The FTC announced a consent decree and order on Monday settling the civil action that was commenced against W3 Innovations, LLC, and Justin Maples—the entity and person respectively behind the Broken Thumbs Apps brand—for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). Broken Thumbs Apps developed Apple Store Apps including Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion, which were collectively reported to have more than 50,000 downloads. The FTC announcement indicated that this is the FTC’s first case involving mobile applications, or “apps.”
The FTC found that the apps at issue contained “subject matter, visual content, and language” that was directed at children under the age of 13, which directly implicated the COPPA requirements. The allegations in the complaint suggest that the FTC was most concerned with two aspects of the apps’ operation. First, the FTC took issue with the apps’ invitation for users to “e-mail Emily,” the fictional namesake of the apps, and the developer’s subsequent collection and maintenance of e-mail addresses from individuals who were likely to be children, even though those e-mail addresses were not publicly displayed. Second, the FTC called out the blog feature of several of the apps, which permitted users to submit comments (which could include personal information), and required users to provide a name when submitting a comment. The app developer was thus alleged to collect personal information from children under the age of 13, but it did not comply with the COPPA by: (i) providing required notices, including parental notices, about how such information was collected or used; or (ii) obtaining verifiable parental consent before collecting, using, or disclosing personal information about children.
In settling the action, the developers agreed to, among other things: (i) a civil penalty of $50,000; (ii) an obligation to promptly respond to FTC compliance monitoring inquiries and consenting to broad FTC investigatory powers; (iii) reporting obligations for three years on changes in the app developers’ address, employment status, name, or corporate structure and on the app developer’s practices and compliance with the COPPA; (v) detailed record keeping obligations for six years; (vi) a three year obligation to report the consent decree requirements to specified types of third party entities that the app developer deals with; and (vii) a mandatory requirement to delete all personal information that was collected without complying with the COPPA. The details of the consent decree provide a continuing set of compliance obligations, and failure to comply in any respect can subject the app developer to further penalties.
This FTC settlement comes several months after a hearing on the COPPA was held by the U.S. Senate Committee on Commerce, Science, and Transportation. This past spring, the chairman of that committee, Senator Jay Rockefeller, made inquiries of companies like Apple and Google to ascertain what efforts they undertake to verify that app developers comply with the COPPA. Significantly, this consent decree may foreshadow continuing FTC interest in COPPA compliance for mobile application developers and content providers.