How Aaron's erred: What your business should take from the latest spycam case

Remember the cases the FTC announced last year against a software developer and rent-to-own stores that secretly monitored people in their homes?  Unbeknownst to consumers, computers came installed with a program called PC Rental Agent.  When the software was in “Detective Mode,” companies could remotely activate the camera — meaning they were surreptitiously snapping, transmitting, and storing pictures of anything in the range of the webcam. Well, the other shoe dropped today in the form of a settlement with national rent-to-own company Aaron’s, Inc.  If your business is considering the use of tracking or monitoring technology in your products, this case merits a close look.

The FTC's complaint recounts some disturbing details.  We’ll spare you from having to ask, but yes, the cameras captured images of family interactions, people changing their clothes, and other activities intended to remain private. The upshot:  Consumers were injured by the unwarranted invasion into the peaceful enjoyment of their homes.

But that's not all.  The lawsuit also alleges that the software tracked users’ physical location and their login credentials for social media, financial sites, etc., all without their knowledge or consent.  The FTC says that placed people’s personal, medical, and financial information at risk for unauthorized access.

How was franchisor Aaron’s involved?  According to the complaint, among the companies that used the software were Aaron’s franchisees. The FTC says Aaron's knew about the invasive features, but went ahead and allowed franchisees to use it without telling customers.  If franchisees had problems installing the software, Aaron’s was right there to lend a hand.  Aaron’s also stored data collected by the software for its franchisees and served as the go-between to transmit messages between them.  Thus, the complaint alleges that Aaron’s knowingly played a direct and vital role in the franchisees’ actions challenged as illegal in the earlier lawsuits.

To settle the case, Aaron’s has agreed not to use monitoring technology that captures screenshots or keystrokes or activates the camera or microphone on a consumer’s computer, except to provide tech support the person asks for.  In addition, the order includes some noteworthy notice and consent provisions.  Specifically, at the time of rental, Aaron’s will have to give consumers clear notice about any location tracking technology installed on rented products — laptops, for sure, but other gear as well — and get their express consent.  And there's more:  Aaron’s also has to clearly notify consumers at the time the tracking technology is activated.  (There’s an exception for when consumers report a product as lost or stolen.)

The proposed order includes provisions to make sure Aaron’s doesn’t benefit from the activities challenged in the lawsuit.  Aaron’s can’t use any information it got through improper means in the collection of a debt, money, or property related to a rent-to-own transaction.  The company also has to destroy any data that was improperly collected.  To improve security from here on in, if Aaron’s collects location or tracking data in a lawful manner, any transmission of that information has to be done securely.

There are provisions of particular interest to franchisors, franchisees, and others that do business using similar arrangements.  Under the order, Aaron’s must conduct annual monitoring and oversight of its franchisees, hold them to the requirements that apply to Aaron’s and its corporate stores, and sever ties with any franchisee that doesn’t live up to those requirements.

What messages can your company take from the Aaron’s case?

  1. Technologies that track or monitor consumers can raise privacy and security eyebrows.  Consider whether you've incorporated appropriate notice and consent safeguards.
     
  2. Just because the technology can doesn’t always mean the business should.  Before a company employs technology that raises privacy concerns, shouldn’t someone somewhere be asking the question “Do we really want to be secretly taking pictures of our customers in their homes, tracking them without consent, or [insert the next potentially invasive tech development here]?”  Chances are that companies that encourage those frank in-house discussions are less likely to find themselves in the law enforcement soup.
     
  3. Liability under the FTC Act is broad.  A case in point:  The FTC lawsuits challenged the roles of the software developer, two of that company's corporate officers, multiple retailers that used the software, and Aaron’s.  Given who may be on the hook for violations, it’s a mistake to assume legal compliance is someone else’s responsibility.   

Comments on the proposed settlement are due by November 21, 2013.

 

2 Comments

>> Leave a Comment | Comment Policy

Privacy issues of this nature apply to a multitude of alternative financial products. Case in point? Car title loans. GPS devices are installed by lenders on collateralized vehicles unbeknownst to consumers. Starter interrupt devices as well. Imagine a consumer attempting to take her child to the hospital at 5:00 A.M. and the lender has scheduled a "non-start condition" for non-payment via an internet enabled device.

How can anyone know that information they had was really destroyed? How many customers were invaded? Why were customers not notified? I feel sick.

Leave A Comment

Don't use this blog to report fraud or deceptive practices. To file a complaint with the Federal Trade Commission, please use the FTC Complaint Assistant.

PRIVACY ACT STATEMENT: It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act and the Federal Information Security Management Act authorize this information collection for purposes of managing online comments. Comments and user names are part of our public records system, and user names are also part of our computer user records system. We may routinely use these records as described in our Privacy Act system notices. For more information on how we handle information that we collect, please read our privacy policy.