FTC’s EchoMetrix settlement: EULA-ppreciate this guidance on privacy disclosures

Parents are understandably concerned about keeping their kids safe online.  That’s why many moms and dads paid $3.99 a month for Sentry Parental Controls, software sold by EchoMetrix, Inc.  Once Sentry is installed on a computer, buyers can log into their online account to monitor activity on that computer, including web history, online chats, and password-protected IMs.

So far, so good.  But that wasn’t the only product marketed by EchoMetrix.

Cut to June 2009 when EchoMetrix launched Pulse, a web-based market research software program that the company said would analyze consumer opinion from blogs, chats, IMs, and other social media.  EchoMetrix advertised Pulse as a way for marketers to find out what consumers are saying “in their own words – the moment they say it.” Companies that bought Pulse could search the database and retrieve excerpts from actual IMs, chats, and forums.

That’s where the stories intersect – because until November 2009, EchoMetrix included in its Pulse database purportedly anonymized information about children gleaned from its other product, Sentry Parental Controls software.

In a recent lawsuit, the FTC charged that EchoMetrix’s failure to adequately inform parents using its Sentry software that information collected about their kids would be fed into its Pulse database and disclosed to third-party marketers was a deceptive trade practice.

According to the FTC, the only potential inkling Sentry buyers had that information might be disclosed to third parties was a vague statement in the Sentry end user licensing agreement (EULA):  “[Sentry] uses information for the following general purposes: to customize the advertising and content you see, fulfill your requests for products and services, improve our services, contact you, conduct research, and provide anonymous reporting for internal and external clients.”

But just finding this information on EchoMetrix’s website required the online equivalent of a compass, a divining rod, and a trail of breadcrumbs.  Buyers had to click on a SUPPORT tab, then a POLICIES tab, then choose PRIVACY POLICY or SOFTWARE EULA and scroll down to the Privacy Policy appended to the EULA.  To locate this information from the small box buyers filled out when they registered, they had to scroll down about 30 paragraphs from the beginning of the EULA.  Buyers who persevered this far could opt out of the “collection process” by entering the login email address from their accounts – but just what the “collection process” entailed wasn’t described.

According to the settlement filed in federal court in New York, EchoMetrix can’t use or share the information it got through its Sentry program – or any similar program – for any purpose other than allowing registered users to access their accounts.  The company also has to destroy the information it transferred from Sentry to its Pulse database.

Looking for more about the FTC and consumer privacy?  Read Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Business and Policymakers, a preliminary staff report issued on December 1st.

0 Comments

| Commenting Policy

Leave A Comment

Don't use this blog to report fraud or deceptive practices. To file a complaint with the Federal Trade Commission, please use the FTC Complaint Assistant.

PRIVACY ACT STATEMENT: It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act and the Federal Information Security Management Act authorize this information collection for purposes of managing online comments. Comments and user names are part of our public records system, and user names are also part of our computer user records system. We may routinely use these records as described in our Privacy Act system notices. For more information on how we handle information that we collect, please read our privacy policy.