Software Disclosed Children's Info to Marketers

Monday, December 06, 2010

David Navetta


Article by Boris Segalis

On November 30, 2010, the Federal Trade Commission announced a settlement with EchoMetrix, Inc. with respect to charges that the company failed to adequately disclose its privacy practices.

EchoMetrix sells software that allows parents to monitor their children’s online activities.

The FTC alleged that the company engaged in a deceptive act or practice in violation of Section 5 of the FTC Act by failing to inform parents that the information the software collected about their children would be disclosed to third parties for marketing purposes.

The FTC alleged in its complaint that the only disclosure EchoMetrix made to parents about this practice was a “vague” statement approximately 30 paragraphs into a multi-page end user license agreement (“EULA”).

According to the FTC, the specific language stated that the company used “information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.”

To find the relevant text, however, a user was required to click on a “Support” tab on the company’s website, then a “Policies” tab, then choose “Privacy Policy” or “Software EULA” (and scroll down to the Privacy Policy appended to the EULA).

To find the specific disclosure in the text, a user was required to scroll down approximately 30 paragraphs from the beginning of the EULA. The initially viewable area of the scroll box showed about nine lines of text.

The FTC alleged that this disclosure failed to inform users adequately of the existence of the company’s marketing database and that information collected by the monitoring software would be shared with third parties through the database.

Accordingly, the FTC alleged that parents were unaware that their children’s computer activity, obtained in connection with the operation of the monitoring software, would be disclosed to marketers.

To settle the FTC’s charges, EchoMetrix agreed not to use or share the information the company had obtained through its monitoring software for any purpose other than allowing registered users – parents – to access their accounts.

The settlement order also requires the company to destroy the information in its marketing database that was collected through the monitoring software.

The settlement also contains reporting and record-keeping provisions to allow the FTC to monitor the company’s compliance with the settlement order, including:

  • For a period of four years, notify the FTC of any changes in the company’s structure that may affect compliance obligations arising under the settlement;
  • For a period of four years, provide annual written reports to the FTC setting forth in detail the manner and form in which the company has complied and is complying with the terms of the settlement; and
  • For a period of seven years, retain various company documents regarding the company’s monitoring product and the marketing database. 

In announcing the settlement, David Vladedk, the Director of the FTC’s Bureau of Consumer Protection, reiterated that “[c]ompanies need to make clear disclosures about how they… use and share personal information they collect online – even more so when that information relates to children.”

Mr. Vladeck observed that “[i]n this case – because selling children’s information to marketers is completely contrary to the purpose of the parental monitoring software used to collect it – EchoMetrix agreed to an order that simply prohibits the company from using or sharing [information obtained through the monitoring software] for other purposes.”

The important lesson from this enforcement action is that privacy practices and privacy notices should be transparent to users and fair.

The FTC previously has taken enforcement action in connection with privacy practices that were arguably inconsistent with consumers' expectations and  were not conspicuously disclosed to consumers. This action suggests that the FTC views inadequate disclosures of privacy practices as an ongoing compliance issue.

Cross-posted from InfoLawGroup

Possibly Related Articles:
Legal Privacy Software Marketing FTC
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.