Why Sears Holdings is a critical FTC consent decree
The Sears consent decree dispels the notion, still common among some clients and some attorneys, that a privacy policy disclosure is a cure-all.
Sears released a consumer research app that paid consumers $10 to join an “online community” of Sears Holdings Corporation shoppers. By joining, users could “regularly interact with My SHC Community members as well as employees of Sears Holdings Corporation through special online engagements . . . .” (Paragraph 6). Meanwhile, the app tracked everything users did online:
The tracked information included not only information about websites consumers visited and links that they clicked, but also the text of secure pages, such as online banking statements, video rental transactions, library borrowing histories, online drug prescription records, and select header fields that could show the sender, recipient, subject, and size of web-based email messages.
Paragraph 12 (emphasis added).
What makes this case interesting isn’t the fact that Sears released an invasive tracking app. It’s the fact that the FTC brought an enforcement action against Sears even though Sears disclosed, via its privacy policy, exactly what it was doing:
Internet usage information: Once you install our application, it monitors all of the Internet behavior that occurs on the computer on which you install the application, including both your normal web browsing and the activity that you undertake during secure sessions, such as filling a shopping basket, completing an application form or checking your online accounts, which may include personal financial or health information.
Paragraph 8 (emphasis added).
Nevertheless, the FTC stated that Sears’ “failure to disclose these facts, in light of the representations made, was, and is, a deceptive practice.”
And that’s why this case is so useful. Sears did disclose! It said that its program “monitors all of the Internet behavior that occurs on the computer on which you install the application . . . .” But that wasn’t enough in light of its insanely invasive application, which was sucking up so much more data than it needed.
Takeaways:
- Don’t make an insanely privacy-invasive application. Sears didn’t need all the data it collected.
- If you do really need that data, don’t rely on statements in the privacy policy to save you.