On February 5, the FTC announced a proposed settlement with technology company General Workings, Inc., d/b/a Vulcun, stemming from charges that Vulcun had violated the FTC Act by installing mobile apps on consumers’ devices without notice or consent and by making subsequent misrepresentations about its products. According to the FTC, Vulcun’s alleged misconduct occurred in two steps. First, Vulcun acquired control of a consumer’s web browser extension Running Fred, a popular game with more than 200,000 users. Second, without notice, Vulcun replaced Running Fred on users’ browsers with a different browser extension called Weekly Android Apps.
According to the complaint, the mobile apps installed by Vulcun, could, through the execution of various malicious codes on user devices, access a user’s contacts, photos, location, and persistent device identifiers, as well as other sensitive information, such as financial and health information. The FTC asserted that Vulcun’s actions endangered consumers’ privacy, constituting an unfair practice, while also disrupting the functionality of their devices. Under the FTC’s proposed settlement order, Vulcun would be required to disclose to consumers clearly and conspicuously the types of information that a mobile app will access and how that information will be used. In addition, Vulcun would be required to display permission notifications to users and obtain express affirmative consent prior to installation of or any substantial modification to a mobile app. The order would also prohibit Vulcun from misrepresenting key information to consumers about its mobile apps, including whether they have received endorsements from third parties and to what extent users’ information will be collected and shared.
The Vulcun settlement comes on the heels of the FTC’s PrivacyCon, which featured presentations and commentary exploring a broad array of consumer privacy issues, including those arising from consumers’ increased use of mobile devices and other emerging technologies. From PrivacyCon to its “Start with Security” initiative and the recent appointment of a Chief Privacy Officer, the FTC appears committed to better understanding and policing risks posed to consumers through the use of new technologies. To this end, although the FTC is concerned with positioning consumers to make informed choices to protect their privacy, the FTC’s action against Vulcun indicates that it is also inclined to protect consumers by regulating the conduct of technology developers and limiting the functionality of their products –– perhaps irrespective of the existence of actual consumer harm. Because new technologies proliferate rapidly, but corresponding consumer expectations and privacy preferences evolve more slowly, expect the FTC to focus more of its attention on regulating the actions and representations of technology companies –– rather than, for example, on implementing rules aimed at enhancing or tailoring consumer notice in the context of emerging technologies or imposing other regulatory requirements aimed at reducing the likelihood consumer harm in this area.