FTC Settlement with Photo Storage App Provides Cautionary Tale About the Importance of Complying with Your Own Privacy Policy
It is privacy policy 101 to say what you do and do what you say. Valuable lessons can be learned about this best practice from the proposed settlement announced between the Federal Trade Commission (FTC) and California-based photo app developer Everalbum, Inc. regarding its Ever app, a photo storage and organization application.
According to the 2017 FTC complaint, Everalbum launched a "Friends" feature in the Ever app that used facial recognition technology and allowed users to "tag" people by name. The feature was enabled by default at the time of launch, and there was no opt-out option for users.
In May 2018, Everalbum started presenting Ever app users in Texas, Illinois, Washington, and the European Union with the option to disable the facial recognition feature. The feature was auto disabled only for residents of those jurisdictions. In May 2019, Everalbum updated the Ever app with the same option and default opt-out setting for all users.
The problem, according to the FTC complaint, was that the Everalbum Help section of its website stated: "When face recognition is turned on, you are letting us know that it's ok for us to use the face embeddings of the people in your photos and videos, including you, and that you have the approval of everyone featured in your photos and videos" (emphasis added by the FTC).
The FTC alleged this disclosure was false or misleading because users who were located outside of Texas, Illinois, Washington, and the E.U. did not have the option to turn off the feature for more than a year after the Help article was published.
The FTC also took issue with Everalbum's privacy policy, which represented to users who deleted their accounts or requested that their information no longer be used that "we will try to delete your information as soon as possible upon request." The FTC alleged that Everalbum did not delete the information and instead retained photos and videos indefinitely. The FTC acknowledged that the service began deleting photos and videos of deactivated accounts in October 2019.
In a press release, the FTC stated that "[a]s part of the proposed settlement, Everalbum, Inc. must obtain consumers' express consent before using facial recognition technology on their photos and videos. The proposed order also requires the company to delete models and algorithms it developed by using the photos and videos uploaded by its users."