The Federal Trade Commission (FTC) announced on December 5, 2013, that Goldenshores Technologies, LLC and its managing member, Erik M. Geidl, agreed to a proposed settlement over claims that Goldenshores, through its “Brightest Flashlight Free” mobile application, violated Section 5(a) of the FTC Act prohibiting unfair or deceptive acts and practices affecting commerce by failing to disclose that the app transmitted user data, including precise geolocation information and persistent identifiers, to third parties such as advertising networks. Under the settlement, Goldenshores must provide just-in-time disclosures outside of the privacy policy and obtain affirmative express consent from users before collecting, using, or disclosing geolocation information. The settlement agreement (referred to here as “the order”) was subject to public comment through January 6, 2014. The FTC will now decide whether to reach a final settlement with Goldenshores.

Background

“Brightest Flashlight Free” is a flashlight app that, according to the FTC, has been listed as a top free application in the Google Play application store and has been downloaded tens of millions of times. The core of the FTC’s complaint is that Goldenshores told users that the app would collect data from their mobile devices, but failed to tell them that the app also transmits such data to various third parties, including advertising networks. According to the FTC, the app transmitted precise geolocation information along with persistent device identifiers that could be used to track a user’s location over time—data that the FTC has long categorized as sensitive. The FTC also identified as a law violation the fact that the app gave the illusion of providing a choice regarding data collection, but continued to collect data regardless of the user’s selection.

FTC Complaint and Proposed Order

The FTC’s complaint asserts that Goldenshores told users in its privacy policy and end-user license agreement (EULA) that the app would collect certain user data, but both of those documents failed to disclose that the app would transmit precise geolocation information and persistent device identifiers to third parties. The failure to disclose this information was deceptive, according to the FTC. It is noteworthy that the FTC did not identify, as a basis for the complaint’s deception count, a specific misrepresentation that Goldenshores made to users. Rather, the complaint alleges that the failure to disclose that the app transmits data to third parties—in light of the fact that it told users the app itself would collect user data—is deceptive.

The complaint also describes how the app purported to give users the option to “accept” or “refuse” the EULA by selecting the appropriate button, but the app collected information prior to the user making a selection and regardless of the user’s choice to accept or reject the EULA. The FTC asserts that creating the impression that users have the option to refuse the terms of the EULA, including terms regarding the collection and use of device data, when users cannot actually prevent the app from collecting their device data is false or misleading.

As a part of the settlement, Goldenshores agreed not to collect or transmit geolocation information via mobile applications without clearly and prominently providing a just-in-time notice to users (i.e., immediately prior to the collection of such information, and separate from other documents such as end-user license agreements, privacy policies, and terms of use) and obtaining users’ affirmative express consent prior to the collection or transmission of such information. The just-in-time notice must disclose:

  1. that such application collects or transmits geolocation information;
  2. how geolocation information may be used;
  3. why such application is accessing geolocation information; and
  4. the identity or specific categories of third parties that receive geolocation information from such application.

Curiously, Goldenshores agreed to delete all information, including persistent identifiers, IP addresses, and precise geolocation data, that the app collected from users, despite the fact that the FTC did not allege that Goldenshores improperly collected such data. The order does not address the user data improperly sent to third parties. Goldenshores also agreed, as is customary in FTC orders, not to engage in future misrepresentations regarding the collection, use, or disclosure of user information.

Implications

The FTC has long supported the principle that companies should provide “just-in-time disclosures” to users and obtain their affirmative express consent before accessing precise geolocation information. The FTC called for such enhanced notice and consent in both its 2012 report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Privacy Report) and its 2013 report on mobile privacy, Mobile Privacy Disclosures: Building Trust Through Transparency. Including this standard in the order continues an FTC trend of modeling order provisions after policy positions the FTC adopted in the Privacy Report. Complying with the order may require Goldenshores to make enhanced disclosures outside of the mobile device operating system permissions, because the operating system permissions may not accommodate the level of detail that the FTC has prescribed regarding the collection, use, and sharing of geolocation information. Consent orders are legally binding only on the respondent, and arguably this provision constitutes “fencing-in relief” (i.e., conduct prohibitions that exceed the conduct alleged to have violated the FTC Act, which the FTC asserts are necessary to ensure that respondents’ activities remain “fenced in” the confines of the law). As such, a company’s failure to follow this standard does not necessarily constitute a law violation. But FTC consent orders often have the consequence of setting precedent for industry.

The FTC’s complaint allegation regarding the collection and transmission of information prior to the time that users are given the opportunity to consent to those practices is particularly relevant to app developers. The initial user experience when an app is opened for the first time can be critical, as some users may elect to delete and never again download an app based on their first impressions. As a result, developers often are faced with the challenge of balancing the presentation of legal disclosures and choice mechanisms with their desire to create a user on-boarding experience that minimizes new-user attrition. This proposed settlement underscores the importance of providing disclosures and obtaining consent at the right time.