Upromise collected consumers’ personal data without notification, FTC says

Federal Trade Commission says membership-rewards program Upromise collected consumers’ personal data without providing proper disclosure or security measures.

Upromise, which joins retailers to reward program members who purchase products by placing rebates in their college savings accounts, no longer is allowed to use its “TurboSaver toolbar” download option that provided a “personalized offer.” Without encrypting the data or notifying consumers, Upromise used the Personalized Offer feature to collect and transmit members’ personal financial information, passwords and social-security numbers that were entered in other websites, FTC says.

Upromise members who downloaded the TurboSaver toolbar, which highlighted Upromise’s participating merchants in search-engine results, could chose to receive personalized offers, or rebate opportunities that were tailored to members based on the websites that they visited.

The company notified consumers that it collected information about the websites the consumers visited, but it claimed that it “automatically encrypts sensitive information” when it’s transmitted to Upromise and that personal, identifying information would be removed.

FTC ordered Upromise to destroy all of the personal data that it had collected from the TurboSaver toolbar’s personalized-offers feature, and ordered it to give consumers clear disclosures about the information that it collects. Upromise also must notify all of the members that used the personalized-offers feature and provide instructions on how to disable the feature.