FTC Settlement Provides Guidance Regarding an App’s Collection of Geolocation Data, When Data Collection and Sharing May Begin, and Privacy Representations in a License Agreement

A recent FTC settlement provides some illuminating guidance for app developers and publishers regarding the sharing of geolocation data, when an app may begin collecting and sharing data, and privacy representations made in a license agreement or similar document. In re Goldenshores Technologies, LLC. This settlement is the first to impose substantial conditions upon the collection of location data, including a disclosure as to why the information is being collected, and provides insight into the FTC’s view of how its guidance from its March 2012 report, Protecting Consumer Privacy in an Era of Rapid Change (“2012 Privacy Report”) and February 2013 report, Mobile Privacy Disclosures: Building Trust Through Transparency  (“Mobile Privacy Report”), should be executed.

The FTC’s Allegations

“Brightest Flashlight Free” is a popular, free, ad-supported app that turns on all lights on a mobile device, enabling the device to act as a flashlight. The FTC alleged that the app, when running, transmits, or could transmit, the device’s “precise geolocation along with persistent device identifiers that can be used to track a user’s location over time” to third parties, including advertisers. According to the FTC, neither the App’s privacy policy, nor its End User License Agreement (EULA) (which repeated statements included in the privacy policy) informed the user of, or permitted, this type of sharing. The FTC alleged that facts relating to the sharing of location data were material.

Although the Android platform provided notice to users that the app requested “permissions” to access location information, the FTC alleged that notice did not indicate that the app would share the information with third parties. Additionally, the FTC alleged that the app required users to accept an EULA before being permitted to use the app – but the app transmitted device information even before the user accepted or refused the terms of the EULA.

Consent Agreement Terms

The FTC’s consent agreement with the app developer requires that the app developer, amongst other things:

• Disclose clearly and prominently (defined to mean that the “disclosures are unavoidable”), immediately prior to the collection of or transmission of such information, and on a separate screen from any EULA, privacy policy, or similar document – that the app collects, transmits, or allows the transmission of, geolocation information; how geolocation information may be used; whysuch application is accessing geolocation information; and the identity or specific categories of third parties that receive geolocation information directly or indirectly from such application. The user’s “affirmative express consent” must also be obtained prior to the transmission of such information.Commentary: This requirement is consistent with the 2012 Privacy Report’s guidance that if location data “is collected and shared with third parties, entities should work to provide consumers with more prominent notice and choices about such practices” (2012 Privacy Report, at 33) and that a “prominent point” is “outside of the privacy policy.” (Id. at 39 n. 184.) The FTC also previously advised that “[i]f the app developer decides to share . . . geolocation data with a third party, the app developer should provide a just-in-time disclosure and obtain affirmative consent from users for that data sharing.” (Mobile Privacy Report, at 24.) Although the FTC suggested in the Mobile Privacy Report that “developers could provide information on the ‘value proposition,’ or why the app is accessing such [location] information,” this was presented as a mere suggestion in the FTC’s prior report – however, this settlement requires the suggestion to be implemented.

• Delete all personal information about individual consumers that it collected from users of the app prior to the date of issuance of the order.
• Maintain certain documents for five years from the date of preparation, including advertisements and promotional materials, terms of use, EULAs, FAQs, privacy policies, and other public documents related to data collection, use, disclosure, or sharing, opt out practices, and other mechanisms to limit or prevent the collection, use, disclosure, or sharing of data; complaints or inquiries related to the app, and responses to the complaints or inquiries; and documents sufficient to demonstrate compliance with each provision of the order.
• Provide a copy of the order for five years to current and future principals, officers, directors, and managers; and to employees, agents, and representatives having responsibilities with respect to the subject matter of the Consent Order.
• Additionally, the app developer’s principal must provide the FTC with updates for ten years regarding changes regarding his business affiliation or employment.

Guidance from the Settlement

When considering the FTC’s allegations and the settlement terms, certain guidance for app developers and publishers may be distilled:

• An app platform’s disclosure of requested app permissions (such as access to location information) is not sufficient to disclose to the user that information accessed through those permissions would be shared with third parties, such as advertisers.
• If an app seeks a user’s express agreement to an EULA or similar document, the app must not begin collecting or sharing information until the user’s agreement is obtained. If information is collected or shared before the user’s agreement is obtained (e.g., while the user is viewing the EULA), the option to reject the agreement is “illusory.”
• Nevertheless, even if an EULA is not presented to a user for acceptance, a user’s affirmative express consent should still be obtained prior to collecting and sharing sensitive location data, and the collection of such data must be prominently disclosed. The settlement provides insight as to the FTC’s view of an appropriate disclosure – an unavoidable disclosure (that is outside of an EULA, privacy policy, or similar document), immediately prior to the collection of or transmission of location information.
• The FTC may look to an app’s EULA for representations about information sharing – to the extent that representations are made about information sharing practices in that document, those representations must be accurate.