To settle FTC charges of deceptive advertising, ValueClick (and its subsidiaries—we’ll just use ValueClick, for short) agreed to pay $2.9 million. In addition to the civil penalty, among other things, ValueClick agreed to conspicuously disclose costs and obligations associated with “free” products. ValueClick is also precluded from making any deceptive claims about the security of a consumer’s information collected by its websites. The FTC charged that ValueClick attracted web traffic using deceptive e-mails, online banner ads and pop-ups claiming individuals were eligible for “free” gifts, but instead were required to plow through and participate in tiresome and potentially expensive third-party offers in order to receive the “free” products. With respect to the security of consumer information, ValueClick’s privacy policies represented that customer information was encrypted—but that either there was no encryption, or a non-standard, insecure form of encryption was used. The proposed order would require ValueClick have a comprehensive security program and obtain independent thirdparty assessments of their programs for 20 years. This is not the first time the FTC has brought an enforcement action against “lead generating” companies, and certainly among a string of cases relating to the data security and information security practices of companies handling non-public consumer information.