By Eliana M. Alcivar and Andrew M. Baer
While you were getting a head start on your holiday shopping last December, you might have missed this press release issued by the Federal Trade Commission (FTC) concerning an enforcement action brought against the company behind the “Brightest Flashlight Free” mobile application. In case you needed more evidence that the FTC is serious about enforcing its most recent positions concerning privacy and unique mobile device identifiers and precise location data, here it is.
The company informed consumers that information collected by the Brightest Flashlight app would be used by the company, and went on to list some categories of information that the app could collect. Unfortunately, the company failed to mention that this information would be shared with third-party advertising networks. This goes to show that you can get in trouble with the FTC not only for what you say, but also for what you don’t say (in legal parlance, “misrepresentation by omission”).
The FTC charged that the company also “deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, rendering the option meaningless.”
Upon first use of the app, consumers were presented with the company’s End User License Agreement (EULA), which included information about the company’s data collection and use policies. Consumers were also presented with the option to accept or refuse the EULA. The problem is that as a technical matter, the app began collecting and sharing unique device identifiers and precise location data from the moment a consumer began using the app, and did not stop doing so until a consumer rejected the EULA. In the FTC’s view, consumers were thus presented with a “false choice.”
Important takeaways for app developers and distributors are as follows:
- Tell consumers whether you are sharing unique device identifiers and location data with third parties (such as ad networks). The fact that consumers’ names, social security numbers, addresses, etc. are not shared along with these data sets is of absolutely no consequence here.
- Where an opt-in mechanism is being used, backend developers should make sure their apps do not begin collecting or broadcasting unique device identifiers or location data until after the consumer officially agrees to the EULA and/or just-in-time geolocation disclosure, as applicable.