Another company has settled charges today with the Federal Trade Commission over violations of the CAN-SPAM Act, netting the FTC another $2.9 million in civil penalties. Online advertiser ValueClick and its subsidiaries were charged with using deceptive e-mails, banner ads, and pop-ups to drive traffic, as well as with failing to secure customers' financial information. The settlement is the largest in CAN-SPAM's five-year history, says the FTC, and bars the companies from any further violations.

ValueClick and subsidiary Hi-Speed Media's e-mails and online banners promised free gifts like iPods, gift cards, PS3s, laptops, and plasma TVs, among other things. But when unsuspecting users clicked through, they were greeted with a number of third-party offers that they were required to sign up for before receiving their "free" gifts. It was ValueClick's failure to disclose that users must first sign up for other offers (ones that cost them money) before collecting the prize that was a violation of the 2003 CAN-SPAM Act and the FTC Act.

But the violations go much further than just misleading customers about free prizes. ValueClick, Hi-Speed Media, and another subsidiary, E-Babylon, also claimed to secure customers' financial information by encrypting all transactions and other stored info. This, of course, was a complete lie—the FTC said that they either failed to encrypt information at all, or chose to use non-standard and insecure forms of encryption. "The agency also charged that several of the companies’ e-commerce Web sites were vulnerable to SQL injection, a commonly known form of hacker attack, contrary to claims that the companies implemented reasonable security measures," said the FTC.

In addition to the cash settlement, the companies can no longer misrepresent their use of encryption or any other security measures, no matter what those measures may be. The FTC has also required the companies to maintain a "comprehensive security program" (complete with third-party assessments) until 2028, and to conspicuously disclose that users must first spend money in order to qualify for free gifts, with a full list of obligations. The FTC says that this is the 18th case in which it has challenged companies' data security practices, and only the third case that targeted the use of deceptive promises since CAN-SPAM was first introduced in 2003.