Privacy & Information Security Law Blog

On May 8, 2014, the Federal Trade Commission announced a proposed settlement with Snapchat, Inc. (“Snapchat”) stemming from allegations that the company’s privacy policy misrepresented its privacy and security practices, including how the Snapchat mobile app worked. Snapchat’s app supposedly allowed users to send and receive photo and video messages known as “snaps” that would “disappear forever” after a certain time period. The FTC alleged that, in fact, it was possible for recipients to save snaps indefinitely, regardless of the sender-designated expiration time.

According to the complaint filed by the FTC, Snapchat made several misrepresentations about certain features of its app and the information collected through the app, including the following:

• Snapchat portrayed its app as a “service for sending ‘disappearing’ photo and video messages” that required the sender to select a period of time (of a maximum of 10 seconds) within which the recipient could view the snap. The FTC’s complaint, however, indicates that there were several ways recipients could save and view snaps indefinitely, and that these methods were publicly available on the Internet at little or no cost. In addition, the FTC noted that although the flaw has been brought to Snapchat’s attention by a security researcher, Snapchat did nothing to mitigate the flaw for months.
• Snapchat represented in the FAQs published on its website that the company would notify the sender if a recipient took a screenshot of the sender’s snap. But the FTC noted that the screenshot detection mechanism could easily be circumvented, so some senders were not notified when screenshots were taken of their snaps.
• Snapchat allegedly collected information such as geolocation data and users’ contacts information contrary to representations the company made in its privacy policy.

The FTC also noted that numerous consumers complained that their phone numbers have been misused. According to the FTC, Snapchat failed to employ reasonable security measures to protect personal information from misuse and unauthorized disclosure by failing to verify phone numbers during the registration process.

The proposed settlement agreement prohibits Snapchat from misrepresenting the extent to which the company maintains the privacy, security and confidentiality of users’ information. As in other recent settlement agreements, Snapchat is required under the proposed settlement to implement a comprehensive privacy program subject to assessment by an independent privacy professional on a biennial basis for the next 20 years.

The FTC’s Business Center Blog post regarding Snapchat highlighted that “Snapchat is hardly the first company to get an early heads-up from a security researcher about a privacy hole in their product. Certainly, the preferred scenario is if glitches are spotted before you go to market. But the next best thing is to monitor what people are saying about your product and act ASAP if flaws come to light.”

The Snapchat case is part of an enforcement sweep by the Global Privacy Enforcement Network (“GPEN”), which is an international network of more than 40 privacy enforcement authorities, including the FTC.

Update: On December 31, 2014, the FTC approved the final settlement order with Snapchat.