FTC Settlement Provides Guidance Regarding an App’s Collection of Geolocation Data, When Data Collection and Sharing May Begin, and Privacy Representations in a License Agreement
A recent FTC settlement provides some illuminating guidance for app developers and publishers regarding the sharing of geolocation data, when an app may begin collecting and sharing data, and privacy representations made in a license agreement or similar document. In re Goldenshores Technologies, LLC. This settlement is the first to impose substantial conditions upon the collection of location data, including a disclosure as to why the information is being collected, and provides insight into the FTC’s view of how its guidance from its March 2012 report, Protecting Consumer Privacy in an Era of Rapid Change (“2012 Privacy Report”) and February 2013 report, Mobile Privacy Disclosures: Building Trust Through Transparency (“Mobile Privacy Report”), should be executed.
The FTC’s Allegations
Although the Android platform provided notice to users that the app requested “permissions” to access location information, the FTC alleged that notice did not indicate that the app would share the information with third parties. Additionally, the FTC alleged that the app required users to accept an EULA before being permitted to use the app – but the app transmitted device information even before the user accepted or refused the terms of the EULA.
Consent Agreement Terms
The FTC’s consent agreement with the app developer requires that the app developer, amongst other things:
- Delete all personal information about individual consumers that it collected from users of the app prior to the date of issuance of the order.
- Provide a copy of the order for five years to current and future principals, officers, directors, and managers; and to employees, agents, and representatives having responsibilities with respect to the subject matter of the Consent Order.
- Additionally, the app developer’s principal must provide the FTC with updates for ten years regarding changes regarding his business affiliation or employment.
Guidance from the Settlement
When considering the FTC’s allegations and the settlement terms, certain guidance for app developers and publishers may be distilled:
- An app platform’s disclosure of requested app permissions (such as access to location information) is not sufficient to disclose to the user that information accessed through those permissions would be shared with third parties, such as advertisers.
- If an app seeks a user’s express agreement to an EULA or similar document, the app must not begin collecting or sharing information until the user’s agreement is obtained. If information is collected or shared before the user’s agreement is obtained (e.g., while the user is viewing the EULA), the option to reject the agreement is “illusory.”
- The FTC may look to an app’s EULA for representations about information sharing – to the extent that representations are made about information sharing practices in that document, those representations must be accurate.