Another Day, Another App Development Company - and its Founder! - Settle with the FTC

The FTC announced today another settlement with a mobile app development company involving allegations of consumer deception. Interestingly, the complaint was against the company, Goldenshores Technologies, LLC, as well as the company's founder, Erik M. Geidl, individually. Additionally, the Consent Agreement requires Mr. Geidl, individually, to notify the FTC of any changes to his employment during the next 10 years. Clearly, the FTC is becoming much more serious about privacy compliance and consumer disclosures.


This action involves a popular mobile app called the "Brightest Flashlight Free" app, which consumers can use to turn their phone into a flashlight.  (According to the FTC Complaint, the app was ranked as one of the top free apps on Google Play as of May 2013.)

The FTC alleged that the app transmitted various data from a user's mobile device to third parties, including advertising networks. "The types of data transmitted include, among other things, the device's precise geolocation along with persistent device identifiers that can be used to track a user's location over time."[1]

The FTC found the following disclosures or lack of disclosures problematic:
  • While Goldenshores did include Google Play's general permission statements in pages promoting the app, it failed to explain "whether the application shares any information with third parties" [2]
  • The Privacy Policy failed to disclose that the app "transmits or allows the transmission of device data, including precise geolocation along with persistent device identifiers, to third parties, including advertising networks" [3]
  • Consumers are misled as to their choice to accept or decline the terms.
    • The app begins to transmit a user's precise geolocation and device identifiers immediately after it is installed.
    • But, the EULA appears after app installation. While users can "Refuse" to accept the EULA, the app is already operating and sharing their information.

A Few Highlights

- Action is against the mobile app development company and the majority owner individually

- Information shared: geolocation of user and the user's device identifiers

- Information shared with: advertising network

- Problems:

1. Privacy Policy and EULA failed to fully disclose that the consumer's geolocation and device identifiers were shared with an advertising network;

2. While the EULA suggested that consumers could opt out of the data sharing, the software was installed prior to users having the ability to opt out, which resulted in their information being shared regardless of whether or not they agreed to the terms.

- The consent order was with the company and the owner, where the owner must report his job and responsibilities to the FTC for 10 years.

The FTC acknowledged that the Privacy Policy and the EULA together advised consumers that the app "may periodically collect, maintain, process, and use information from users' mobile devices to provide software updates, product support, and other services to users related to the Brightest Flashlight App, and to verify users' compliance with [the] EULA."[4] But the failure to notify customers that their precise geolocation and device identifiers would be shared with third parties, "in light of the representation made, was, and is, a deceptive practice."[5]

Additionally, the representation that consumers could refuse to share their information "was, and is, false or misleading" because the app transmits the "device data as soon as the consumer launches the application and before they have chosen to accept or refuse the terms of the Brightest Flashlight EULA."[6]

The Problematic Privacy Policy Language:
Consent to Use of Data. Goldenshores Technologies and its subsidiaries and agents may collect, maintain, process and use diagnostic, technical and related information, including but not limited to information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the Goldenshores Technologies Software, and to verify compliance with the terms of the License. Goldenshores Technologies may use this information, as long as it is in a form that does not personally identify you, to improve our products or to provide services or technologies to you.
(For complete terms of the Privacy Policy, see Exhibit B-1). This language was also incorporated into the EULA.

Excerpts from the Consent Order

In the Consent Order, the FTC explicitly stated the steps that Goldenshores and Geidl must take to remedy the deceptive behavior:
[Goldenshores and Geidl] in connection with the advertising, promotion, offering for sale, sale, or dissemination of any mobile application that collects, transmits, or allows the transmission of geolocation information, in or affecting commerce, shall not collect, transmit, or allow the transmission of such information unless such application:
Clearly and prominently, immediately prior to the initial collection of or transmission of such information, and on a separate screen from, any final "end user license agreement," "privacy policy," "terms of use" page, or similar document, discloses to the consumer the following:
1. That such application collects, transmits, or allows the transmission of, geolocation information;

2. How geolocation information may be used;


3. Why such application is accessing geolocation information; and


4. The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application; and

Obtains affirmative express consent from the consumer to the transmission of such information.
[W]ithin ten (10) days from the date of entry of this Order, shall delete all Covered Information relating to Affected Consumers that is within their possession, custody, or control and was collected at any time prior to the date of entry of this Order. [The FTC specifically defined Covered Information to mean everything:]
"Covered Information" shall mean information from or about an individual consumer, including but not limited to:
(a) a first and last name;

(b) a home or other physical address, including street name and name of city or town;

(c) an email address or other online contact information, such as an instant messaging user identifier or a screen name;

(d) a telephone number;

(e) a Social Security number;

(f) a driver's license or other state-issued identification number;

(g) a financial institution account number;

(h) credit or debit card information;

(i) a persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol ("IP") address, a mobile device ID, or processor serial number;

(j) precise geolocation data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cell-based location information ("geolocation information");

(k) an authentication credential, such as a username and password; or

(l) any other communications or content stored on a consumer's mobile device.

Along with the relatively standard notification language the FTC has agreed to in previous consent agreements (i.e., company must notify its successors of this agreement, company must deliver a copy of this order to management, etc.), the document retention requirements, and the 20-year compliance period, this Consent Agreement also included the following:
IT IS FURTHER ORDERED that respondent Erik M. Geidl, for a period of ten (10) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment. The notice shall include respondent's new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In the Matter of Goldenshores Technologies, LLC, File No. 132-3087.

Takeaways

There are a number of legal takeaways from the FTC's latest action.
  • Software developers and vendors must review their privacy policies. The FTC is serious about its enforcement efforts. These enforcement and consumer deception issues can be avoided with proper disclosures.
  • Err on the side of more disclosure over less disclosure. Yes, it is true that sometimes this makes the design of user interfaces more complicated and delays the install process. This is particularly true for mobile apps where the screen size adds additional limitations. But, it is better to err on the side of giving more information to consumers, unless, of course, your desire is to enter into a consent agreement with the FTC.
  • The consumer's choice to accept or reject the EULA or data sharing must be a 'true' choice. As such, disclosures need to be presented to the consumer either before the app is installed on the device
The Consent Agreement is subject to public comment for 30 days, beginning December 5, 2013 and continuing through January 6, 2014, after which the FTC Commission will decide whether to make the proposed consent order final.

-----------------
[1] In the Matter of Goldenshores Technologies, LLC, and Erik M. Geidl, FTC Complaint, FTC File No. 132 3087, ¶ 5 (Dec. 2013) [hereinafter FTC Complaint]. Documents available at https://www.ftc.gov/os/caselist/1323087/index.shtm.

[2] Id. at ¶ 7.

[3] Id. at ¶ 10.

[4] Id. at ¶ 15.

[5] Id.

[6] Id. at ¶ 17.

FTC's Press Release - https://www.ftc.gov/opa/2013/12/goldenshores.shtm.


