Another Day, Another App Development Company - and its Founder! - Settle with the FTC
The FTC announced today another settlement with a mobile app development company involving allegations of consumer deception. Interestingly, the complaint was against the company, Goldenshores Technologies, LLC, as well as the company's founder, Erik M. Geidl, individually. Additionally, the Consent Agreement requires Mr. Geidl, individually, to notify the FTC of any changes to his employment during the next 10 years. Clearly, the FTC is becoming much more serious about privacy compliance and consumer disclosures.
This action involves a popular mobile app called the "Brightest Flashlight Free" app, which consumers can use to turn their phone into a flashlight. (According to the FTC Complaint, the app was ranked as one of the top free apps on Google Play as of May 2013.)
The FTC alleged that the app transmitted various data from a user's mobile device to third parties, including advertising networks. "The types of data transmitted include, among other things, the device's precise geolocation along with persistent device identifiers that can be used to track a user's location over time."
The FTC found the following disclosures or lack of disclosures problematic:
- While Goldenshores did include Google Play's general permission statements in pages promoting the app, it failed to explain "whether the application shares any information with third parties."
- Consumers are misled as to their choice to accept or decline the terms.
- The app begins to transmit a user's precise geolocation and device identifiers immediately after it is installed.
- But, the EULA appears after app installation. While users can "Refuse" to accept the EULA, the app is already operating and sharing their information.
A Few Highlights
- Action is against the mobile app development company and the majority owner individually
- Information shared: geolocation of user and the user's device identifiers
- Information shared with: advertising network
- While the EULA suggested that consumers could opt out of the data sharing, the software was installed prior to users having the ability to opt out, which resulted in their information being shared regardless of whether or not they agreed to the terms.
- The consent order was with the company and the owner, where the owner must report his job and responsibilities to the FTC for 10 years.
[Goldenshores and Geidl] in connection with the advertising, promotion, offering for sale, sale, or dissemination of any mobile application that collects, transmits, or allows the transmission of geolocation information, in or affecting commerce, shall not collect, transmit, or allow the transmission of such information unless such application:
1. That such application collects, transmits, or allows the transmission of, geolocation information;
2. How geolocation information may be used;
3. Why such application is accessing geolocation information; and
4. The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application; and
Obtains affirmative express consent from the consumer to the transmission of such information.
[W]ithin ten (10) days from the date of entry of this Order, shall delete all Covered Information relating to Affected Consumers that is within their possession, custody, or control and was collected at any time prior to the date of entry of this Order. [The FTC specifically defined Covered Information to mean everything:]
Along with the relatively standard notification language the FTC has agreed to in previous consent agreements (i.e., company must notify its successors of this agreement, company must deliver a copy of this order to management, etc.), the document retention requirements, and the 20-year compliance period, this Consent Agreement also included the following:
"Covered Information" shall mean information from or about an individual consumer, including but not limited to:
(a) a first and last name;
(b) a home or other physical address, including street name and name of city or town;
(c) an email address or other online contact information, such as an instant messaging user identifier or a screen name;
(d) a telephone number;
(e) a Social Security number;
(f) a driver's license or other state-issued identification number;
(g) a financial institution account number;
(h) credit or debit card information;
(i) a persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol ("IP") address, a mobile device ID, or processor serial number;
(j) precise geolocation data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cell-based location information ("geolocation information");
(k) an authentication credential, such as a username and password; or
(l) any other communications or content stored on a consumer's mobile device.
IT IS FURTHER ORDERED that respondent Erik M. Geidl, for a period of ten (10) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment. The notice shall include respondent's new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In the Matter of Goldenshores Technologies, LLC, File No. 132-3087.
Takeaways
There are a number of legal takeaways from the FTC's latest action.
- Software developers and vendors must review their privacy policies. The FTC is serious about its enforcement efforts. These enforcement and consumer deception issues can be avoided with proper disclosures.
- Err on the side of more disclosure over less disclosure. Yes, it is true that sometimes this makes the design of user interfaces more complicated and delays the install process. This is particularly true for mobile apps where the screen size adds additional limitations. But, it is better to err on the side of giving more information to consumers, unless, of course, your desire is to enter into a consent agreement with the FTC.
The Consent Agreement is subject to public comment for 30 days, beginning December 5, 2013 and continuing through January 6, 2014, after which the FTC Commission will decide whether to make the proposed consent order final.
- The consumer's choice to accept or reject the EULA or data sharing must be a 'true' choice. As such, disclosures need to be presented to the consumer either before the app is installed on the device
 In the Matter of Goldenshores Technologies, LLC, and Erik M. Geidl, FTC Complaint, FTC File No. 132 3087, 5 (Dec. 2013) [hereinafter FTC Complaint]. Documents available at https://www.ftc.gov/os/caselist/1323087/index.shtm.
 Id. at 7.
 Id. at 10.
 Id. at 15.
 Id. at 17.
FTC's Press Release - https://www.ftc.gov/opa/2013/12/goldenshores.shtm.