Organizations of all sizes and involved in a wide range of activities now routinely make software applications ("apps"), social media and website services, and other digital media content available for use by their employees and customers. Your organization is likely already distributing or otherwise encouraging employees and customers to use these online materials and services. It is important to recognize that, in many contexts, your organization will be held responsible for breaches of information privacy and other negative effects that result from customer use of apps and other digital materials that your organizations provides.
Recently, the Federal Trade Commission (FTC) took action against the "Brightest Flashlight Free" app, one of the most popular available consumer apps. The app enables users of Android devices to use those devices as flashlights. It was distributed at no charge and was used by millions of consumers.
The FTC determined that the flashlight app collected and shared geographic location information associated with all users of the app. That information was shared with commercial advertising networks and other third parties. Collection and sharing of this information enabled advertisers to target and distribute ads more efficiently. The FTC concluded that consumers did not receive effective notice that the app was collecting and sharing their geo-location information. Absent such notice, consumers were unable to make informed decisions regarding use of the app and protection of their personal information.
The FTC held the distributor of the flashlight app legally responsible for the breach of consumer information privacy. The distributor of the app was held accountable even though it did not directly benefit from the location tracking.
The company that distributed the flashlight app did not create the app. It did not request that the location tracking capability be incorporated into the app, nor did it access any of the collected consumer information. The distributor was also apparently unaware that the information was being collected and shared with advertisers.
The FTC's action with respect to the flashlight app puts all organizations on notice that if they participate in the distribution of apps that in some way mislead consumers, they can be held legally accountable for the deceptive conduct. This legal responsibility for the consequences of apps use can be present even if the party involved did not knowingly participate in or benefit from the deception.
The flashlight app case underscores the need to manage the functional capabilities and uses of apps and other software-based products and services carefully. When your organization uses, distributes or promotes apps and other software-based services, it is essential that effective due diligence review of those software systems is conducted in advance.
Your organization must understand all of the capabilities of apps and other software that it distributes to customers or encourages customers to use, even when those software products are developed by other parties. In particular, organizations should identify all information which the software collects from consumers, all parties who will have access to that information, all uses for which the information will be applied, all security measures to be applied for protection of the information, and all notices and remedial actions to be taken in the event of information security breaches.
Each organization should make sure that it has all appropriate contracts and other enforceable legal arrangements in place to ensure that all commitments associated with the customer information will be satisfied. This effective management of apps and other software systems is particularly challenging in the current environment where software is routinely developed by outside parties and accessed on a shared, informal basis.
It is particularly important to understand functions and operations that are embedded in apps and other software. For example, many apps now routinely incorporate connections with advertising networks which ensure that information is collected from users of the apps and shared with multiple advertisers. Before distributing or recommending use of any apps, your organization must identify all parties, including advertising networks, who will have access to information collected from apps users.
Organizations must ensure that the information collection and sharing operations of apps they help to distribute comply with the organization's stated information privacy and security policies and practices. In order to ensure such compliance, each organization must have a thorough understanding of the operations, functions, and capabilities of all of the apps and other software systems it distributes.
Businesses have both legal and professional responsibilities to their customers. The FTC has indicated that it will hold organizations legally responsible when apps distributed by those organizations mislead consumers. It is also reasonable to assume that consumers expect businesses to use due care when distributing apps and other software. Businesses and other organizations that encourage their customers to use specific apps and other software products will be held responsible for all negative experiences resulting from that use by those consumers. Careful use of apps and other software is essential both to reduce the risk of legal liability and to effectively meet the evolving commercial expectations of customers.