The FTC’s Myspace Consent Order May Impact Use by Mobile App Developers of Unique IDs

On May 8th, the FTC released its proposed consent order in its investigation of Myspace.com, finding the social networking site misled users as to how it shared personal information with unaffiliated advertisers. Myspace promised users through its privacy policy that (1) it would not share personal information, such as name or email address, with unaffiliated advertisers without user consent, (2) its ad customization method did not give advertisers access to personal information or individually identify users, (3) the web browsing activity information it did share with advertisers was anonymized, and (4) it complied with the U.S.-EU Safe Harbor Framework.

Each Myspace user is assigned a unique and persistent numerical identifier, known as a “Friend ID,” which is closely tied to user accounts and associated personal information such as names and email addresses. In two periods between 2009 and 2011, Myspace shared Friend IDs with unaffiliated advertisers, allowing trivial identification of individual users’ names and web pages for users associated with those Friend IDs.

The FTC alleged that the sharing of Friend IDs misled users in violation of § 5(a) of the FTC Act. In the resulting consent order, Myspace agreed to the following:

  • a prohibition on future misrepresentations,
  • the establishment of a comprehensive privacy program,
  • independent assessments of its privacy programs for 20 years, and
  • reporting and compliance provisions.

While directed at Myspace, the FTC’s consent order should put mobile app developers and advertising networks on notice as they develop advertising programs that leverage unique user identifiers. Due primarily to privacy concerns, Apple recently began phasing out the use of unique UDIDs that allowed developers to individually identify a phone and track usage and user behavior for advertising purposes.

This change threatens advertising-supported apps because targeted ads are more valuable to advertisers and therefore generate more revenue for developers. App developers and advertising networks are attempting to develop a replacement identifier to persistently track users across applications, but as of yet no method has proven as reliable and consistent as the UDID.

The FTC’s consent order sends a clear message – indirectly disclosing personal information through unique identifiers is no different than disclosing personal information itself. For advertisers and app developers experimenting with developing UDID-replacement identifiers to track users, the Myspace consent order serves as a warning to pay close attention to information disclosed directly and indirectly and whether it matches privacy policy promises.

Todd Daubert

About Todd Daubert

Todd Daubert is a partner in Dentons' Washington, DC, office and chair of the Firm's Communications and Technology sectors. Todd has nearly two decades of experience advising companies that develop, integrate and deploy new technologies in transactional, regulatory, litigation and appellate matters. Leveraging a background in engineering, Todd crafts innovative solutions that help clients, from startups to global players, achieve their strategic objectives and minimize their risks, resulting in improved business results and profitability.

Full bio