An FTC settlement with a mobile app over its privacy disclosures alleged to be deceptive may seem to be run-of-the-mill. After all, the FTC has been settling cases for years with companies whose data collection and use practices are allegedly not consistent with the representations those companies make in their privacy policies.
THE APP’S COLLECTION AND USE OF “SENSITIVE DATA”
Goldenshores is the developer of the immensely popular “Brightest Flashlight Free” flashlight app (the “app”) for Android devices. The FTC Complaint explains that the app can be downloaded from the Google Play application store, amongst other places. The gravamen of the FTC’s Complaint stems from the allegation that while the app is operating as a flashlight (using the phone’s screen and LED flash for the camera) it is also collecting and transmitting certain information from the mobile device to third parties including ad networks. This information includes precise geolocation information and persistent device identifiers that can be used to track a user’s location over time.
The app ran into two problems with these alleged data collection and use practices. First, the FTC alleged that it did not adequately disclose that information including geolocation and the persistent device identifiers would be collected and shared with third parties, such as advertising networks. Second, the app did not accurately represent consumers’ choices with regard to the collection, use and sharing of this information.
However, the Complaint does not start out by focusing on these collection and use practices, and the app’s disclosures relating to them. Instead—and not insignificantly—it starts by describing the app’s promotional page on the Google Play store. The Complaint notes that this page describes the flashlight app, but “does not make any statements relating to the collection or use of data from users’ mobile devices” (emphasis added). Similarly, the FTC notes that the general “permission” statements that appear for all Android applications provide notice about the collection of sensitive information, but not about any sharing of sensitive information. But these issues do not reappear in the FTC’s allegations regarding the actual violations of Section 5 of the FTC Act for deceptive practices. Thus, it seems safe to assume that the FTC cited the lack of notice prior to download about the use and sharing of sensitive information to signal to app developers and platforms that it expects to see such disclosures.
THE APP’S DISCLOSURES REGARDING SENSITIVE DATA
- that sensitive information such as precise geolocation is collected; or
- that it is transmitted to third parties. Based on this failure to disclose, the FTC alleged that the app violated Section 5 by materially misrepresenting the scope of its data collecting and sharing, specifically the collection and sharing of precise geolocation information and persistent device identifiers.
NEW DISCLOSURES REQUIRED BY THE SETTLEMENT
For the most part, the Agreement and Consent Order is what we’ve come to expect from the FTC in Section 5 cases relating to data collection and use practices. Thus, for instance, Goldenshores and any apps it develops, including this Flashlight app, are barred from misrepresenting the manner in which information is collected, used, disclosed or shared.
What makes this Order unique, however, is the specificity the FTC provides with regard to the disclosures Goldenshores must make about the collection and use of precise geolocation information in its apps. The Order requires a notice that goes significantly beyond the typical boilerplate “just-in-time” opt-in notice that apps typically use to obtain consent for the collection of precise geolocation information. In this case, the separate out-of-policy just-in-time notice and opt-in consent that the app must provide prior to collecting precise geolocation information must include a disclosure that informs the user:
- That the application collects and transmits geolocation information;
- How this information may be used;
- Why the application is accessing geolocation information; and
- The identity or specific categories of third parties that receive geolocation information directly or indirectly from the app.