On December 5, 2013, the FTC agreed to settle a complaint lodged against Goldenshores Technologies, LLC (Goldenshores) alleging that the company deceived users by misrepresenting its practices when collecting and sharing the personal data of users through its popular Brightest Flashlight Free mobile application. The original complaint and proposed settlement, adopted 4-0 by FTC vote, each provide insight into the agency’s evolving expectations of how a company should provide notice to users about its data collection and use practices.
The Brightest Flashlight Free app allowed users to use their mobile devices as a flashlight by simultaneously activating all of the device’s light sources. According to the FTC, as of May 2013 the app was listed by the Google Play application store as a top free app available for download and was downloaded tens of millions of times. While running, the app also collected users’ personal information, including precise geolocation and unique device identifiers, and transmitted that data to third parties.
The proposed settlement agreement and consent order bars Goldenshores from misrepresenting its data collection, use, and disclosure practices and requires that the company adequately inform users of the extent to which users can control those practices related to their data. When geolocation information is collected, the proposed settlement also requires Goldenshores to provide “just-in-time” notice (meaning notice provided immediately prior to the initial collection of information and separate from any similar document) indicating how the information may be used and why, and requires Goldenshores to obtain “affirmative express consent” from its users within the just-in-time notice. The consent order also requires the company to delete any personal information collected via the Brightest Flashlight Free app prior to the settlement.
Focusing on Goldenshores’ handling of geolocation information, the terms of the settlement shed light on the FTC’s expectation that users will be provided notice “immediately prior to the initial collection or transmission of [geolocation] information.” Notably, the imposition of just-in-time disclosure requirements on Goldenshores, an app developer, expands on guidance supplied by the FTC’s 2013 staff report, Mobile Privacy Disclosures: Building Trust Through Transparency, which calls on app platforms to supply such just-in-time notice.
In addition to requiring Goldenshores to use just-in-time notice to obtain “affirmative express consent” from users before any geolocation information is collected or shared, the settlement also notably mandates exactly what information must be disclosed to users through just-in-time notice:
- That such application collects, transmits, or allows the transmission of, geolocation information;
- How geolocation information may be used;
- Why such application is accessing geolocation information; and
- The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application.
Companies also should take notice of the FTC’s tacit expectation that privacy policies disclose to users the full range of a company’s data transmission practices. As evidenced by the FTC’s proposed settlement with Goldenshores, any lack of information about data transmission or sharing practices may be viewed as deceptive to users, particularly with respect to sensitive categories of information such as geolocation information. App developers in particular should take notice of the proposed expansion of just-in-time notice requirements from app platforms to app developers. In cases involving sensitive categories of information, especially where collection and use of the sensitive information may not be apparent in the context of the service, the FTC may expect those notices to include extensive information about how and why the information might be used by the company and others before soliciting consent.