By now, you have probably heard about the FTC’s recent settlement with Snapchat, the popular mobile photo and video messaging service, over allegations that it deceived consumers with promises about the disappearing nature of messages sent through its service. It did not take long for major media outlets to cover the story, highlighting both consumer concerns over data privacy and the FTC’s willingness to publicly and aggressively pursue companies that misrepresent their data privacy policies.
For those unfamiliar with the Snapchat case, the FTC filed a complaint against Snapchat alleging that the company made multiple misrepresentations about its service that were at odds with the way the app actually worked. The FTC first charged that Snapchat deceived consumers by advertising that users could send “ephemeral” photo and video messages through its service, which would “disappear forever” after a maximum of ten seconds. The FTC alleged many ways a user could save a photo message permanently, including by taking a screenshot of the message, using third-party apps to circumvent the Snapchat timer, and accessing unencrypted Snapchat video snaps in a location outside the app’s “sandbox.”
The terms of the Snapchat settlement agreement show just how seriously the FTC is pursuing companies that misrepresent their data privacy policies. Snapchat is prohibited from misrepresenting the extent to which it protects the privacy, security, or confidentiality of users’ information, and is required to implement a comprehensive data privacy program that will be monitored by an independent privacy professional for the next twenty years.
- Be transparent about your data practices. Explain what information your app collects from users or their devices and what you do with their data. If you share information with another company, tell your users and give them information about that company’s data practices.
- Keep user data secure:
  - Collect only the data you need;
  - Secure the data you keep by taking reasonable precautions against well-known security risks;
  - Limit access to data on a need-to-know basis; and
  - Safely dispose of data you no longer need.
Chris Olsen, assistant director of the F.T.C.’s division of privacy and identity protection, sent a clear warning to companies on Friday: “If you make promises about privacy, you must honor those promises or otherwise risk F.T.C. enforcement.” Companies that do not heed this warning may find themselves on the F.T.C.’s radar in a way they had never hoped for.