On October 22, the Federal Trade Commission announced that it had settled charges with Compete, Inc., a web analytics company that uses tracking software to collect data on consumers’ online browsing behavior. As explained in greater detail below, the FTC alleged that Compete had engaged in deceptive practices, in violation of Section 5 of the FTC Act, by misrepresenting the extent of its data collection practices and failing to honor its data de-personalization and other data security promises. The FTC further charged that the company’s failure to have reasonable data security practices in place was unfair, also in violation of Section 5. The proposed consent order would, among other things, require Compete to provide consumers with notice, outside of its privacy policy, of the types of data it collects and obtain their express consent to such collection.

The allegations

The FTC alleged that:

  • Compete failed to disclose to consumers the full extent of the information that the software would collect from them. According to the complaint, Compete induced consumers to download its tracking software in various ways, including by encouraging them to: join a “Consumer Input Panel” that would reward them for sharing their opinions about products and services, or install the Compete Toolbar, which would give them “instant access” to data about the websites they visited. Compete generally described the software as collecting “the web pages you visit,” “the sites, products and services you interact with” and “the addresses of the web pages you visit online.” In fact, the FTC alleged, the software collected far more than browsing behavior or web page addresses, including information about consumers’ interactions with websites visited (such as usernames, passwords, search terms and other information submitted) as well as sensitive personal information, such as Social Security numbers and payment card information. According to the FTC, the company’s failure to disclose the true extent of the data collection was deceptive, in violation of Section 5 of the FTC Act.
  • Compete misrepresented that it would strip all personal information out of the data collected. According to the FTC, the company made unqualified promises in its privacy policy about its filtering of the personal information it collected. Specifically, it allegedly stated, “All data is stripped of personally identifiable information before it is transmitted to our servers. Our data collection techniques have been designed to purge personally identifiable information wherever we find it.” The company apparently attempted to keep these promises, but, in the FTC’s view, its measures were inadequate because its filters were too narrow and improperly structured, and it failed to use a simple, commonly used algorithm to filter out credit card numbers. According to the FTC, the company’s de-personalization promises were therefore deceptive.
  • Compete misrepresented that it used reasonable measures to protect consumers’ data from unauthorized access. Moreover, its failure to have such measures in place was unfair. According to the FTC, although the company promised consumers that it would protect their personal information, it failed to take basic steps to do so. For instance, Compete allegedly transmitted sensitive personal information from secure web pages over the Internet in clear text and did not use readily available and low-cost tools to address the risk that the software would collect sensitive information that it was not authorized to collect. The FTC also charged that the company’s failure to use reasonable and appropriate security measures was unfair, in addition to being deceptive, because such failure “caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers.”

The proposed relief

The FTC’s proposed consent order with Compete contains the ban, customary in deception cases, on future misrepresentations about the company’s privacy and data security practices. Consistent with other recent data security settlements, the proposed order would also require Compete to implement a comprehensive information security program with independent third-party audits every two years for 20 years.

In addition, the order would require the company to provide consumers with robust, out-of-policy notice of the types of data its software collects and obtain their express consent to such collection. The proposed order is specific: Compete must clearly and prominently, prior to the display of and on a separate screen from any privacy policy, end-user license agreement, terms of use or similar document, fully disclose the information it collects. Moreover, the proposed order provides that the notice must disclose, to the extent applicable, that the company will collect the following categories of data, as well as how it will use and disclose such data: completed and/or incomplete consumer transactions; communications in forms, online accounts, web-based e-mail accounts or search engine pages, and whether the information collected includes personal, financial or health information. These obligations apply both when Compete interacts directly with consumers and when its clients use the Compete software to collect data from consumers.

Why does this action matter?

The action against Compete is a continuation of a line of FTC cases involving allegedly surreptitious online data collection—beginning years ago with the FTC’s spyware cases and most recently its action against Upromise, Inc., a company that licensed the Compete software. The Compete action is noteworthy because it demonstrates that:

  • The FTC continues to be serious about ensuring that consumers have all of the information they need to make informed decisions about how their data may be collected and used. In the FTC’s view, a failure to disclose material information collection, use and/or disclosure practices is deceptive. A practice is “material” if it would affect the consumer’s decision to engage with the company. Here, the FTC took the position that the collection of a wide variety of information submitted online—including sensitive personal information and not just the promised URLs—is material to consumers.
  • The FTC believes that certain disclosures are sufficiently material to warrant clear and conspicuous disclosure at a meaningful point in time, outside of a company’s privacy policy. In recent years, the FTC has encouraged industry to provide consumers with this type of “just in time” notice. It recently reiterated this position in its proposed revisions to its rule implementing the Children’s Online Privacy Protection Act, stating that it urges industry “to provide consumers with notice and choice about information practices at the point consumers enter personal data or before accepting a product or service.” The proposed order against Compete provides for such notice. Moreover, it goes so far as to specify certain categories of information that must be addressed in the notice.
  • The FTC will remain vigilant in holding companies to their privacy and data security promises. For years, the FTC has brought deception charges against companies that allegedly failed to comply with their own representations—typically made in a privacy policy—about their information collection, use, disclosure and/or security practices. The action against Compete indicates that it continues to take this issue seriously.
  • The FTC continues to believe that a company’s failure to have reasonable measures in place to protect personal information is unfair, even if the company makes no data security promises and even, it appears, absent a breach. The FTC has brought a number of unfairness cases against companies that allegedly had inadequate data security practices in place—typically following a publicized breach. Its complaint against Compete mentioned no breach but nonetheless charged the company with unfairness, on the grounds that its “failure to employ reasonable and appropriate measures to protect consumer information—including credit card and financial account numbers, security codes and expiration dates and Social Security numbers—caused or was likely to cause substantial injury to consumers that was not offset by countervailing benefits to consumers or competition and was not reasonably avoidable by consumers.”
  • The FTC continues to use a robust template for privacy and data security orders. If the case against Compete is any indication, the FTC will continue to impose onerous injunctive relief on companies that do not abide by their own privacy and data security promises, including the obligation—even where no breach has been alleged—to obtain an independent data security audit every other year for 20 years.


Written By

Julie O'Neill

