FTC Approves Final Order Requiring Snapchat to Implement a Stronger Privacy Policy

The Federal Trade Commission (FTC) recently approved a final order settling charges against Snapchat, Inc. (Snapchat), the developer of a mobile application that allows users to exchange impermanent photographs, referred to by Snapchat as “snaps” (the “FTC order”).

When Snapchat was launched in May 2012, users were sending approximately twenty-five snap images per second.  By November 2013, that figure surged to nearly four hundred million snaps per day, and continues to grow.  Many attribute Snapchat’s immense popularity to the intuitive user interface, the scarcity effect tied to the vanishing snaps, and Snapchat’s promise that images and video sent through the application would be irretrievably destroyed and not digitally archived after viewing.

In May 2013, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC alleging that Snapchat deceptively mislead consumers to believe that snaps would be destroyed within seconds of viewing when, in fact, they are stored on users’ phones in a relatively accessible form and can be easily captured by way of “screen-shotting” the image.  EPIC further claimed that Snapchat failed to establish and enforce security measures to protect user data.

The FTC order settles EPIC’s allegations and forbids Snapchat from misrepresenting (1) the extent to which a snap is deleted after being viewed; (2) the extent to which Snapchat is capable of detecting or notifying senders when a recipient has saved a snap; and (3) the steps taken by Snapchat to protect against misuse of user information.

The final order also directs Snapchat to implement a privacy program that will be monitored for the next twenty years.  Additionally, Snapchat agreed to revise its privacy policy to address privacy risks and to protect the confidentiality of information about its users, including names, addresses, online contact information, telephone numbers, IP addresses, geo-location, usernames, and passwords.  The revised Snapchat privacy policy now provides that Snapchat “can’t guarantee that messages will be deleted within a specific timeframe” and that, even after a snap is deleted from Snapchat’s server, it “may remain in backup for a limited period of time.”  Snapchat also now warns that, “there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted.”

The final order furthers the FTC’s recent efforts to ensure that companies in the post smart phone era describe mobile applications truthfully and uphold privacy promises to end users.  The approval of the final order could well inspire other applications like Slingshot (Facebook’s answer to Snapchat), and Whisper and Secret (applications that allow users to make anonymous confessions) that promise anonymity and privacy to reassess the way in which current privacy policies are drafted and enforced.

Image courtesy of Wikimedia Commons