Skip to Content

Privacy & Data

Goldenshores Case Demonstrates Flaws in Current Mobile Privacy Practices

Earlier this month, the FTC announced a settlement with Goldenshores Technologies, the developer behind Brightest Flashlight Free, a popular flashlight app for Android. The app allows the user to keep the camera flash and screen illuminated so that it functions like a flashlight. Pretty useful, but there was one small problem: the app also transmitted the phone’s geolocation and device identifier to third parties without notice to users in the privacy policy or the app’s promotional pages.

There has been an unfortunate trend of mobile apps failing to accurately disclose data collection practices, and the FTC has taken steps to seek enforcement actions against companies that make such misrepresentations that violate the FTC Act. In February, the Commission reached a consent order with Path, which had collected users’ address book data without notice. As we discussed at the time, the Path settlement provided a clear signal to developers that collecting user data absent notice and consent was an obvious violation of the FTC Act’s ban on deceptive trade practices. The Goldenshores case also emphasizes that neglecting to make statements in app privacy policies can be a deceptive act under the FTC Act – providing a clear signal to developers that they should be accurate in their disclosures and comprehensively describe what types of data an app collects.

Given how app stores and mobile platforms work, upfront disclosures regarding data collection, use, and retention are particularly important. When consumers browse through the Google Play store or Apple’s App Store, they see a description of the app, its services, and ratings and reviews. Google Play and the App Store also include links to privacy policies for each app, but because such policies are often long, legalistic, and difficult to comprehend, app users may not have much advance notice before installing an app of what data could be collected. While users can uninstall apps or modify permissions after installing them, in some instances that may be too late. According to the FTC’s complaint, the flashlight app presented users with a choice regarding acceptance of the license agreement, which allowed Goldenshores to collect and use data prior to being able to use the app. However, by the time users were presented with this choice, the app was already collecting, using, and transmitting data. Therefore, users who downloaded the app but did not to allow Goldenshores access to any data were presented with a false choice, as the app was already collecting and using data before the choice was even presented. Moreover, the license agreement, as discussed above, failed to disclose the collection and transmission of location data to Goldenshores and third parties.

Location data is one of the most sensitive pieces of information that a smartphone can collect, and when that data is collected and transmitted to unknown parties, there can be serious repercussions, whether commercial or governmental. The FTC’s enforcement agenda in this space is welcome as mobile technology continues to proliferate, and will hopefully encourage app developers to accurately disclose and seek consent for their data practices, and perhaps also lead to better disclosures and controls for users at the platform level. While iOS and Android both allow users some control over what individual apps can collect and transmit, clear, upfront disclosures – like the just-in-time notifications that the FTC required Goldenshores to adopt in its Flashlight app in the future – would provide users with a more effective ability to consent. By doing so, users would have better control and more awareness about what happens to their sensitive data.

It remains an open issue regarding what data practices need to be disclosed, and where – whether in an app, at the platform, in a privacy policy, or some combination thereof. That will be an issue for the FTC and developers to determine going forward, and different types of data will require different disclosures. In some instances, companies may not need to be explicit about what specifically they do – for example, when using data to promote security and stability in their products. However, the Goldenshores case demonstrates that the current status quo is far too opaque and fails to provide users with sufficient information to make real choices about how their information is collected and used.