The privacy statement: do I really need to tell my users everything?!

In May 2014, Snapchat got a warning from the Federal Trade Commission (FTC) for not being transparent enough towards its users.

Snapchat is an app that enables users to send photo or video messages to each other that will only be shown for a maximum of 10 seconds. Apparently, these messages did not really disappear. For instance, it was possible to recover the messages with certain tools. The FTC also discovered that Snapchat was collecting a lot more personal data than stated in their privacy policy. On top of that, Snapchat was not honest about the security measures they were taking.

The FTC came to a settlement with Snapchat. From now on, Snapchat needs to be transparent towards its users. They must also implement an extensive privacy program. This privacy program will be inspected annually by the supervisory authority for the next 20 years.

So what are the do’s and don’ts regarding collecting personal data?

For instance, you are not allowed to collect location data of your users without notifying them in advance.

So, as a controller of the data, you have the obligation to notify the people you collect data from. This duty will become even stricter once the European Data Protection Regulation is implemented.

What should be stated in a privacy policy? In short, it needs to explain what personal data is being collected and what for. The (current version of the) European Data Protection Regulation summarises what information the controller should give to the ones directly involved (the users):

  • The identity and contact details of the controller (name, address of the company and the privacy officer);
  • The purpose(s) of the data processing (for instance: “we collect your data in order to process your order and to be able to send the products to you”) and the security measures taken;
  • The period of time the personal data will be saved for;
  • The rights of the users: they have the right of inspection and correction of their data, but also the right to have data removed or the right to file a complaint at the supervisory authority;
  • Information about the recipients of the data (all third parties);
  • In case of profiling, this needs to be reported as well.

Snapchat actually got away with it this time, since they did not receive a fine. All companies offering their services within the EU will risk a fine as soon as the European Data Protection Regulation is in force. This fine can be up to € 100.000.000,-, or 5% of the annual turnover.
