Those eight-second selfies are still floating around Snapchat, and the Federal Trade Commission has cracked down as part of its push for better mobile app privacy.

“The Snapchat settlement is part of the FTC’s ongoing campaign ‘to ensure that companies market their apps truthfully,’” writes data privacy and security attorney Katherine Gasztonyi for InsidePrivacy.

The popular app settled with the FTC on six counts of misrepresenting how the app actually worked from 2012 to 2013. Snapchat marketed itself as being able to send videos and photos to other users that disappeared after a few seconds. Instead of selfies floating off to a great data graveyard, the FTC found that recipients could save snaps in a smartphone’s file directory, take a screenshot, or save them via a third-party app – all without the sender knowing.

Gasztonyi explains that even though the FTC didn’t find Snapchat directly responsible for some of the privacy issues, they should have closed the loopholes that allowed them.

[FTC] Chairwoman [Edith] Ramirez … noted … that this count did not mean that the FTC was holding Snapchat liable for the actions of unrelated third parties, but that the FTC believes that a developer has an obligation to reform its privacy representations when it is on notice that third parties have widely marketed tools that undermine those representations.

Snapchat also settled over consumer complaints that they failed to verify phone numbers, which allowed snaps to be sent to complete strangers, and failed to secure their databases. Staying true to Snapchat’s cutesy style, they apologized on their blog.

While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community. This morning we entered into a consent decree with the FTC that addresses concerns raised by the commission. Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications. And we continue to invest heavily in security and countermeasures to prevent abuse.

That’s a pretty lighthearted way of getting around the fact that as part of the settlement the app will be monitored by privacy professionals for the next 20 years and may have to pay $16,000 for each of the six FTC complaints.

For privacy and security observers, the settlement comes as little surprise since the FTC has been getting tough on how mobile apps handle personal data and general data leaks. Last year, the FTC released mobile app privacy guidelines that required developers to have a privacy policy and explicitly notify users before asking for personal information or sensitive data, according to Jennifer Archie of the Global Privacy & Security Compliance Law Blog:

The most meaningful disclosures are those which are connected to a user’s primary activity, in real time, the Staff acknowledges. Policies should be available through links in readily available locations (pre- and post-download), but “just-in-time” disclosures, particularly for sensitive items such as location or collection of personal data from the phone (contacts, photos and the like), are an important complement. A disclosure is best made proximate in time and “place” to a user’s particular goal: whether it be making a purchase or uploading or viewing content or playing a game.

Also, an actual data breach isn’t needed to capture the FTC’s attention, as in the case of the Credit Karma and Fandango apps, which settled with the federal agency for not taking reasonable security steps. The FTC is taking public comments on mobile security, but it’s unlikely that it will loosen privacy restrictions any time soon.