By now, you have probably heard about the FTC’s recent settlement with Snapchat, the popular mobile photo and video messaging service, over allegations that it deceived consumers with promises about the disappearing nature of messages sent through its service.  It did not take long for major media outlets to cover the story, highlighting both consumer concerns over data privacy and the FTC’s willingness to publicly and aggressively pursue companies that misrepresent their data privacy policies.

For those unfamiliar with the Snapchat case, the FTC filed a complaint against Snapchat alleging that the company made multiple misrepresentations about its service that were at odds with the way the app actually worked.  The FTC first charged that Snapchat deceived consumers by advertising that users could send “ephemeral” photo and video messages through its service, which would “disappear forever” after a maximum of ten seconds.  The FTC alleged many ways a user could save a photo message permanently, including by taking a screenshot of the message, using third-party apps to circumvent the Snapchat timer, and accessing unencrypted Snapchat video snaps in a location outside the app’s “sandbox.”


The FTC also charged Snapchat with misrepresenting to users in its privacy policy that it does not “ask for, track, or access any location-specific information from [a user’s] device at any time.”  The FTC alleged that Snapchat in fact transmitted geolocation information from users of its Android app, and collected all of the contact information in users’ mobile device address books without notice or consent through its “Find Friends” feature.  Finally, the FTC alleged that Snapchat failed to employ “reasonable security measures” to protect personal information transmitted in its “Find Friends” feature, which left 4.6 million user names and phone numbers vulnerable during a recent security breach.

The terms of the Snapchat settlement agreement show just how seriously the FTC is pursuing companies that misrepresent their data privacy policies.  Snapchat is prohibited from misrepresenting the extent to which it protects the privacy, security, or confidentiality of users’ information, and is required to implement a comprehensive data privacy program that will be monitored by an independent privacy professional for the next twenty years.

It is now clear that the days of copying and pasting stock language into a privacy policy are over.  Companies will be monitored to ensure their privacy policies are comprehensive and actually followed.  Serious consequences may result if the company is found in breach of its own stated privacy policies.  The FTC has issued a number of best practices for mobile apps that store consumer data, including:

  1. Be transparent about your data practices. Explain what information your app collects from users or their devices and what you do with their data. If you share information with another company, tell your users and give them information about that company’s data practices.
  2. Honor your privacy promises.  Remember that your privacy policy in itself is a promise to consumers that you will actually guard their personal information to the extent you state. Make sure the language is clear and easy to read on a small screen.
  3. Keep user data secure.
     • Collect only the data you need;
     • Secure the data you keep by taking reasonable precautions against well-known security risks;
     • Limit access to data on a need-to-know basis; and
     • Safely dispose of data you no longer need.

Chris Olsen, assistant director of the F.T.C.’s division of privacy and identity protection, sent a clear warning to companies on Friday: “If you make promises about privacy, you must honor those promises or otherwise risk F.T.C. enforcement.”  Companies that do not heed this warning may find themselves on the F.T.C.’s radar in a way they had never hoped for.