The Federal Trade Commission is tasked with protecting consumers and competition, but it recently trekked into employment law with a decision that could reverberate across the employee-monitoring software industry. 

Last week the FTC heralded its action against Retina-x Studios as the agency's first case against developers of "stalking" apps, which track a phone user's physical and online activity unbeknownst to the user. Retina-x marketed its app as a tool for employers to monitor employees and for parents to track their children's online activity.

Along with implementing cybersecurity measures and other protocols, the FTC ordered Retina-x to obtain "an express written attestation" from every app purchaser confirming they will leverage Retina-x's app for "legitimate and lawful purposes," including employee monitoring. For some, it's an unusual consent requirement placed on a software developer.

"[It's] a strange requirement," said John Ella, an employment law and employee privacy shareholder at Trepanier MacGillis Battina. "You don't usually see the technology company required to get consent from the employee." 

While the order isn't a regulation, law or court decision, it does suggest liability exposure for software companies, Ella said. "There may be liability for app developers and software developers as to how their products are used. The FTC's hook is how is it marketed and they got them on that, in terms of saying all your data is secured."

Indeed, the FTC complaint accused the Florida-based company of violating the Children's Privacy Protection Rule and the Federal Trade Commission Act because of allegedly inadequate data storage security.

Still, while the order only applies to Retina-x, the potential for expanded liability exposure could lead to other companies requiring users to confirm they'll obtain employee consent before downloading their app.

"Depending on how much awareness there is of this consent order … [the companies that employers buy from] will likely say, 'Look, in order to sell this to you we will need to have your attestation you will have written consent from your employees before this is used,'" said Jackson Lewis privacy, data and cybersecurity practice group leader Joseph Lazzarotti. 

He added, "The FTC may just make a practice that becomes how you do business in the marketplace. It will be harder to find products that don't have those best practices embedded in them."

However, Lazzarotti noted the FTC's order is unclear about the repercussions if an employer agrees to obtain worker consent but installs the software without employee authorization. Such guidance would likely come from the U.S. Department of Labor, he added.

To be sure, while the FTC brought its first "stalking apps" case, the agency noted that obtaining written consent is a best practice standard companies should always meet, Ella said. 

"It reiterates the fact that written consent is the only way for an employer to show there wasn't an expectation of privacy and that the employee knew, and it doesn't create a new standard, but reinforces consent."