Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On December 5, 2013, the FTC agreed to settle a complaint lodged against Goldenshores Technologies, LLC (Goldenshores) alleging that the company deceived users by misrepresenting its practices when collecting and sharing the personal data of users through its popular Brightest Flashlight Free mobile application. The original complaint and proposed settlement, adopted 4-0 by FTC vote, each provide insight into the agency’s evolving expectations of how a company should provide notice to users about its data collection and use practices.
The Brightest Flashlight Free app allowed users to use their mobile devices as a flashlight by simultaneously activating all of the device’s light sources. According to the FTC, The app was listed as of May 2013 by the Google Play application store as a top free app available for download and was downloaded tens of millions of times. While running, the app also collected users’ personal information, including precise geolocation and unique device identifiers, and transmitted that data to third parties.
The FTC’s two-pronged complaint alleges that, In its privacy policy, Goldenshores told users that personal information collected by the Brightest Flashlight Free app would be used by the company for various internal purposes, but “failed to disclose or failed to adequately disclose” that the app transmitted that personal information to third parties (including advertising networks). Second, the complaint alleges that the app’s end-user license agreement (EULA) provided “illusory choice” to users by giving users the option to accept or reject the terms of the EULA while actually collecting and transmitting personal information even before the user has a chance to make the choice.
The proposed settlement agreement and consent order bars Goldenshores from misrepresenting its data collection, use, and disclosure practices and requires that the company adequately inform users of the extent to which users can control those practices related to their data. When geolocation information is collected, the proposed settlement also requires Goldenshores to provide “just-in-time” notice (meaning notice provided immediately prior to the initial collection of information and separate from any similar document) indicating how the information may be used and why, and requires Goldenshores to obtain “affirmative express consent” from its users within the just-in-time notice. The consent order also requires the company to delete any personal information collected via the Brightest Flashlight Free app prior to the settlement.
Charges that the company deceived users by not informing them that data collected by the app would be transmitted to third parties, in this case geolocation information and unique device identifiers, indicates the FTC’s intention to regulate not only the overt promises made by companies in their privacy policies but also omissions about the collection and disclosure of sensitive categories of information from privacy policies. According to the FTC, Goldenshores’ failure to disclose its data sharing practices within its privacy policy constituted an omission of a fact that would be “material to users in their decision to install the application,” a “deceptive practice” in violation of Section 5 of the FTC Act.
Focusing on Goldenshores’ handling of geolocation information, the terms of the settlement shed light on the FTC’s expectation that users will be provided notice “immediately prior to the initial collection or transmission of [geolocation] information.” Notably, the imposition of just-in-time disclosure requirements on Goldenshores, an app developer, expands on guidance supplied by the FTC’s 2013 staff report, Mobile Privacy Disclosures: Building Trust Through Transparency, which calls on app platforms to supply such just-in-time notice.
In addition to requiring Goldenshores to use just-in-time notice to obtain “affirmative express consent” from users before any geolocation information is collected or shared, the settlement also notably mandates exactly what information must be disclosed to users through just-in-time notice:
That such application collects, transmits, or allows the transmission of, geolocation information;
How geolocation information may be used;
Why such application is accessing geolocation information; and
The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application.
Companies also should take notice of the FTC’s tacit expectation that privacy policies disclose to users the full range of a company’s data transmission practices. As evidenced by the FTC’s proposed settlement with Goldenshores, any lack of information about data transmission or sharing practices may be viewed as deceptive to users, particularly with respect to sensitive categories of information such as geolocation information. App developers in particular should take notice of the proposed expansion of just-in-time notice requirements from app platforms to app developers. In cases involving sensitive categories of information, especially where collection and use of the sensitive information may not be apparent in the context of the service, the FTC may expect those notices to include extensive information about how and why the information might be used by the company and others before soliciting consent.
To read the FTC blog post, click here
Special thanks to Julian Flamant for his substantial assistance in the preparation of this entry.
Authored by the HL Chronicle of Data Protection Team