132 3078
UNITED STATES OF AMERICA
FEDERAL TRADE COMMISSION
COMMISSIONERS: Edith Ramirez, Chairwoman
Julie Brill
Maureen K. Ohlhausen
Joshua D. Wright
Terrell McSweeny
In the Matter of
Snapchat, Inc.
DOCKET No. C-4501
DECISION AND ORDER
The Federal Trade Commission (“Commission” or “FTC”), having initiated an
investigation of certain acts and practices of the respondent named in the caption hereof, and the
respondent having been furnished thereafter with a copy of a draft complaint that the Bureau of
Consumer Protection proposed to present to the Commission for its consideration and which, if
issued by the Commission, would charge respondent with violations of the Federal Trade
Commission Act (“FTC Act”), 15 U.S.C. § 45 et seq.;
The respondent, its attorney, and counsel for the Commission having thereafter executed
an Agreement Containing Consent Order (“Consent Agreement”), which includes: a statement
by respondent that it neither admits nor denies any of the allegations in the draft complaint,
except as specifically stated in the Consent Agreement, and, only for purposes of this action,
admits the facts necessary to establish jurisdiction; and waivers and other provisions as required
by the Commission’s Rules; and
The Commission having thereafter considered the matter and having determined that it
had reason to believe that the respondent has violated the FTC Act, and that a complaint should
issue stating its charges in that respect, and having thereupon accepted the executed consent
agreement and placed such agreement on the public record for a period of thirty (30) days for the
receipt and consideration of public comments, now in further conformity with the procedure
prescribed in Commission Rule 2.34, 16 C.F.R. § 2.34, the Commission hereby issues its
complaint, makes the following jurisdictional findings, and enters the following Order:
1. Respondent Snapchat, Inc. (“Snapchat”), the successor corporation to Toyopa Group
LLC, is a Delaware corporation with its principal office or place of business at 63 Market
Street, Venice, California 90291.
2. The Federal Trade Commission has jurisdiction of the subject matter of this proceeding
and of the respondent, and the proceeding is in the public interest.
ORDER
DEFINITIONS
For purposes of this order, the following definitions shall apply:
1. Unless otherwise specified, “respondent” shall mean Snapchat, Inc. and its successors
and assigns.
2. “Commerce” shall mean as defined in Section 4 of the Federal Trade Commission Act,
15 U.S.C. § 44.
3. “Covered information” shall mean information from or about an individual consumer,
including but not limited to (a) a first and last name; (b) a home or other physical address,
including street name and name of city or town; (c) an email address or other online
contact information, such as an instant messaging user identifier or a screen name; (d) a
telephone number; (e) a persistent identifier, such as a customer number held in a
“cookie,” a static Internet Protocol (“IP”) address, a mobile device ID, or processor serial
number; (f) precise geo-location data of an individual or mobile device, including
GPS-based, Wi-Fi-based, or cell-based location information; (g) an authentication credential,
such as a username or password; or (h) any communications or content that is transmitted
or stored through respondent’s products or services.
4. “Computer” shall mean any desktop, laptop computer, tablet, handheld device, telephone,
or other electronic product or device that has a platform on which to download, install, or
run any software program, code, script, or other content and to play any digital audio,
visual, or audiovisual content.
I.
IT IS ORDERED that respondent and its officers, agents, representatives, and
employees, directly or indirectly, shall not misrepresent in any manner, expressly or by
implication, in or affecting commerce, the extent to which respondent or its products or services
maintain and protect the privacy, security, or confidentiality of any covered information,
including but not limited to: (1) the extent to which a message is deleted after being viewed by
the recipient; (2) the extent to which respondent or its products or services are capable of
detecting or notifying the sender when a recipient has captured a screenshot of, or otherwise
saved, a message; (3) the categories of covered information collected; or (4) the steps taken to
protect against misuse or unauthorized disclosure of covered information.
II.
IT IS FURTHER ORDERED that respondent, in or affecting commerce, shall, no later
than the date of service of this order, establish and implement, and thereafter maintain, a
comprehensive privacy program that is reasonably designed to: (1) address privacy risks related
to the development and management of new and existing products and services for consumers,
and (2) protect the privacy and confidentiality of covered information, whether collected by
respondent or input into, stored on, captured with, or accessed through a computer using
respondent’s products or services. Such program, the content and implementation of which must
be fully documented in writing, shall contain privacy controls and procedures appropriate to
respondent’s size and complexity, the nature and scope of respondent’s activities, and the
sensitivity of the covered information, including:
A. the designation of an employee or employees to coordinate and be
accountable for the privacy program;
B. the identification of reasonably foreseeable, material risks, both internal and
external, that could result in the respondent’s unauthorized collection, use, or
disclosure of covered information, and assessment of the sufficiency of any
safeguards in place to control these risks. At a minimum, this privacy risk
assessment should include consideration of risks in each area of relevant
operation, including, but not limited to: (1) employee training and
management, including training on the requirements of this order; and (2)
product design, development and research;
C. the design and implementation of reasonable privacy controls and procedures
to address the risks identified through the privacy risk assessment, and regular
testing or monitoring of the effectiveness of the privacy controls and
procedures;
D. the development and use of reasonable steps to select and retain service
providers capable of maintaining security practices consistent with this order,
and requiring service providers by contract to implement and maintain
appropriate safeguards;
E. the evaluation and adjustment of respondent’s privacy program in light of the
results of the testing and monitoring required by subpart C, any material
changes to respondent’s operations or business arrangements, or any other
circumstances that respondent knows, or has reason to know, may have a
material impact on the effectiveness of its privacy program.
III.
IT IS FURTHER ORDERED that, in connection with its compliance with Part II of this
order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from
a qualified, objective, independent third-party professional, who uses procedures and standards
generally accepted in the profession. A person qualified to prepare such Assessments shall have
a minimum of three (3) years of experience in the field of privacy and data protection. All
persons selected to conduct such assessments and prepare such reports shall be approved by the
Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade
Commission, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The reporting period
for the Assessments shall cover: (1) the first one hundred eighty (180) days after service of the
order for the initial Assessment; and (2) each two (2) year period thereafter for twenty (20) years
after service of the order for the biennial Assessments. Each Assessment shall:
A. set forth the specific privacy controls that respondent has implemented and
maintained during the reporting period;
B. explain how such privacy controls are appropriate to respondent’s size and
complexity, the nature and scope of respondent’s activities, and the sensitivity
of the covered information;
C. explain how the safeguards that have been implemented meet or exceed the
protections required by Part II of this order; and
D. certify that the privacy controls are operating with sufficient effectiveness to
provide reasonable assurance to protect the privacy of covered information
and that the controls have so operated throughout the reporting period.
Each Assessment shall be prepared and completed within sixty (60) days after the end of the
reporting period to which the Assessment applies. Respondent shall provide the initial
Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal
Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been
prepared. All subsequent biennial Assessments shall be retained by respondent until the order is
terminated and provided to the Associate Director of Enforcement within ten (10) days of
request. Unless otherwise directed by a representative of the Commission, the initial
Assessment, and any subsequent Assessments requested, shall be emailed to DEbrief@ftc.gov or
sent by overnight courier (not the U.S. Postal Service) to: Associate Director for Enforcement,
Bureau of Consumer Protection, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580 with the subject line In the Matter of Snapchat, Inc., FTC File No.
1323078.
IV.
IT IS FURTHER ORDERED that respondent shall maintain and upon request
make available to the Federal Trade Commission for inspection and copying, unless respondent
asserts a valid legal privilege, a print or electronic copy of:
A. for a period of five (5) years from the date of preparation or dissemination, whichever
is later, statements disseminated to consumers that describe the extent to which
respondent maintains and protects the privacy, security and confidentiality of any
covered information, including, but not limited to, any statement related to a change
in any website or service controlled by respondent that relates to the privacy, security,
and confidentiality of covered information, with all materials relied upon in making
or disseminating such statements;
B. for a period of five (5) years from the date received, all consumer complaints directed
at respondent, or forwarded to respondent by a third party, that relate to the conduct
prohibited by this order and any responses to such complaints;
C. for a period of five (5) years from the date received, any documents, whether
prepared by or on behalf of respondent that contradict, qualify, or call into question
respondent’s compliance with this order; and
D. for a period of five (5) years after the date of preparation of each Assessment required
under Part III of this order, all materials relied upon to prepare the Assessment,
whether prepared by or on behalf of respondent including but not limited to all plans,
reports, studies, reviews, audits, audit trails, policies, training materials, and
assessments, for the compliance period covered by such Assessment.
V.
IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all
current and future subsidiaries, current and future principals, officers, directors, and managers,
and to all current and future employees, agents, and representatives having responsibilities
relating to the subject matter of this order. Respondent shall deliver this order to such current
subsidiaries and personnel within thirty (30) days after service of this order, and to such future
subsidiaries and personnel within thirty (30) days after the person assumes such position or
responsibilities. For any business entity resulting from any change in structure set forth in Part
VI, delivery shall be at least ten (10) days prior to the change in structure. Respondent must
secure a signed and dated statement acknowledging receipt of this order, within thirty (30) days
of delivery, from all persons receiving a copy of the order pursuant to this section.
VI.
IT IS FURTHER ORDERED that respondent shall notify the Commission at least
thirty (30) days prior to any change in the corporation(s) that may affect compliance obligations
arising under this order, including, but not limited to: a dissolution, assignment, sale, merger, or
other action that would result in the emergence of a successor corporation; the creation or
dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this
order; the proposed filing of a bankruptcy petition; or a change in the corporate name or address.
Provided, however, that, with respect to any proposed change in the corporation(s) about which
respondent learns fewer than thirty (30) days prior to the date such action is to take place,
respondent shall notify the Commission as soon as is practicable after obtaining such knowledge.
Unless otherwise directed by a representative of the Commission, all notices required by this Part
shall be emailed to DEbrief@ftc.gov or sent by overnight courier (not the U.S. Postal Service)
to: Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade
Commission, 600 Pennsylvania Avenue NW, Washington, DC 20580 with the subject line In
the Matter of Snapchat, Inc., FTC File No. 1323078.
VII.
IT IS FURTHER ORDERED that respondent within ninety (90) days after the date of
service of this order, shall file with the Commission a true and accurate report, in writing, setting
forth in detail the manner and form of its compliance with this order. Within ten (10) days of
receipt of written notice from a representative of the Commission, it shall submit an additional
true and accurate written report.
VIII.
This order will terminate on December 23, 2034, or twenty (20) years from the most
recent date that the United States or the Commission files a complaint (with or without an
accompanying consent decree) in federal court alleging any violation of the order, whichever
comes later; provided, however, that the filing of such a complaint will not affect the duration of:
A. any Part in this order that terminates in fewer than twenty (20) years;
B. this order’s application to any respondent that is not named as a defendant in such
complaint; and
C. this order if such complaint is filed after the order has terminated pursuant to this
Part.
Provided, further, that if such complaint is dismissed or a federal court rules that respondent did
not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld
on appeal, then the order as to such respondent will terminate according to this Part as though the
complaint had never been filed, except that the order will not terminate between the date such
complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date
such dismissal or ruling is upheld on appeal.
By the Commission.
Janice Podoll Frankle
Acting Secretary
SEAL
ISSUED: December 23, 2014