Recently, the Maryland Attorney General’s Office announced that it reached a settlement with Snapchat, Inc. over alleged deceptive trade practices in violation of Maryland law and violations of federal laws that are intended to protect children’s online privacy. This is another reminder that state attorneys general’s offices will continue to be vigilant in addressing consumer privacy issues under both state and federal laws, when the federal laws permit state attorney general action.
Snapchat is a photo and video messaging app that allows users to take photos and videos, add text and drawings, and send them to selected contacts. The sent images are commonly referred to as “snaps” and users can set a time limit of up to ten seconds for how long the image will be visible to the contact. According to Snapchat, its app’s users were sending 700 million photos and videos per day in May 2014.
Maryland’s Attorney General asserted that Snapchat misled consumers when it represented that snaps are temporary and disappear after they are opened by a recipient. The Attorney General claimed that, in fact, the snaps could be copied or captured by recipients. Additionally, the Maryland Attorney General alleged that Snapchat collected and maintained the names and phone numbers from contact lists on consumers’ electronic devices, which was a practice that Snapchat had not always disclosed to consumers and to which consumers did not always consent. Lastly, the Attorney General alleged that Snapchat was aware that some users were under the age of 13, but it failed to comply with the federal Children’s Online Privacy Protection Act (“COPPA”), when it collected personal information from children without verifiable parental consent. COPPA has a provision that empowers state attorneys general to bring enforcement actions under the statute on behalf of residents of their states.
Snapchat agreed to pay the state of Maryland $100,000 to settle this case. Additionally, as part of its settlement, Snapchat agreed to not make false representations or material omissions in connection with its app. Furthermore, Snapchat is specifically enjoined from misrepresenting the temporary nature of the snaps and must disclose to users that recipients of snaps have the ability to copy the image they receive. Snapchat must also obtain affirmative consent from consumers before it collects and saves any contact information. In response to the COPPA allegations, Snapchat agreed to comply with COPPA for a period of ten years and to take specific steps to ensure that children under the age of 13 are not creating Snapchat accounts.
Snapchat has faced other actions as well. Last month, Snapchat reached a settlement with the Federal Trade Commission (“FTC”) on charges that it deceived consumers with promises about the disappearing nature of messages sent through the service. According to the FTC, Snapchat promised users that messages and images sent through the app would self-destruct and disappear in ten seconds or less despite there being ways for recipients to save the snaps. The FTC case also alleged that Snapchat told users that it did not collect information about their location when one version of the app did collect location information.
The FTC case did not include any accusation of violating COPPA, nor did it include any financial penalty. As part of the settlement, Snapchat agreed to implement privacy programs that will be subject to monitoring for 20 years and agreed not to misrepresent the confidentiality, privacy, and security of user information. Snapchat is also prohibited from misrepresenting how it maintains the privacy and confidentiality of user agreements.
On its official blog, Snapchat emphasized that its app does not retain users’ snaps and that both investigations largely revolved around how well users understood that recipients of their snaps could save their snaps. In response to the COPPA claims, Snapchat pointed out that its terms of service have always provided that the app is intended for users who are 13 years of age or older and has instituted controls to ensure it.
Mobile app companies need to be aware of the fact that they are being closely monitored by both the FTC and state attorneys general offices. In particular, any claim made by an app about consumer privacy may be scrutinized by regulators. Companies need to be prepared to justify their claims and must be forthcoming about any data that is collected from consumers. In other words: if you say you do something then you need to do it; if you say that you do not do something, do not do it. Your company does not want the FTC or a state attorney general “snapping” at your privacy practices.