:
    • (1) all the types of data that the Tracking Application will monitor, record, or transmit, including but not limited to whether the data may include information from the consumer’s interactions with a specific set of websites or from a broader range of Internet interaction, whether the data may include transactions or information exchanged between the consumer and third parties in secure sessions, interactions with shopping baskets, application forms, or online accounts, and whether the information may include personal financial or health information;
    • (2) how the data may be used
    • (3) whether the data may be used by a third party
  • Obtain express consent, through a button click or unchecked tick-box, before installing any ‘Tracking Application’
  • Notify existing users of the extent of tracking by the app, with instructions on how to uninstall
  • Cease data collection through the app
  • Destroy all data previously collected through the app

Sears states it has fully complied with the 2009 Order, despite the negative effects compliance has had on Sears’ competitiveness in the mobile space.

The Petition
The petition argues that in just the last eight years, the mobile landscape has radically altered the ways in which consumers interact with companies. Sears argues the Order did not (and could not have) anticipated the paradigm shift in software distribution that has taken place. “(P)rocesses mandated by the Order are a poor fit in a mobile app ecosystem where two dominant mobile app marketplaces (AppStore, Play) dictate how consumers download and install mobile apps and receive disclosures.” These marketplaces have their own rules that create tension and complicate compliance with the Order.

Sears also points out that in comparison to other app providers, who are not subject to the same constraints, the required disclosures imply that Sears’ data collection practices are more intrusive than otherwise equivalent apps. “(N)o other competitor uses a similarly disruptive approach to mobile app disclosures … (users) must read and consent to nearly identical disclosures multiple times … (a)nd by focusing on disclosures shown at the user’s first interaction with an app, the Order tacitly discourages other, potentially more useful, forms of disclosure, such as just-in-time notification.” As a result users are discouraged from completing installations or using Sears apps.

The petition further argues that in a connected world, consumers expect modern applications to stay up-to-date and communicate with remote servers to provide the requested services (e.g., complete a requested transaction, install a security patch or update). “The FTC has acknowledged previously the need for a distinction between the collection of information that is, for example, ‘need[ed] for a requested service or transaction’ and other, more invasive, forms of tracking.” “(S)uch ‘commonly accepted’ practices do not raise substantial privacy risks. The FTC’s seminal 2012 privacy report explains that companies need not obtain consumer consent where the company’s data collection and usage practices are ‘consistent with the context of the transaction or the company’s relationship with the consumer.’

Finally, the petition clarifies that the requested narrow modification would still leave key consumer protections in place, and are in fact already addressed by the modern mobile app ecosystem. “Specifically, both the Apple and Google app platforms require Sears and other app purveyors to follow restrictions on data collection and present consumers information regarding a mobile app’s data practices. The desktop software that led to the Complaint and subsequent Order would be impermissible not just under the Order but also under the rules of the two dominant mobile app stores.” The modification would also bring the 2009 Order into alignment with more recent decisions by the FTC, where the Commission found restrictions need not apply to activities related to quality of a site, services, or individual user experience.

Comments are Due 8 December 2017.
https://www.ftc.gov/news-events/press-releases/2017/11/ftc-seeks-public-comment-sears-holdings-management-corporation
jbho: seems like a reasonable request to me. Apart from the direct benefit to Sears, it will be helpful to have an opinion on the record as to what constitutes user tracking v. operational/performance monitoring. Especially since – as Sears states – most apps are already doing this kinda stuff anyway.

There are also similarities with existing DAA rules. The rules focus on (what some might consider more the more invasive) use of data in Interest Based Advertising, and provide leniency for activities related to Ad Delivery or Ad Reporting (i.e., operational/performance purposes). As for collection & use of data beyond one’s own O&O properties, the DAA has rules on how to handle multi-site / cross-app / cross-device data collection & use as well. Since the FTC seemed to embrace the DAA rules in it’s own commentary on cross-device, perhaps the Commission will take this opportunity to harmonize its former opinions with current industry standard.

With respect to the larger world-view, I think the request can be read to mirror the cookie consent exemptions under the ePrivacy Directive. Might not be a bad idea to consider the Article 29 Working Party’s Opinion 04/2012 on Cookie Consent Exemptions when drafting comments.

Of course, there is always the possibility that the FTC may level the playing field in the opposite direction, and require all software providers to follow the enhanced disclosures in the 2009 Order.


UPDATE: 28Feb2018 – order approving the petition to reopen and modify final order. The commission determined that changed conditions of fact warranted reopening the Order. The FTC agreed that the Android and Apple iOS app stores that only recently launched at the time of the Order have redefined the mobile marketplace, and that consumers now expect apps to collect and transmit many different types of data to support services and features of an apps. “In the context of mobile applications that engage in the types of information collection that consumers expect, the Commission believes that the notice and consent requirements contemplated by the Order are burdensome and counterproductive, both for consumers and Sears.” The commission’s own position has evolved to require affirmative consent only for sensitive information. Thus, the Order-mandated disclosures may confuse consumers, causing them to believe Sears apps collect, use, or share information in ways consumers may not want or expect.

The commission decided that the limited modifications to the Order, to exclude software that conducts the types of data collection that consumers would expect, should be granted. The definition of “Tracking Application” has been revised to read:

4. “Tracking Application” shall mean any software program or application disseminated by or on behalf of respondent, its subsidiaries or affiliated companies, that is capable of being installed on consumers’ computers and used by or on behalf of respondent to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from, or transmitted to the computers on which it is installed, unless the information monitored, recorded, or transmitted is limited solely to the following: (a) the configuration of the software program or application itself; (b) information regarding whether the software program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.

To allay the fears of commenters opposed to modifying the Order, the commission stated the “if Sears distributes software that monitors consumers’ activities across mobile applications, the modified Order would still require Sears to provide a clear and prominent notice and obtain consumers’ express consent.”

https://www.ftc.gov/system/files/documents/cases/c4264searsordergrantingpetition.pdf

Back to top

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: