The Federal Trade Commission (FTC) recently granted a petition by Sears Holding Management requesting that the FTC reopen and modify a 2009 FTC order settling charges that Sears failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software app.
Sears’ 2009 Order
On August 31, 2009, the FTC entered a final order in In the Matter of Sears Holdings Management Corporation after determining that from approximately April 2007 to January 2008, Sears disseminated a desktop software application through its websites that collected sensitive information, such as online bank statements, drug prescription records, and video rental records, yet Sears failed to disclose the scope of the application’s data collection. Among other things, the order required Sears to disseminate all future “tracking applications” in a specified manner, including by making certain disclosures and obtaining express opt-in consent using processes stipulated by the order, for a 20-year term.
Sears’ October 2017 petition requested “modest changes that would align the order with the commission’s more recent consent orders, reports, and guidance materials, which include carve-outs for certain commonly accepted practices.” Specifically, Sears requested that the FTC modify the definition of “tracking application” as follows (proposed addition in underlined text):
“Tracking Application” shall mean any software program or application disseminated by or on behalf of respondent, its subsidiaries or affiliated companies, that is capable of being installed on consumers’ computers and used by or on behalf of respondent to monitor, record, or transmit information about activities occurring on computers on which it is installed, or about data that is stored on, created on, transmitted from, or transmitted to the computers on which it is installed, unless the information monitored, recorded, or transmitted is limited solely to the following: (a) the configuration of the software program or application itself; (b) information regarding whether the program or application is functioning as represented; or (c) information regarding consumers’ use of the program or application itself.
Sears argued that its requested order modification was necessary on the grounds of: (1) changed circumstances, because the definition of “tracking application” has become impracticable and forbids intra-application activities that are now consistent with both consumer expectations and FTC guidance; and (2) the public interest, because the order’s current definition unnecessarily restricts Sears’ ability to compete in the mobile application marketplace.
The FTC’s Response
In March 2018, the FTC approved Sears’ petition and scaled back the order as proposed by Sears, stating that changed conditions of fact required that the order be reopened. Among other things, the commission added exceptions to the definition of “Tracking Application” that exclude software that tracks only the configuration of the software program or application itself; information regarding whether the software program or application is functioning as represented; or information regarding consumers’ use of the program or application itself. In its order granting the petition, the FTC stated that “in the context of mobile applications that engage in the types of information collection that consumers expect, the Commission believes that the notice and consent requirements contemplated by the Order are burdensome and counterproductive, for both consumers and Sears.”
Historically, modifications of consumer protection orders are not as common as those in the antitrust space, and this is the first instance of the FTC modifying a privacy-related consent order. Sears’ petition, however, may pave the way for more privacy and data security petitions that address burdens to competition. The FTC’s focus on economic harm in the privacy and security space also may signal a willingness to consider petitions, like Sears’, that demonstrate a real economic harm to consumers and industry.