Under the proposed settlement, whose approval is pending a 30-day public comment period ending July 6, Sears must destroy information previously collected. Also, if Sears advertises or disseminates any tracking software in the future, it must clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears must also disclose whether any of the data will be used by a third party.
Experts say the settlement is a harbinger of tightening regulations. The FTC's "administrative complaint" said Sears had represented to consumers that its "My SHC Community" site would track only their "online browsing."
The FTC, however, said that the software on the site would also monitor consumers' online secure sessions, even on third-party sites, and collect info on shopping carts' contents, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject and size for Web-based emails.
Charles Kennedy, a cyberlaw attorney with Morrison & Foerster LLP and professor of law at Catholic University, says the settlement presages stricter control by the agency.
Sears used the information to track consumer purchases and preferences, and target advertising directly to individuals. While this marketing strategy is quite common in online retailing, the FTC argued that Sears went too far and monitored too much, while not providing enough warning of the practice to its customers.
Kennedy argues that "although the commission has confined itself primarily to the adoption of voluntary guidelines to govern [behavioral advertising], FTC Chairman Jon Leibowitz stated as recently as April of this year that online advertisers are approaching their 'last clear chance' to avoid legislation or mandatory regulation."
He says the FTC is sending "a strong signal that [it] will subject online tracking of consumer behavior to a stringent standard of disclosure. Firms that offer or rely upon behavioral advertising or other online data collection activities should be aware of the proposed settlement, and should assess the prominence and completeness of the disclosures they make to consumers in light of the proceeding." <
He calls "most striking" the fact that the FTC went after Sears even though the company "fully disclosed, and obtained consumers' agreement to, the tracking practices at issue. The essence of the complaint is not that those disclosures were absent, but that they should have been made sooner and given greater prominence," he says.
Kennedy says Sears Holdings' consumer registration procedure for its Web community included stopgaps from the point at which Sears invited consumers to the program via pop-up ads on Sears.com and Kmart.com.
While the initial invitation didn't mention tracking, a follow-up email invitation mentioned that enrollees would be asked to "download software" that "will confidentially track your online browsing" and garner information about Web usage. And "SHMC's registration procedure also ensured that consumers did not download and install the online tracking application until they had had an opportunity to read the Privacy Statement and End User License Agreement," he writes.
He says the Sears enforcement is a step toward FTC regulation of behavioral advertising, which relies on online tracking technologies. And he says those steps don't have to be taken through formal rulemaking. "Although the [Sears Holding] proceeding may be the first round in a regulatory initiative aimed at behavioral advertising and related practices ... the FTC sometimes defines the kinds of practices it finds unacceptable not by writing rules, but by bringing individual enforcement proceedings and entering into settlement agreements that create a compliance framework for businesses that want to avoid becoming the target of similar proceedings in the future."