In March, the Federal Trade Commission (FTC) announced that Upromise, Inc., agreed to pay $500,000 to settle claims that it violated the terms of a 2012 consent order that required it to provide notice to consumers on its data collection and use practices, and to have third-party audits.
Upromise is a membership reward service that offers rebates for college savings accounts to members who buy things from its partner merchants. The 2012 order settled allegations that Upromise had used a web-browser toolbar to collect users’ personal information without providing notice of the extent of that collection. A privacy note said the toolbar would rarely collect personal information, but the FTC says the site collected extensive sensitive data, including credit card and Social Security numbers, and transmitted it over the Internet in clear text.
After the 2012 order, Upromise urged consumers to download a toolbar called “RewardU.” The Department of Justice filed a complaint on behalf of the FTC that said Upromise violated the 2012 order by not making clear and prominent disclosures about RewardU’s data gathering and data use tactics, and by not getting third-party audits of the toolbar.
In addition to the half-million-dollar civil penalty, Upromise must take steps to having a third-party certify that the company follows disclosure and consent requirements before any future toolbar launch; must get FTC approval of the scope and design of any such audit; and must permanently terminate RewardU-related cookies.