If you have a child and are saving for their college fund, chances are you’ve heard of the company Upromise. Upromise is a company that offers consumers a membership service that allows them to save money for college. When consumers make a purchase or buy a service from a Upromise partner merchant they then receive rebates that are placed into the consumers’ college saving accounts. It’s actually a great program that I have personal experience with. Sadly, Upromise has been catching some bad press lately with the Federal Trade Commission (FTC) as their “TurboSaver Toolbar” feature deceptively collected consumers’ personal information.
In its complaint against Upromise, the FTC alleged that to allow consumers to identify and select merchants that would provide rebates, Upromise’s website offered a “TurboSaver Toolbar” download that would highlight partner merchants in consumers’ search results. When downloading the toolbar, consumers saw a message that encouraged them to enable the “Personalized Offers” feature of the Toolbar, which Upromise allegedly claimed would collect information about the websites they visited “to provide college savings opportunities tailored to you.”
The FTC alleges the Toolbar with the “Personalized Offers” feature enabled collected and transmitted, in clear text, the names of all websites consumers visited and which links they clicked on, as well as information they entered into some webpages, such as search terms, user names, and passwords. In some cases, the information collected included credit card and financial account numbers, user names and passwords used to access secured websites, security codes and expiration dates, and any Social Security numbers consumers entered into the webpages. The Toolbar transmitted consumers’ information without encryption.
According to the FTC, while Upromise’s toolbar was collecting and transmitting the data, its privacy statement claimed, “We understand the need for our customers’ personal information to remain secure and private and have implemented policies and procedures designed to safeguard your information.” Upromise also said it was “proud of the innovations we have made to protect your data and personal identity,” and that “Upromise automatically encrypts your sensitive information in transit from your computer to ours.”
Do You Have a Question You'd Like Steve to Answer? Click Here.
The Upromise TurboSaver Privacy Statement allegedly stated that the Toolbar would collect and transmit information about websites consumers visited, and that “infrequently” the collection might “inadvertently” collect a “name, address, email address or similar information,” but that any personally identifying information would be removed before the data was transmitted.
According to the FTC complaint, Upromise’s failure to disclose the extent of information collected by the Toolbar, and its claims that it encrypted consumer data and took reasonable measures to protect data from unauthorized access, were deceptive and violated federal law. The FTC also charged that Upromise’s failure to take reasonable and appropriate measures to protect consumers’ data was an unfair practice.
Upromise has agreed to settle FTC charges and will be barred from its allegedly deceptive practice of using a web-browser toolbar to collect consumers’ personal information without adequately disclosing the extent of the information it is collecting.
The settlement with Upromise Inc. is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security. The settlement order will require Upromise to clearly disclose its data collection practices and obtain consumers’ consent before installing or re-enabling any such toolbar products, and to notify consumers how to uninstall the toolbars already on their computers. The settlement also will bar misrepresentations about the extent to which the company maintains the privacy and security of consumers’ personal information, and require the company to establish a comprehensive information security program and to obtain biennial independent security assessments for the next 20 years.
The proposed settlement order requires Upromise to destroy the data collected through the Personalized Offers feature of the Toolbar, and to provide clear and prominent disclosures to consumers and receive their affirmative consent before installing any similar product. The disclosures must be made prior to installation and be separate from any user license agreement. The company also must notify consumers who had the Personalized Offer feature enabled, informing them as to the type of information collected, and how to disable the feature and uninstall the Toolbar.
The settlement order also prohibits Upromise from misrepresenting privacy and security practices and requires the company to establish and maintain a comprehensive information security program and to obtain biennial, independent, third-party audits for 20 years – Source.
While I endorse the Upromise service for college saving I must tip my metaphorical cap to the FTC for catching this and standing up for the protection of consumers’ personal information.
If you have been scammed and would like to file a scam report, please click here.