FTC alleges a common enterprise’s software misrepresented consumers’ sensitive browsing data
On February 22, the FTC released a complaint and decision against multiple software companies operating as a common enterprise for allegedly violating Section 5 of the FTC Act on three counts: (1) unfairly collecting consumers’ browsing information; (2) deceptively failing to disclose tracking of consumers; and (3) making false representations about data aggregation and anonymization. The FTC alleged that, from 2014 to 2020, the companies distributed software with several privacy claims, including that the software would block cookies and prevent browser tracking, without obtaining consumers’ consent and while deceiving consumers about the true nature of their actions.
The FTC alleged the companies collected browser information through browser extensions and antivirus software. While the companies claimed that these extensions provided security and privacy services, the companies used the extensions to collect browser information from users, including URLs of visited webpages, URLs of background resources (e.g., cookies or images pulled from other domains), consumers’ search queries, and cookie values. While the companies made claims about the privacy and security of their products, they failed to disclose to consumers that their browsing information was sold to third parties and misrepresented how the data was shared. This browsing information can comprise sensitive data, possibly revealing a consumer’s religious beliefs, health information, political ideology, location, finances, and “interests in prurient content.” The FTC noted that when the companies asked software users in 2019 to opt in to the collection of browser information, less than 50% of consumers agreed.
Under the FTC’s Decision, the companies must pay $16.5 million in monetary relief. Additionally, the FTC enjoined the companies from licensing or selling any browsing data from branded products to third parties for advertising purposes, and the companies are required to (a) obtain consent from consumers before selling consumers’ browsing data from non-branded products for advertising; (b) delete consumer web browsing information and certain products or algorithms derived from that data; (c) notify consumers whose information was previously sold without their consent; and (d) implement a privacy program.