The settlement, which the FTC said is the largest related to the CAN-SPAM Act, bars the companies from future violations.
The companies were charged with failing to safeguard customers' account information.
ValueClick, High-Speed Media and another subsidiary, E-Babylon, assured customers that their information would be encrypted in all transactions. The FTC said the companies either didn't make an effort to encrypt the information entirely or chose to use substandard and insecure encryption forms.
"The agency also charged that several of the companies' e-commerce websites were vulnerable to SQL injection, a commonly known form of hacker attack, contrary to claims that the companies implemented reasonable security measure," the FTC said.
The FTC said the companies also used several dishonest banner ads, pop-ups and emails that promised free gifts such as iPods, gift cards, Sony PlayStation 3 consoles, laptop computers and plasma TVs. After clicking through, users were prompted to sign up for third-party offers to receive their gifts. By not informing users that signing up for the offers would cost them money, the FTC said, ValueClick violated the CAN-SPAM Act and the FTC Act.
The FTC has ordered the companies to use a "comprehensive security program" with third-party evaluations until 2028 and stop misleading users about their use of encryption security measures.
The companies also must provide users a full list of requirements, pointing out that free gifts require expenditures on their part.
The FTC said the case is the 18th in which it has challenged a company's data security practices and the third case that targeted the use of deceptive promises since the CAN-SPAM Act was introduced in 2003.