In re Sears Holdings Management Corp.

In the middle of 2009 the Federal Trade Commission filed a complaint against Sears Holdings Management Corporation (SHMC) for unfair or deceptive acts or practices affecting commerce. SHMC operates the sears.com and kmart.com retail websites for Sears Holdings Corporation. As part of a marketing effort, some users of sears.com and kmart.com were invited to download an application developed for SHMC that ran in the background on users' computers collecting information on nearly all internet activity. The tracking aspects of the program were only disclosed in legalese in the middle of the End User License Agreement. The FTC found this was insufficient disclosure given consumers' expectations and the detailed information being collected. On September 9, 2009 the FTC approved a consent decree with SHMC requiring full disclosure of its activities and destruction of previously obtained information.

Background
From April 2007 until January 2008 SHMC offered about 15% of the visitors to its websites the opportunity to join the My SHC Community. Selected visitors saw a pop-up advertisement that asked "Ever wish you could talk directly to a retailer? Tell them about the products, services and offers that would really be right for you?" It then gave visitors a chance to join the "My SHC Community", "a dynamic and highly interactive on-line community... where your voice is heard and your opinion matters, and what you want and need counts!"

If visitors agreed, they provided an email address and were sent a follow-up email with more details about the community. This email contained the first mention of a research software program that users were asked to download. The application would "confidentially track [] online browsing." This revelation was buried amongst a lot of other text describing more overt participation in the community such as:

"We'll ask you to journal your shopping and purchasing behavior. Again, this will be when you want and how you want to record it – always on your terms and always by your choice. We'll also collect information on your internet usage. Community engagements are always fun and always voluntary!"

Consumers received $10 in exchange for joining the "community" as long as they kept the application running for at least one month. Most of the content of the email focused upon direct participation in the online community, with only limited references to the application that would be collecting massive amounts of information.

The Privacy Statement and End User License Agreement provided more details, but only if users scrolled down 75 lines in a small text box that displayed ten lines of text at a time. The Agreement revealed that the application would be collecting detailed information about the computer on which it was installed in addition to:

"all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information. We may use the information that we monitor, such as name and address, for the purpose of better understanding your household demographics; however we make commercially viable efforts to automatically filter confidential personally identifiable information such as UserID, password, credit card numbers, and account numbers. Inadvertently, we may collect such information about our panelists; and when this happens, we make commercially viable efforts to purge our database of such information."

The application basically captured all internet activity and only made token efforts to prevent the collection of passwords. Although the agreement said they did not examine the text of IMs or email messages, they did collect email header information.

Once the application was installed there was almost no indication that it was running on a user's computer. The complaint noted the lack of a system tray icon or any other visible indication other than "srhc.exe" being listed as a running process in Windows Task Manager. The FTC concluded that although SHMC made some disclosures about the application and the information it collected, they "failed to disclose adequately." Because the application "monitor[ed] nearly all of the Internet behavior that occurs on consumers' computers," including detailed transaction information with websites not affiliated with SHMC, and then transmitted that information to SHMC's remote servers, the minimal disclosures provided in the email and buried in the license agreement were inadequate. The FTC found that details about the information collected "would be material to consumers in deciding to install the software." As a result, SHMC's "failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice."

Consent decree
SHMC consented to the FTC's order that they "clearly and prominently" disclose, on a separate screen from the privacy policy or license agreement, (1) "all of the types of data that the Tracking Application will monitor, record or transmit;" (2) "how the data may be used;" and (3) "whether the data may be used by a third party." They were also required to obtain opt-in consent from future users.

For existing users of the application, SHMC was required to contact and notify the users of what the application did and provide assistance in removing it. They further had to place a clear and prominent notice on the website. Finally, they had to destroy all of the data obtained from consumers prior to the consent decree.

Departure from legal precedent
Although section 5 of the Federal Trade Commission Act (15 U.S.C. § 45) grants the FTC power to investigate and prevent deceptive trade practices, this decision came as a surprise to a number of legal observers. SHMC probably thought it was doing everything legally required to use its application to collect detailed information on consumers. Courts have frequently found that terms buried within license agreements are enforceable, even when the terms are in small print in text boxes like the ones in the SHMC case. In these cases, often referred to as clickwrap agreements, courts have found that by clicking "I accept" users became legally bound by all of the terms of the license agreement even if they did not read them. Contractually, companies are usually free to create whatever terms they want as long as they are disclosed in legalese somewhere in the license agreement or terms of use. The FTC has indicated through this case that while this fiction may be adequate to form a contract, it is not adequate to avoid deceptive practices. Unread agreements do not relieve companies of their duty not to deceive consumers by omitting material terms. The ruling suggests that companies have a duty to appropriately set consumer expectations and cannot rely upon the fiction that users have read license agreements. Rather, if a company's application or website collects information or behaves in ways that consumers would not expect, the company has a duty to inform the consumer of what the application or website does.

FTC's online privacy agenda
The FTC has long worked to protect consumer privacy in different arenas. Its goal is to "protect consumers' personal information and to ensure that consumers have confidence to take advantage of the many benefits offered by the ever-changing marketplace." Although the goal may have remained constant, the means of accomplishing it have changed over time as the marketplace changes. This decision is part of a broader FTC effort to protect consumer privacy online. An article released by the FTC stated its goal of making individuals responsible for the data they share on the internet, but this is premised on "transparency of privacy practices" by companies so that consumers can make informed decisions. This theory of privacy, and the complaint and subsequent consent decree, are based upon the FTC's Fair Information Practice principles (FIPs). This set of principles focuses upon requiring full disclosure of the data being collected so that users can make informed decisions about whether to participate. The application deployed by SHMC clearly violated these principles.

Presumably SHMC's goal in collecting the massive amount of data was to be able to better market products to consumers. This type of profiling in order to advertise is often referred to as behavioral advertising, which has received significant attention due to its privacy-invasive nature. The Network Advertising Initiative was launched to help manage public concern over this issue, which came to a head during the Facebook Beacon scandal. Although the Beacon scandal did not result in FTC action, complaints were filed with the FTC and Facebook users brought a class action lawsuit. Since then, the FTC has issued behavioral advertising guidelines and Congress has held hearings and is considering legislation on the subject.