FTC: Mobile Apps Not Exempt From Children's Privacy Regs
"App publishers that disregard COPPA, regardless of the communication methodology, do so at their own risk, and W3 makes it clear -- though it should have already been so -- that apps that interact with the World Wide Web or use Internet Protocol are without question covered," said Alan Friel, a partner with Wildman, Harrold, Allen & Dixon.
Sep 16, 2011 5:00 AM PT
Federal regulations designed to protect children's privacy cover the burgeoning mobile apps business as well as other online vehicles accessible through laptops or desktops. In fact, providers of mobile apps need to pay attention to the privacy impact not only of services offered specifically to children, but also those targeting the broader community that are nevertheless accessible to children.
In an enforcement case it revealed on Aug. 12, the Federal Trade Commission asserted that the Children's Online Privacy Protection Act (COPPA) covers mobile app offerings.
The enforcement action involved a complaint against a publisher of electronic games. The FTC alleged that W3 Innovations, through its Broken Thumbs Apps unit, developed and distributed mobile apps for the iPhone and iPod touch that allowed users to play games and share information online.
Several of the apps were directed to children and were listed in the Games-Kids section of Apple's App Store. There were more than 50,000 downloads of those apps, the FTC said. They allowed children to play classic games, such as "Cootie Catcher" and "Truth or Dare," and to create virtual models and design outfits.
In the W3 Innovations case, the apps developed by the company encouraged children to email their comments and submit blogs to a company-generated site via email, such as "shout-outs" to friends and requests for advice.
The publisher collected and maintained more than 30,000 email addresses, the FTC alleged.
In addition, the defendants allowed children to publicly post comments, including personal information, on message boards, according to the agency.
Impact Goes Beyond Kids' Apps
Because the company's interactive apps send and receive information via the Internet, they are online services covered by COPPA, the FTC said.
"The FTC's COPPA rule requires parental notice and consent before collecting children's personal information online, whether through a website or a mobile app," said agency chairman Jon Leibowitz.
"Companies must give parents the opportunity to make smart choices when it comes to their children's sharing of information on smartphones," said Leibowitz.
"W3 is the first FTC case directly applying COPPA to mobile apps," Alan Friel, a partner with Wildman, Harrold, Allen & Dixon, told TechNewsWorld.
"That said, app publishers that disregard COPPA, regardless of the communication methodology, do so at their own risk, and W3 makes it clear -- though it should have already been so -- that apps that interact with the World Wide Web or use Internet Protocol are without question covered," Friel said.
"The W3 case was focused on information about children and is generally applicable to all mobile app providers insofar as they collect information about children," Mark MacCarthy, vice president of public policy at the Software and Information Industry Association, told TechNewsWorld.
"W3 is important not just for kids' app publishers," noted Friel. "Websites that target adults, not children, have ended up paying seven-figure settlements for violating COPPA where they knowingly collected personal information from children under 13 without verified parental consent."
A common mistake occurs when age is collected at registration but those indicating they are under 13 are still allowed to register.
"All app publishers, particularly those that allow users to create profiles, need to take heed of W3," said Friel.
Congress Aware of Issue
The W3 case caught the attention of key lawmakers.
"Mobile apps can be great tools for kids to learn and have fun, but parents should never have to worry that their child's personal information is being collected or violated," said Sen. Amy Klobuchar, D-Minn.
"As the House author of COPPA," said Rep. Edward Markey, D-Mass., "I am pleased that the FTC pursued and brought charges against a mobile applications developer that was collecting and disclosing personal information about children under 13 in apparent violation of COPPA. Since COPPA was signed into law in 1998, children increasingly connect to the Internet on the go, using an array of mobile apps and new services that did not exist when the law was enacted."
While the FTC's action was based on existing law, Markey and Rep. Joe Barton, R-Texas, jointly introduced legislation last May that would provide a specific statutory basis for including mobile apps under COPPA. The bill would amend COPPA to include the term "mobile applications" within the definition of "operator."
The bill, titled the "Do Not Track Kids Act of 2011," emphasizes protection associated with geo-location information but also says that within COPPA such terms as "online," "online service," "online application," "mobile application," and "directed to children" shall have the meanings given them by the FTC.
Without admitting to the allegations, W3 settled the case with the FTC, consenting to pay a US$50,000 penalty. The settlement also bars the company from future violations of the COPPA rule and requires the publisher to delete all personal information collected in violation of the FTC's rules.
W3's Broken Thumbs unit was "very surprised" by the FTC's action. Broken Thumbs "provided users with a means of interacting with one another and with our customer service department, which required the collection and retention of users' email addresses," the company explained in a statement provided to TechNewsWorld by Barry Reingold, an attorney with Perkins Coie.
Broken Thumbs "did not ask for or collect information about the age of our users because there was no technical or functional need for this information," and its "sole purpose in collecting email data was to improve the user experience with our apps," it said. The company contended that no email address was ever used for marketing purposes or sold to another firm.
"As soon as the FTC informed us of its specific concerns -- and long before entry of the settlement order -- we took corrective action," the company said. "Any violations were inadvertent."