An FTC settlement with a mobile app over its privacy disclosures alleged to be deceptive may seem to be run-of-the-mill. After all, the FTC has been settling cases for years with companies whose data collection and use practices are allegedly not consistent with the representations those companies make in their privacy policies.
But the FTC’s Complaint and Order with Goldenshores Technologies (“Goldenshores”), announced on December 5th, is a particularly noteworthy Section 5 case because the FTC’s theory is that the company’s alleged violation of Section 5 resulted not out of an affirmative representation regarding its app alleged to have been deceptive, but from an alleged material omission, and from an allegation that whatever disclosures there were did not rise to the required level of prominence because they were in the privacy policy and EULA only.
These types of allegations and policy determinations have heretofore been limited to spyware, and have crept into online behavioral advertising, but have generally not been part of FTC enforcement actions in other contexts. This case represents the FTC’s signal to industry that material facts, especially those involving sensitive data, and especially where the facts involve collection, use, or disclosure of data that may surprise ordinary users because it is out of context of the use of the service, must be disclosed not only in a privacy policy, but also outside the privacy policy, clearly and conspicuously, prior to collection of the data.
The App’s Collection and Use of “Sensitive Data”
Goldenshores is the developer of the immensely popular “Brightest Flashlight Free” flashlight app (the “app”) for Android devices. The FTC Complaint explains that the app can be downloaded from the Google Play application store, amongst other places. The gravamen of the FTC’s Complaint stems from the allegation that while the app is operating as a flashlight (using the phone’s screen and LED flash for the camera) it is also collecting and transmitting certain information from the mobile device to third parties including ad networks. This information includes precise geolocation information and persistent device identifiers that can be used to track a user’s location over time.
The app ran into two problems with these alleged data collection and use practices. First, the FTC alleged that it did not adequately disclose that information including geolocation and the persistent device identifiers would be collected and shared with third parties, such as advertising networks. Second, the app did not accurately represent consumers’ choices with regard to the collection, use and sharing of this information.
However, the Complaint does not start out by focusing on these collection and use practices, and the app’s disclosures relating to them. Instead—and not insignificantly—it starts by describing the app’s promotional page on the Google Play store. The Complaint notes that this page describes the flashlight app, but “does not make any statements relating to the collection or use of data from users’ mobile devices” (emphasis added). Similarly, the FTC notes that the general “permission” statements that appear for all Android applications provide notice about the collection of sensitive information, but not about any sharing of sensitive information. But these issues do not reappear in the FTC’s allegations regarding the actual violations of Section 5 of the FTC Act for deceptive practices. Thus, it seems safe to assume that the FTC cited the lack of notice prior to download about the use and sharing of sensitive information to signal to app developers and platforms that it expects to see such disclosures.
The App’s Disclosures Regarding Sensitive Data
The FTC’s allegations specifically focus on the disclosures made by the app in its privacy policy and end user license agreement (“EULA”). In short, the Complaint notes that while the app’s privacy policy discloses that the app collects information relating to “your computer,” it does not specifically disclose: (1) that sensitive information such as precise geolocation is collected; or (2) that it is transmitted to third parties. Based on this failure to disclose, the FTC alleged that the app violated Section 5 by materially misrepresenting the scope of its data collecting and sharing, specifically the collection and sharing of precise geolocation information and persistent device identifiers.
As for the EULA, the Complaint explains that after a user downloads and installs the app, the user is presented with a EULA that must be accepted to use the app. First, like the privacy policy, the FTC alleges that the EULA does not accurately and fully disclose the data and sharing practices of the app. Second, the FTC alleges that the EULA also misleads consumers by giving them the option to “refuse” its terms. As the Complaint puts it, “that choice is illusory.” The problem is that the app transmits device data including precise geolocation and the persistent identifier before the user accepts—or refuses—the terms of the EULA. As a result, the EULA misrepresented that consumers had the option to “refuse” the collection of this information, because “regardless of whether consumers accept or refuse the terms of the EULA, the Brightest Flashlight App transmits . . . device data as soon as the consumer launches the application…”
New Disclosures Required by the Settlement
For the most part, the Agreement and Consent Order is what we’ve come to expect from the FTC in Section 5 cases relating to data collection and use practices. Thus, for instance, Goldenshores and any apps it develops, including this Flashlight app, are barred from misrepresenting the manner in which information is collected, used, disclosed or shared.
What makes this Order unique, however, is the specificity the FTC provides with regard to the disclosures Goldenshores must make about the collection and use of precise geolocation information in its apps. The Order requires a notice that goes significantly beyond the typical boilerplate “just-in-time” opt-in notice that apps typically use to obtain consent for the collection of precise geolocation information. In this case, the separate out-of-policy just-in-time notice and opt-in consent that the app must provide prior to collecting precise geolocation information must include a disclosure that informs the user:
(1) That the application collects and transmits geolocation information;
(2) How this information may be used;
(3) Why the application is accessing geolocation information; and
(4) The identity or specific categories of third parties that receive geolocation information directly or indirectly from the app.
Conclusion
Thus, what looks at first to be a simple privacy policy FTC deception case is actually rather significant for three reasons. First, this is about the failure to disclose collection and use practices relating to “sensitive data,” which includes precise geolocation and the device’s unique identifier. Second, the FTC flagged the lack of disclosures about such collection and use practices in the app store prior to download. And third, the FTC gave very specific and detailed instructions to the app on how it must provide notice and choice about the collection of precise geo-location information, which could perhaps be an indication of where the FTC expects the entire industry to go in the near future.