The FTC announced today another settlement with a mobile app development company involving allegations of consumer deception. Interestingly, the complaint was against the company, Goldenshores Technologies, LLC, as well as the company's founder, Erik M. Geidl, individually. Additionally, the Consent Agreement requires Mr. Geidl, individually, to notify the FTC of any changes to his employment during the next 10 years. Clearly, the FTC is becoming much more serious about privacy compliance and consumer disclosures.


This action involves a popular mobile app called the "Brightest Flashlight Free" app, which consumers can use to turn their phone into a flashlight.  (According to the FTC Complaint, the app was ranked as one of the top free apps on Google Play as of May 2013.)

The FTC alleged that the app transmitted various data from a user's mobile device to third parties, including advertising networks. "The types of data transmitted include, among other things, the device's precise geolocation along with persistent device identifiers that can be used to track a user's location over time."[1]

The FTC found the following disclosures or lack of disclosures problematic:
  • While Goldenshores did include Google Play's general permission statements in pages promoting the app, it failed to explain "whether the application shares any information with third parties" [2]
  • The Privacy Policy failed to disclose that the app "transmits or allows the transmission of device data, including precise geolocation along with persistent device identifiers, to third parties, including advertising networks" [3]
  • Consumers are misled as to their choice to accept or decline the terms.
    • The app begins to transmit a user's precise geolocation and device identifiers immediately after it is installed.
    • But, the EULA appears after app installation. While users can "Refuse" to accept the EULA, the app is already operating and sharing their information.

A Few Highlights

- Action is against the mobile app development company and the majority owner individually

- Information shared: geolocation of user and the user's device identifiers

- Information shared with: advertising network

- Problems:

1. Privacy Policy and EULA failed to fully disclose that the consumer's geolocation and device identifiers were shared with an advertising network;

2. While the EULA suggested that consumers could opt out of the data sharing, the software was installed prior to users having the ability to opt out, which resulted in their information being shared regardless of whether or not they agreed to the terms.

- The consent order was with the company and the owner, where the owner must report his job and responsibilities to the FTC for 10 years.

The FTC acknowledged that the Privacy Policy and the EULA together advised consumers that the app "may periodically collect, maintain, process, and use information from users' mobile devices to provide software updates, product support, and other services to users related to the Brightest Flashlight App, and to verify users' compliance with [the] EULA."[4] But the failure to notify customers that their precise geolocation and device identifiers would be shared with third parties, "in light of the representation made, was, and is, a deceptive practice."[5]

Additionally, the representation that consumers could refuse to share their information "was, and is, false or misleading" because the app transmits the "device data as soon as the consumer launches the application and before they have chosen to accept or refuse the terms of the Brightest Flashlight EULA."[6]

The Problematic Privacy Policy Language:
Consent to Use of Data. Goldenshores Technologies and its subsidiaries and agents may collect, maintain, process and use diagnostic, technical and related information, including but not limited to information about your computer, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to you (if any) related to the Goldenshores Technologies Software, and to verify compliance with the terms of the License. Goldenshores Technologies may use this information, as long as it is in a form that does not personally identify you, to improve our products or to provide services or technologies to you.
(For complete terms of the Privacy Policy, see Exhibit B-1). This language was also incorporated into the EULA.

Excerpts from the Consent Order

In the Consent Order, the FTC explicitly stated the steps that Goldenshores and Geidl must take to remedy the deceptive behavior:
[Goldenshores and  Geidl] in connection with the advertising, promotion, offering for sale, sale, or dissemination of any mobile application that collects, transmits, or allows the transmission of geolocation information, in or affecting commerce, shall not collect, transmit, or allow the transmission of such information unless such application:
Clearly and prominently, immediately prior to the initial collection of or transmission of such information, and on a separate screen from, any final "end user license agreement," "privacy policy," "terms of use" page, or similar document, discloses to the consumer the following:
1. That such application collects, transmits, or allows the transmission of, geolocation information;

2. How geolocation information may be used;


3. Why such application is accessing geolocation information; and


4. The identity or specific categories of third parties that receive geolocation information directly or indirectly from such application; and

Obtains affirmative express consent from the consumer to the transmission of such information.
[W]ithin ten (10) days from the date of entry of this Order, shall delete all Covered Information relating to Affected Consumers that is within their possession, custody, or control and was collected at any time prior to the date of entry of this Order. [The FTC specifically defined Covered Information to mean everything:]
"Covered Information" shall mean information from or about an individual consumer, including but not limited to:
(a) a first and last name;

(b) a home or other physical address, including street name and name of city or town;

(c) an email address or other online contact information, such as an instant messaging user identifier or a screen name;

(d) a telephone number;

(e) a Social Security number;

(f) a driver's license or other state-issued identification number;

(g) a financial institution account number;

(h) credit or debit card information;

(i) a persistent identifier, such as a customer number held in a "cookie," a static Internet Protocol ("IP") address, a mobile device ID, or processor serial number;

(j) precise geolocation data of an individual or mobile device, including but not limited to GPS-based, WiFi-based, or cell-based location information ("geolocation information");

(k) an authentication credential, such as a username and password; or

(l) any other communications or content stored on a consumer's mobile device.

Along with the relatively standard notification language the FTC has agreed to in previous consent agreements (i.e., company must notify its successors of this agreement, company must deliver a copy of this order to management, etc.), the document retention requirements, and the 20-year compliance period, this Consent Agreement also included the following:
IT IS FURTHER ORDERED that respondent Erik M. Geidl, for a period of ten (10) years after the date of issuance of this order, shall notify the Commission of the discontinuance of his current business or employment, or of his affiliation with any new business or employment. The notice shall include respondent's new business address and telephone number and a description of the nature of the business or employment and his duties and responsibilities. Unless otherwise directed by a representative of the Commission in writing, all notices required by this Part shall be emailed to Debrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580. The subject line must begin: In the Matter of Goldenshores Technologies, LLC, File No. 132-3087.

Takeaways

There are a number of legal takeaways from the FTC's latest action.
  • Software developers and vendors must review their privacy policies. The FTC is serious about its enforcement efforts. These enforcement and consumer deception issues can be avoided with proper disclosures.
  • Err on the side of more disclosure over less disclosure. Yes, it is true that sometimes this makes the design of user interfaces more complicated and delays the install process. This is particularly true for mobile apps where the screen size adds additional limitations. But, it is better to err on the side of giving more information to consumers, unless, of course, your desire is to enter into a consent agreement with the FTC.
  • The consumer's choice to accept or reject the EULA or data sharing must be a 'true' choice. As such, disclosures need to be presented to the consumer either before the app is installed on the device
The Consent Agreement is subject to public comment for 30 days, beginning December 5, 2013 and continuing through January 6, 2014, after which the FTC Commission will decide whether to make the proposed consent order final.

-----------------
[1] In the Matter of Goldenshores Technologies, LLC, and Erik M. Geidl, FTC Complaint, FTC File No. 132 3087, ¶ 5 (Dec. 2013) [hereinafter FTC Complaint]. Documents available at https://www.ftc.gov/os/caselist/1323087/index.shtm.

[2] Id. at ¶ 7.

[3] Id. at ¶ 10.

[4] Id. at ¶ 15.

[5] Id.

[6] Id. at ¶ 17.

FTC's Press Release - https://www.ftc.gov/opa/2013/12/goldenshores.shtm.