The “Brightest Flashlight Free” is a flashlight app that, according to the FTC, has been listed as a top free application in the Google Play application store and has been downloaded tens of millions of times. The core of the FTC’s complaint is that Goldenshores told users that the app would collect data from their mobile devices, but failed to tell them that the app also transmits such data to various third parties, including advertising networks. According to the FTC, the app transmitted precise geolocation information along with persistent device identifiers that could be used to track a user’s location over time—data that the FTC has long categorized as sensitive. The FTC also identified as a law violation the fact that the app gave the illusion of providing a choice regarding data collection, but continued to collect data regardless of the user’s selection.
FTC Complaint and Proposed Order
- that such application collects or transmits geolocation information;
- how geolocation information may be used;
- why such application is accessing geolocation information; and
- the identity or specific categories of third parties that receive geolocation information from such application.
Curiously, Goldenshores agreed to delete all information, including persistent identifiers, IP addresses, and precise geolocation data, that the app collected from users, despite the fact that the FTC did not allege that Goldenshores improperly collected such data. The order does not address the user data improperly sent to third parties. Goldenshores also agreed, as is customary in FTC orders, not to engage in future misrepresentations regarding the collection, use, or disclosure of user information.
The FTC has long supported the principle that companies should provide “just-in-time disclosures” to users and obtain their affirmative express consent before accessing precise geolocation information. The FTC called for such enhanced notice and consent in both its 2012 report on privacy, Protecting Consumer Privacy in an Era of Rapid Change: Recommendations for Businesses and Policymakers (Privacy Report) and its 2013 report on mobile privacy, Mobile Privacy Disclosures: Building Trust Through Transparency. Including this standard in the order continues an FTC trend of modeling order provisions after policy positions the FTC adopted in the Privacy Report. Complying with the order may require Goldenshores to make enhanced disclosures outside of the mobile device operating system permissions, because the operating system permissions may not accommodate the level of detail that the FTC has prescribed regarding the collection, use, and sharing of geolocation information. Consent orders are legally binding only on the respondent, and arguably this provision constitutes “fencing-in relief” (i.e., conduct prohibitions that exceed the conduct alleged to have violated the FTC Act, which the FTC asserts are necessary to ensure that respondents’ activities remain “fenced in” the confines of the law). As such, a company’s failure to follow this standard does not necessarily constitute a law violation. But FTC consent orders often have the consequence of setting precedent for industry.
The FTC’s complaint allegation regarding the collection and transmission of information prior to the time that users are given the opportunity to consent to those practices is particularly relevant to app developers. The initial user experience when an app is opened for the first time can be critical, as some users may elect to delete and never again download an app based on their first impressions. As a result, developers often are faced with the challenge of balancing the presentation of legal disclosures and choice mechanisms with their desire to create a user on-boarding experience that minimizes new-user attrition. This proposed settlement underscores the importance of providing disclosures and obtaining consent at the right time.