FTC Settles With College Savings Provider Over Toolbar’s Alleged Insufficient Safeguards
January 12, 2012
The Federal Trade Commission brought an action against Upromise Inc., a company that provided services to consumers trying to save money for college, alleging that the "Turbosaver Toolbar" offered by the company deceptively collected and transmitted consumer personal information. Upromise's Turbosaver Toolbar allowed consumers to identify and select merchants from which they could receive rebates, which were then placed into the consumer's college savings account. The Turbosaver Toolbar incorporated a "personalized offers" feature that used consumer browsing information to provide targeted advertising to consumers through the browser. Upromise's privacy statement stated that: (1) the company implemented policies and practices designed to safeguard consumer information; (2) it encrypted sensitive information during transmission; (3) it would use every commercially viable effort to purge its database of any personally identifiable information; and (4) any personally identifiable information collected "inadvertently" would be removed before transmission.
The FTC's complaint alleged that, in practice, Upromise's Turbosaver Toolbar collected consumer information such as usernames, passwords, and search terms, including information from secure web pages like online banking websites. Furthermore, the FTC alleged that the Turbosaver Toolbar transmitted sensitive personal information such as credit card and financial account information, security codes, and social security numbers without encrypting the information, and as such the information could have been easily compromised if transmitted over unsecured networks. Finally, the FTC alleged that Upromise failed to use readily available, low-cost measures to prevent the unauthorized collection of consumer information, such as testing the Toolbar, and failed to protect consumer information consistent with its representations to consumers.
As part of its settlement, Upromise must destroy all data collected through the Turbosaver Toolbar's personalized offers feature. In addition, Upromise must provide consumers with clear and prominent disclosures regarding its privacy practices, separate from any user license agreement, and obtain the consumer's affirmative consent prior to installation of any similar product. Upromise will also be required to notify any current or previously affected consumers about the type of information collected, how to disable the personalized offers feature, and how to uninstall the Turbosaver Toolbar.
TIP: Companies should take appropriate steps when transmitting information, particularly sensitive information. Privacy policies can discuss safeguard measures, but the safeguard measures mentioned should be an accurate reflection of the steps companies take.
This entry has been created for information and planning purposes. It is not intended to be, nor should it be substituted for, legal advice, which turns on specific facts.