Upromise Agrees to Settle FTC Allegations that it Failed to Meet Promises in its Privacy Policy

Published: Jan. 17, 2012

Last Updated: Oct. 05, 2020

On January 5, the FTC announced that Upromise, Inc., a rewards plan service which offers a browser-based “TurboSaver Toolbar” aimed at families trying to save money for college, agreed to a proposed administrative consent order following FTC allegations that the company unfairly and deceptively collected, maintained, and disclosed users’ personal information in violation of the promises made in the company’s privacy policy and Section 5 of the FTC Act.

Specifically, the FTC’s administrative complaint, released publicly on the same day as the consent order, alleged that Upromise violated the FTC Act by:  (1) failing to encrypt personal information it collected, despite representing in its privacy policy that it did so; (2) not disclosing the extent to which the toolbar collected personal information about users as they surfed the web; and (3) not taking reasonable and appropriate security measures to protect users’ data, such as employee training on data protection issues.

According to the complaint, Upromise’s toolbar, which users could download for free, flagged Upromise partner merchants in users’ search engine results, allowing users to make purchases through merchants that offered cash rebates that could be deposited into users’ college savings accounts.  During the toolbar download process, users were presented with a pop-up message urging them to enable the “Personalized Offers” feature, which Upromise indicated would collect information about the websites users visited in order to provide users with tailored offers.  The FTC emphasized that in some instances, the checkbox indicating a user’s consent to enable the Personalized Offers feature was already pre-checked.

The complaint further alleged that although Upromise’s privacy policy represented to users that the toolbar would only “infrequently” collect limited personal information, such as names and email addresses, instead, when the Personalized Offers feature was enabled, the toolbar collected a broad range of information about users, such as links clicked, websites visited, search terms used, usernames and passwords entered on third-party websites, and sometimes even sensitive data, such as credit card and other financial account information, security codes, and Social Security numbers.  The privacy policy also stated that Upromise used a “proprietary rules engine” filer to limit the personal information collected through the toolbar.  However, the FTC noted that the filter was designed too narrowly in that while it would block the collection of information from websites where certain trigger words (such as “PIN number”) were used, it would still collect information from websites where synonymous trigger words were used (such as “personal ID” or “security code”).

Upromise’s privacy policy also stated that it would remove any personal information it collected before transmitting it to participating merchants and other third parties, and that it encrypted all personal information.  However, the FTC found that Upromise instead transmitted personal information to third parties via the web in clear text, a format that is especially vulnerable to interception when sent over unsecured wireless networks.  The FTC also emphasized that despite the existence of low-cost data security solutions, Upromise did not use such programs and did not provide adequate data security guidance and training to its employees.

Under the proposed consent order, Upromise has agreed to give clear notice of its data collection and use practices separate and apart from any End User License Agreement, obtain user consent before installing or re-enabling any such toolbar products, inform users how to fully delete any toolbars already installed on their computers, destroy all personal information it previously collected from users in violation of its privacy policy, implement a comprehensive information security program, and submit to biennial, independent privacy and security auditing and reporting requirements for 20 years.  Upromise will also be subject to civil fines of up to $16,000 each for any future violations of the consent order.

The FTC vote to issue the administrative complaint and accept the consent was 4-0.  The FTC is accepting public comments on the proposed consent order through February 6.

The settlement emphasizes that the FTC will continue its trend of holding websites accountable for not providing transparent disclosures to consumers about their privacy practices and for not living up to the promises made in their privacy policies.  The settlement also highlights that the FTC will continue to closely monitor companies’ data security programs, particularly when sensitive information is involved, and will expect companies that collect and maintain personal information to have adequate data security mechanisms in place, especially given the growing availability of low-cost security solutions.