Last Thursday, the Federal Trade Commission (FTC) announced that messaging app Snapchat agreed to settle charges that it deceived consumers with promises about the disappearing nature of messages sent through the app. The FTC case also alleged that the company deceived consumers over the amount of personal data the app collected, and the security measures taken to protect that data from misuse and unauthorized disclosure. The case alleged that Snapchat’s failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
Snapchat became popular among teenagers and college students by promising users that the photos and videos they send via the app will “disappear forever” seconds after they’re opened. Security and privacy advocates have repeatedly warned, however, that that’s not always true. According to the FTC complaint, Snapchat made several other misrepresentations to users, including: (i) that the app’s structure – which was supposed to delete any video sent – actually allowed such videos to be accessible when a recipient’s phone was connected to a computer; (ii) that the company misrepresented its data collection practices by transmitting geolocation information of users, despite its privacy policy saying that the app does not collect such information; and (iii) that the app deceptively represented to users that the sender would be notified if a recipient took a screenshot of a message sent via the app. In fact, the FTC said that there was a very easy work-around method to allow recipients to screen shot messages without notifying the sender. To settle these charges, Snapchat agreed to implement a privacy program that will be monitored by an outside privacy expert for the next 20 years.
Interestingly, in the case of Snapchat, the alleged misrepresentations were not made in the company’s privacy policy, but in its product description pages on iTunes and Google Play, and on a series of FAQs on its website. Privacy has now become a key selling point for many businesses – Snapchat actively advertised that its messages would “disappear forever” after they were read. Just as is the case with any advertising or marketing claim, if companies are going to use privacy as a selling point, they will need to ensure that those claims can be substantiated. In the context of privacy, this means that claims about how consumer data is collected, used, shared, and protected must match up with actual practices.