Snapchat is getting a slap on the wrist from the Federal Trade Commission for allegedly deceptive marketing and a security breach earlier this year that compromised the data of 4.6 million of its users. The startup, which in the past has said that the photo messages people send on its service “disappear forever,” agreed to settle with the FTC over allegations that its app didn’t perform as advertised.
According to the FTC complaint, videos sent through Snapchat were easily accessible by the recipient by plugging a phone into a computer, even though such videos are supposed to disappear in seconds. The complaint also alleges that some iPhone users could take a screenshot of a photo they had received without alerting the sender that the screencap was taken. Snapchat also tracked geolocation information of Android users, a violation of its own privacy policy, according to the complaint.
More serious was the way Snapchat handled users’ phone numbers. According to the FTC, Snapchat accessed the names and phone numbers of its users’ friends without telling them on Apple devices until iOS 6 was introduced. Security lapses in Snapchat’s “Find Friends” feature led to people inadvertently sending snaps to strangers using numbers that didn’t belong to them. “Find Friends” security flaws also allowed attackers to compile a database of 4.6 million users’ names and phone numbers and post it online in January.
Snapchat, which has not formally admitted any wrongdoing, will be subject to a number of privacy requirements over the next 20 years. The company will have to be more transparent in explaining to users how their messages can be accessed, and it must launch a wide-ranging privacy program to ensure users’ data is protected. Snapchat will be subject to privacy reviews every two years to assess its compliance with the FTC’s rules. Violation of the agreement could result in fines of up to $16,000 per transgression.
In a blog post, Snapchat said that most of the issues the FTC has brought to light have already been addressed. “While we were focused on building, some things didn’t get the attention they could have,” the company wrote. “One of those was being more precise with how we communicated with the Snapchat community. Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications.”
Today, Snapchat’s privacy policy is pretty clear about just how “ephemeral” the service is: “There may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted. You should not use Snapchat to send messages if you want to be certain that the recipient cannot keep a copy.”
Getting dinged by the FTC has become something of a rite of passage for social startups. Twitter and Facebook are currently serving similar 20-year sentences under the government agency’s watchful eye.
More Must-Reads from TIME
- Why Trump’s Message Worked on Latino Men
- What Trump’s Win Could Mean for Housing
- The 100 Must-Read Books of 2024
- Sleep Doctors Share the 1 Tip That’s Changed Their Lives
- Column: Let’s Bring Back Romance
- What It’s Like to Have Long COVID As a Kid
- FX’s Say Nothing Is the Must-Watch Political Thriller of 2024
- Merle Bombardieri Is Helping People Make the Baby Decision
Contact us at letters@time.com