The U.S. Federal Trade Commission’s (FTC’s) most recent case arises from the ubiquitous mobile app—Snapchat, which allows individuals to send and receive photos and videos—known as “snaps.” In this case, the FTC alleged that Snapchat informed users that the sender could designate a period of time that the recipient will be allowed to view the snap. The FTC alleged that Snapchat markets the application as an “ephemeral messaging application,” which meant that the snap would disappear after the designated time. Specifically, the FTC alleged that Snapchat said it permits senders to “control how long your friends can view your message.”

The FTC pointed to a number of other representations allegedly made by Snapchat, including the following from the FAQ:

Is there any way to view an image after the time has expired?

No, snaps disappear after the timer runs out. …

The FTC alleged that despite this, several methods exist by which a recipient can use tools outside of the application to save both photo and video messages, allowing the recipient to access and view the photos or videos indefinitely. This included the fact that there was an alleged flaw that when a recipient received a video message, the application stored the video file in a location outside of the application’s “sandbox,” which permitted video files to be saved. Moreover, the FTC alleged that there were third-party software applications that also permitted video and pictures to be stored indefinitely. There were also allegations by the FTC that users could take screenshots in ways that the FTC felt were inconsistent with representations made by Snapchat.

The FTC also alleged that from June 2011 to February 2013, Snapchat stated in its privacy policy:

We do not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application.

The FTC alleged that despite this, from October 2012 to February 2013, the Snapchat application on Android transmitted WiFi-based and cell-based location information from users’ mobile devices to its analytics tracking service provider.

There were also specific allegations regarding Snapchat’s allegedly deceptive “Find Friends User Interface.” Despite the way that the user interface looked, which was specifically focused on telephone number and statements that the only personal information Snapchat collected when the user chose to Find Friends was the mobile number that the user entered, the FTC alleged that when the user chooses to Find Friends, Snapchat collects not only the phone number a user enters, but also, without informing the user, the names and phone numbers of all the contacts in the user’s mobile device address book, and Snapchat did not provide notice of or receive user consent for this collection until September 2012. The FTC also alleged that Snapchat had made deceptive statements in their privacy policy regarding the nature and scope of the information collected in the Find Friends User Interface.

Another FTC allegation claims Snapchat did not properly secure the information in the Find Friends feature because, among other reasons, there was no verification that the person claiming to own a particular phone number actually did own the phone number. This had a number of consequences, according to the FTC, including the wrongful disclosure of PII, as well as other issues.

For example, consumers complained that they had sent snaps to accounts under the belief that they were communicating with a friend, when in fact they were not, resulting in the unintentional disclosure of photos containing personal information. In addition, consumers complained that accounts associated with their phone numbers had been used to send inappropriate or offensive snaps.

The FTC believed that Snapchat could have taken simple steps, including SMS verification, which could have prevented these issues. The FTC also alleged that other security failures in the API resulted in hackers obtaining PII regarding over 4,000,000 people.

The FTC also alleged that Snapchat had made a number of statements regarding data security, the total of which stated that Snapchat would take reasonable steps regarding information security, and these alleged issues demonstrated that, in fact, Snapchat had not taken reasonable steps.

The order requires Snapchat to create a comprehensive privacy program that must contain privacy controls and procedures appropriate to Snapchat’s size and complexity, the nature and scope of Snapchat’s activities and the sensitivity of the “covered information.” Specifically, the proposed order requires Snapchat to:

• designate an employee or employees to coordinate and be accountable for the privacy program;
• identify material internal and external risks that could result in Snapchat’s unauthorized collection, use, or disclosure of covered information, and asses the sufficiency of any safeguards in place to control these risks;
• design and implement reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, and regularly test or monitor the effectiveness of the privacy controls, and procedures;
• develop and use reasonable steps to select and retain service providers capable of maintaining security practices consistent with the order, and require service providers by contract to implement and maintain appropriate safeguards; and
• evaluate and adjust its privacy program in light of the results of testing and monitoring, any material changes to operations or business arrangement, or any other circumstances that Snapchat knows or has reason to know may have a material impact on its privacy program.

One thing to note regarding these requirements is that “covered information” is defined in a way that is broader than companies may realize. Under this order, “Covered information” means “information from or about an individual consumer, including but not limited to (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an e-mail address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a persistent identifier, such as a customer number held in a 'cookie,' a static Internet Protocol (IP) address, a mobile device ID, or processor serial number; (f) precise geo-location data of an individual or mobile device, including GPS-based, WiFi-based, or cell-based location information; (g) an authentication credential, such as a username or password, or (h) any communications or content that is transmitted or stored through respondent’s products or services.” This is not to say that all covered information must be addressed in the same way, but the program must be reasonable and at least address all of these different data elements.

There is also a third-party assessor requirement for the privacy program, which requires reporting for 20 years, as is typical. There are also records retention and other typical requirements under a privacy consent decree.

There are a number of important issues to consider when assessing this order:

First, it is clear that mobile is, and will continue to be, an important issue for the FTC, and one where compliance efforts will be targeted.

Second, as is true in the data security space, the FTC will attempt to hold companies accountable for the statements they make regarding privacy, including where companies say they are only collecting certain forms of information, when in fact they are collecting far more.

Third, data security in the mobile space is also part of this order, and it is important to note that the FTC closely examined the specific representations of Snapchat regarding data security, and also closely examined the conduct to Snapchat to determine if the FTC felt the statements were consistent with the conduct.

And fourth, getting a consent decree can be costly and interrupt your business—as the 20 year, third-party reporting obligation demonstrates.

For a more detailed discussion, please click here.