
February 17, 2012

FTC Reports That Many Mobile Apps May Not Be COPPA Compliant

On Thursday the Federal Trade Commission released a staff report titled "Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing," in which the FTC criticized companies for failing to properly disclose to parents how they are collecting personal data through mobile applications ("apps") aimed at young children.

The results of the FTC's study follow the FTC's August 2011 settlement with W3 Innovations, which was the FTC's first enforcement action against a mobile app developer.

The FTC's Children's Online Privacy Protection Act (COPPA) Rule requires that website operators notify parents and obtain their "verifiable consent" before they collect, use, or disclose the personal information of children under 13.  The COPPA Rule also requires that website operators post a privacy policy that is clear, understandable, and complete. Failure to obtain "verifiable parental consent" can expose a company to an FTC enforcement action and the potential for significant damages and unwelcome publicity.

The FTC surveyed approximately 1,000 apps designed for children and available through iTunes and the Android Marketplace by searching for the word "kid." According to the FTC, despite the warning provided by the W3 Innovations settlement, the operators of those apps could be collecting location (via GPS), phone numbers, contact lists, call logs and other "unique identifiers," yet the apps do not make it easy for parents to figure out what is being collected or how the data is being used, or to give consent to such collection and use.

"Companies that operate in the mobile marketplace provide great benefits, but they must step up to the plate and provide easily accessible, basic information so that parents can make informed decisions about the apps their kids use," FTC Chairman Jon Leibowitz said in a statement.

The FTC noted that the various app stores create their own age ratings and that these guidelines are often not consistent.  The Staff Report recommends that app developers provide simple and short disclosures on how they collect and share information about users, including whether their apps connect to social media sites like Facebook.  Connection to Facebook (or other social media sites) for some of these apps could be problematic, since the Facebook terms (and the terms of most other social media sites) specifically prohibit access if the user is under 13 precisely to avoid having to deal with the COPPA Rule.  

The FTC also wants app developers to inform parents if apps targeted towards children contain ads.  In some apps, ads and/or content that is inconsistent with the age rating is buried deep within the app and can be found only when a player reaches an advanced stage of the game.   

The FTC Staff Report is particularly interesting in light of a report from the Wall Street Journal today asserting that "Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.'s Web browser on their iPhones and computers--tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked."

The FTC's evaluation of app privacy disclosures comes as the agency is evaluating the comments it received and finalizing updates to COPPA that were revealed in September 2011.

According to the Staff Report, the FTC is planning to conduct an additional review in the next six months to determine whether some of these mobile apps were violating the COPPA Rule.  As currently drafted, the COPPA Rule creates the potential for violators to be fined up to $1,000 per violation (i.e., per child) - an amount that can add up very quickly for even a moderately popular app.  

App developers targeting pre-teens and younger teens should carefully evaluate the data their apps collect, how that data is used and whether the developer's privacy policy is consistent with such collection and use.

July 5, 2010

FTC Extends Time for Public Comment on COPPA Rule Review

The Federal Trade Commission has extended until July 12, 2010, the deadline for public comments on its review of the Children's Online Privacy Protection Act (COPPA) Rule. The request for comments was originally published in the Federal Register on April 5, 2010.

As stated on the FTC website:

The primary goal of the Children's Online Privacy Protection Act (COPPA) Rule is to give parents control over what information is collected from their children online and how such information may be used.

The Rule applies to:

* Operators of commercial Web sites and online services directed to children under 13 that collect personal information from them;

* Operators of general audience sites that knowingly collect personal information from children under 13; and

* Operators of general audience sites that have a separate children's area and that collect personal information from children under 13.

The Rule requires operators to:

* Post a privacy policy on the homepage of the Web site and link to the privacy policy on every page where personal information is collected.

* Provide notice about the site's information collection practices to parents and obtain verifiable parental consent before collecting personal information from children.

* Give parents a choice as to whether their child's personal information will be disclosed to third parties.

* Provide parents access to their child's personal information and the opportunity to delete the child's personal information and opt out of future collection or use of the information.

* Not condition a child's participation in a game, contest or other activity on the child's disclosing more personal information than is reasonably necessary to participate in that activity.

* Maintain the confidentiality, security and integrity of personal information collected from children.

Many in the industry have complained that the FTC has not provided clear enough guidance on how to comply with COPPA.

However, in order to encourage active industry self-regulation, COPPA also includes a safe harbor provision allowing industry groups and others to request Commission approval of self-regulatory guidelines to govern participating Web sites' compliance with the Rule.

One of the few companies to have received Safe Harbor status is Pillsbury client Privo, Inc.