The objective seemed innocent enough.
Sears and Kmart wanted to better understand customer habits in order to serve their audience.
Unfortunately, something went terribly wrong in the execution.
The retail giants (both part of the same holding group) offered to pay website visitors $10 each to relinquish their Internet browsing histories under the guise of a marketing survey. The idea was that they could take that data and analyze shopping patterns.
Unfortunately, the data revealed far more information about consumers than Sears and Kmart needed, and a lot more than consumers knew they were giving up.
You see, the "research" involved installing software (essentially spyware) on consumers' computers. It transmitted the complete contents of a browsing session, even secure sessions, to the folks at Sears and Kmart.
This meant that Sears/Kmart would have access to the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails.
Talk about TMI (too much information).
Once this activity was discovered, in walked the Federal Trade Commission, which, after an investigation, found that the two businesses, both owned by Sears Holding Management, hadn't adequately disclosed their data-collection program's scope, and ordered them to destroy all the data they collected.
They essentially said that Sears and Kmart buried the information that would have told consumers that they'd be spied on, way too deep in a user agreement.
According to Ars Technica, under the settlement with the FTC, Sears has now agreed to destroy all data gained from the experiment and stop collecting data from any software still running in the wild. In addition, if it wants to do any tracking in the future, the company has committed to "clearly and prominently disclose the types of data the software will monitor, record, or transmit. This disclosure must be made prior to installation and separate from any user license agreement. Sears must also disclose whether any of the data will be used by a third party."