The Federal Trade Commission and Compete have finalized a settlement calling for the company to either delete or "anonymize" a trove of data collected from Web users prior to February 2010.
Compete also agreed to undergo biennial privacy audits for the next 20 years and to obtain consumers' opt-in consent before collecting data from them in the future.
The settlement, which was proposed last year and finalized on Thursday, resolves an FTC complaint stemming from Compete's distribution of software, including a toolbar that offered users the chance to learn about the Web sites they visited. Compete told users that the toolbar would gather some information from them, but didn't reveal the extent of the data it would collect -- including credit card numbers, security codes, expiration dates and Social Security numbers.
The FTC alleged that Compete deceived users by failing to fully inform them about all of the data that would be gathered. Compete also allegedly failed to fulfill a promise to users that it would filter out sensitive data and "personally identifiable information" before transmitting the material to its servers.
The advocacy group Electronic Privacy Information Center unsuccessfully asked the FTC to impose more stringent terms on Compete. EPIC said in comments filed in November that Compete should be required to fair information principles in the future. Those principles broadly provide that companies can't collect data for one purpose and then use it for another one. The principles also provide that companies can't retain data indefinitely.
The FTC rejected that request. The commission said in a letter to EPIC, made public on Monday, that settlement agreements can't impose obligations that aren't "reasonably related" to the allegations.
EPIC also asked the FTC to issue guidelines about the best way to anonymize data.
"Given the problems associated with certain de-identification techniques, and the falsity of claiming that pseudonyms and aggregation necessarily render data anonymous, the Commission should issue a best practices guide to de-identification," EPIC said in its comments.
But the FTC declined to do so, writing that it doesn't "provide specific technical guidance in areas like this, which are constantly changing." The FTC added: "It is a company’s responsibility to keep abreast of and select the technology that it believes best meets its needs and requirements while appropriately protecting consumer privacy."
Compete revised its filters and also stopped distributing its toolbar in January 2010, after a report was published outlining problems with the company's data collection. Upromise, a company that licensed Compete's software, agreed to settle FTC charges last year.