On May 10, the Federal Trade Commission (FTC) announced it had approved an order with General Workings, Inc., d/b/a “Vulcun,” settling charges that the company violated the Federal Trade Commission Act (FTC Act) when it replaced a popular web browser extension game with a program that force-installed apps on users’ devices without permission. While Vulcun’s actions may be an extreme case, the FTC’s settlement serves as a reminder to all technology developers to seek user consent before installing additional programs or altering access permissions on consumers’ devices.
The Commission specifically alleged that Vulcun engaged in unfair practices after it acquired the browser extension game Running Fred and, without notifying or obtaining consent from users, replaced it with Vulcun’s own browser extension, Weekly Android Apps. According to the FTC, Vulcun’s replacement extension “significantly disrupted” the functionality of users’ computers and mobile devices by repeatedly force-installing additional apps on Android devices without permission, approving default Android permissions associated with the force-installed apps without users’ knowledge, and opening additional windows and tabs on users’ computers.
Perhaps most importantly, the FTC also cited the possibility that the access permissions of the force-installed apps could have allowed Vulcun access to users’ private, sensitive information on affected mobile devices – such as contact information, photos, location, and persistent device identifiers – as grounds for its unfair practice charge against the company.
The 20-year consent order will require Vulcun to, among other things: inform consumers about any material changes to its products or services, what information will be accessed, and how it will be used; obtain users’ “express affirmative consent” before installing or materially changing its products or services; display built-in permissions notices; and delete all consumer information previously obtained.
Privacy regulators like the FTC often advise companies to say what they mean and mean what they say to consumers when it comes to their data collection and privacy practices. This includes being upfront about what information they collect from consumers, how much access an installed program or app will have on users’ devices, and the general functionality of their products. Indeed, app developers have gotten into hot water with the FTC in the past for not notifying users about their data collection and disclosure practices, failing to abide by stated privacy policies, and misrepresenting their data retention and geolocation tracking practices.
App developers should:
- Obtain consent before installing programs or altering content on a user’s device. Installing products onto a device or radically altering the content and function of an already-installed program without the consumer’s consent may be seen as an unfair practice by the FTC.
- Fully disclose device access and data collection practices and get user consent. Other app developers have been taken to task by the FTC for failing to fully inform consumers about what information they will collect and disclose to third parties. For instance, in the case of Goldenshores Technologies, the FTC alleged the company collected users’ information at installation of its app before users had the chance to consent, and misled consumers about the app’s geolocation tracking and third-party disclosures.
- Review your advertisements carefully. The Commission also alleged that Vulcun engaged in deceptive practices by advertising and promoting that Weekly Android Apps had been installed by over 200,000 users and received high ratings from over 2,300 reviewers – statistics that applied to Running Fred and not Vulcun’s replacement product.
- Be aware: M&As and bankruptcies don’t nullify prior privacy promises. Privacy regulators have made clear that meaning what you say to customers about privacy doesn’t end when someone else purchases your business. In Facebook’s acquisition of WhatsApp, for instance, the FTC advised both companies that Facebook had to honor the more stringent privacy protections that WhatsApp had made to its users before the companies announced their merger, and either obtain user consent or allow users to stop using WhatsApp’s service before changing WhatsApp’s data collection and use policies.
Similarly, in RadioShack’s bankruptcy proceedings, both the FTC and several state attorneys general expressed concern over the proposed sale of customer information, noting that RadioShack had made extensive privacy promises to protect and refrain from selling customer information. The FTC advised the supervising federal bankruptcy court to impose specific conditions on the sale to protect customers’ data.
Consequently, a buyer acquiring another business or its assets should expect to abide by the prior privacy promises the acquired company made to its consumers, and seek affirmative consent before using those consumers’ data in materially different ways.