On March 17, 2017, the Federal Trade Commission announced that Upromise, Inc., (“Upromise”) agreed to pay $500,000 to settle allegations (the “Settlement”) that it violated the terms of a 2012 consent order (the “2012 Order”) that required Upromise to provide notice to consumers regarding its data collection and use practices, and obtain third-party audits.

Upromise is a membership reward service that provides cash rebates for college savings accounts to members who purchase products and services from its partner merchants. The 2012 Order settled allegations that the company had used a web-browser toolbar to collect consumers’ personal information without providing adequate notice about the extent of the collection. Despite suggestions in the privacy notice that the toolbar would rarely collect personal information and that other security controls would be used to filter or protect such information, the FTC alleged that the toolbar collected extensive information—occasionally including credit card and Social Security numbers—and transmitted it over the Internet in clear text.

Following the 2012 Order, Upromise encouraged consumers to download a toolbar called “RewardU.” The complaint filed on behalf of the FTC by the Department of Justice alleged that the company violated the 2012 Order by failing to make clear and prominent disclosures about RewardU’s data collection and use practices, and not obtaining third-party assessments and certifications of the toolbar evaluating safeguards.

In addition to refraining from violations of the 2012 Order and paying a $500,000 civil penalty, the Settlement requires Upromise to take steps that include: (1) having a qualified third-party certify that Upromise adheres to disclosure and consent requirements prior to any future toolbar launch; (2) obtaining FTC approval of the scope and design of any such assessment; and (3) permanently expiring RewardU-related cookies it had placed and providing consumers with instructions on how to uninstall the toolbar and delete cookies.