Sears, the US retailer, has been ordered to delete all customer data it obtained through the use of on-line tracking software it installed on customer’s computers.
While the programme was an opt-in programme for which customers were paid US$10, the extent of the information captured was far beyond what customers might have considered “reasonable” and included data capture that a reasonable person might class as “questionable”. The Register tells us:
The FTC said that while customers had been warned that, once downloaded, software would track their browsing, it had in fact tracked browsing on third party websites, secure browsing including banking and transactions and even some non-internet computer activity.
“The FTC charged… that the software also monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails,” said an FTC statement.
Under EU law, there are protections for individuals as regards the nature of information that can be captured and how it should be captured. These rules are encapsulated in the Data Protection regulations that apply in all EU countries.
A key part of those principles and rules is that the “data subject” (the person to whom the data relates) needs to be given a clear and upfront statement of what information is being captured about them, why, what uses it will be put to, and who it may be shared with.
The FTC specifically criticised Sears for how they presented the information on what was being captured:
“Only in a lengthy user license agreement, available to consumers at the end of a multi-step registration process, did Sears disclose the full extent of the information the software tracked,” said an FTC statement. “The [FTC] complaint charged that Sears’s failure to adequately disclose the scope of the tracking software’s data collection was deceptive and violates the FTC Act.”
So, failing to take adequate care and attention in setting and meeting your customer’s expectations about how you will use their data can seriously jeopardise your ability to capitalise on your information assets. Furthermore it can result in reputational damage and other loss. Managing that expectation improves the quality of the data you have (e.g. customers won’t input spurious data, or you will be legally allowed to use it for other purposes) as well as meeting obligations for trust and transparency with how you manage your customer’s privacy through effective data protection.
In this case, the data gathered was fruit of a poisoned tree and Sears could not retain it or use it, negating the value of any investment they had made in the tracking programme.
Interestingly the FTC initated this case themselves, suggesting that US based Regulators may be taking data protection more seriously. Doubly interesting is the fact that the principles they are setting out are similar to EU regulations.