• by Wendy Davis  @wendyndavis, January 5, 2012

Rebate company Upromise has agreed to settle privacy charges by destroying data collected about 150,000 Web users between 2005 and 2010, the Federal Trade Commission said Thursday. Upromise also agreed that it will clearly disclose its data collection practices, and will tell users how to remove its toolbar.

Upromise offers consumers rebates when they shop at particular merchants; the company places those rebates in a college savings fund. Starting in 2005, Upromise offered users a downloadable toolbar that told them when they were at a site of a participating merchant.

The toolbar also had a “personalized offers” setting that collected detailed information about sites visited by users in order to serve them with ads, the FTC alleged in a complaint made public on Thursday.

Among other information, toolbars with the personalized offers setting turned on initially collected names of sites visited, search queries, usernames and passwords. Starting in 2009, the toolbar began collecting data that users entered at banking and shopping sites, according to the FTC. Overall, more than 150,000 users enabled the personalized offers setting, the FTC alleges.

Upromise's privacy policy said the company might infrequently collect personal information, but that such data would be filtered out before it was transmitted to the company. But the FTC took issue with the filter, which it described as “too narrow and improperly structured.” One flaw in the filter is that it would prevent the collection of personal identification numbers if the site used the field name 'PIN,' but not if the field name was “personal ID” or “security code,” the FTC said.

The FTC also said in its complaint that the toolbar transmitted sensitive information like credit card numbers in “clear text” -- even though clear-text data can be intercepted when transmitted over public WiFi connections.

The FTC said in its complaint that Upromise stopped collection information through the toolbar on Jan. 21, 2010, after a researcher reported the potential security issues. Though the complaint doesn't mention him by name, the FTC is apparently referring to Harvard professor Ben Edelman, who detailed how Upromise “tracks users' behavior in excruciating detail.”

Upromise did not admit to wrongdoing as part of the settlement.