FTC May Revisit 2009 Sears Data Collection Order
On November 8, 2017, the Federal Trade Commission (FTC or Commission) announced that it would accept public comment on a petition by Sears Holding Management (Sears) to reopen and modify a 2009 settlement Order finding that Sears inadequately disclosed the scope of personal information collected through its online application. The decision could provide insight into the Commission’s enforcement priorities as Internet-of-Things (IoT) devices—and the wealth of data those devices collect—become increasingly ubiquitous.
In its original complaint, the FTC determined that Sears’s desktop application inadequately disclosed the scope of its data collection practices between 2007 and 2008. When installed, the application ran in the background on consumers’ computers and transmitted collected information to company servers. The information included most of the Internet behavior that occurred on those computers, including:
- Web browsing;
- Shopping baskets;
- Business transactions;
- Online application forms; and
- Use of web-based email and instant messaging services.
The application’s privacy statement and user license agreement described how the collected information was transmitted, used, and maintained. The FTC found that the agreement limited collected information to “online browsing” data, when in fact the application transmitted, in real time, tracked information that included the text of secure pages.
The FTC found that Sears’s inadequate disclosure amounted to unfair or deceptive acts or practices under Section 5(a) of the Federal Trade Commission Act. The FTC and Sears settled the complaint, and the Commission issued the Order that Sears now seeks to reopen and modify.
Under the Order, a “tracking application” means “any software program or application” capable of monitoring, recording, or transmitting “information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from, or transmitted to the computers on which it is installed.”
In its petition, Sears argues that dramatic changes in mobile technology since 2009 merit a reconsideration of the Order. Sears requests that the Commission modify the Order to update its definition of “tracking application” to allow the collection of monitoring, recording, or transmitting information to configure the application; to analyze whether the app is functioning properly; and to determine if the information addresses consumer use of the application.
Sears argues that the current definition applies to “nearly all software on all platforms, including those that bear little relation to the desktop software” addressed in the Order. It argues that the Order’s mandates do not align with today’s mobile application ecosystem and consumer expectations, which have changed dramatically since 2009. Sears is particularly concerned about the Order’s impact on its own mobile applications, which are central to the company’s strategic priorities.
The dispute illustrates the tension between consumer privacy and the necessity of data collection to remain commercially competitive in the digital age. This tension will only become more pronounced as new IoT devices enter the marketplace, and the Commission’s ruling on the petition could provide valuable insight into how it balances these priorities.
The Commission welcomes public comment as it considers Sears’s petition. Comments are due December 8, 2017 and can be filed here.