On May 8, 2014, the US Federal Trade Commission (FTC) proposed for public comment its draft complaint and consent with mobile messaging service Snapchat, best known for promoting its “ephemeral” photo messaging site. (See our previous posting here.)

The FTC’s complaint claimed that Snapchat violated federal law (Section 5 of the FTC Act) with the following 6 false or deceptive claims:

  1. Contrary to Snapchat’s claims, “a message may not disappear forever after the user-set time period expires” due to widely publicized third-party apps and a security flaw that Snapchat purportedly was aware of (from a security researcher) for 10 months before addressing it;
  2. Contrary to Snapchat’s statements, “a sender may not be notified if the recipient takes a screenshot of a snap” due to widely publicized circumventions;
  3. Contrary to a statement in Snapchat’s privacy policy that it did not request, track, or access geolocation data from a user’s device, for a 6-month period, “the Snapchat app on Android transmitted WiFi-based and cell-based location information from users”;
  4. Contrary to Snapchat’s implied representations, when a user selected “Find Friends,” Snapchat collected not only the phone number a user entered, but also the entire contents of all contacts in the user’s mobile device address book;
  5. Contrary to Snapchat’s privacy policy, Snapchat collected more information than e-mail, phone number and Facebook ID when a user selected “Find Friends”; and
  6. Contrary to Snapchat’s privacy policy claims that Snapchat took “reasonable measures” to help protect users’ information, Snapchat (a) did not verify phone numbers as actually belonging to the device being used by the individual despite “common and readily available methods” to do so, resulting in numerous consumer complaints that (i) customer messages were not reaching their intended recipients and (ii) messages were being sent from customer accounts without authorization; and (b) did not limit automated account creation or the number of “Find Friends” requests that could be made, which allowed attackers to compile a database of 4.6 million Snapchat user names and mobile numbers.

Under the proposed consent, Snapchat does not admit or deny any liability. To settle the matter, if the consent is approved, Snapchat would be:

  • Prohibited from misrepresenting its products and services and treatment of personal information, or their privacy and security; and
  • Required to implement a comprehensive privacy program that is subject to a third-party audit every 2 years for the next 20 years.

Note that the FTC has proposed a definition of “covered information” that includes not only name, address, e-mail address, or phone number, but also “a persistent identifier, such as a customer number held in a ‘cookie,’ a static Internet Protocol (“IP”) address, a mobile device ID, or processor serial number” or “precise geo-location data of an individual or mobile device, including GPS-based, WiFi-based or cell-based location information” or “an authentication credential, such as a user name or password” or “any communications or content that is transmitted or stored through [Snapchat’s] products or services.”

Does your company collect personal information from users of computers or mobile devices? Do you have a process for responding to security researcher warnings? How does your company respond to consumer complaints? Does your company monitor third-party apps and commentary relating to your goods and services? Does your privacy policy accurately reflect your practices?

Sue Ross (susan.ross@nortonrosefulbright.com / +1 212 318 3280) is a lawyer in Norton Rose Fulbright’s US intellectual property practice.