FTC Settles Two Privacy Cases
The FTC announced a settlement with a company that provides online shopping cart software and fulfillment to e-tailers, and that allegedly collected and sold personal information provided during the check-out process.
The FTC stated that “companies and service providers must make sure that their privacy policies are in sync,” and that merchants have an obligation to know what their service providers are doing with consumers’ personal information. This means that companies using service providers that have access to customers’ personal information should have agreements in place that ensure the service providers are complying with all relevant laws.
According to the FTC, CartManager International provides and processes the shopping cart and check-out pages that thousands of online merchants use, even though the web pages are branded to look like they are part of the merchants’ web sites. To complete the transactions, customers are required to provide personal information including name, address, email address, phone number, and credit card number. Although CartManager was aware that some merchants promised that customers’ personal information would not be shared, CartManager collected information provided by nearly a million customers and sold it to marketers. The FTC alleges that CartManager did not adequately inform consumers or merchants that it would collect and sell this information, and that it acted with the knowledge that selling the information was contrary to many merchants’ privacy policies.
The settlement requires that CartManager’s privacy policy be consistent with the merchant’s or, where it is not because the merchant’s policy does not permit disclosure of personal information to third parties, that CartManager post a clear and conspicuous notice to consumers on each of its pages stating that consumers are on the CartManager site and that personal information collected on the site will be disclosed to third parties. The result is that consumers completing a transaction with a merchant online will know when the check-out page is controlled by an entity other than the merchant. In addition, merchants will have an obligation to know what their service providers are doing and will have to modify their own sites accordingly, or require their service providers to adhere to the merchant’s own privacy practices. The settlement order also bars the use of the personal data CartManager already collected, as well as future misrepresentations about the collection, use, or disclosure of personal information. The settlement also requires that CartManager give up the $9,101.63 it made selling the consumer information, and requires the company to keep records to allow the FTC to monitor its compliance.
The FTC also announced a settlement with Nationwide Mortgage over alleged violations of the Gramm-Leach-Bliley (GLB) Safeguards Rule and the GLB Privacy Rule. According to the FTC’s complaint, Nationwide Mortgage Group, Inc. failed to identify risks to sensitive customer information and to implement safeguards to control those risks. Specifically, Nationwide failed to
- train employees on information security issues;
- oversee loan holders’ handling of customer information; and
- monitor its computer network for vulnerabilities.
The FTC also alleged that the company violated the GLB Privacy Rule by failing to provide required privacy notices to consumers explaining how their personal information is used or disclosed.
The proposed consent order requires the company to retain an independent professional to certify that its security program meets the standards mandated in the consent order within six months, and then once every other year for 10 years. The consent order also requires Nationwide to maintain certain records and allow the FTC to monitor the company’s compliance.
States Rush to Introduce Data Security Bills
In the aftermath of the data security breaches announced by ChoicePoint, LexisNexis, DSW Shoe Warehouse, Kaiser Permanente, and other companies, several states have introduced security breach notification bills. Most of the bills mirror California’s law, which requires companies to notify customers if their unencrypted personal information has been the subject of a security breach. Arizona, Colorado, Georgia, Illinois, Indiana, Maryland, Michigan, Missouri, New Jersey, New York, Ohio, Rhode Island, Tennessee, Texas, Virginia, and Washington have all introduced bills, some of which seem likely to be enacted.
Federal lawmakers have also introduced several bills on data security, including H.B. 1080, which would establish rules to regulate information brokers, and S. 115, which would establish national standards for notifying customers of data security breaches.
FTC Staff Opinion Letter Regarding CAN-SPAM and Multiple Advertisers
The FTC recently issued an informal opinion letter on opt-out requirements when a commercial email contains ads from multiple sellers and is sent to someone who has provided affirmative consent to receive commercial email.
If certain conditions are met, the advertiser who obtained the affirmative consent from the person receiving the commercial email is considered the sender, and only the sender must provide an opt-out mechanism in the commercial email and honor an opt-out request. This means that in co-branded emails or other types of emails that contain ads from more than one seller, only one entity must provide the opportunity to opt out and must honor any opt-out requests. However, all advertisers should make sure the sender is providing an opt-out, and the commercial email must still comply with the prohibitions against false and misleading transmission routes and subject lines.
In addition, the sender must provide a clear and conspicuous disclosure that when someone provides affirmative consent to receive commercial email from the sender, he or she may also receive commercial email that contains ads from other sellers.
Advertisers other than the sender should make sure the sender is complying with these requirements, by reviewing emails in which their ads appear, reviewing opt-ins to make sure the sender has provided the required disclosure, and/or entering into a contract with the sender to make sure the sender is fulfilling its obligations.
This client alert is a publication of Loeb & Loeb and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations.
Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.