The Federal Trade Commission (FTC) has been at it again, approving a final settlement on December 31, 2014 with Snapchat over privacy and data security concerns stemming from its photo, video and text mobile messaging service. The settlement is instructive for gauging the FTC’s enforcement priorities and illustrates the steep costs a company can face when the FTC alleges that it has engaged in deceptive or unfair trade practices.

Snapchat Security Concerns and Breach

Snapchat is a mobile messaging service that sends a photo or video (called a “snap”) to a recipient; by default the snap can be viewed for up to 10 seconds before it disappears from the recipient’s device. Although the limited lifetime was ostensibly intended to promote privacy by having certain communications deleted automatically, concerns about Snapchat’s services and data collection practices have been attracting attention for quite some time. As early as May 2013, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC alleging that Snapchat misrepresented the disappearing nature of data sent via its application. EPIC alleged that, contrary to Snapchat’s public claims that all snaps disappeared, snaps could be stored on a recipient’s device and remain accessible outside the application.

In December 2013, Gibson Security published details of vulnerabilities in Snapchat’s platform that could lead to a data breach, including a friend-lookup API that let a caller match phone numbers to usernames in bulk without effective rate limiting. The following month, a group calling itself “SnapchatDB” exploited the platform and downloaded the usernames and phone numbers of up to 4.6 million users. It then publicly posted a database of that user information for anyone to download, according to GovInfoSecurity and the Washington Post.

FTC Intervention

The FTC announced its complaint against Snapchat, along with a proposed settlement, on May 8, 2014. The complaint details six counts of alleged deceptive acts or practices in violation of Section 5 of the Federal Trade Commission Act. Each count alleges that Snapchat’s representations to its users about how its service works, the data it collects, and the security measures it uses to protect user information were deceptive. The FTC incorporated EPIC’s concerns about the indefinite availability of communications that were supposed to be deleted automatically after a short period. It also added new claims: although Snapchat represented that senders would be notified if a recipient took a screenshot of a snap, on certain devices and operating system versions a recipient could capture a screenshot without triggering that notification, so the promised control was not reliable. The FTC also alleged that Snapchat misrepresented precisely what user data it collected. For example, the FTC claimed that Snapchat transmitted geolocation information from Android users despite stating in its privacy policy that it did not track or access such information, and that it collected iOS users’ contacts from their address books without notice or consent.

On December 31, 2014, the FTC approved a final settlement that, consistent with other recent FTC settlements involving data security and privacy issues: (1) prohibits misrepresentations about Snapchat’s efforts to protect the privacy, security, or confidentiality of user information and (2) requires Snapchat to implement a comprehensive privacy program that will be assessed by an independent privacy professional for 20 years. The program must be in writing, the independent privacy professional’s biennial assessments must be delivered to the FTC’s enforcement division, and the FTC’s order, detailing all of its requirements, must be distributed within the company. The FTC Chairwoman commented: “If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keeps those promises… Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

Compliance Costs

Though the settlement does not include a fine, the incident will certainly affect Snapchat’s bottom line and serves as a warning to other companies. First, the settlement (like other recent settlements) imposes requirements that could be very costly to meet over a 20-year term. Second, a failure to comply with an FTC order can result in steep civil penalties, assessed per violation. Finally, companies should not underestimate the public relations damage resulting from an FTC enforcement action alleging inadequate security and privacy controls. Indeed, Snapchat has been repeatedly and openly criticized for allegedly employing inadequate security measures and ignoring warnings of security vulnerabilities. The practical lesson is that privacy and security claims made in marketing, privacy policies and in-app messaging must match what the product actually does: a “disappearing” message claim is only as good as the deletion behavior on the recipient’s device, and a client-side control such as screenshot notification cannot be described as a guarantee when the platform cannot enforce it. Companies should verify that their own privacy and security representations and controls are adequate and accurate, and should triage externally reported vulnerabilities promptly, to avoid similar enforcement actions.