The FTC is continuing its trend of enforcement actions against mobile application companies. Most recently, the FTC settled with Snapchat—yet another mobile application provider that allegedly failed to keep its word to consumers regarding data privacy and security. (Previously we discussed the FTC’s similar enforcement actions against Fandango and Credit Karma for broken promises about consumers’ data security here ). According to the FTC’s press release, “this case is part of a multi-national enforcement sweep on mobile app privacy by members of the Global Privacy Enforcement Network, a cross-border coalition of privacy enforcement authorities.
Snapchat is currently listed as one of the top 10 free applications on both the iTunes App Store and the Google Play store. The mobile application allows consumers to send and receive photo and video messages known as “snaps.” Before sending a snap, the sender must designate the number of seconds that the recipient will be allowed to view the snap. Snapchat markets the application as an “ephemeral” messaging application, having claimed that once the timer expires, the snap “disappears forever.” As an apparent security feature, the application contains a screenshot notification mechanism designed to notify a consumer if the recipient captures the snap with a screenshot.
In its complaint, FTC alleged that Snapchat made various false and misleading statements to its consumers regarding whether snaps truly disappeared forever, the effectiveness of the application’s screenshot notification mechanism, and other issues related to consumers’ data security and privacy. According to the FTC’s complaint, Snapchat did nothing for quite some time to protect against relatively easy and widely reported methods to both save snaps and circumvent the screenshot notification mechanism.
The FTC also alleged that Snapchat failed to use reasonable security measures to protect its consumers’ privacy and personally identifiable information. As a result, the FTC alleged that various preventable security gaps existed that, for example, allowed Snapchat accounts to be set up in someone else’s name and allowed hackers to compile a database of 4.6 million Snapchat usernames and associated mobile numbers.
Snapchat further promised that it did “not ask for, track, or access any location-specific information from [a consumers’] device.” The FTC alleged that this was also inaccurate. Android users of the application unknowingly transmitted Wi-Fi-and cell-based location information to Snapchat’s analytics tracking service provider.
In a statement on Snapchat’s blog regarding its settlement with the FTC, Snapchat admitted:
When we started building Snapchat, we were focused on developing a unique, fast, and fun way to communicate with photos. We learned a lot during those early days. One of the ways we learned was by making mistakes, acknowledging them, and fixing them.
After voting 5-0 to preliminarily approve this settlement, the FTC is now accepting comments from the public until June 9, 2014. After that time, and based upon the comments received, the Commission will decide to either finalize the consent order or withdraw its acceptance of the settlement.
For more analysis regarding the settlement, see the FTC’s blog here.