Compete, Inc.; Analysis of Proposed Consent Order To Aid Public Comment, 65550-65552 [2012-26464]
Download as PDF
65550
Federal Register / Vol. 77, No. 209 / Monday, October 29, 2012 / Notices
Cost to the Government: $4,160.
Sharon A. Whitt,
Agency Clearance Officer.
[FR Doc. 2012–26508 Filed 10–26–12; 8:45 am]
BILLING CODE 6690–01–P
FEDERAL TRADE COMMISSION
[File No. 102 3155]
Compete, Inc.; Analysis of Proposed
Consent Order To Aid Public Comment
Federal Trade Commission.
Proposed Consent Agreement.
AGENCY:
ACTION:
The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order—embodied in the consent
agreement—that would settle these
allegations.
DATES: Comments must be received on
or before November 19, 2012.
ADDRESSES: Interested parties may file a
comment at https://
ftcpublic.commentworks.com/ftc/
competeincconsent online or on paper,
by following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘Compete, Inc., File No.
102 3155’’ on your comment and file
your comment online at https://
ftcpublic.commentworks.com/ftc/
competeincconsent, by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail or deliver your comment to
the following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580.
FOR FURTHER INFORMATION CONTACT:
Ruth Yodaiken (202–326–2127), Jamie
Hine (202–326–2188), FTC, Bureau of
Consumer Protection, 600 Pennsylvania
Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to Section 6(f) of the Federal Trade
Commission Act, 15 U.S.C. 46(f), and
FTC Rule 2.34, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
rmajette on DSK2TPTVN1PROD with
SUMMARY:
VerDate Mar<15>2010
13:18 Oct 26, 2012
Jkt 229001
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for October 22, 2012), on
the World Wide Web, at https://
www.ftc.gov/os/actions.shtm. A paper
copy can be obtained from the FTC
Public Reference Room, Room 130–H,
600 Pennsylvania Avenue NW.,
Washington, DC 20580, either in person
or by calling (202) 326–2222.
You can file a comment online or on
paper. For the Commission to consider
your comment, we must receive it on or
before November 19, 2012. Write
‘‘Compete, Inc., File No. 102 3155’’ on
your comment. Your comment—
including your name and your state—
will be placed on the public record of
this proceeding, including, to the extent
practicable, on the public Commission
Web site, at https://www.ftc.gov/os/
publiccomments.shtm. As a matter of
discretion, the Commission tries to
remove individuals’ home contact
information from comments before
placing them on the Commission Web
site.
Because your comment will be made
public, you are solely responsible for
making sure that your comment does
not include any sensitive personal
information, like anyone’s Social
Security number, date of birth, driver’s
license number or other state
identification number or foreign country
equivalent, passport number, financial
account number, or credit or debit card
number. You are also solely responsible
for making sure that your comment does
not include any sensitive health
information, like medical records or
other individually identifiable health
information. In addition, do not include
any ‘‘[t]rade secret or any commercial or
financial information which * * * is
privileged or confidential,’’ as discussed
in Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include
competitively sensitive information
such as costs, sales statistics,
inventories, formulas, patterns, devices,
manufacturing processes, or customer
names.
If you want the Commission to give
your comment confidential treatment,
you must file it in paper form, with a
request for confidential treatment, and
you have to follow the procedure
explained in FTC Rule 4.9(c), 16 CFR
4.9(c).1 Your comment will be kept
1 In particular, the written request for confidential
treatment that accompanies the comment must
include the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record. See
FTC Rule 4.9(c), 16 CFR 4.9(c).
PO 00000
Frm 00020
Fmt 4703
Sfmt 4703
confidential only if the FTC General
Counsel, in his or her sole discretion,
grants your request in accordance with
the law and the public interest.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
competeincconsent by following the
instructions on the web-based form. If
this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘Compete, Inc., File No. 102
3155’’ on your comment and on the
envelope, and mail or deliver it to the
following address: Federal Trade
Commission, Office of the Secretary,
Room H–113 (Annex D), 600
Pennsylvania Avenue NW., Washington,
DC 20580. If possible, submit your
paper comment to the Commission by
courier or overnight service.
Visit the Commission Web site at
https://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before November 19, 2012. You can find
more information, including routine
uses permitted by the Privacy Act, in
the Commission’s privacy policy, at
https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing
Consent Order To Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, an
agreement containing a consent order
applicable to Compete, Inc.
(‘‘Compete’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
Compete develops software for
tracking consumers as they shop,
browse and interact with different Web
sites across the Internet. As alleged in
the Commission’s complaint, Compete
E:\FR\FM\29OCN1.SGM
29OCN1
rmajette on DSK2TPTVN1PROD with
Federal Register / Vol. 77, No. 209 / Monday, October 29, 2012 / Notices
offered one version of its tracking
software as the Compete Toolbar, which
would provide consumers with
information about Web sites as they
surfed the web, such as information
about the popularity of the Web sites
they visited. Separately, Compete
offered consumers membership in its
Consumer Input Panel: Consumers
could win rewards while participating
in surveys about products and services.
As part of the registration process for
the Consumer Input Panel, consumers
would install tracking software. In
addition, Compete licensed its tracking
software to third parties, such as
Upromise, Inc., which was the subject of
a recent FTC enforcement action. (See
Upromise, Inc.) https://www.ftc.gov/os/
caselist/1023116/index.shtm.
The Commission’s complaint involves
the advertising, marketing and operation
of tracking software. According to the
FTC complaint, while Compete
represented to consumers that the
various forms of software would collect
information about the Web sites
consumers visited, its failure to disclose
the full extent of data collected through
tracking software was deceptive. The
complaint alleges that Compete’s
tracking software collected the names of
all Web sites visited; all links followed;
advertisements displayed when Web
sites were visited; and information that
consumers entered into some web pages
(e.g., credit card and financial account
numbers, usernames, passwords, and
search terms), including secure web
pages.
According to the FTC complaint,
Compete misrepresented its privacy and
security practices, including that: (1) It
stripped all personal information out of
the data it collected before transmitting
it from consumers’ computers; and (2) it
employed reasonable and appropriate
measures to protect data gathered from
consumers from unauthorized access.
The complaint alleges that these claims
were false and thus violate Section 5 of
the FTC Act.
In addition, the FTC complaint alleges
that Compete engaged in a number of
practices that, taken together, failed to
provide reasonable and appropriate
security for the personal information it
collected and maintained. The
complaint alleges that, among other
things, Compete: (1) Transmitted
sensitive information from secure web
pages, such as financial account
numbers and security codes, in clear
readable text; (2) did not design and
implement reasonable safeguards to
control risks to consumer information;
and (3) did not use readily available,
low-cost measures to assess and address
the risk that its software would collect
VerDate Mar<15>2010
13:18 Oct 26, 2012
Jkt 229001
sensitive consumer information it was
not authorized to collect.
The complaint alleges that Compete’s
failure to employ reasonable and
appropriate measures to protect
consumer information—including credit
card and financial account numbers,
security codes and expiration dates, and
Social Security numbers—was unfair.
Tools for capturing data in transit, for
example over unsecured wireless
networks such as those often provided
in coffee shops and other public spaces,
are commonly available, making such
clear-text data vulnerable to
interception. The misuse of such
information—particularly financial
account information and Social Security
numbers—can facilitate identity theft
and related consumer harms.
The complaint alleges that after flaws
in Compete’s data collection practices
were revealed publicly in January 2010,
Compete upgraded its filters, added new
algorithms to screen out information
such as credit card numbers, and began
encrypting data in transit.
The proposed order contains
provisions designed to prevent Compete
from engaging in future practices similar
to those alleged in the complaint. For
purposes of the proposed consent order,
we call such tracking software a ‘‘Data
Collection Agent.’’ 2
Part I applies to collection and use of
data from any Data Collection Agent,
whether already downloaded or to be
downloaded in the future, and is
tailored to address distribution by both
Compete and third parties. Specifically
Parts I.A. and B. of the proposed order
apply to Data Collection Agents
installed after the date of service of the
order. Part I.A. prohibits Compete from
collecting data through a Data
Collection Agent unless a consumer has
given express affirmative consent to
such collection, after being provided
with a separate, clear and prominent
notice about all the types of information
that will be collected, as well as a
description of how the information is to
be used, including any sharing with
third parties. Part I.B. ensures these
same protections apply when a Data
2 ‘‘Data Collection Agent’’ is defined in the
proposed order as any software program, including
any application; created, licensed or distributed,
directly or through a Third Party, by respondent;
installed on consumers’ computers, whether as a
standalone product or as a feature of another
product; and used to record, or transmit
information about any activity occurring on that
computer, unless: (a) The activity involves
transmission of information related to the
configuration of the software program or
application itself; (b) the transmission is limited to
information about whether the program is
functioning as intended; or (c) the activity involves
a consumer’s interactions with respondent’s Web
sites and/or forms.
PO 00000
Frm 00021
Fmt 4703
Sfmt 4703
65551
Collection Agent is made available by a
third party, and requires that Compete
must either provide notice and obtain
consent, or require the third party to do
so and monitor the third party’s
compliance. In addition, Parts I.C. and
D. of the proposed order limit the
collection and use of data from
consumers who already have
downloaded a Data Collection Agent
(i.e., before the date of service of the
order) to aggregate and anonymous data,
absent notice and affirmative express
consent. Part I.E. requires Compete to
obtain express affirmative consent
before it can make any material changes
to its practices for collection or sharing
of personal information.
Part II.A. of the proposed order
requires Compete to provide corrective
notice to consumers who had previously
installed a Data Collection Agent.
Compete must inform consumers about
the categories of personal information
collected and transmitted by the
software, and how to uninstall it. Part
II.B. requires the company to provide for
two years phone and email support to
assist consumers who seek to disable or
uninstall a Data Collection Agent.
Part III of the proposed order requires
Compete to provide a copy of the order
to third parties with whom it has now,
or will have in the future, any
agreement in connection with any Data
Collection Agent made available by the
third party.
Part IV of the proposed order
prohibits the company from making any
misrepresentations about the extent to
which it maintains and protects the
security, privacy, confidentiality, or
integrity of any information collected
from or about consumers.
Part V of the proposed order requires
Compete to maintain a comprehensive
information security program that is
reasonably designed to protect the
security, confidentiality, and integrity of
information (whether in paper or
electronic format) about consumers. The
security program must contain
administrative, technical, and physical
safeguards appropriate to Compete’s
size and complexity, the nature and
scope of its activities, and the sensitivity
of the information. Specifically, the
proposed order requires Compete to:
• Designate an employee or
employees to coordinate and be
accountable for the information security
program;
• Identify material internal and
external risks to the security,
confidentiality, and integrity of personal
information that could result in the
unauthorized disclosure, misuse, loss,
alteration, destruction, or other
compromise of such information, and
E:\FR\FM\29OCN1.SGM
29OCN1
rmajette on DSK2TPTVN1PROD with
65552
Federal Register / Vol. 77, No. 209 / Monday, October 29, 2012 / Notices
assess the sufficiency of any safeguards
in place to control these risks;
• Design and implement reasonable
safeguards to control the risks identified
through risk assessment, and regularly
test or monitor the effectiveness of the
safeguards’ key controls, systems, and
procedures;
• Develop and use reasonable steps to
select and retain service providers
capable of appropriately safeguarding
personal information they receive from
Compete or obtain on behalf of
Compete, and require service providers
by contract to implement and maintain
appropriate safeguards; and
• Evaluate and adjust its information
security programs in light of the results
of testing and monitoring, any material
changes to operations or business
arrangements, or any other
circumstances that it knows or has
reason to know may have a material
impact on its information security
program.
Part VI of the proposed order requires
Compete to obtain within 180 days after
service of the order, and biennially
thereafter for 20 years, an assessment
and report from a qualified, objective,
independent third-party professional,
certifying, among other things, that: (1)
It has in place a security program that
provides protections that meet or exceed
the protections required by the
proposed order; and (2) its security
program is operating with sufficient
effectiveness to provide reasonable
assurance that the security,
confidentiality, and integrity of personal
information is protected and has so
operated throughout the reporting
period.
Part VII requires Compete to destroy
all consumer data collected by a Data
Collection Agent before February 2010.
Part VIII requires Compete to retain
documents relating to its compliance
with the order. Part IX requires that it
deliver copies of the order to persons
with responsibilities relating to the
subject matter of the order. Parts X, XI,
and XII of the proposed order are further
reporting and compliance provisions.
Part X ensures notification to the FTC of
changes in corporate status. Part XI
mandates that Compete submit a
compliance report to the FTC within 60
days, and periodically thereafter as
requested. Part XII provides that the
order will terminate after 20 years, with
certain exceptions.
The purpose of this analysis is to
facilitate public comment on the
proposed order. It is not intended to
constitute an official interpretation of
the proposed complaint or order or to
modify the proposed order’s terms in
any way.
VerDate Mar<15>2010
13:18 Oct 26, 2012
Jkt 229001
By direction of the Commission,
Commissioner Rosch abstaining.
Donald S. Clark,
Secretary.
Dated: October 19, 2012.
Daniel M. Tangherlini,
Acting Administrator.
[FR Doc. 2012–26464 Filed 10–26–12; 8:45 am]
BILLING CODE 6820–34–P
[FR Doc. 2012–26436 Filed 10–26–12; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
GENERAL SERVICES
ADMINISTRATION
[Notice-CPO–2012–01; Docket 2012–0002;
Sequence 21]
SES Performance Review Board
General Services
Administration.
ACTION: Notice.
AGENCY:
Notice is hereby given of the
appointment of new members to the
General Services Administration Senior
Executive Service Performance Review
Board. The Performance Review Board
assures consistency, stability, and
objectivity in the performance appraisal
process.
DATES: Effective Date: October 29, 2012.
FOR FURTHER INFORMATION CONTACT:
Anthony Costa, Chief People Officer,
Office of the Chief People Officer,
General Services Administration, 1275
First Street NE., Washington, DC 20002,
(202) 501–0398.
SUPPLEMENTARY INFORMATION: Section
4314(c)(1) through (5) of title 5 U.S.C.
requires each agency to establish, in
accordance with regulations prescribed
by the Office of Personnel Management,
one or more SES performance review
board(s). The board is responsible for
making recommendations to the
appointing and awarding authority on
the performance appraisal ratings and
performance awards for the Senior
Executive Service employees.
The following have been designated
as members of the Performance Review
Board of the General Services
Administration:
Susan F. Brita, Deputy Administrator—
Chair.
Anthony E. Costa, Chief People Officer.
Jiyoung C. Park, Associate
Administrator for Small Business
Utilization.
Sonny Hashmi, Deputy Chief
Information Officer.
Joanna Rosato, Regional Commissioner
for Public Buildings Service,
Northeast & Caribbean Region.
Linda C. Chero, Regional Commissioner
for Federal Acquisition Service, MidAtlantic Region.
Michael S. Gelber, Regional
Commissioner for Federal Acquisition
Service, Pacific Rim Region.
SUMMARY:
PO 00000
Frm 00022
Fmt 4703
Sfmt 4703
Centers for Disease Control and
Prevention
[30Day–13–12JM]
Agency Forms Undergoing Paperwork
Reduction Act Review
The Centers for Disease Control and
Prevention (CDC) publishes a list of
information collection requests under
review by the Office of Management and
Budget (OMB) in compliance with the
Paperwork Reduction Act (44 U.S.C.
Chapter 35). To request a copy of these
requests, call (404) 639–7570 or send an
email to omb@cdc.gov. Send written
comments to CDC Desk Officer, Office of
Management and Budget, Washington,
DC 20503 or by fax to (202) 395–5806.
Written comments should be received
within 30 days of this notice.
Proposed Project
Improving the Health and Safety of
the Diverse Workforce—New—National
Institute for Occupational Safety and
Health (NIOSH), Centers for Disease
Control and Prevention (CDC).
Background and Brief Description
Stress is one of the major causes of
diminished health, safety, and
productivity on the job (Jordan et al,
2003; Brunner, 2000). Increasing
medical care utilization costs, job
dissatisfaction, poor job performance,
and employee turnover are some of the
documented health, economic,
psychological, and behavioral
consequences of stress (Levi, 1996).
Because of their general concentration
in high-hazard and/or lower-status
occupations, some racial and ethnic
minority workers may be over-exposed
to workplace factors (e.g., high workload
and low job control) which have
traditionally linked to a variety of stressrelated health and safety problems. In
addition, racial and ethnic minorities
appear to be significantly more likely
than non-minorities to encounter
discrimination and other race-related
stressors in the workplace (e.g., Krieger
et al, 2006; Roberts et al, 2004).
Given a potentially greater stress
burden, racial and ethnic minority
workers may be at heightened risk for
the development of health and safety
problems associated with stress. On the
E:\FR\FM\29OCN1.SGM
29OCN1
Agencies
[Federal Register Volume 77, Number 209 (Monday, October 29, 2012)]
[Notices]
[Pages 65550-65552]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2012-26464]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 102 3155]
Compete, Inc.; Analysis of Proposed Consent Order To Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order--embodied in the consent
agreement--that would settle these allegations.
DATES: Comments must be received on or before November 19, 2012.
ADDRESSES: Interested parties may file a comment at https://ftcpublic.commentworks.com/ftc/competeincconsent online or on paper, by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``Compete, Inc., File
No. 102 3155'' on your comment and file your comment online at https://ftcpublic.commentworks.com/ftc/competeincconsent, by following the
instructions on the web-based form. If you prefer to file your comment
on paper, mail or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Room H-113 (Annex
D), 600 Pennsylvania Avenue NW., Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT: Ruth Yodaiken (202-326-2127), Jamie
Hine (202-326-2188), FTC, Bureau of Consumer Protection, 600
Pennsylvania Avenue NW., Washington, DC 20580.
SUPPLEMENTARY INFORMATION: Pursuant to Section 6(f) of the Federal
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34,
notice is hereby given that the above-captioned consent agreement
containing a consent order to cease and desist, having been filed with
and accepted, subject to final approval, by the Commission, has been
placed on the public record for a period of thirty (30) days. The
following Analysis to Aid Public Comment describes the terms of the
consent agreement, and the allegations in the complaint. An electronic
copy of the full text of the consent agreement package can be obtained
from the FTC Home Page (for October 22, 2012), on the World Wide Web,
at https://www.ftc.gov/os/actions.shtm. A paper copy can be obtained
from the FTC Public Reference Room, Room 130-H, 600 Pennsylvania Avenue
NW., Washington, DC 20580, either in person or by calling (202) 326-
2222.
You can file a comment online or on paper. For the Commission to
consider your comment, we must receive it on or before November 19,
2012. Write ``Compete, Inc., File No. 102 3155'' on your comment. Your
comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the public Commission Web site, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to
remove individuals' home contact information from comments before
placing them on the Commission Web site.
Because your comment will be made public, you are solely
responsible for making sure that your comment does not include any
sensitive personal information, like anyone's Social Security number,
date of birth, driver's license number or other state identification
number or foreign country equivalent, passport number, financial
account number, or credit or debit card number. You are also solely
responsible for making sure that your comment does not include any
sensitive health information, like medical records or other
individually identifiable health information. In addition, do not
include any ``[t]rade secret or any commercial or financial information
which * * * is privileged or confidential,'' as discussed in Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR
4.10(a)(2). In particular, do not include competitively sensitive
information such as costs, sales statistics, inventories, formulas,
patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential
treatment, you must file it in paper form, with a request for
confidential treatment, and you have to follow the procedure explained
in FTC Rule 4.9(c), 16 CFR 4.9(c).\1\ Your comment will be kept
confidential only if the FTC General Counsel, in his or her sole
discretion, grants your request in accordance with the law and the
public interest.
---------------------------------------------------------------------------
\1\ In particular, the written request for confidential
treatment that accompanies the comment must include the factual and
legal basis for the request, and must identify the specific portions
of the comment to be withheld from the public record. See FTC Rule
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/competeincconsent by following the instructions on the web-based
form. If this Notice appears at https://www.regulations.gov/#!home, you
also may file a comment through that Web site.
If you file your comment on paper, write ``Compete, Inc., File No.
102 3155'' on your comment and on the envelope, and mail or deliver it
to the following address: Federal Trade Commission, Office of the
Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue NW.,
Washington, DC 20580. If possible, submit your paper comment to the
Commission by courier or overnight service.
Visit the Commission Web site at https://www.ftc.gov to read this
Notice and the news release describing it. The FTC Act and other laws
that the Commission administers permit the collection of public
comments to consider and use in this proceeding as appropriate. The
Commission will consider all timely and responsive public comments that
it receives on or before November 19, 2012. You can find more
information, including routine uses permitted by the Privacy Act, in
the Commission's privacy policy, at https://www.ftc.gov/ftc/privacy.htm.
Analysis of Agreement Containing Consent Order To Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, an agreement containing a consent order applicable to
Compete, Inc. (``Compete'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Compete develops software for tracking consumers as they shop,
browse and interact with different Web sites across the Internet. As
alleged in the Commission's complaint, Compete
[[Page 65551]]
offered one version of its tracking software as the Compete Toolbar,
which would provide consumers with information about Web sites as they
surfed the web, such as information about the popularity of the Web
sites they visited. Separately, Compete offered consumers membership in
its Consumer Input Panel: Consumers could win rewards while
participating in surveys about products and services. As part of the
registration process for the Consumer Input Panel, consumers would
install tracking software. In addition, Compete licensed its tracking
software to third parties, such as Upromise, Inc., which was the
subject of a recent FTC enforcement action. (See Upromise, Inc.) https://www.ftc.gov/os/caselist/1023116/index.shtm.
The Commission's complaint involves the advertising, marketing and
operation of tracking software. According to the FTC complaint, while
Compete represented to consumers that the various forms of software
would collect information about the Web sites consumers visited, its
failure to disclose the full extent of data collected through tracking
software was deceptive. The complaint alleges that Compete's tracking
software collected the names of all Web sites visited; all links
followed; advertisements displayed when Web sites were visited; and
information that consumers entered into some web pages (e.g., credit
card and financial account numbers, usernames, passwords, and search
terms), including secure web pages.
According to the FTC complaint, Compete misrepresented its privacy
and security practices, including that: (1) It stripped all personal
information out of the data it collected before transmitting it from
consumers' computers; and (2) it employed reasonable and appropriate
measures to protect data gathered from consumers from unauthorized
access. The complaint alleges that these claims were false and thus
violate Section 5 of the FTC Act.
In addition, the FTC complaint alleges that Compete engaged in a
number of practices that, taken together, failed to provide reasonable
and appropriate security for the personal information it collected and
maintained. The complaint alleges that, among other things, Compete:
(1) Transmitted sensitive information from secure web pages, such as
financial account numbers and security codes, in clear readable text;
(2) did not design and implement reasonable safeguards to control risks
to consumer information; and (3) did not use readily available, low-
cost measures to assess and address the risk that its software would
collect sensitive consumer information it was not authorized to
collect.
The complaint alleges that Compete's failure to employ reasonable
and appropriate measures to protect consumer information--including
credit card and financial account numbers, security codes and
expiration dates, and Social Security numbers--was unfair. Tools for
capturing data in transit, for example over unsecured wireless networks
such as those often provided in coffee shops and other public spaces,
are commonly available, making such clear-text data vulnerable to
interception. The misuse of such information--particularly financial
account information and Social Security numbers--can facilitate
identity theft and related consumer harms.
The complaint alleges that after flaws in Compete's data collection
practices were revealed publicly in January 2010, Compete upgraded its
filters, added new algorithms to screen out information such as credit
card numbers, and began encrypting data in transit.
The proposed order contains provisions designed to prevent Compete
from engaging in future practices similar to those alleged in the
complaint. For purposes of the proposed consent order, we call such
tracking software a ``Data Collection Agent.'' \2\
---------------------------------------------------------------------------
\2\ ``Data Collection Agent'' is defined in the proposed order
as any software program, including any application; created,
licensed or distributed, directly or through a Third Party, by
respondent; installed on consumers' computers, whether as a
standalone product or as a feature of another product; and used to
record, or transmit information about any activity occurring on that
computer, unless: (a) The activity involves transmission of
information related to the configuration of the software program or
application itself; (b) the transmission is limited to information
about whether the program is functioning as intended; or (c) the
activity involves a consumer's interactions with respondent's Web
sites and/or forms.
---------------------------------------------------------------------------
Part I applies to collection and use of data from any Data
Collection Agent, whether already downloaded or to be downloaded in the
future, and is tailored to address distribution by both Compete and
third parties. Specifically Parts I.A. and B. of the proposed order
apply to Data Collection Agents installed after the date of service of
the order. Part I.A. prohibits Compete from collecting data through a
Data Collection Agent unless a consumer has given express affirmative
consent to such collection, after being provided with a separate, clear
and prominent notice about all the types of information that will be
collected, as well as a description of how the information is to be
used, including any sharing with third parties. Part I.B. ensures these
same protections apply when a Data Collection Agent is made available
by a third party, and requires that Compete must either provide notice
and obtain consent, or require the third party to do so and monitor the
third party's compliance. In addition, Parts I.C. and D. of the
proposed order limit the collection and use of data from consumers who
already have downloaded a Data Collection Agent (i.e., before the date
of service of the order) to aggregate and anonymous data, absent notice
and affirmative express consent. Part I.E. requires Compete to obtain
express affirmative consent before it can make any material changes to
its practices for collection or sharing of personal information.
Part II.A. of the proposed order requires Compete to provide
corrective notice to consumers who had previously installed a Data
Collection Agent. Compete must inform consumers about the categories of
personal information collected and transmitted by the software, and how
to uninstall it. Part II.B. requires the company to provide for two
years phone and email support to assist consumers who seek to disable
or uninstall a Data Collection Agent.
Part III of the proposed order requires Compete to provide a copy
of the order to third parties with whom it has now, or will have in the
future, any agreement in connection with any Data Collection Agent made
available by the third party.
Part IV of the proposed order prohibits the company from making any
misrepresentations about the extent to which it maintains and protects
the security, privacy, confidentiality, or integrity of any information
collected from or about consumers.
Part V of the proposed order requires Compete to maintain a
comprehensive information security program that is reasonably designed
to protect the security, confidentiality, and integrity of information
(whether in paper or electronic format) about consumers. The security
program must contain administrative, technical, and physical safeguards
appropriate to Compete's size and complexity, the nature and scope of
its activities, and the sensitivity of the information. Specifically,
the proposed order requires Compete to:
Designate an employee or employees to coordinate and be
accountable for the information security program;
Identify material internal and external risks to the
security, confidentiality, and integrity of personal information that
could result in the unauthorized disclosure, misuse, loss, alteration,
destruction, or other compromise of such information, and
[[Page 65552]]
assess the sufficiency of any safeguards in place to control these
risks;
Design and implement reasonable safeguards to control the
risks identified through risk assessment, and regularly test or monitor
the effectiveness of the safeguards' key controls, systems, and
procedures;
Develop and use reasonable steps to select and retain
service providers capable of appropriately safeguarding personal
information they receive from Compete or obtain on behalf of Compete,
and require service providers by contract to implement and maintain
appropriate safeguards; and
Evaluate and adjust its information security programs in
light of the results of testing and monitoring, any material changes to
operations or business arrangements, or any other circumstances that it
knows or has reason to know may have a material impact on its
information security program.
Part VI of the proposed order requires Compete to obtain within 180
days after service of the order, and biennially thereafter for 20
years, an assessment and report from a qualified, objective,
independent third-party professional, certifying, among other things,
that: (1) It has in place a security program that provides protections
that meet or exceed the protections required by the proposed order; and
(2) its security program is operating with sufficient effectiveness to
provide reasonable assurance that the security, confidentiality, and
integrity of personal information is protected and has so operated
throughout the reporting period.
Part VII requires Compete to destroy all consumer data collected by
a Data Collection Agent before February 2010.
Part VIII requires Compete to retain documents relating to its
compliance with the order. Part IX requires that it deliver copies of
the order to persons with responsibilities relating to the subject
matter of the order. Parts X, XI, and XII of the proposed order are
further reporting and compliance provisions. Part X ensures
notification to the FTC of changes in corporate status. Part XI
mandates that Compete submit a compliance report to the FTC within 60
days, and periodically thereafter as requested. Part XII provides that
the order will terminate after 20 years, with certain exceptions.
The purpose of this analysis is to facilitate public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed complaint or order or to modify the
proposed order's terms in any way.
By direction of the Commission, Commissioner Rosch abstaining.
Donald S. Clark,
Secretary.
[FR Doc. 2012-26464 Filed 10-26-12; 8:45 am]
BILLING CODE 6750-01-P