Jan 15

SHEDDING LIGHT ON THE IMPORTANCE OF HAVING AN ACCURATE PRIVACY POLICY


Goldenshores Technologies, LLC developed The Brightest Flashlight Free app, which allowed users to use their mobile devices as a flashlight by simultaneously activating all of the device’s light sources. According to the FTC, this app was downloaded millions (tens of millions, actually) of times. At the same time it was lighting up the user’s world, The Brightest Flashlight Free app was enlightening third parties to the user’s personal information, including precise geolocation and unique device identifiers. As described by the FTC:

While running, however, the application also transmits, or allows the transmission of, data from the mobile device to various third parties, including advertising networks. The types of data transmitted include, among other things, the device’s precise geolocation along with persistent device identifiers that can be used to track a user’s location over time.

All of which would be fine and dandy if the app had appropriately disclosed to users what it was doing, but the FTC says it didn’t – and filed a complaint against Goldenshores. According to the FTC’s complaint, Goldenshores told users in its privacy policy that personal information collected by the Brightest Flashlight Free app would be used by the company for various internal purposes, but “failed to disclose or failed to adequately disclose” that the app transmitted that personal information to third parties, including advertising networks.

The FTC’s complaint also alleges that the app’s end-user license agreement (EULA) provided “illusory choice” to users by giving users the option of accepting or rejecting the terms of the EULA while the app was actually collecting and transmitting personal information even before the user had a chance to make the choice.

Goldenshores entered into a settlement agreement with the FTC that requires it to delete any personal information collected via the Brightest Flashlight Free app prior to the settlement and prohibits it from further misrepresentations regarding the use of personal information. It also requires Goldenshores to adequately inform users of the extent to which users can control its collection, use, and disclosure practices relating to their data. In addition, Goldenshores must provide “just-in-time” notice (i.e., notice provided immediately prior to the initial collection of information and separate from any similar document) indicating how the information may be used and why, and must obtain “affirmative express consent” from its users within the just-in-time notice when geolocation information is collected.

The settlement agreement also mandates exactly what information must be disclosed to users through the just-in-time notice, including:

  1. That the app collects, transmits, or allows the transmission of, geolocation information;
  2. How geolocation information may be used;
  3. Why the app is accessing geolocation information; and
  4. The identity or specific categories of third parties that receive geolocation information directly or indirectly from the app.

Finally, under the settlement agreement, Goldenshores will have the FTC watching it more closely for at least 10 years. Under the terms of the settlement agreement, Goldenshores is required to report various of its activities to the FTC and keep its records open to FTC scrutiny.  Having a regulator breathing down your neck is no fun – it is time consuming and stressful at best and can be very financially costly at worst.

In this case, the FTC seemed particularly distrustful of the company’s handling of geolocation information, but other personal information could be treated similarly in the right case. Indeed, this case may signpost the FTC’s enforcement priorities, which appear to include an expectation that a company’s privacy policy disclose the full range of a company’s data transmission practices, including not only overt promises about use of private information, but also omissions about the collection and disclosure of personal information from privacy policies.

All of which is to say, it is important to have accurate privacy policies, as discussed in greater detail in this post regarding current requirements for an online privacy policy.

Covering my bases: There is no legal advice contained in this post. Legal advice entails applying the law to specific facts. I don’t know what your facts are and any resemblance to them here is purely coincidental. Instead, this post is meant to provide general information, which may or may not be complete and accurate. If you need legal guidance, please feel free to contact me using the contact information on my firm’s web site – www.westbendlaw.com.