Upromise agreed to settle with the Federal Trade Commission (FTC) over charges that the Sallie Mae-owned rewards program collected consumers’ personal information “without adequately disclosing the extent of the information it is collecting,” the federal agency said on Jan. 5.
Upromise collected consumers’ personal information via its TurboSaver Toolbar, a browser add-on for Upromise members that augments search results with savings offers from participating retailers, according to the FTC. The organization alleged that, when the toolbar’s “Personalized Offers” feature was enabled, Upromise collected data related to consumers’ browsing behavior, such as names of sites visited, links clicked, search queries, user names and passwords.
“In some cases, the information collected included credit card and financial account numbers, user names and passwords used to access secured websites, security codes and expiration dates, and any Social Security numbers consumers entered into the webpages,” the FTC said in a statement.
The FTC noted that the information was transmitted without encryption, violating the toolbar’s privacy statement which states that “all information collected in connection with the Personalized Offers” feature is transmitted using encryption.
“Upromise’s failure to disclose the extent of information collected by the toolbar, and its claims that it encrypted consumer data and took reasonable measures to protect data from unauthorized access, were deceptive and violated federal law. The FTC also charged that Upromise’s failure to take reasonable and appropriate measures to protect consumers’ data was an unfair practice,” the FTC said in its complaint.
Upromise emailed the following statement to Direct Marketing News: “Two years ago, we learned that an issue with a vendor’s software created the potential for inadvertent data access that could have affected approximately one percent of our members. Our members’ privacy is extremely important to us, and we took immediate action to resolve the issue. There was no evidence of any misuse of data. We have fully cooperated with the FTC and have addressed their concerns.”
Per the settlement agreement, Upromise is required to “clearly disclose its data collection practices,” receive consumer consent before installing or reactivating the toolbar and inform consumers how to uninstall the toolbar. Upromise must also destroy data collected through the “Personalized Offers” feature and notify consumers who had enabled the feature about the type of information collected and how to disable it.
Upromisemust create a comprehensive security program to be audited by an independent agency every two years for the next 20 years.