Last week, online media outlets widely publicized the FTC's 20-year consent decree with the publisher of the "Brightest Flashlight Free" mobile app. The media focused most of its attention on Count II of the FTC's Complaint, which involved an "Accept or Refuse" EULA and the fact that even if an end-user clicks "Refuse," the app still collects and shares precise geo-location data and device identifiers. This means that companies have to be very careful about the order of the disclosures, giving consumers a choice (and the timing and effectiveness of that choice), and the timing of any data collection. The FTC claimed that Goldenshores Technologies presented consumers with a "false choice" stating that even before a consumer had a chance to accept the terms, the application was already collecting and sending information to third parties – including location and the unique device identifier.
There is no doubt that Count II should be read closely. However, the media reports we have seen have not highlighted the separate, and perhaps more important, claim by the FTC in Count I, which does not involve any "Accept or Refuse" aspect at all. Specifically, in Count I, the FTC found that the publisher of the Flashlight Free app had engaged in a deceptive practice in violation of Section 5 of the FTC Act merely by failing to disclose that geo-location, device identifiers, and other device information were shared with third parties, including advertisers.
This is by far the hardest line that the FTC has drawn in the mobile app area to date:
- The company did not collect personally identifiable information, yet the FTC still found that the company engaged in a deceptive practice under Section 5 of the FTC Act;
- Based on the FTC's Complaint, the failure to disclose the collection or sharing of device identifiers, geo-location, or other device information can be a deceptive practice, with nothing more;
- Companies cannot rely on Android platform permissions as adequate disclosure because the permissions do not disclose third-party sharing;
- The insufficiency of the Android permissions noted by the FTC necessarily means that companies cannot rely on the "just-in-time" notices in either Android or iOS, because both sets of notices are silent as to third-party sharing; and
- It is extremely difficult for companies to comply, because the collection and sharing described by the FTC in the Complaint can only be detected at the technical level, by inspecting the app's outbound network traffic. See a description of our in-house testing lab for how we do this type of detection for our clients: http://www.bna.com/ftc-cyberspace-ready-n17179880248/.
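The last point is the practical one: the only reliable way to know whether an app ships device identifiers or location to third parties is to look at what actually leaves the device. The following Python script is an added illustration of that kind of traffic check and is not code from the original post or from the testing lab it mentions. It assumes the tester already knows the device's identifier and coordinates, has captured the app's outbound HTTP requests (for example through an interception proxy), and knows which hosts the publisher itself operates; every host, identifier, and coordinate below is constructed for the example. Any request that carries one of the known sensitive values to a host outside the publisher's own set is reported as third-party sharing, which is exactly the behaviour the Complaint says must be disclosed.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed identifier and coordinates for the device under test (hypothetical values).
DEVICE_ID = "3f1a9c2e-7b21-4b6d-8d3a-1c0ffee00001"
LATITUDE = "37.7749"
LONGITUDE = "-122.4194"

# Values the tester knows in advance; the detector looks for them leaving the app
# toward hosts the publisher does not control.
SENSITIVE_VALUES = {"device_id": DEVICE_ID, "latitude": LATITUDE, "longitude": LONGITUDE}

# Hosts assumed to be operated by the publisher; anything else counts as a third party.
FIRST_PARTY_HOSTS = {"api.example-flashlight.test"}

# Constructed sample of outbound requests, as an interception proxy would record them.
CAPTURED_REQUESTS = [
    {"url": "https://api.example-flashlight.test/v1/config?ver=2", "body": ""},
    {"url": f"https://ads.adnet-example.test/track?devid={DEVICE_ID}&lat={LATITUDE}&lon={LONGITUDE}",
     "body": ""},
    {"url": "https://metrics.analytics-example.test/collect",
     "body": json.dumps({"id": DEVICE_ID, "geo": {"lat": 37.7749, "lon": -122.4194}})},
    {"url": "https://api.example-flashlight.test/v1/telemetry", "body": f"devid={DEVICE_ID}&event=on"},
    {"url": "https://cdn.static-example.test/banner.png", "body": ""},
]


def _leaf_values(obj):
    """Yield every scalar nested anywhere inside a parsed JSON document, as a string."""
    if isinstance(obj, dict):
        for value in obj.values():
            yield from _leaf_values(value)
    elif isinstance(obj, list):
        for value in obj:
            yield from _leaf_values(value)
    elif obj is not None:
        yield str(obj)


def _values_in_request(request):
    """Return (host, values) where values is everything carried in the query string and body."""
    parts = urlsplit(request["url"])
    values = [v for vs in parse_qs(parts.query).values() for v in vs]
    body = request.get("body", "")
    if body:
        try:
            values.extend(_leaf_values(json.loads(body)))
        except ValueError:
            # Not JSON, so treat the body as application/x-www-form-urlencoded.
            values.extend(v for vs in parse_qs(body).values() for v in vs)
    return parts.hostname or "", values


def find_third_party_sharing(requests, first_party_hosts, sensitive_values):
    """One finding per request that sends a known sensitive value to a non-first-party host."""
    findings = []
    for request in requests:
        host, values = _values_in_request(request)
        if host in first_party_hosts:
            continue  # sharing with the publisher itself is not third-party sharing
        shared = sorted(name for name, secret in sensitive_values.items() if secret in values)
        if shared:
            findings.append({"host": host, "shared": shared})
    return findings


if __name__ == "__main__":
    for finding in find_third_party_sharing(CAPTURED_REQUESTS, FIRST_PARTY_HOSTS, SENSITIVE_VALUES):
        print(f"{finding['host']} receives: {', '.join(finding['shared'])}")
```

Run against the constructed capture, the script flags the ad network and the analytics host, and ignores both the first-party telemetry call (same data, but to the publisher's own server) and the image fetch that carries nothing sensitive. A real test lab would feed it decrypted proxy logs rather than a hard-coded list and would extend the matching to hashed or encoded forms of the identifier, but the decision rule is the same one the Complaint turns on: which hosts receive the data, not merely whether it is collected.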
For the FTC's report of the Complaint and Settlement, see http://www.ftc.gov/opa/2013/12/goldenshores.shtm. See also http://www.business.ftc.gov/blog/2013/12/shedding-light-what-your-app-3-lessons-developers.