Virtual World Law Blog

The growing use of mobile applications has created great opportunities for all types of businesses. Many companies have leveraged apps to enhance their reach and interactions with customers and potential customers. But with these growing opportunities comes some legal pitfalls. Many companies are not focusing on the vast array of legal issues that relate to what their apps do. The FTC and other government agencies are becoming more active in policing these activities.

In a recent pronouncement, the FTC has warned marketers that certain apps may violate the Fair Credit Reporting Act. The FTC warned the apps marketers that, if they have reason to believe the background reports they provide are being used for employment screening, housing, credit, or other similar purposes, they must comply with the Act.

According to the announcement, "If you have reason to believe that your background reports are being used for employment or other FCRA purposes, you and your customers who are using your reports for such purposes must comply with the FCRA."
 
The FCRA is designed to protect the privacy of consumer report information and ensure that the information supplied by consumer reporting agencies is accurate. Consumer reports are communications that include information on an individual's character, reputation, or personal characteristics and are used or expected to be used for purposes such as employment, housing or credit.
The companies that received the letters are Everify, Inc., marketer of the Police Records app, InfoPay, Inc., marketer of the Criminal Pages app, and Intelligator, Inc., marketer of Background Checks, Criminal Records Search, Investigate and Locate Anyone, and People Search and Investigator apps. According to the letters, the agency has made no determination whether the companies are violating the FCRA, but encourages them to review their apps and their policies and procedures to be sure they comply with the FCRA.

In light of the FTC, FDA, FCC and other government agency's increased activity in monitoring mobile apps and other social media usage, it is strongly advisable that you submit all of you apps and social media plans to a qualified attorney to review for potential compliance issues.

On Thursday the Federal Trade Commission released a staff report titled, "Mobile Apps for Kids: Current Privacy Disclosures Are Disappointing," in which the FTC criticized companies for failing to properly disclose to parents how the companies are collecting personal data through mobile applications ("apps") aimed at young children.

The results of the FTC's study follow the FTC's August 2011 settlement with W3 Innovations, which was the FTC's first enforcement action against a mobile app developer.

The FTC's Children's Online Privacy Protection Act (COPPA) Rule requires that website operators notify parents and obtain their "verifiable consent" before they collect, use, or disclose the personal information of children under 13.  The COPPA Rule also requires that website operators post a privacy policy that is clear, understandable, and complete. Failure to obtain "verifiable parental consent" can expose a company to an FTC enforcement action and the potential for significant damages and unwelcome publicity.

The FTC surveyed approximately 1,000 apps designed for children and available through iTunes and the Android Marketplace by searching for the word "kid." According to the FTC, despite the warning provided by the W3 Innovations settlement, they found that the operators of those apps could be collecting location (via GPS), phone numbers, contact lists, call logs and other "unique identifiers," but that the apps do not make it easy for parents to figure out what's being collected, how the data is being used or to give consent to such collection and use.

"Companies that operate in the mobile marketplace provide great benefits, but they must step up to the plate and provide easily accessible, basic information so that parents can make informed decisions about the apps their kids use," FTC Chairman Jon Leibowitz said in a statement.

The FTC noted that the various app stores create their own age ratings and that these guidelines are often not consistent.  The Staff Report recommends that app developers provide simple and short disclosures on how they collect and share information about users, including whether their apps connect to social media sites like Facebook.  Connection to Facebook (or other social media sites) for some of these apps could be problematic, since the Facebook terms (and the terms of most other social media sites) specifically prohibit access if the user is under 13 precisely to avoid having to deal with the COPPA Rule.  

The FTC also wants app developers to inform parents if apps targeted towards children contain ads.  In some apps, ads and/or content that is inconsistent with the age rating is buried deep within the app and can be found only when a player reaches an advanced stage of the game.   

The FTC Staff Report is particularly interesting in light of a report from the Wall Street Journal today asserting that "Google Inc. and other advertising companies have been bypassing the privacy settings of millions of people using Apple Inc.'s Web browser on their iPhones and computers--tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked."

The FTC's evaluation of app privacy disclosures comes as the agency is evaluating the comments it received and finalizing updates to COPPA that were revealed in September 2011.

According to the Staff Report, the FTC is planning to conduct an additional review in the next six months to determine whether some of these mobile apps were violating the COPPA Rule.  As currently drafted, the COPPA Rule creates the potential for violators to be fined up to $1,000 per violation (i.e., per child) - an amount that can add up very quickly for even a moderately popular app.  

App developers targeting pre-teens and younger teens should carefully evaluate the data their apps collect, how that data is used and whether the developer's privacy policy is consistent with such collection and use.