On October 30, 2017, Sears Holding Management Corporation (“Sears”) petitioned the Federal Trade Commission (“FTC”) to reopen and modify the settlement to which they agreed in 2009. At that time, Sears agreed to a consent order to resolve the FTC’s complaint that Sears allegedly did not adequately disclose the scope of its collection of “online browsing” data collected from users of Sears’ desktop software application. This landmark enforcement action was one of the FTC’s first uses of its section 5 authority to regulate privacy-related disclosures and the tracking of users’ online activity.
With Sears’ petition, a company under a privacy-related consent order has for the first time asked the FTC to scale back the breadth of the order’s applicability because of changes in technology, consumer expectations, and the marketplace.
Changes in Mobile App Ecosystem and Consumer Expectations. In its petition, Sears argued that the current online marketplace demonstrates that the consent order is too broad and “does not align with today’s mobile application ecosystem and consumer expectations.” Sears explained that the consent order requires handling consumer notices in its mobile applications in a way different from other companies’ industry-standard mobile apps, and the order’s prescriptive manner does not fit with how consumers obtain mobile applications through app stores. According to Sears, more recent FTC orders recognized exceptions to certain consumer notices for normal functioning of mobile applications that are expected by consumers, e.g., notices related to application configurations, crash monitoring, and usage activity. Sears seeks an order more in-line with the new FTC orders that include the exceptions.
Impact on Competition. In addition, Sears argued that complying with the consent order imposed “heavy” competitive burdens that “significantly disadvantaged Sears in the marketplace.” The company explained that providing consumers with mobile applications is integral to its transformation from a brick-and-mortar retailer to the online marketplace.
The FTC will review the petition and public comments it receives to decide whether to reopen and modify Sears’ consent order. The FTC will base its decision on whether “changed conditions of law or fact” or “the public interest” requires such requested action.
Implications. The Sears petition highlights two serious consequences for companies that agree to settle privacy and data protection cases with the FTC.
First, many of the FTC’s privacy orders require companies to comply with them for 20 years. Many companies will not be doing business in 20 years, particularly given the disruption from online commerce and communications. Even large Fortune 500 companies significantly change in a decade. For example, Sears’ market capitalization was almost $9 billion at one point in 2009, while its current market cap is below $600 million. Not only do companies change, but the marketplace does as well. A second serious consequence from FTC consent orders is that they include prescriptive requirements that may have become obsolete, given changes in the market. Sears argues that consumer-notice industry practices have diverged from the consumer-notice requirements described in the FTC consent order, to the point where the FTC-required practices harm Sears’ ability to compete in the marketplace. The FTC’s prescriptive requirements may have become outdated in less than 10 years. If the FTC does not modify the consent order, Sears will need to continue to comply with the arguably antiquated requirements for another 12 years.
The Sears petition should serve as a wake-up call to companies. Once under order, a company may need to comply for 20 years with rigid and detailed requirements set by the FTC that could seriously affect (and restrict) how a company does business. Therefore, companies should regularly review their privacy and data protection practices to help ensure they meet regulatory requirements and industry best practices.