The Federal Trade Commission has settled a case against web analytics firm Compete over allegations that the latter collected personal data from millions of users without disclosing the extent of information being harvested.
Such business practices were "unfair or deceptive and violated the law", the US consumer watchdog charged.
The FTC (pdf) had alleged that Compete illegally collected consumer data via a toolbar and a "consumer input panel" that enticed users to provided opinions on companies' products and services in return for rewards.
While Compete told consumers that the data collection was limited and anonymous, the FTC alleged that the company gathered extensive information about people's online activites, and transmitted everything in clear text to its servers.
Furthermore, Compete was also alleged to have captured personal information entered on SSL-secured web pages, such as credit card and social security numbers, user names, passwords and search terms, and did not adequately filter out data that identified users.
The data capture took place in the background with no way for consumers to discover how much was gathered, the FTC alleged.
Special software and technical expertise was required for finding out the extent of the data harvesting, the watchdog claimed.
Compete also licensed its software to third parties such as Upromise, which settled similar privacy violation charges with the FTC earlier this year.
Compete admits its privacy filters prior to February 2010 "may not have sufficiently prevented the transmission to Compete of certain personally identifiable and sensitive information communicated on secure web pages" but said the collection thereof was inadvertent and that the software has been improved since.
The inadvertently collected personal data has also been removed from Compete's databases, the company said.
From now on, Compete and clients licensing its software must fully disclose the data collected as part of the settlement with FTC.
The company must also seek consumers' express consent before collecting their data, cease misrepresenting its privacy and data security practises.
To ensure compliance with the FTC settlement, Compete has agreed implement a comprehensive information security programme and will undergo two-yearly independent audits for the next 20 years.