April 2, 2014

The Brightest Flashlight: Shining a Light on The FTC’s Privacy Law Enforcement Policies

By Eliana M. Alcivar and Andrew M. Baer

While you were getting a head start on your holiday shopping last December, you might have missed this press release issued by the Federal Trade Commission (FTC) concerning an enforcement action brought against the company behind the “Brightest Flashlight Free” mobile application. In case you needed more evidence that the FTC is serious about enforcing its most recent positions concerning privacy and unique mobile device identifiers and precise location data, here it is.

According to the FTC’s press release, “the company’s privacy policy deceptively failed to disclose that the app transmitted users’ precise location and unique device identifier to third parties, including advertising networks.”

The company informed consumers that information collected by the Brightest Flashlight app would be used by the company, and went on to list some categories of information that the app could collect. Unfortunately, the company failed to mention that this information would be shared with third-party advertising networks. This goes to show that you can get in trouble with the FTC not only for what you say, but also for what you don’t say (in legal parlance, “misrepresentation by omission”).

The FTC charged that the company also “deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, rendering the option meaningless.”

Upon first use of the app, consumers were presented with the company’s End User License Agreement (EULA), which included information about the company’s data collection and use policies. Consumers were also presented with the option to accept or refuse the EULA. The problem is that as a technical matter, the app began collecting and sharing unique device identifiers and precise location data from the moment a consumer began using the app, and did not stop doing so until a consumer rejected the EULA. In the FTC’s view, consumers were thus presented with a “false choice.”

Important takeaways for app developers and distributors are as follows:

  • When preparing a privacy policy or EULA for a mobile app, be sure to take into consideration whether unique device identifiers or precise geolocation data are being collected. We’re all used to a world in which names, social security numbers, and financial account information are considered protected as personally identifiable information, but under the FTC’s most recent guidance, other categories of information are to be protected as well, even if they are not personally identifiable in the traditional sense. For example, the FTC considers precise geolocation data “sensitive” even when it is linked with a device rather than a name. App developers must be clear with consumers concerning what sensitive information is being collected.
  • Use a “just in time” notification and opt-in mechanism prior to collecting or disclosing to third parties your users’ geolocation data. That is, it’s not enough to bury this information in your privacy policy or EULA. Tell consumers in a separate disclosure just as you’re about to collect geolocation data for the first time. Tell them why it’s being collected, how the information is being used, and the identity of third parties with whom you intend to directly or indirectly share geolocation information. The added detail is especially important to include if a consumer would find it surprising to learn that your app is collecting and broadcasting their geolocation data. We don’t have to go far to find a good example: an app whose entire apparent function is to provide a source of light is a telling case in point, and perhaps one reason why the FTC chose to make an example of its distributor.
  • Tell consumers whether you are sharing unique device identifiers and location data with third parties (such as ad networks). The fact that the consumers’ names, social security numbers, addresses, etc. are not shared along with these data sets is of absolutely no consequence here.
  • Where an opt-in mechanism is being used, backend developers should make sure their apps do not begin collecting or broadcasting unique device identifiers or location data until after the consumer officially agrees to the EULA and/or just-in-time geolocation disclosure, as applicable.
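As an added illustration (not code from the post or from the app’s actual implementation), the following Python model contrasts the share-by-default flow the FTC called a “false choice” with a consent-gated flow that honors both the EULA decision and a separate just-in-time location opt-in. The FlashlightApp class, the device identifier, and the location value are constructed for this example.

```python
from enum import Enum, auto

# Constructed sample data; not real device or location values.
SAMPLE_DEVICE_ID = "device-id-constructed-0001"
SAMPLE_LOCATION = (40.7128, -74.0060)


class Consent(Enum):
    UNDECIDED = auto()
    ACCEPTED = auto()
    REJECTED = auto()


class FlashlightApp:
    """Hypothetical model of an app's data-sharing path. `transmitted` records
    every field handed to the ad network, so a test can see what left the device."""

    def __init__(self, gate_on_consent):
        self.gate_on_consent = gate_on_consent
        self.eula = Consent.UNDECIDED
        self.location_optin = Consent.UNDECIDED
        self.transmitted = []

    def _may_share(self, field):
        if not self.gate_on_consent:
            # The "false choice" flow: sharing is on from first use and only
            # stops once the user explicitly rejects the EULA.
            return self.eula != Consent.REJECTED
        # Consent-gated flow: nothing is shared until the EULA is accepted, and
        # precise location additionally requires the just-in-time opt-in.
        if self.eula != Consent.ACCEPTED:
            return False
        if field == "precise_location":
            return self.location_optin == Consent.ACCEPTED
        return True

    def on_sensor_update(self):
        # Called by the platform whenever the sensors deliver a new reading.
        for field in ("device_id", "precise_location"):
            if self._may_share(field):
                self.transmitted.append(field)


def shared_before_any_decision(gate_on_consent):
    """Fields sent while the EULA screen is still showing (no decision yet)."""
    app = FlashlightApp(gate_on_consent)
    app.on_sensor_update()
    return sorted(set(app.transmitted))


def shared_after_eula_accept_only(gate_on_consent):
    """Fields sent after the EULA is accepted but before the location opt-in."""
    app = FlashlightApp(gate_on_consent)
    app.eula = Consent.ACCEPTED
    app.on_sensor_update()
    return sorted(set(app.transmitted))
```

Running the two helpers with gate_on_consent set to False reproduces the complaint (both fields leave the device before the user has decided anything), while True yields nothing before acceptance and only the device identifier until the location opt-in is granted.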