Yesterday, the FTC announced yet another privacy law enforcement action in the mobile arena. An Android mobile application developer has agreed to settle the Commission’s claims alleging that the application, which allows a device to be used as a flashlight, deceived consumers about how their precise geolocation information would be collected and shared with third parties.
THE FTC’S COMPLAINT
The Complaint also noted that the promotional pages for the App and the general “permissions” statements that appear for all Android applications do not reference the collection or use of data from users’ mobile devices.
The FTC next claimed that the company deceived consumers about their control over the collection and use of their device’s data. After installation of the Brightest Flashlight App, the App presented users with the company’s end-user license agreement. The license agreement allowed the company to collect and use device data. At the bottom of the license agreement, the App presented users with a choice to “Accept” or “Refuse” the terms of the agreement. The FTC alleged that the App began transmitting users’ device data before they could “Accept” or “Refuse” the agreement’s terms. Because consumers could not prevent the Brightest Flashlight App from collecting or using their device data, the FTC deemed the choice illusory.
The company’s presentation of an illusory choice formed the basis for the Complaint’s second “deception” claim under Section 5 of the FTC Act (Count II). Specifically, the FTC claimed that the company “represented, expressly or by implication, that consumers have the option to refuse the terms of the [application’s end-user license agreement], including those relating to the collection and use of device data.” Yet, the FTC alleged that consumers could not prevent the application from collecting or using their device’s data because “regardless of whether consumers accept or refuse the terms of the [agreement], the Brightest Flashlight App transmits, or causes the transmission of, device data as soon as the consumer launches the application.” The FTC deemed the acts and practices of the company “deceptive” in violation of the FTC Act.
Most of the settlement provisions apply to the company and the individual who served as the managing member of the limited liability company for 20 years, and a violation of such provisions could subject the company and the individual to civil penalties of up to $16,000. The core components of the settlement are set forth below.
The settlement prohibits the company or its agents from misrepresenting (1) the extent to which the company collects, uses, discloses, or shares personal information, and (2) “the extent to which users may exercise control over the collection, use, disclosure, or sharing of [personal information] collected from or about them, their computers or devices, or their online activities.”
Data Collection Injunction
The settlement prohibits the company or its agents from advertising or disseminating a mobile App that collects, transmits, or allows the transmission of geolocation information unless two requirements are met.
1. Comprehensive Geolocation Data Collection Disclosure. First, the App must disclose to the consumer (1) that the App collects, transmits, or allows the transmission of geolocation information, (2) how geolocation information may be used, (3) why the App is accessing geolocation information, and (4) the identity or specific categories of third parties that receive geolocation information directly or indirectly from the App. The company must display this disclosure:
- Clearly and prominently;
- Before the initial collection or transmission of geolocation information; and
2. Consumer Consent. Second, the App must obtain affirmative express consent (i.e., an opt in) from the consumer to transmit the consumer’s geolocation information.