Recently, the Federal Trade Commission snapped at Snapchat over its privacy policy and representations made regarding the company’s mobile application. The FTC’s action has raised some eyebrows. But it has also raised awareness that promises made in a privacy policy matter. What did Snapchat do wrong and what are the key takeaways you should adopt for your own privacy policy best practices?
Extremely popular, particularly with teenagers, Snapchat essentially wrote privacy promise checks its users couldn’t cash. That’s the short answer. In addition to blanket statements about snaps sent the companies software had numerous “holes” that enabled tech-savvy users to layer on unauthorized apps to store “Snapchats” permanently, despite the company’s promise that Snapchats disappeared permanently shortly after receipt.
Unauthorized Use of Snapchats
For those without teenagers in the house, a “Snap” is a temporary video or picture sent via a mobile app that receivers generally can’t save locally (unless the owner gives permission to specific users or the message is made a “Life story” in Snapchat parlance). However, by using various third party applications and common screenshot features Snapchat users were able to either access unencrypted Snaps and store them permanently or simply capture the Snap image regardless of the owner’s wishes and contrary to Snapchat’s claims.
The FTC’s six count Complaint File No. 132 3078 details several areas where Snapchat or common mobile practices rendered its “temporary message” claim false, it failed to reasonably secure users personal information (leading to a well-publicized breach of 4.6 million users account information) and utilized a Find Friends interface that was deceptive in the information it collected. Additionally, Snapchat’s then applicable privacy policy essentially contained “Do Not Track” provisions yet the FTC’s Complaint stated in Count 3 Snapchat collected various types of data from Android users, such as geolocation and information from contact books, that would in fact enable tracking. Lastly, the FTC highlighted the company never sought nor received user consent for these and other actions. As result the FTC Complaint concluded Snapchat’s privacy policy, representations and practices (express or by implication) were ultimately deceptive acts or practices and therefore in violation of Sec 5(a) of the FTC Act.
The Proposed Settlement Agreement Takeaways
Not surprisingly, a proposed FTC Agreement Containing Consent Order (a/k/a “Settlement”), subject as always to the 30 days public notice and comment period, has resulted with a mix of the usual FTC settlement suspects. Among the items in the proposed Snapchat Settlement are that:
- Snapchat implement a “comprehensive privacy program” that addresses privacy risks and protects the privacy and confidentiality of user information and among other requirements designates specific employees to be accountable for the program;
- Snapchat no longer make deceptive or misleading claims in their policies, documents or practices with regards to security and privacy; and
- Submit to, the typical for such Consent Orders, biennial assessments and reports to the FTC by an Independent Privacy Professional for the next twenty years
Separately, Snapchat might have done well while designing its mobile apps and their associated FAQs and Privacy Policy to have noted the FTC’s own guidelines on creating mobile applications, which we’ve written about extensively. Among the FTC’s mobile recommendations: honest advertising, companies standing by their privacy policy and ensuring that user data remains secure. Add in Privacy by Design for good measure as well.
In response Snapchat has updated its apps and Privacy Policy, effective May 1, 2014, which now expressly states that “[o]nce all recipients have viewed a Snap, we automatically delete the Snap from our servers and our Services are programmed to delete the Snap from the Snapchat app on the recipients’ devices “but that “we also cannot prevent others from making copies of your messages (e.g., by taking a screenshot). “ Caveat Snapchatter, in other words.
In light of this recent Snapchat Settlement, companies or start-ups that do a “copy and paste” privacy policy or whose actual practices and app operation don’t match privacy policy provisions (and other marketing materials, such as FAQs) can expect the FTC to come knocking at their front door.
In future posts we will provide a “best practices primer” for Privacy Policies as well as checklist of top ten legal issues start-ups should consider, regardless of whether they are in the mobile app market or not.
