|The FTC announced today another settlement with a mobile app development company involving allegations of consumer deception. Interestingly, the complaint was against the company, Goldenshores Technologies, LLC, as well as the company's founder, Erik M. Geidl, individually. Additionally, the Consent Agreement, requires Mr. Geidl, individually, to notify the FTC in respect to any changes to his employment during the next 10 years. Clearly, the FTC is becoming much more serious about privacy compliance and consumer disclosures.
|This action involves a popular mobile app called the "Brightest Flashlight Free" app, which consumers can use to turn their phone into a flashlight. (According to the FTC Complaint, the app was ranked as one of the top free apps on Google Play as of May 2013.)|
The FTC alleged that the app transmitted various data from a user's mobile device to third parties, including advertising networks. "The types of data transmitted include, among other things, the device's precise geolocation along with persistent device identifiers that can be used to track a user's location over time."
The FTC found the following disclosures or lack of disclosures problematic:
- While Goldenshores did include Google Play's general permission statements in pages promoting the app, it failed to explain "whether the application shares any information with third parties" 
- Consumers are misled as to their choice to accept or decline the terms.
- The app begins to transmit a user's precise geolocation and device identifiers immediately after it is installed.
- But, the EULA appears after app installation. While users can "Refuse" to accept the EULA, the app is already operating and sharing their information.
|A Few Highlights|
- Action is against the the mobile app development company and the majority owner individually
- Information shared: geolocation of user and the user's device identifiers
- Information shared with: advertising network
2. While the EULA suggested that consumers could opt-out of the data sharing, the software was installed prior to users having the ability to opt-out, which resulted in their information being shared regardless of whether or not they agreed to the terms
- The consent order was with the company and the owner, where the owner must report his job and responsibilities to the FTC for 10 years.
[Goldenshores and Geidl] in connection with the advertising, promotion, offering for sale, sale, or dissemination of any mobile application that collects, transmits, or allows the transmission of geolocation information, in or affecting commerce, shall not collect, transmit, or allow the transmission of such information unless such application:
1. That such application collects, transmits, or allows the transmission of, geolocation information;
2. How geolocation information may be used;
3. Why such application is accessing geolocation information; and
4. The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application; and
Obtains affirmative express consent from the consumer to the transmission of such information.
[W]ithin ten (10) days from the date of entry of this Order, shall delete all Covered Information relating to Affected Consumers that is within their possession, custody, or control and was collected at any time prior to the date of entry of this Order. [The FTC specifically defined Covered Information mean everything:]
Along with the relatively standard notification language the FTC has agreed to in previous consent agreements (i.e., company must notify is successors of this agreement, company must deliver a copy of this order to management, etc.), the document retention requirements, and the 20 year compliance period, this Consent Agreement also included the following:
"Covered Information" shall mean information from or about an individual consumer, including but not limited to:
(a) a first and last name;
(b) a home or other physical address, including street name and name of city or town;
(c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number;
(e) a Social Security number;
(f) a driver's license or other state-issued identification number;
(g) a financial institution account number;
(h) credit or debit card information;
(i) a persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol ("IP") address, a mobile device ID, or processor serial number;
(j) precise geolocation data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cell-based location information ("geolocation information");
(k) an authentication credential, such as a username and password; or
(l) any other communications or content stored on a consumer's mobile device.
IT IS FURTHER ORDERED that respondent Erik M. Geidl, for a period of ten (10) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment. The notice shall include respondent's new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In the Matter of Goldenshores Technologies, LLC, File No. 132-3087. Take-a-WaysThere are a number of legal take-a-ways from the FTC's latest action.
- Software developers and vendors must review their privacy policies. The FTC is serious about its enforcement efforts. These enforcement and consumer deception issues can be avoided with proper disclosures.
- Err on the side of more disclosure over less disclosure. Yes, it is true that sometimes this makes the design of user interfaces more complicated and delays the install process. This is particularly true for mobile apps where the screen size adds additional limitations. But, it is better to err on the side of giving more information to consumers, unless, of course, your desire is to enter into a consent agreement with the FTC.
The Consent Agreement is subject to public comment for 30 days, beginning December 5, 2013 and continuing through January 6, 2014, after which the FTC Commission will decide whether to make the proposed consent order final.
- The consumer's choice to accept or reject the EULA or data sharing must be a 'true' choice. As such, disclosures need to be presented to the consumer either before the app is installed on the device
 In the Matter of Goldenshores Technologies, LLC, and Erik M. Geidl, FTC Complaint, FTC File No. 132 3087, 5 (Dec. 2013) [hereinafter FTC Complaint]. Documents available at https://www.ftc.gov/os/caselist/1323087/index.shtm.
 Id. at 7.
 Id. at 10.
 Id. at 15.
 Id. at 17.
FTC's Press Release - https://www.ftc.gov/opa/2013/12/goldenshores.shtm.