In re Sears Holdings Management Corp.
In mid-2009 the Federal Trade Commission (FTC) filed a complaint against Sears Holdings Management Corporation (SHMC), which runs sears.com and kmart.com. The FTC said SHMC used deceptive practices related to a software program that ran in the background on some users’ computers and tracked almost all of their internet activity. The tracking details were buried in a lengthy End User License Agreement and not clearly disclosed to users.
Separately, from April 2007 to January 2008 SHMC invited about 15% of website visitors to join the My SHC Community. Those visitors saw a pop-up offering to join an online community and, if they joined, provided an email address to receive more details. The follow-up email introduced a software program that would confidentially track online browsing. Participants were paid $10 if they kept the program running for at least one month. The email focused on community participation, with only a small mention of the software.
The Privacy Statement and the End User License Agreement contained more details, but they were buried in the text and required extensive scrolling. The program would collect detailed information about the computer and all online activity, including during secure sessions, and transmit it to SHMC servers. It could include some sensitive data, such as passwords, though SHMC said it would try to filter out personally identifying information. The software ran with little visible indication on the user’s screen—only a process name appeared in the Windows Task Manager.
The FTC concluded that SHMC’s disclosures were inadequate and that the program was deceptive. SHMC agreed to a consent decree requiring clear, prominent disclosures on a separate screen (not buried in the privacy policy or license agreement) detailing (1) what data the tracking program monitors, records, or transmits; (2) how the data will be used; and (3) whether third parties may access the data. SHMC also had to obtain opt-in consent from future users, notify and assist existing users in removing the software, place a clear notice on the website, and destroy all data collected before the decree.
This case shows that terms tucked away in license agreements can’t shield a company from accusations of deception. It reflects the FTC’s ongoing effort to protect online privacy and require transparency so consumers can make informed choices about the data they share.
This page was last edited on 2 February 2026, at 12:50 (CET).