Snapchat’s recent settlement with the Federal Trade Commission (FTC) generally provides a comprehensive but not groundbreaking roadmap to the FTC’s privacy and data security expectations in the mobile environment under Section 5 of the FTC Act, with two very notable exceptions:

  1. It now appears that companies are required to follow researchers’ blogs and other writings to see if there are any privacy or data security vulnerabilities, and to act on any such information promptly; and
  2. It also appears that the FTC expects companies to be aware of all third parties who have technology that can interact with an app, and to make sure that when consumers engage in any such interaction, all of the company’s privacy and data security representations remain true. If the FTC continues down this path, it will create unsustainable new burdens on app developers, many of which have very few resources to begin with. Furthermore, if this is the new standard, there is no reason it should be limited to the app environment—analytically, this would lead to a rule of general application.

THE BASIC ALLEGED MISREPRESENTATION

The Snapchat app became very popular because of its branding as an “ephemeral” mobile messaging service. Among other things, the app promised its users and prominently represented—in its privacy policy and an FAQ, among other places—that the “snaps” (e.g., messages) users sent would “disappea[r] forever” after 10 seconds (or less). However, according to the FTC’s complaint, in addition to other problems with the app’s privacy and security features, it was much too easy to capture these supposedly ephemeral messages, making the company’s claims false and misleading in violation of Section 5. And since the company’s representations were not consistent with the app’s practices, now it’s the FTC that won’t be disappearing any time soon.
Continue Reading Snap Judgment: FTC Alleges Snapchat Did Not Keep Its Privacy and Security Promises, But Suggests Broad New Duty in the Process