There has been an unfortunate trend of mobile apps failing to accurately disclose data collection practices, and the FTC has taken steps to seek enforcement actions against companies that make such misrepresentations that violate the FTC Act. In February, the Commission reached a consent order with Path, which had collected users’ address book data without notice. As we discussed at the time, the Path settlement provided a clear signal to developers that collecting user data absent notice and consent was an obvious violation of the FTC Act’s ban on deceptive trade practices. The Goldenshores case also emphasizes that neglecting to make statements in app privacy policies can be a deceptive act under the FTC Act – providing a clear signal to developers that they should be accurate in their disclosures and comprehensively describe what types of data an app collects.
Given how app stores and mobile platforms work, upfront disclosures regarding data collection, use, and retention are particularly important. When consumers browse through the Google Play store or Apple’s App Store, they see a description of the app, its services, and ratings and reviews. Google Play and the App Store also include links to privacy policies for each app, but because such policies are often long, legalistic, and difficult to comprehend, app users may not have much advance notice before installing an app of what data could be collected. While users can uninstall apps or modify permissions after installing them, in some instances that may be too late. According to the FTC’s complaint, the flashlight app presented users with a choice regarding acceptance of the license agreement, which allowed Goldenshores to collect and use data prior to being able to use the app. However, by the time users were presented with this choice, the app was already collecting, using, and transmitting data. Therefore, users who downloaded the app but did not to allow Goldenshores access to any data were presented with a false choice, as the app was already collecting and using data before the choice was even presented. Moreover, the license agreement, as discussed above, failed to disclose the collection and transmission of location data to Goldenshores and third parties.
Location data is one of the most sensitive pieces of information that a smartphone can collect, and when that data is collected and transmitted to unknown parties, there can be serious repercussions, whether commercial or governmental. The FTC’s enforcement agenda in this space is welcome as mobile technology continues to proliferate, and will hopefully encourage app developers to accurately disclose and seek consent for their data practices, and perhaps also lead to better disclosures and controls for users at the platform level. While iOS and Android both allow users some control over what individual apps can collect and transmit, clear, upfront disclosures – like the just-in-time notifications that the FTC required Goldenshores to adopt in its Flashlight app in the future – would provide users with a more effective ability to consent. By doing so, users would have better control and more awareness about what happens to their sensitive data.