Article by Justine Gottshall
If there really was any remaining debate over whether the Children’s Online Privacy Protection Act (“COPPA”) applies in the mobile world, this should put it to rest.
W3 Innovations, LLC, doing business as Broken Thumbs Apps, along with the company president and owner Justin Maples, has paid $50,000 to settle an FTC complaint that certain mobile applications collected information from children without first obtaining parental consent.
The FTC alleged that the company’s apps (which include Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion), were directed to children and that the applications therefore violated COPPA and the FTC’s COPPA Rule by collecting and disclosing personal information from children without their parents’ prior consent.
COPPA defines a child as someone younger than age 13 (e.g., 12 and younger).
This is the FTC’s first COPPA action involving mobile applications and in bringing it, the FTC is making clear that it expects companies to strictly follow COPPA in the mobile world just as they must for web sites.
The FTC complaint in fact specifically states that the “apps send and/or receive information over the Internet, and thus are online services directed to children pursuant to COPPA.”
It is also notable that the FTC held both the company and its president responsible and that the company involved is small.
The clear message: everyone must strictly comply with COPPA and the FTC will continue to aggressively enforce COPPA’s requirement (in most cases) for prior parental notice and consent before collecting personal information from children.
Here, the FTC alleges that the apps were specifically directed to children. Apparently W3 Innovations has offered for download numerous apps through Apple’s App store since 2009, which were available for the iPhone and the iPod touch.
In addition to the general content of the apps, the FTC noted that the games were listed in the "Games-Kids" section of Apple’s App Store.
The apps collected email addresses from tens of thousands of users and also allowed users to publicly post information on message boards.
The FTC complaint is based on the failure of the defendants to:
- (1) maintain or link to an online notice of their privacy practices,
- (2) provide direct notice to parents of those privacy practices, and
- (3) obtain verifiable consent from parents prior to collecting, using or disclosing children’s personal information.
In addition to imposing the $50,000 penalty, the settlement will bar the defendants from future violations of the COPPA Rule and require them to delete all personal information collected in violation of the Rule.
Thus, at a minimum, all companies that are in the mobile space and offer products or services directed at children (or where information is knowingly collected from children) should ensure they are providing the required disclosures -- which may present unique challenges for a mobile offering -- and obtaining parental consent as necessary.
Stay tuned: The FTC is currently reviewing its COPPA Rule and the most interesting could be yet to come.
COPPA applies to all online activities, including web sites and mobile applications. And, all companies, regardless of size, should make sure they are fully COPPA complaint.
Cross-posted from InfoLawGroup
Help Support Infosec Island by Tweeting and Stumbling our Articles - and join our LinkedIn Group HERE - Thanks!