On January 26, 2024, the United States Federal Trade Commission (FTC) and the Antitrust Division of the Department of Justice (DOJ) jointly issued new guidance making clear that common collaboration tools and ephemeral messaging applications must be preserved in the same manner as traditional forms of communication and electronically stored information (ESI). Companies should now be on notice that failure to preserve short-lived communications can prompt federal enforcement agencies to seek criminal liability and civil sanctions for spoliation.1
The use of collaboration tools and instant messaging platforms—such as Slack, Jabber, Google Chat and Microsoft Teams—has become commonplace in the post-COVID business-world. Given the unique utility of these messaging platforms—where employees can speak quickly and candidly—the value of these communications from an investigative and a litigation standpoint is irreplaceable. However, many of these platforms come with “ephemeral” messaging capabilities, in which messages are automatically deleted within a short period of time. In many cases, these messages are irretrievably destroyed, which can present significant regulatory and legal risks for parties involved in active investigations and/or litigation.
In response to the growing use of these ephemeral messaging platforms, the FTC and DOJ announced that they would be “updating language in their standard preservation letters and specifications for all second requests, voluntary access letters, and compulsory legal process, including grand jury subpoenas, to address the increased use of collaboration tools and ephemeral messaging platforms in the modern workplace.” The press release explained that the new updates would “reinforce longstanding obligations requiring companies to preserve materials during the pendency of government investigations and litigation.” These obligations, the FTC and DOJ explained, “apply to new methods of collaboration and information sharing tools, even including tools that allow for messages to disappear via ephemeral messaging capabilities.” The FTC and DOJ warned that a party’s “[f]ailure to produce such documents may result in obstruction of justice charges.”
This announcement comes less than a year after the DOJ issued a statement in March 2023 that it would be making significant changes to its Evaluation of Corporate Compliance Programs (ECCP), which would now take into consideration the “corporation’s approach to the use of personal devices as well as various communications platforms and messaging applications, including those offering ephemeral messaging” and how these communications are conveyed and enforced from a policy standpoint. The ECCP is a key resource used by the DOJ for evaluating a “corporation’s compliance program” and determining the appropriate level of punishment, if any. In the latest version (last updated on March 2023), the ECCP refers to “ephemeral messaging” as one of the Risk Management factors for prosecutors to consider—specifically, whether “the use of personal devices or messaging applications—including ephemeral messaging applications—impaired in any way the organization’s compliance program or its ability to conduct internal investigations or respond to requests from prosecutors or civil enforcement or regulatory agencies.”2
The risks of using ephemeral messaging have also become apparent in civil litigation. In March 2023, the Northern District of California sanctioned Google in a civil antitrust lawsuit, for its failure to preserve ephemeral messages.3 Google had assured the Court that it “had ‘taken appropriate steps to preserve all evidence’”;4 however, it was later discovered that messages were typically deleted after 24 hours. Even after the litigation began, Google did not suspend the auto-deletion feature for its messaging platform.5 Similar sanctions were also sought by the Antitrust Division in its landmark search engine monopolization case against Google, and its CEO was later examined at trial on his recommendation to turn off the preservation function for certain chats.6 In light of this, at the 2023 ABA Antitrust Section Spring Meeting, several senior enforcers at the FTC and DOJ expressed their concern regarding the harm that ephemeral messages and the use of auto-delete functions in communications software have had on their investigations, and the need for potential criminal liability to deter such conduct.
Key Takeaways
The FTC and DOJ have made it clear that they are focused on data from collaboration tools and instant messaging platforms and expect organizations to take the appropriate steps to ensure data preservation. The failure to do so can have significant repercussions — in the criminal context, potential obstruction charges, and in the civil context, potential discovery sanctions.
In light of this, organizations should take a proactive approach to minimize the potential for legal or regulatory risks based on the use of ephemeral messaging applications. Below are a few actions to consider:
- Data Retention Policies: Review and assess data retention policies and procedures to ensure compliance with the prevailing FTC and DOJ guidelines, and related state and federal law. Policies should also be implemented that specifically address the use of electronic messaging applications—including the use of ephemeral messaging and prohibition of certain applications for business purposes.
- Legal Hold Protocol: A clear and concise protocol should be established that identifies relevant repositories of ESI, including messaging platforms, and immediately disables any auto-deletion or “history off” functions associated with those programs.
- Messaging Applications and Usage: Identify what devices and/or applications are regularly used for business purposes, and whether any such communication applications include “ephemeral messaging” capabilities. Organizations should also consider limiting the use of ephemeral messaging to key stakeholders within the company or to particular uses (i.e., logistics). Depending on the perceived risk and/or need, organizations may also consider alternative messaging applications that preserve communications.
- Employee Training and Auditing: Employee trainings, presentations and monitoring protocols should be developed that further ensure compliance with company policies and preservation obligations. Periodic auditing should also be considered to ensure compliance with policies.
There is no singular approach to addressing the risks presented by using ephemeral messaging and organizations should implement policies and procedures that best align with their particular needs and perceived risks. Manatt’s team—which includes veteran litigators and former federal prosecutors and leaders within DOJ—is experienced in developing policies and procedures to ensure the preservation of relevant ESI and can assist in implementing the appropriate protocol needed for your organization.
1 See FTC v. Noland, No. 20-cv-00047-PHX-DWL, 2021 WL 3857413, at *1, 10-15 (D. Az. Aug. 30, 2021) (granting FTC’s motion for spoliation sanctions and finding defendants’ “systematic efforts to conceal and destroy evidence are deeply troubling” after use of Signal app’s “auto-delete” function).
2 The Office of Inspector General for the United States Department of Health and Human Services recently issued compliance guidance that addresses the importance of preserving relevant data and documents. See Department of Health and Human Services, Office of Inspector General, General Compliance Program Guidance, at 60-61(Nov. 2023), available here.
3In re Google Play Store Antitrust Litigation, 664 F.Supp.3d 981 (N.D. Cal. 2023).
4Id. at 992.
5Id. at 982.
6 United States v. Google LLC, 1:20-cv-03010-APM, ECF No. 586 (D.D.C. Apr. 27, 2023) (DOJ and State AG plaintiffs sought spoliation sanctions and “further information about custodians’ history-off chat practices”).