Aaron’s, a national Rent-to-Own retail store with approximately 1,300 corporate locations and 700 franchised locations, recently reached a consent agreement (pdf) with the Federal Trade Commission (“FTC”) respecting its privacy practices. Specifically, the FTC had filed a complaint against Aaron’s for violation of section 5 of the FTC Act, 15 U.S.C. section 45(a).
The FTC’s complaint (pdf) challenged Aaron’s use of privacy-invasive software installed on computers rented to customers. Aaron’s installed the software on computers rented at company stores and, according to the FTC, “knowingly assisted” and encouraged its franchisees to utilize the software. The software has two modes. In the first mode, the software surreptitiously captured private, confidential and personal information about customers. Aaron’s and its franchisees used this information to assist in collecting past-due accounts and recovering computers after default.
In the second mode, called “Detective Mode”, the software could log keystrokes, capture screenshots and activate a computer’s webcam. According to the FTC, Detective Mode even collected sensitive information through the use of fake software registration notices. Another feature of Detective Mode allowed stores to track the physical location of rented computers using Wi-Fi hotspot information. Interestingly, the FTC’s complaint states that at least one franchisee was “uncomfortable with the ability to see the customer through the webcam”. The webcams were allegedly used to capture images of not just customers but their families, children and guests.
Important to the FTC’s complaint and the consent agreement, all of the information collected by the software was routed to stores—including stores owned and operated by franchisees—through Aaron’s corporate computers. Aaron’s was aware of the large volume of sensitive information being collected because its own IT professionals found the information reported to be “very intrusive” and because it was sued, along with a franchisee, in May 2011 by a customer for state and federal privacy violations. Nonetheless, the program did not formally end until December 2011, and Aaron’s received the last batch of information collected by the program in 2012.
The FTC believes that Aaron’s actions caused “actual consumer harm”. The consent order prohibits Aaron’s from using monitoring technology on computers and from receiving, storing or communicating information collected from customers. It further prevents the use of geophysical location tracking software without notifying and obtaining prior consent from consumers for its use. Even then, Aaron’s must notify a user before activating tracking software unless it has a reasonable basis to believe a computer has been stolen and a police report filed. Similarly, Aaron’s may use monitoring or geotracking software for purposes of providing customer support, but only where the customer has affirmatively consented to its use. Finally, all information already collected must be destroyed. A compliance report must be filed within 60 days, and the order will remain in place for 20 years.
Importantly, the provisions of the consent order make it explicitly applicable to franchisees, and require Aaron’s to oversee and monitor its franchisees’ compliance with the “core constraints” imposed by the consent order. Aaron’s must monitor its franchisees’ compliance with those constraints on at least an annual basis. If it discovers any violation, it must take immediate action to correct the franchisee’s practices. Additionally, if the franchisee does not change practices, Aaron’s must terminate that franchisee.
This FTC action and the consent decree are going to be costly for Aaron’s and its franchisees. Moreover, as we have written before, they demonstrate that the FTC is going to remain hyper-vigilant regarding computer and data privacy even in the absence of new mandates from a divided Congress.
The case offers important lessons for all of us respecting online privacy and data collection. First, when it comes to data collection, use common sense. The franchisee who felt uncomfortable viewing his customers on the webcam was clearly onto something. If it doesn’t seem right: don’t do it. Second, disclose the existence of the software to customers. The FTC seemed to be particularly bothered by the fact that even the existence of the software was “surreptitiously” concealed from the customer. Finally, be explicit about what you are collecting, and make sure it fits legitimate business goals. The FTC recognized that stolen computers and computer operational assistance were legitimate and appropriate uses of the software if disclosed. Moreover, while not an issue in this case, I would expect little difficulty with explicit advance notice to a consumer that a rented computer could be geotracked and/or shut down remotely if payments were not timely made.
Bottom line: think about the appropriate use of monitoring and tracking software before deploying it, and tailor the software to legitimate, disclosed needs.