
The U.S. Federal Trade Commission’s (FTC’s) most recent case arises from the ubiquitous mobile app—Snapchat, which allows individuals to send and receive photos and videos—known as “snaps.” In this case, the FTC alleged that Snapchat informed users that the sender could designate a period of time that the recipient will be allowed to view the snap. The FTC alleged that Snapchat markets the application as an “ephemeral messaging application,” which meant that the snap would disappear after the designated time. Specifically, the FTC alleged that Snapchat said it permits senders to “control how long your friends can view your message.”

The FTC pointed to a number of other representations allegedly made by Snapchat, including the following from the FAQ:

Is there any way to view an image after the time has expired?

No, snaps disappear after the timer runs out. …

The FTC alleged that, despite this, several methods existed by which a recipient could use tools outside of the application to save both photo and video messages, allowing the recipient to access and view them indefinitely. One alleged flaw was that when a recipient received a video message, the application stored the video file in a location outside of the application’s “sandbox,” which permitted video files to be saved. Moreover, the FTC alleged that third-party software applications also permitted videos and pictures to be stored indefinitely. The FTC further alleged that users could take screenshots in ways that the FTC felt were inconsistent with representations made by Snapchat.

The FTC also alleged that from June 2011 to February 2013, Snapchat stated in its privacy policy:

We do not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application.

The FTC alleged that despite this, from October 2012 to February 2013, the Snapchat application on Android transmitted WiFi-based and cell-based location information from users’ mobile devices to its analytics tracking service provider.

There were also specific allegations regarding Snapchat’s allegedly deceptive “Find Friends User Interface.” The user interface was focused specifically on the telephone number, and Snapchat stated that the only personal information it collected when the user chose to Find Friends was the mobile number that the user entered. The FTC alleged that, in fact, when the user chose to Find Friends, Snapchat collected not only the phone number the user entered but also, without informing the user, the names and phone numbers of all the contacts in the user’s mobile device address book, and that Snapchat did not provide notice of or receive user consent for this collection until September 2012. The FTC also alleged that Snapchat had made deceptive statements in its privacy policy regarding the nature and scope of the information collected in the Find Friends User Interface.

Another FTC allegation claims Snapchat did not properly secure the information in the Find Friends feature because, among other reasons, there was no verification that the person claiming to own a particular phone number actually did own the phone number. This had a number of consequences, according to the FTC, including the wrongful disclosure of PII, as well as other issues.

For example, consumers complained that they had sent snaps to accounts under the belief that they were communicating with a friend, when in fact they were not, resulting in the unintentional disclosure of photos containing personal information. In addition, consumers complained that accounts associated with their phone numbers had been used to send inappropriate or offensive snaps.

The FTC believed that Snapchat could have taken simple steps, including SMS verification, which could have prevented these issues. The FTC also alleged that other security failures in the API resulted in hackers obtaining PII regarding over 4,000,000 people.
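As an added illustration (not code from the post or from Snapchat), the following constructed Python sketch shows the kind of phone-number ownership check the FTC is referring to: it contrasts accepting a phone-number claim at face value with binding the number to an account only after a time-limited, single-use SMS code is confirmed. The `send_sms` gateway hook, the in-memory stores, the TTL and the attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 3        # assumed: three wrong guesses invalidate the code


class PhoneClaims:
    """Bind a phone number to a username; the hardened path requires proof of possession."""

    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # callable(phone, message): assumed SMS gateway hook
        self.now = now             # injectable clock so expiry can be tested offline
        self.pending = {}          # phone -> (username, code_hash, expires_at, attempts)
        self.verified = {}         # phone -> username, consulted by Find Friends lookups

    def claim_without_verification(self, username, phone):
        # The flaw described in the complaint: anyone can claim any number unchallenged.
        self.verified[phone] = username

    def start_claim(self, username, phone):
        # Hardened path, step 1: generate a random code and send it to the claimed number.
        code = f"{secrets.randbelow(10**6):06d}"
        code_hash = hashlib.sha256(code.encode()).hexdigest()  # never store the plaintext code
        self.pending[phone] = (username, code_hash, self.now() + OTP_TTL_SECONDS, 0)
        self.send_sms(phone, f"Your verification code is {code}")

    def finish_claim(self, username, phone, code):
        # Hardened path, step 2: bind the number only if the right code arrives in time.
        entry = self.pending.get(phone)
        if entry is None:
            return False
        owner, code_hash, expires_at, attempts = entry
        if owner != username or self.now() > expires_at or attempts >= MAX_ATTEMPTS:
            self.pending.pop(phone, None)       # expired or abused: force a fresh code
            return False
        submitted = hashlib.sha256(code.encode()).hexdigest()
        if not hmac.compare_digest(code_hash, submitted):
            self.pending[phone] = (owner, code_hash, expires_at, attempts + 1)
            return False
        self.pending.pop(phone)                 # single use
        self.verified[phone] = username
        return True

    def lookup(self, phone):
        # Find Friends should only ever resolve numbers whose ownership was proven.
        return self.verified.get(phone)
```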

The FTC also alleged that Snapchat had made a number of statements regarding data security which, taken together, represented that Snapchat would take reasonable steps regarding information security, and that these alleged issues demonstrated that Snapchat had not, in fact, taken reasonable steps.

The order requires Snapchat to create a comprehensive privacy program that must contain privacy controls and procedures appropriate to Snapchat’s size and complexity, the nature and scope of Snapchat’s activities and the sensitivity of the “covered information.” Specifically, the proposed order requires Snapchat to:

  • designate an employee or employees to coordinate and be accountable for the privacy program;
  • identify material internal and external risks that could result in Snapchat’s unauthorized collection, use, or disclosure of covered information, and assess the sufficiency of any safeguards in place to control these risks;
  • design and implement reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regularly test or monitor the effectiveness of the privacy controls, and procedures;
  • develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require service providers by contract to implement and maintain appropriate safeguards; and
  • evaluate and adjust its privacy program in light of the results of testing and monitoring, any material changes to operations or business arrangement, or any other circumstances that Snapchat knows or has reason to know may have a material impact on its privacy program.

One thing to note regarding these requirements is that “covered information” is defined in a way that is broader than companies may realize. Under this order, “Covered information” means “information from or about an individual consumer, including but not limited to (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an e-mail address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a persistent identifier, such as a customer number held in a 'cookie,' a static Internet Protocol (IP) address, a mobile device ID, or processor serial number; (f) precise geo-location data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information; (g) an authentication credential, such as a username or password, or (h) any communications or content that is transmitted or stored through respondent’s products or services.” This is not to say that all covered information must be addressed in the same way, but the program must be reasonable and at least address all of these different data elements.

There is also a third-party assessor requirement for the privacy program, which requires reporting for 20 years, as is typical. There are also records retention and other typical requirements under a privacy consent decree.

There are a number of important issues to consider when assessing this order:

First, it is clear that mobile is, and will continue to be, an important issue for the FTC, and one where compliance efforts will be targeted.

Second, as is true in the data security space, the FTC will attempt to hold companies accountable for the statements they make regarding privacy, including where companies say they are only collecting certain forms of information, when in fact they are collecting far more.

Third, data security in the mobile space is also part of this order, and it is important to note that the FTC closely examined the specific representations of Snapchat regarding data security, and also closely examined the conduct of Snapchat to determine whether the FTC felt the statements were consistent with the conduct.

And fourth, getting a consent decree can be costly and interrupt your business—as the 20-year, third-party reporting obligation demonstrates.

For a more detailed discussion, please click here.

Written By

Andrew Serwin, CIPM, CIPP/C, CIPP/E, CIPP/G, CIPP/US

1 Comment


  • Tom Considine, CIPP/G May 15, 2014

    We should set the FTC on the NSA. 
