Thoughts on the FTC’s SnapChat Settlement

This week I’m going to discuss the FTC privacy enforcement action that was announced yesterday against SnapChat.  It’s a cautionary tale for app developers who imply that their app has capabilities or safeguards that it does not actually have.  Just to be clear – the SnapChat action has nothing to do with the updated U.S. child privacy law we call COPPA2, the subject of many of my past blog posts. 

If you weren’t aware, on May 8, the FTC issued notice that SnapChat agreed to settle charges that they had deceptively promised to their users that the content sent using its app was “ephemeral” and would be deleted quickly when in fact there were several ways that a person receiving the data could capture the “snaps”. 

On the surface this sounds like a simple little issue – most people know you can take a screen shot of anything that’s on the iPhone screen at any time. But for the FTC it’s a big issue – SnapChat’s whole marketing effort was based on the promise that you could send someone a photo that would only be viewable for a few seconds.

When SnapChat was introduced, there were a number of stories published that pointed out this basic flaw. But despite that inconvenient truth, SnapChat was successful in getting users (>30 million MAU) and was even named “Best Mobile App” in the 2013 Tech Crunch “Crunchies” awards.

SnapChat was also successful in raising money – with a total of $123M invested by a squadron of top Silicon Valley VCs, with a reported valuation somewhere between $2 and $4 billion USD.  SnapChat was clearly on a great roll.

Then on Jan 1, 2014, the company experienced a massive breach of the private data of 4.6 million users, after being notified of the potential weakness 10 days before. Enter the FTC …

What’s to be learned here?

In the mobile app business, success can come rapidly in a way that is unlike any other business (think: Flappy Bird). The fact that nobody in the entire management team of the company or the VCs who funded it ever prioritized data privacy issues is the reason the company now faces the loss of trust from its users, a “black eye” in the press and 20-years of annual privacy audits. 

Apparently, SnapChat was able to negotiate big fines away in favor of the other punishments. But that doesn’t mean they are getting a “free pass”, as some have suggested. By admitting their transgressions under the consent decree, SnapChat could be open to individual or class action suits from aggrieved SnapChat users, possibly costing them far more in legal fees and judgments than a single FTC fine might.  

Although this case is not about COPPA2, I can think of many companies in the mobile game business who are riding a similar wave of massive success, but clearly have not taken any steps to protect the private data of children who play their games by complying with the Children’s Online Privacy Protection Act (COPPA).  As of this writing, COPPA2 has been in effect over 10 months. 

The SnapChat settlement proves that the FTC is willing to go after companies that play fast and loose with consumer privacy.  The FTC’s usual enforcement strategy is to pick a few high profile industry leaders who are in violation and “make an example of them” with bad press, annual privacy audits, and the possibility of big fines. That’s exactly what they have done with SnapChat.

Here’s my message to mobile game developers: The FTC is definitely going to enforce COPPA2. If you prefer that the press (and I) not be writing about your FTC woes a few months from now, take steps today to make your games COPPA2 compliant.

If you'd like to educate yourself on COPPA2, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions .  Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here:

http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl