Blog: Chronicle of Data Protection | 04 November 2013

FTC Settles Case Against "Rent-to-Own" Franchisor that Guided Franchisees' Use of Spyware

On October 22, the FTC announced a settlement with national “rent-to-own” retailer Aaron’s, Inc. on charges that it knowingly assisted its franchisees in tacitly collecting images and information about their customers.  Specifically, the FTC alleges that Aaron’s “played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including taking webcam pictures of them in their homes.”  Aaron’s is a national “rent-to-own” retailer of consumer electronics, residential furniture, and household appliances that allows companies to rent products with an option to purchase them. According to the FTC complaint, between 2009 and January 2012 some of Aaron’s franchisees licensed a software product known as "PC Rental Agent" and installed it on computers rented to consumers.  This product enabled the installation of an add-on, Detective Mode, that allowed user activities to be monitored through, among other things, logging keystrokes, capturing screenshots, and using the computer's webcam.  They were also able to track the physical location of rented computers.  According to the FTC, all of this was done without notifying consumers, and as a result consumers’ personal, medical and financial information was put at risk for unauthorized access. The FTC brought an enforcement action against Aaron’s, a franchisor, even though alleged violations were committed by its franchisees, because according to the FTC Aaron’s provided the franchisees with the “technical capacity to access and use” the software.  To use and activate Detective Mode, Aaron's required that franchisees obtain corporate email accounts provided by Aaron’s.  Emails were routed through Aaron’s corporate headquarters and stored on servers owned, controlled and maintained by Aaron’s.  According to the FTC, Aaron's senior corporate management noted as early as 2010 that “data and information gathered by Detective Mode could be highly intrusive and invaded consumers' privacy.”  The FTC also claims that Aaron's IT personnel were aware that company server space was being used to store Detective Mode emails and  what data those emails contained, and that Aaron's provided franchisees with instructions on how to install and use the software. The proposed settlement requires Aaron's, for twenty years, to:

• Cease using monitoring technology to gather, store, or communicate data or information on the consumer from any rented computer, with two exceptions: (1) if the consumer, after receiving notice, consents to the data collection, or (2) the information is necessary to provide technical assistance.
• Not use geophysical location tracking technology unless notice is given and consent obtained from consumers at the time of rental.
• Destroy any improperly collected data and requiring franchisees to do the same.
• Transmit all properly collected data only in an encrypted format.
• Conduct annual monitoring and oversight of franchisees to make sure they are in compliance with the consent order requirements.
• Terminate any franchise agreements with franchisees that do not satisfy these requirements.

In September 2012, the FTC settled similar allegations against Aaron’s and several other companies for improperly using the same software involved in the current case.  In that case, Aaron's was one of eight companies accused of using Detective Mode, which secretly monitored consumers and also showed users fake "software registration" screens designed to gather personal information. The latest enforcement contains similar allegations to the previous one, but the FTC has not insited on any civil penalties for the repeated offense.  However, as one of our earlier posts indicated, the FTC continues to be interested in enforcing security standards for surreptitious monitoring.  In a statement issued by the FTC, Jessica Rich, director of the FTC's Bureau of Consumer Protection, noted that "consumers have a right to rent computers free of cyber-spying and to know when and how they are being tracked by a company.  By enabling their franchisees to use this invasive software, Aaron's facilitated a violation of many consumers' privacy." As has been the case with other FTC investigations, Aaron's has also had to face civil litigation based on similar allegations.  In 2011, consumers filed a class action lawsuit, Byrd v. Aaron's, against the company for unauthorized electronic surveillance via a rented laptop.  The complaint alleged that Aaron's, along with other parties, concealed the fact that they were able to "remotely access, intercept and monitory customers' private, personal electronic communications, information, screen shots, keystrokes or images."  The court is currently considering defense motions to dismiss the case. Adnan Zulfiqar, an associate in our Washington, DC office, contributed to this post