Feds Finalize Deal with College Savings Service Upromise Over Privacy Violations

The U.S. Federal Trade Commission Tuesday finalized a deal with Upromise, a college savings service, to settle charges that it collected personal information from consumers without adequately disclosing the extent of the date that it was collecting.

The settlement [PDF] requires Upromise to:

• Destroy the data collected with its toolbar;
• Clearly disclose its data collection practices and obtain consumers’ consent before installing or re-enabling its toolbar;
• Notify consumers how to disable the data collection tool on their computers;
• Refrain from making misrepresentations about the extent to which the company maintains the privacy and security of consumers’ personal information; and
• Establish a comprehensive information security program and to obtain biennial independent security assessments for the next 20 years, a provision also found in the agency’s privacy settlements with Google and Facebook.

Background

In a statement, the FTC said that Upromise offers consumers a membership service that allows them to save money for college. When consumers buy goods or services from Upromise partner merchants, they receive rebates that are placed into consumers’ college saving accounts.

In its complaint against Upromise, the FTC alleged that to allow consumers to identify and select merchants that would provide rebates, Upromise’s website offered a “TurboSaver Toolbar” that would highlight partner merchants in consumers’ search results.

When downloading the toolbar, the complaint said, consumers saw a message that encouraged them to enable the “Personalized Offers” feature of the toolbar, which Upromise claimed would collect information about the websites they visited “to provide college savings opportunities tailored to you.”

The Charges

The FTC alleged that the “Personalized Offers” feature enabled, collected, and transmitted, in clear text, the names of all websites consumers visited and which links they clicked on, as well as information they entered into some web pages, such as search terms, user names, and passwords.

In some cases, the agency maintained, the information collected included credit card and financial account numbers, user names and passwords used to access secured websites, security codes and expiration dates, and any Social Security numbers consumers entered into the web pages.

According to the FTC, while Upromise’s toolbar was collecting and transmitting the data, its privacy statement claimed, “We understand the need for our customers’ personal information to remain secure and private and have implemented policies and procedures designed to safeguard your information.”

Upromise also said it was “proud of the innovations we have made to protect your data and personal identity,” and that “Upromise automatically encrypts your sensitive information in transit from your computer to ours”–which was inaccurate since the information was being transmitted in plain text, according to the FTC.

In addition, the privacy statement for the Turbosaver program stated that the Toolbar would collect and transmit information about websites consumers visited, and that “infrequently” the collection might “inadvertently” collect a “name, address, email address or similar information,” but that any personally identifying information would be removed before the data was transmitted.

According to the FTC complaint, Upromise’s failure to disclose the extent of information collected by the toolbar–as well as its claims that it encrypted consumer data and took reasonable measures to protect data from unauthorized access–were deceptive and violated federal law.

Upromise offers its college savings for free and has been hailed in the past as a 401(k) plan for college savings. It has hit some rough patches through the years, but has been able to sustain growth, even in lean years.

Follow freelance technology writer John P. Mello Jr. and Today@PCWorld on Twitter.