ControlScan, a company that consumers have relied on to certify the privacy and security of online retailers and other Web sites, has agreed to settle Federal Trade Commission charges that it misled consumers about how often it monitored the sites and the steps it took to verify their privacy and security practices. The settlements will bar future misrepresentations. The founder and former Chief Executive Officer has entered into a separate settlement that requires him to give up $102,000 in ill-gotten gains.
Third-party privacy and security certification programs like ControlScan are used by Web sites to assure visitors and customers that the site is secure and consumers can feel confident about providing personal and financial information. Certification companies provide privacy and security “seals” to convey that an independent party is auditing the practices of the site regularly to be sure its data is not vulnerable.
ControlScan offered a variety of privacy and security seals for display on Web sites. Consumers could click on the seals to discover exactly what assurances each seal conveyed. For example, the company’s Business Background Reviewed, Registered Member, and Privacy Protected seals conveyed that ControlScan had verified a Web site’s information-security practices. However, the FTC alleges that ControlScan provided these seals to a Web sites with “little or no verification” of their security protections. Similarly, the FTC alleges that the company provided its Privacy Protected and Privacy Reviewed seals to a Web sites with “little or no verification” of their privacy protections.
The FTC also charged that although ControlScan’s seals displayed a current date stamp, the company did not review any of the seal sites on a daily basis. In some instances, Web sites were reviewed only weekly, and in other instances, ControlScan did no ongoing review of a company’s fitness to continue displaying seals. The FTC charged that the defendants’ deceptive acts violated federal law.
The consent agreement settling the case with Richard Stanton, the founder and former CEO of ControlScan, bars him from misrepresenting the steps that are taken to verify a site’s privacy and security protections. He also is barred from misrepresenting the frequency of verification. The settlement requires that he give up $102,000 in ill-gotten gains.
The settlement with ControlScan bars the same misrepresentations and requires it to notify the Web sites that have displayed the seals of the Commission action and require them to take down the seals. Finally, a judgment of $750,000 is suspended, based on ControlScan’s inability to pay. Should the court find that the company misrepresented its financial condition, the entire amount will be payable immediately, less any amounts paid by Stanton.
The Commission vote to approve the settlements was 4-0. The FTC will publish an announcement regarding the agreement with Stanton in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through March 29, after which the Commission will decide whether to make it final. Comments should be addressed to the FTC, Office of the Secretary, Room H-135, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions. Comments also can be filed by clicking on the following hyperlink: https//public.commentworks.com/ftc/richardjstanton and following the instructions at that site.
The court settlement with ControlScan was filed in U. S. District Court for the District of Georgia.
Documents related to the case can be found at http://www.ftc.gov/os/caselist/0723165/index.shtm