In the Matter of Sears Holdings Management Corporation
Encyclopedia
In the middle of 2009 the Federal Trade Commission
filed a complaint against Sears Holdings Management Corporation (SHMC) for unfair or deceptive acts or practices affecting commerce. SHMC operates the sears.com and kmart.com retail websites for Sears Holdings Corporation
. As part of a marketing effort, some users of sears.com and kmart.com were invited to download an application developed for SHMC that ran in the background on users’ computers collecting information on nearly all internet activity. The tracking aspects of the program were only disclosed in legalese in the middle of the End User License Agreement. The FTC found this was insufficient disclosure given consumers expectations and the detailed information being collected. On September 9, 2009 the FTC approved a consent decree with SHMC requiring full disclosure of its activities and destruction of previously obtained information.
If visitors agreed, they provided an email address and were sent a follow-up email with more details about the community. This email contained the first mention of a research software program that users were asked to download. The application would “confidentially track [] online browsing." This revelation was buried amongst a lot of other text describing more overt participation in the community such as:
Consumers received $10 in exchange for joining the “community" as long as they kept the application running for at least one month. Most of the content of the email focused upon direct participation in the online community, with only limited references to the application that would be collecting massive amounts of information.
The Privacy Statement and End User License Agreement, provided more details, but only if users scrolled down 75 lines in a small text box that displayed ten lines of text at a time. The Agreement revealed that the application would be collecting detailed information about the computer that the application was installed on in addition to:
The application basically captured all internet activity and only made token efforts to prevent the collection of passwords. Although the agreement said they did not examine the text of IMs or email messages, they did collect email header information.
Once the application was installed there was almost no indication that it was running on a user’s computer. The complaint noted the lack of system tray icon or other visible indication other than “srhc.exe" being listed as a running process in Windows Task Manager.
The FTC concluded that although SMHC made some disclosures about the application and the information it collected, they “failed to disclose adequately." Because the application “monitor[ed] nearly all of the Internet behavior that occurs on consumers’ computers" including detailed transaction information with websites not affiliated with SMHC and then transmitted that information to SHMC remote servers, the minimal disclosures provided in the email and buried in the license agreement were inadequate. The FTC found that details about the information collected “would be material to consumers in deciding to install the software." As a result, SHMC’s “failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."
For existing users of the application, SMHC was required to contact and notify the users of what the application did and provide assistance in removing it. They further had to place a clear and prominent notice on the website. Finally, they had to destroy all of the data obtained from consumers prior to the consent decree.
agreements, in these cases courts have found that by clicking “I accept" users became legally bound by all of the terms of the licensee agreement even if they did not read them. Contractually, companies are usually free to create whatever terms they want as long as they are disclosed in legalese somewhere in the licensee agreement or terms of use. These cases are based upon the fiction that pervades contract law that by signing a contract or clicking “I accept" a party consents to all of the terms in the contract.
The FTC has indicated through this case that while this fiction may be adequate to form a contract, it is not adequate to avoid deceptive practices. Unread agreements do not relieve companies of their duty not to deceive consumers by omitting material terms. The ruling suggests that companies have a duty to appropriately set consumer expectations and they cannot rely upon the fiction that users have read license agreements. Rather, if a company’s application or websites collects information or behaves in ways that consumers would not expect, the company has a duty to inform the consumer of what the application or website does.
principles (FIPs). This set of principles focus upon requiring full disclosure of the data being collected so that users can make informed decisions about whether to participate. The application deployed by SMHC clearly violated these principles.
Presumably SMHC’s goal in collecting the massive amount of data was to be able to better market products to consumers. This type of profiling in order to advertise too is often referred to as behavioral advertising, which has received significant attention due to its privacy invasive nature. The Network Advertising Initiative
was launched to help manage public concern over this issue, which came to a head during the Facebook Beacon
scandal. Although the Beacon scandal did not result in FTC action, complaints were filed with the FTC and Facebook users brought a class action lawsuit. Since then, the FTC has issued behavioral advertising guidelines
and Congress has held hearings and is considering legislation on the subject.
Federal Trade Commission
The Federal Trade Commission is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act...
filed a complaint against Sears Holdings Management Corporation (SHMC) for unfair or deceptive acts or practices affecting commerce. SHMC operates the sears.com and kmart.com retail websites for Sears Holdings Corporation
Sears Holdings Corporation
Sears Holdings Corporation is a retail conglomerate formed in 2005 by the merger of Sears, Roebuck and Co., of Hoffman Estates, Illinois, with Kmart Holdings Corporation, of Troy, Michigan...
. As part of a marketing effort, some users of sears.com and kmart.com were invited to download an application developed for SHMC that ran in the background on users’ computers collecting information on nearly all internet activity. The tracking aspects of the program were only disclosed in legalese in the middle of the End User License Agreement. The FTC found this was insufficient disclosure given consumers expectations and the detailed information being collected. On September 9, 2009 the FTC approved a consent decree with SHMC requiring full disclosure of its activities and destruction of previously obtained information.
Background
From April 2007 until January 2008 SHMC offered about 15% of the visitors to its websites the opportunity to join the My SHC Community. Selected visitors saw a pop-up add that asked “Ever wish you could talk directly to a retailer? Tell them about the products, services and offers that would really be right for you?" It then gave visitors a chance to join the “My SHC Community", “a dynamic and highly interactive on-line community... where your voice is heard and your opinion matters, and what you want and need counts!"If visitors agreed, they provided an email address and were sent a follow-up email with more details about the community. This email contained the first mention of a research software program that users were asked to download. The application would “confidentially track [] online browsing." This revelation was buried amongst a lot of other text describing more overt participation in the community such as:
We’ll ask you to journal your shopping and purchasing behavior. Again, this will be when you want and how you want to record it – always on your terms and always by your choice. We’ll also collect information on your internet usage. Community engagements are always fun and always voluntary!
Consumers received $10 in exchange for joining the “community" as long as they kept the application running for at least one month. Most of the content of the email focused upon direct participation in the online community, with only limited references to the application that would be collecting massive amounts of information.
The Privacy Statement and End User License Agreement, provided more details, but only if users scrolled down 75 lines in a small text box that displayed ten lines of text at a time. The Agreement revealed that the application would be collecting detailed information about the computer that the application was installed on in addition to:
all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information. We may use the information that we monitor, such as name and address, for the purpose of better understanding your household demographics; however we make commercially viable efforts to automatically filter confidential personally identifiable information such as UserID, password, credit card numbers, and account numbers. Inadvertently, we may collect such information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information.
The application basically captured all internet activity and only made token efforts to prevent the collection of passwords. Although the agreement said they did not examine the text of IMs or email messages, they did collect email header information.
Once the application was installed there was almost no indication that it was running on a user’s computer. The complaint noted the lack of system tray icon or other visible indication other than “srhc.exe" being listed as a running process in Windows Task Manager.
The FTC concluded that although SMHC made some disclosures about the application and the information it collected, they “failed to disclose adequately." Because the application “monitor[ed] nearly all of the Internet behavior that occurs on consumers’ computers" including detailed transaction information with websites not affiliated with SMHC and then transmitted that information to SHMC remote servers, the minimal disclosures provided in the email and buried in the license agreement were inadequate. The FTC found that details about the information collected “would be material to consumers in deciding to install the software." As a result, SHMC’s “failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."
Consent decree
SMHC consented to the FTC’s order that they “clearly and prominently" disclose on a separate screen from the privacy policy or license agreement (1) "all of the types of data that the Tracking Application will monitor, record or transmit;" (2) “how the data may be used;" and (3) "whether the data may be used by a third party." They were also required to obtain opt-in consent from future users.For existing users of the application, SMHC was required to contact and notify the users of what the application did and provide assistance in removing it. They further had to place a clear and prominent notice on the website. Finally, they had to destroy all of the data obtained from consumers prior to the consent decree.
Departure from legal precedent
Although, section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) grants the FTC power to investigate and prevent deceptive trade practices, this decision came as a surprise to a number of legal observes. SMHC probably thought it was doing everything it was legally required to use its application to collect detailed information on consumers. Courts have frequently found that terms buried within licensee agreements are enforceable—even when the terms are in small print in text boxes like the ones in the SMHC case. Often referred to as clickwrapClickwrap
A clickwrap agreement is a common type of agreement often used in connection with software licenses. Such forms of agreement are mostly found on the Internet, as part of the installation process of many software packages, or in other circumstances where agreement is sought using electronic media...
agreements, in these cases courts have found that by clicking “I accept" users became legally bound by all of the terms of the licensee agreement even if they did not read them. Contractually, companies are usually free to create whatever terms they want as long as they are disclosed in legalese somewhere in the licensee agreement or terms of use. These cases are based upon the fiction that pervades contract law that by signing a contract or clicking “I accept" a party consents to all of the terms in the contract.
The FTC has indicated through this case that while this fiction may be adequate to form a contract, it is not adequate to avoid deceptive practices. Unread agreements do not relieve companies of their duty not to deceive consumers by omitting material terms. The ruling suggests that companies have a duty to appropriately set consumer expectations and they cannot rely upon the fiction that users have read license agreements. Rather, if a company’s application or websites collects information or behaves in ways that consumers would not expect, the company has a duty to inform the consumer of what the application or website does.
FTC’s online privacy agenda
The FTC has long worked to protect consumer privacy in different arenas. Its goal is to “protect consumer’s personal information and to ensure that consumers have confidence to take advantage of the many benefits offered by the ever-changing marketplace." Although the goal may have remained constant, the means of accomplishing it have changed overtime as the marketplace changes. This decision is part of a broader FTC effort to protect consumer privacy online. An article released by the FTC stated their goal of making individuals responsible for the data they share on the internet, but this is premised on “transparency of privacy practices" by companies so that consumers can make informed decisions. This theory of privacy and the complaint and subsequent consent decree are based upon the FTC Fair Information PracticeFTC Fair Information Practice
The United States Federal Trade Commission's Fair Information Practice Principles are guidelines that represent widely-accepted concepts concerning fair information practice in an electronic marketplace.- Introduction :...
principles (FIPs). This set of principles focus upon requiring full disclosure of the data being collected so that users can make informed decisions about whether to participate. The application deployed by SMHC clearly violated these principles.
Presumably SMHC’s goal in collecting the massive amount of data was to be able to better market products to consumers. This type of profiling in order to advertise too is often referred to as behavioral advertising, which has received significant attention due to its privacy invasive nature. The Network Advertising Initiative
Network Advertising Initiative
The Network Advertising Initiative is an industry trade group formed in 1999 that develops self-regulatory standards for online advertising. Advertising networks created the organization in response to concerns from the Federal Trade Commission and consumer groups that online advertising —...
was launched to help manage public concern over this issue, which came to a head during the Facebook Beacon
Facebook Beacon
Beacon was a part of Facebook's advertisement system that sent data from external websites to Facebook, for the purpose of allowing targeted advertisements and allowing users to share their activities with their friends. Certain activities on partner sites were published to a user's News Feed....
scandal. Although the Beacon scandal did not result in FTC action, complaints were filed with the FTC and Facebook users brought a class action lawsuit. Since then, the FTC has issued behavioral advertising guidelines
FTC Regulation of Behavioral Advertising
The United States Federal Trade Commission has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, known initially as online profiling, and now known as behavioral targeting, are used to target online behavioral...
and Congress has held hearings and is considering legislation on the subject.
See also
- Federal Trade CommissionFederal Trade CommissionThe Federal Trade Commission is an independent agency of the United States government, established in 1914 by the Federal Trade Commission Act...
- FTC Fair Information Practices
- FTC regulation of behavioral advertisingFTC Regulation of Behavioral AdvertisingThe United States Federal Trade Commission has been involved in oversight of the behavioral targeting techniques used by online advertisers since the mid-1990s. These techniques, known initially as online profiling, and now known as behavioral targeting, are used to target online behavioral...