Yesterday, the FTC announced yet another privacy law enforcement action in the mobile arena. An Android mobile application developer has agreed to settle the Commission’s claims alleging that the application, which allows a device to be used as a flashlight, deceived consumers about how their precise geolocation information would be collected and shared with third parties.

THE FTC’S COMPLAINT

Goldenshores Technologies, LLC advertises and distributes the “Brightest Flashlight Free” mobile application (“Brightest Flashlight App” or App) developed for Google’s Android operating system. One of the most popular Apps for Android devices, the Brightest Flashlight App activates all lights on mobile devices to provide outward-facing illumination. In this matter, the FTC claimed that, neither the company’s promotional material for the App, nor the company’s privacy policy and end-user agreement, disclosed that the App transmitted certain types of personal information to third parties, including third party advertising networks.  The FTC charged that this material omission deceived consumers about (1) the extent to which device data is transmitted, and  (2) the extent to which users can exercise control over the transmission of device data. The FTC deemed the company’s actions “deceptive” under Section 5 of the FTC Act.

Material Omission 

The FTC first claimed that the company deceived consumers about how their geolocation information would be shared with advertising networks and other third parties. The company provided a privacy policy on its promotional pages in the Google Play application store, its end-user license agreement, and on its website. The policy represented that the company may “collect, maintain, process, and use diagnostic, technical, and related information” to facilitate software updates, provide support, and verify compliance with the terms of its end-user license agreement. The FTC alleged that the company did not disclose that the Brightest Flashlight App transmits, or allows the transmission of, device data including precise geolocation data and persistent device identifiers to third parties, including third party advertising networks.

The Complaint also noted that the promotional pages for the App and the general “permissions” statements that appear for all Android applications do not reference the collection or use of data from users’ mobile devices.

The omissions in the privacy policy and end-user agreement formed the basis for the Complaint’s first “deception” claim under Section 5 of the FTC Act (Count I).  Specifically, the FTC alleged that the company “failed to disclose, or failed to adequately disclose that, when users run the Brightest Flashlight App, the App transmits, or allows the transmission of, their devices’ precise geolocation along with persistent device identifiers to various third parties, including third party advertising networks” and that such disclosure “would be material to users in their decision to install the application.” The FTC alleged that the failure to disclose, or adequately disclose, those facts “was, and is, a deceptive practice.”

Illusory Choice 

The FTC next claimed that the company deceived consumers about their control over the collection and use of their device’s data. After installation of the Brightest Flashlight App, the App presented users with the company’s end-user license agreement. The license agreement allowed the company to collect and use device data.  At the bottom of the license agreement, the App presented users with a choice to “Accept” or “Refuse” the terms of the agreement. The FTC alleged that the App began transmitting users’ device data before they could “Accept” or “Refuse” the agreement’s terms. Because consumers could not prevent the Brightest Flashlight App from collecting or using their device data, the FTC deemed the choice illusory.

The company’s presentation of an illusory choice formed the basis for the Complaint’s second “deception” claim under Section 5 of the FTC Act (Count II).  Specifically, the FTC claimed that the company “represented, expressly or by implication, that consumers have the option to refuse the terms of the [application’s end-user license agreement], including those relating to the collection and use of device data.” Yet, the FTC alleged that consumers could not prevent the application from collecting or using their device’s data because “regardless of whether consumers accept or refuse the terms of the [agreement], the Brightest Flashlight App transmits, or causes the transmission of, device data as soon as the consumer launches the application.” The FTC deemed the acts and practices of the company “deceptive” in violation of the FTC Act.

SETTLEMENT PROVISIONS

Most of the settlement provisions apply to the company and the individual who served as the managing member of the limited liability company for 20 years, and a violation of such provisions could subject the company and the individual to civil penalties of up to $16,000.  The core components of the settlement are set forth below.

Advertising Injunction

The settlement prohibits the company or its agents from misrepresenting (1) the extent to which the company collects, uses, discloses, or shares personal information, and (2) “the extent to which users may exercise control over the collection, use, disclosure, or sharing of [personal information] collected from or about them, their computers or devices, or their online activities.”

Data Collection Injunction

The settlement prohibits the company or its agents from advertising or disseminating a mobile App that collects, transmits, or allows the transmission of geolocation information unless two requirements are met.

  1. Comprehensive Geolocation Data Collection Disclosure. First, the App must disclose to the consumer (1) that the App collects, transmits, or allows the transmission of geolocation information, (2) how geolocation information may be used, (3) why the App is accessing geolocation information, and (4) the identity or specific categories of third parties that receive geolocation information directly or indirectly from the App. The company must display this disclosure:
  • Clearly and prominently;
  • Before the initial collection or transmission of geolocation information; and 
  • On a separate screen from any final end-user license agreement, privacy policy, terms of use, or similar document. 
  1. Consumer Consent. Second, the App must obtain affirmative express consent (i.e., an opt in) from the consumer to transmit the consumer’s geolocation information.

LESSONS LEARNED

This case serves as a reminder of the importance in determining exactly what information an App collects from the user, when such data collection occurs, with whom it is shared, and whether all representations made in the App’s advertising, the privacy policy, terms and conditions, user guide, etc. accurately reflect such data collection practices. The stakes are certainly high, given that the failure to engage in such due diligence before introducing the App to the marketplace can result in a 20 year settlement on both the App company and its individual owners.

Jalyce Mangum contributed to this post. Ms. Mangum is practicing under the supervision of principals of the firm who are members of the D.C. Bar