The FTC has approved the first-ever petition to reopen and modify a privacy-related consent order. The petition, filed by Sears Holdings Management Corporation, sought to amend the terms of Sears’ 2009 consent order (the “Order”), which settled allegations that Sears did not adequately disclose the extent to which desktop software it distributed collected information from consumers. After reviewing Sears’ petition and public comments, the Commission agreed with Sears that, as a result of changes in the mobile application marketplace, the Order’s requirements as applied to Sears’ mobile apps were “burdensome and counterproductive, both for consumers and Sears.” Hogan Lovells Partner Michelle Kisloff, Senior Associate Paul Otto, and Associate Joe Vladeck represented Sears in its petition.
The Order contains detailed notice and consent obligations that apply to Sears’ “Tracking Applications” – a broadly defined term that covered every form of software that Sears distributed to the public, including mobile software applications (“mobile apps”). The ecosystem for mobile apps was in its infancy when Sears and the FTC negotiated the Order. At that time, Sears, like many other retailers, was focused on creating versions of its websites that were optimized for mobile web browsers rather than on developing mobile apps. Nearly a decade later, Sears is in the midst of a transformation from a traditional “brick-and-mortar” retailer to a member-centric company that leverages digital commerce tools to support its stores, and mobile apps are integral to Sears’ strategy.
To support this transformation, Sears petitioned the FTC to amend the Order’s definition of “Tracking Application” to exclude software that only tracks information related to the configuration and operation of the program itself or information regarding consumers’ use of the program or application. In other words, Sears asked to exempt from the Order’s notice and consent requirements software that performs only “first party” tracking, arguing, among other things, that consumers expect this type of information collection in order to obtain the full functionality of mobile apps.
The Commission agreed. Recognizing that “today’s mobile applications typically require the collection and transmission of many types of data to support the services and features for which consumers have downloaded them,” the Commission agreed “that consumers expect this type of data collection” and that the Order’s notice and consent obligations for that information were “counterproductive because they are unnecessary.” The FTC also found these obligations harmed Sears. Some consumers “may take the request for express consent,” the FTC explained, “as a signal that the types of data collected by Sears apps are unusual, or are used or shared in unusual ways or for unusual purposes that the consumer may not want or expect.” The FTC also credited facts Sears presented showing that the mandated disclosures disrupted the initial consumer experience on Sears’ mobile apps, thus impairing Sears’ ability to compete on a level playing field with other retailers.
The decision offers important guidance on how the FTC views the mobile application marketplace and consumer expectations of data privacy in that rapidly-evolving space. Even more importantly, as the first of its kind, it shows that the FTC is willing to modify data privacy orders. FTC orders often last for 20 years — an eternity given the pace of technological change. The recent decision shows that the FTC is willing to revisit its decisions when changes in the marketplace or technology render compliance an undue disadvantage for the company under Order.