BreachExchange mailing list archives

Snapchat Settlement Signals Greater FTC Scrutiny for Tech Start-Up Privacy Policies


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 13 May 2014 19:03:26 -0600

http://www.jdsupra.com/legalnews/snapchat-settlement-signals-greater-ftc-08164/?utm_source=LU_Emails


By now, you have probably heard about the FTC’s recent settlement with
Snapchat, the popular mobile photo and video messaging service, over
allegations that it deceived consumers with promises about the disappearing
nature of messages sent through its service. It did not take long for major
media outlets to cover the story, highlighting both consumer concerns over
data privacy and the FTC’s willingness to publicly and aggressively pursue
companies that misrepresent their data privacy policies.

For those unfamiliar with the Snapchat case, the FTC filed a complaint
against Snapchat alleging that the company made multiple misrepresentations
about its service that were at odds with the way the app actually worked.
The FTC first charged that Snapchat deceived consumers by advertising that
users could send “ephemeral” photo and video messages through its service,
which would “disappear forever” after a maximum of ten seconds. The FTC
alleged many ways a user could save a photo message permanently, including
by taking a screenshot of the message, using third-party apps to circumvent
the Snapchat timer, and accessing unencrypted Snapchat video snaps in a
location outside the app’s “sandbox.”

The FTC also charged Snapchat with misrepresenting to users in its privacy
policy that it does not “ask for, track, or access any location-specific
information from [a user’s] device at any time.” The FTC alleged that
Snapchat in fact transmitted users’ geolocation information from users of
its Android app, and collected all of the contact information in users’
mobile device address books without notice or consent through its “Find
Friends” feature. Finally, the FTC alleged that Snapchat failed to employ
“reasonable security measures” to protect personal information transmitted
in its “Find Friends” feature that made vulnerable 4.6 million user names
and phone numbers during a recent security breach.

The terms of the Snapchat settlement agreement show just how seriously the
FTC is pursuing companies that misrepresent their data privacy policies.
Snapchat is prohibited from misrepresenting the extent to which it protects
the privacy, security, or confidentiality of users’ information, and is
required to implement a comprehensive data privacy program that will be
monitored by an independent privacy professional for the next twenty years.

It is now clear that the days of copying and pasting stock language into a
privacy policy are over. Companies will be monitored to ensure their
privacy policies are comprehensive and actually followed. Serious
consequences may result if the company is found in breach of its own stated
privacy policies. The FTC has issued a number of best practices for mobile
apps that store consumer data, including:

1. Be transparent about your data practices. Explain what information your
app collects from users or their devices and what you do with their data.
If you share information with another company, tell your users and give
them information about that company’s data practices.
2. Honor your privacy promises. Remember that your privacy policy in itself
is a promise to consumers that you will actually guard their personal
information to the extent you state. Make sure the language is clear and
easy to read on a small screen.
3. Keep user data secure.

- Collect only the data you need;
- Secure the data you keep by taking reasonable precautions against
well-known security risks;
- Limit access to data on a need-to-know basis; and
- Safely dispose of data you no longer need.

Chris Olsen, assistant director of the F.T.C.’s division of privacy and
identity protection, sent a clear warning to companies on Friday: “If you
make promises about privacy, you must honor those promises or otherwise
risk F.T.C. enforcement.” Companies that do not heed this warning may find
themselves on the F.T.C.’s radar in a way they had never hoped for.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
