Disappearing Messages Are Here to Stay: U.S. FTC and DOJ Announce New Guidance on Obligations to Preserve Ephemeral Messages

On January 26, 2024, the U.S. Federal Trade Commission (FTC) and Antitrust Division of the Department of Justice (DOJ) announced new guidance about parties’ obligations to preserve material generated using ephemeral messaging platforms (i.e., where messages automatically disappear or delete after a set time) and other collaborative platforms, such as Slack, Teams, and Signal, during investigations and litigation. According to parallel press releases, the two agencies are “updating language in their standard preservation letters and specifications for all second requests, voluntary access letters, and compulsory legal process, including grand jury subpoenas, to address the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace.” While this change is currently limited to antitrust matters, it is another indicator of the seriousness with which enforcement authorities are taking preservation of communications from messaging applications and other collaborative tools.

The press releases explain that the language updates will “reinforce longstanding obligations requiring companies to preserve materials during the pendency of government investigations and litigation,” and “[f]ailure to produce such documents may result in obstruction of justice charges.” Charges for obstruction of justice for failing to preserve ephemeral messaging data would be consistent with prior cases brought by DOJ for preservation failures, which in at least one instance resulted in hundreds of thousands of dollars in fines and five months of prison time for individuals involved.

The updated guidance is the latest development in a trend of growing scrutiny and expectations for how companies collect and store communications data. In September 2022, the SEC announced $1.1 billion in penalties against 15 financial institutions for their failure to preserve “off-channel communications” in violation of the recordkeeping provisions of the Securities Exchange Act. A few months later, in March 2023, DOJ updated its Evaluation of Corporate Compliance Programs guidelines to, among other things, provide details regarding companies’ obligations to preserve ephemeral messaging data. These and other instances of action by U.S. and global regulators on ephemeral message preservation requirements are detailed in this April 2023 Sidley Update.

Also in March 2023, a federal judge in California sanctioned Google for failing to preserve chats despite representing to the court that it had taken “all appropriate steps” to preserve data that was potentially relevant to the litigation. Importantly, the Google sanctions arose in private litigation, not in the context of any government inquiry, thus representing additional potential risk of preservation failures related to ephemeral messages.

The FTC also released a revised model second request, which defines “Messaging Application” to include “platforms, whether for ephemeral or non-ephemeral messaging, for email, chats, instant messages, text messages, and other methods of group and individual communication (e.g., Teams, Slack).” DOJ has not released a similar preview of the precise language it intends to use or an indication of whether the language will mirror the FTC’s model second request. Regardless of the exact language, however, it is clear that these and other regulators are increasingly focused on ensuring that relevant data generated on collaborative and messaging platforms is preserved for potential collection in connection with future investigations and enforcement actions. In the meantime, organizations across industries should proactively and regularly evaluate their communications and data retention policies and compliance monitoring practices to mitigate future liability that could arise should the organization or any of its employees become subject to inquiries by DOJ, FTC, or another regulator, including by potentially retaining outside counsel to assist with

• assessing the organization’s communications risk profile, including but not limited to consideration of the nature and volume of data the organization generates using ephemeral messaging and other collaborative platforms, the baseline risk of regulatory enforcement activity, and the jurisdictions in which the organization and its employees operate
• developing and implementing holistic compliance program measures that are tailored to the organization’s specific needs, including communications and mobile device policies, employee trainings, preservation procedures, routine monitoring protocols, and escalation and disciplinary frameworks, to ensure compliance with ephemeral messaging and collaborative platform use policies
• evaluating whether to mandate use of corporate-issued mobile devices for business purposes rather than enabling bring-your-own-device programs in order to reduce the risk of off-channel communications and technologically limit the approved applications and platforms, including those for ephemeral messaging and collaboration, that employees can utilize for business communications
• evaluating and updating compliance and data retention policies to ensure that the organization is meeting its record preservation obligations both in the U.S. and in any other applicable jurisdictions while complying with applicable data privacy laws in each jurisdiction

As the legal and technology landscapes both continue to develop in this area, addressing related risks will be an important but potentially daunting task. We invite you to contact us with any questions you may have as you begin the process to evaluate your organization’s communication practices.