FTC Approves Children's Online Privacy Compliance Program

By Jenny Paul

The Federal Trade Commission has approved a new safe harbor program, called the iKeepSafe Safe Harbor Program, that websites and other online services may use to comply with its Children’s Online Privacy Protection Act rule. 

COPPA regulates the collection and use by website operators and application developers of personal information from children under the age of 13.  COPPA also requires website operators and application developers to obtain parental consent before collecting a child’s personal information.  The COPPA rule allows industry groups or others to submit self-regulatory guidelines to the FTC for approval as a safe harbor program.  Operators and developers who choose to be regulated under an approved safe harbor program will be deemed to be in compliance with COPPA if the operators and developers comply with the approved program’s guidelines.

A potential safe harbor program must demonstrate it can ensure that the website operators and app developers subject to its program provide similar or greater protections to children than the safeguards in the COPPA rule.  The program must also demonstrate that it possesses an effective mandatory mechanism to assess the operators’ and developers’ compliance with its program guidelines and has disciplinary actions that will be taken if non-compliance occurs.  The FTC determined that iKeepSafe met all of the above criteria.  The FTC noted that iKeepSafe and its compliance partner, Playwell, have many years of experience in the children’s privacy sphere.


The Center for Digital Democracy opposed iKeepSafe’s application, saying the applicant wrongly used “permissive standards” instead of COPPA’s mandatory requirements.  In approving iKeepSafe’s application, the FTC noted that the company modified its application and inserted mandatory language in its application in response to the concerns of commenters.

 

COPPA Parental Consent Expanded by FTC

By Debbie Wong* and Nickolas Milonas

The Federal Trade Commission recently expanded the options for obtaining verifiable parental consent (“VPC”) under recent revisions to the Children’s Online Privacy Protection Act.  COPPA requires covered websites and online services to obtain verifiable parental consent before collecting information on children under 13.  The VPC method must be reasonably calculated to ensure that the person giving consent is the child’s parent.  While the rule enumerates several acceptable methods for obtaining parental consent, changes to the rule that took effect last July allow for FTC approval of new VPC methods.  As we previously reported, the FTC has already approved and rejected new VPC methods under the revised rule.

The FTC’s revised guidance on obtaining VPC includes three main clarifications.  First, the FTC will now include the collection of a parent’s payment card information as a potential VPC method.  Although obtaining a 16-digit credit or debit card number alone would not satisfy COPPA’s VPC requirement, the FTC explained that there may be circumstances in which the collection of payment information would suffice in conjunction with other safeguards.  For example, the card number could be supplemented with security questions that only a parent could answer.

Second, the FTC will allow a developer of a child-related app to use a third party, such as an app store, to obtain VPC.  The developer, however, must ensure that COPPA requirements are met.  For example, requiring an app store account number or password is insufficient for obtaining parental consent without other indicia of reliability, like authentication questions.  In addition, the developer must provide parents with direct notice that outlines its information collection practices.

Last, the FTC clarified that in instances where a third party, like an app store, obtains VPC on behalf of app developers, the third party is not an “operator” under COPPA and therefore would not be liable if it fails to investigate the privacy practices of the developers for whom it obtains consent.  However, such third party may still be liable under the FTC Act if it misrepresents its level of oversight for child-related apps.  

The FTC revisions were praised by app developer trade associations as “a major win for innovation and privacy” because the revisions help clarify COPPA and remove obstacles that can discourage developers from creating educational apps for children. 

*Debbie Wong is a summer associate in K&L Gates’ Washington, DC office and contributed to this post.

FTC Approves First New Method for Verifying Parental Consent under COPPA

By Nickolas Milonas

The Federal Trade Commission recently approved a new method for verifying parental consent under a revised rule of the Children's Online Privacy Protection Act.  COPPA requires websites and online services geared toward children to get parental consent before collecting information on children under 13.  While the rule enumerates acceptable methods for gaining parental consent (such as verification via Social Security number), changes to the rule that took effect July 1 allow for FTC approval of new VPC methods.  

Imperium LLC’s approved VPC method uses a knowledge-based authentication system that verifies a parent's identity by asking a series of personal security questions, similar to those used by banks or other financial institutions.  The method is the first of its kind to be approved under the COPPA rule.  As we reported in November, AssertID proposed a social-media based VPC method.  The FTC, however, subsequently denied AssertID’s application due to the potential for circumvention by false social media accounts.

The FTC noted that identity verification via knowledge-based authentication is “well-established and has been adequately utilized and refined in the marketplace to demonstrate that it is sufficiently reliable to verify that individuals are parents authorized to consent to the collection of children’s personal information.”  The FTC also stated that such authentication, when used under COPPA, must contain dynamic, multiple-choice questions with a low probability for guessing correctly and of sufficient difficulty that a child in the household could not reasonably ascertain the answers.

FTC Says Parental Consent Proposal From AssertID Fails to Meet COPPA Rule

By Jenny Paul and Marc Martin 

A parental consent method proposed by AssertID does not meet the criteria for approval set forth in a revised Children’s Online Privacy Protection Act rule, the Federal Trade Commission recently determined.

Under the COPPA rule, covered online sites and services must obtain verifiable parental consent before collecting personal information from children under 13.  While the rule enumerates acceptable methods for gaining parental consent, changes to the rule that took effect July 1 opened the door for FTC approval of unenumerated VPC methods.

AssertID was among the first companies to react to the stricter revised rule, even as commenters predicted that companies would struggle to comply with the revisions.  AssertID, which develops privacy and identity-verification solutions, submitted for FTC approval an unenumerated method called ConsentID.  ConsentID would facilitate verification by asking a parent’s “friends” on a social network to verify the identity of the consenting parent and the existence of the parent-child relationship — so-called social-graph verification.

The FTC denied AssertID’s application by a 4-0 vote, finding that the company had failed to provide sufficient evidence that ConsentID was reasonably calculated to ensure that the person providing consent is actually the child’s parent.  In doing so, the FTC determined that there is not yet adequate research or market testing which demonstrates the reliability of the social-graph verification method.  It expressed concern that users can easily fabricate Facebook profiles, noting that Facebook itself estimates it has about 83 million fake accounts, and that children under 13 may falsify their age information to establish social media accounts that could appear to the software to be credible.

While AssertID’s effort to create a new verification solution to manage compliance in a stricter COPPA environment was unsuccessful, the company still plans to offer an automated VPC service that relies on verification methods the FTC has already approved.

FTC's Online Privacy Rules for Children Clarified

By Nickolas Milonas and Marc Martin

The Federal Trade Commission recently released guidance on its December 2012 updates to the Children’s Online Privacy Protection Act (COPPA).  COPPA regulates the collection and use by website operators and application developers of personal information from children under the age of 13.  COPPA also requires website operators and application developers to obtain parental consent before collecting a child’s personal information.  The guidance touches upon several issues, including geolocation data; services directed towards children vs. mixed-audience services; parental access to children’s personal information; and disclosure of information to third parties.

As we previously reported, the December changes to the COPPA regulations are scheduled to take effect this July and contain definitional changes; expand the scope of permitted operations to include the collection of certain personal information through the use of persistent identifiers; clarify the use of age screens for content targeting a broad audience vs. content specifically targeting children; heighten parental notification requirements; and implement more-stringent requirements regarding the retention and disposal of personal information.

In advance of the FTC’s guidance, industry groups voiced concerns that the complex changes could deter innovation and asked the FTC to delay implementation until 2014 to ensure compliance.  However, privacy groups advocated rejecting any delays, stating that the changes are necessary to protect children and companies have had plenty of lead time to revise their policies and products.

Updated (5/6/13): In a letter to representatives of the advertising, application, and e-business industries, the FTC confirmed that it will not delay implementation of the new COPPA rules scheduled to take effect this July. The FTC stated that all stakeholders were afforded a sufficient opportunity to raise their concerns with the new rules but did not present any facts to warrant delaying implementation.

Data Privacy Update: FTC Releases Mobile Privacy Report and Settles Action against Path; Facebook to Identify Tracking Advertisements

By Nickolas Milonas, Marc Martin, and David Tallman

In a trio of recent data privacy developments, the FTC published mobile data policy recommendations, Path settled an FTC action regarding allegedly unlawful data collection, and Facebook will now tell users which ads are tracking their online activity.

The FTC recently released a staff report calling on mobile services to make their data policies more transparent and accessible to consumers. The report makes recommendations for mobile platform providers, application developers, advertising networks, and other key players in a rapidly expanding marketplace. The recommendations focus on providing consumers clear and timely disclosures about what consumer data is collected and how that data may be used. The report results in part from a May 2012 FTC workshop in which representatives from the industry, academia, and consumer privacy groups examined privacy risks and disclosures on mobile devices. 

Noting the expansive growth of services offered on mobile platforms, the report recognizes unique privacy concerns rooted in the “unprecedented amounts of data collection” possible from a single mobile device. The report also notes consumers are increasingly concerned about their privacy on mobile devices, stating “less than one-third of Americans feel they are in control” of their mobile personal data. 

With those concerns in mind, the report offers recommendations to improve mobile privacy disclosures. These recommendations are consistent with the broad principles articulated in the FTC’s March 2012 Privacy Report, which generally called upon companies handling consumer data to adhere to the core principles of “privacy by design,” simplified consumer choice, and greater transparency. The staff report elaborates on these general principles by providing guidance to address the unique challenges presented in the mobile environment (e.g., limited screen space and the centrality of platform and operating system providers). Among other recommendations, the report suggests:

  • Developing privacy best practices and uniform, short-form disclosures;
  • Providing just-in-time disclosures to consumers requiring affirmative consent before allowing apps to access sensitive content like geolocation, contacts, or photos;
  • Developing a one-stop “dashboard” to review content accessed by apps; and
  • Offering a “Do Not Track” mechanism on smartphones to prevent third-party tracking at the operating system level.

On the heels of the staff report, the FTC also announced a law enforcement action against Path, a mobile-only social network accused of collecting user data without consent. Through its social networking service, Path’s app allows users to upload and share content, including photos, comments, location data, and even the names of songs that the user plays. Among other allegations, the FTC claimed that the Path application automatically collected and stored personal information from users’ mobile device address books without the users’ consent (including names, addresses, phone numbers, email addresses, Facebook and Twitter usernames, and dates of birth). The agency also alleged that Path violated the Children’s Online Privacy Protection Act by collecting personal information from approximately 3,000 children under the age of 13 without parental consent. Path settled with the FTC on the same day that the agency filed its action. Path agreed to pay $800,000 in fines, delete all information for users under 13, and submit a comprehensive privacy plan with updates/assessments every other year for the next 20 years. 

Finally, Facebook recently announced it will alert users to advertisements that are based on or track browsing history. When users are logged in to their Facebook account and hover over ads with their mouse, a new pop-up icon will alert users if they are being tracked. The feature is the product of an agreement between Facebook and the Council of Better Business Bureaus, and users are still able to opt out of brand-specific ads, as well as ad tracking altogether.

These developments highlight the continuing regulatory focus on online privacy issues, particularly in connection with social media and mobile applications.

FTC's Revised Internet Privacy Rules for Children (COPPA) Published in Federal Register

By J. Bradford Currier, Marc Martin, and David Tallman

Providers of online services, websites, and applications directed at children will need to reexamine their policies regarding the collection of information from children in light of new privacy rules issued by the Federal Trade Commission and recently published in the Federal Register. The rules impose new obligations under the Children’s Online Privacy Protection Act (“COPPA”), which generally requires online services and websites to notify parents and obtain parental consent before collecting, using, or disclosing personal information from children under 13 years of age. The revised regulations were announced late last month and represent the result of more than a year-long examination of COPPA by the FTC that produced hundreds of comments from stakeholders. The COPPA revisions are just the latest step for the FTC regarding children’s privacy, which has been the focus of increased enforcement action and staff reports over recent years.

The new regulations revise the COPPA rules in five key areas:

(1) Definition Changes: The new rules expand the definition of online “operators” subject to COPPA to include child-directed sites or services that use third parties, such as plug-ins or advertising networks, to collect personal information from children. However, the FTC clarified that this change is not intended to extend liability to platforms that merely offer access to child-directed apps (such as online application storefronts). In addition, the definition of “personal information” for which parental consent must be obtained now will include location information, as well as photos, videos, and audio files that contain a child’s image or voice.

(2) Permitted Operations: The new rules permit the collection of a child’s personal information through the use of “persistent identifiers,” which recognize users over time and across different websites, for the sole purpose of supporting the online service’s internal operations (e.g., contextual advertising, frequency capping, legal compliance, site analysis, and network communications). Such information, however, cannot be used to contact a specific user, amass a profile on that person, or for any other purpose. Operators also may allow children to participate in interactive communities without parental consent, so long as they take reasonable measures to delete a child’s personal information before it is made public.

(3) “Age Screens”: The new rules distinguish between online services and websites whose primary target audience is children and those directed to a broader audience. While online services and websites whose primary target audience is children must continue to presume that all of their users are children subject to COPPA, the online services and websites directed to a broader audience may implement procedures to “age screen” users and obtain consent only for users who self-identify as under 13 years of age.

(4) Parental Notice and Consent: The new rules amend the parental notice provisions to require concise and timely notices to parents and access to operators’ privacy policies. Specifically, the notice to parents should clearly explain: (i) the types of personal information to be collected; (ii) that the parent’s consent is required for the collection of such information; and (iii) how to provide consent. The parental notice must also include a hyperlink to the operator’s privacy policy. The revised rules add several new methods for operators to obtain parental consent, including: (i) electronic scans of signed parental consent forms; (ii) videoconferencing; (iii) government-issued identification; and (iv) alternative payment systems (such as credit or debit cards), if they meet certain criteria. The FTC also established a voluntary 120-day notice and comment process so parties can seek approval of particular parental consent methods.

(5) Increased Security Measures: The new rules require websites and services to take reasonable steps to ensure that children’s personal information is released only to service providers and third parties capable of maintaining the confidentiality, security, and integrity of such information. The new rules allow the retention of children’s personal information only for as long as reasonably necessary to provide the service and also require operators to securely dispose of the information.

The revised COPPA regulations have drawn a mixed reaction. Some stakeholders have praised the FTC for striking an appropriate balance between privacy and innovation, while others have suggested that increased compliance costs will lead to a decline in online service and mobile application development. Either way, the new rules reaffirm the importance of COPPA compliance and children’s privacy issues to online services.

The revised COPPA rules will take effect on July 1, 2013.

FTC Report Investigates Mobile Apps for Kids

By Samuel Castic

Federal Trade Commission staff recently released a report titled “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” which contained the FTC’s most recent mobile app investigative findings that build upon its report from February of this year. The February report contained four key recommendations, which we summarized in a prior post.

This new report expanded on the FTC’s prior investigation by reviewing mobile app features and comparing them to disclosures made concerning the apps. The FTC found that many apps shared kids’ information with third parties without disclosing such practices to parents. Specifically:

1.      Most apps failed to disclose information collection or sharing practices before the apps were downloaded;

2.      Many apps failed to disclose that they contained advertising content or that the app shared privacy data with third-party advertising networks (including device IDs, geolocation information, and phone numbers);

3.      Some apps failed to disclose that they allowed in-app purchases;

4.      Some apps failed to disclose that they contained social media integrations that allow users to communicate with members of social networks; and

5.      Some app disclosures included false information. For example, certain apps expressly stated that user information would not be shared or that the apps did not contain advertising, when that was not the case.

The FTC has taken the position that mobile apps are online services for purposes of the Children’s Online Privacy Protection Act (“COPPA”), which prohibits the online collection of personal information concerning children under age 13, except in certain circumstances. As we have noted in prior posts, this area is fraught with risk and legal exposure. Indeed, the report indicates that the FTC staff plans to launch “multiple nonpublic investigations” to determine whether certain players in the mobile app space have violated COPPA or engaged in unfair acts or deceptive practices in violation of the FTC Act.

The report concludes by urging the mobile app industry to carry out the recommendations from the FTC’s recent privacy report—most notably, to:

1.      Incorporate privacy protections into the design of mobile products and services;

2.      Offer parents easy-to-understand choices about data collection and sharing through kids’ apps; and

3.      Provide greater transparency about how data is collected, used, and shared through kids’ apps.

Stay tuned in the upcoming weeks as the FTC is expected to announce new COPPA regulations that could impose further compliance challenges for mobile apps.

FTC Releases Mobile App Privacy and Advertising Guide

By J. Bradford Currier, Marc Martin, and Samuel R. Castic

Developers of mobile applications are urged to adopt truthful advertising practices and build basic privacy principles into their products under guidance recently issued by the Federal Trade Commission. The guidance is aimed at providing mobile app start-ups and independent developers with marketing recommendations designed to ensure compliance with federal consumer protection regulations. The guidance follows recent actions by the Federal Communications Commission, the White House, states, private stakeholders, and the FTC itself to establish mobile privacy codes of conduct and safeguard consumer information. The FTC guidance focuses on two key regulatory compliance areas for mobile app developers: (1) truthful advertising and (2) consumer privacy.

(1)        Truthful Advertising – The guidance recommends that mobile app developers always “[t]ell the truth about what your app can do.” The FTC cautions mobile app developers that anything a developer tells a prospective buyer or user about their app can constitute an advertisement subject to the FTC’s prohibitions on false or misleading claims. As a result, mobile app developers are encouraged to carefully consider the promises made concerning their apps on websites, in app stores, or within the app itself. Specifically, the guidance reminds mobile app developers that any claim that an app can provide health, safety, or performance benefits must be supported by “competent and reliable” scientific evidence. The FTC notes that it has taken enforcement action against mobile app developers for suggesting that their apps could treat medical conditions and recommends app developers review the FTC’s advertising guidelines before making any claims to consumers.

The guidance also advises mobile app developers to disclose key information about their products “clearly and conspicuously.” While the guidance recognizes that FTC regulation does not dictate a specific font or type size for disclosures, mobile app developers are encouraged to develop disclosures that are “big enough and clear enough that users actually notice them and understand what they say.” The FTC warns that it will take action against mobile app developers that attempt to “bury” important terms and conditions in long, dense licensing agreements.

(2)        Consumer Privacy – The guidance calls upon mobile app developers to build privacy considerations into their products from the start, also known as “privacy by design” development. The FTC suggests that mobile app developers establish default privacy settings which would limit the amount of information the app will collect. The FTC also recommends that app developers provide their users with conspicuous, easy-to-use tools to control how their personal information is collected and shared. The guidance pushes mobile app developers to get users’ express agreement to: (1) any collection or sharing of information that is not readily apparent in the app; (2) any material changes to an app’s privacy policy; or (3) any collection of users’ medical, financial, or precise geolocation information. At all times, mobile app developers should be transparent with consumers about their data collection and sharing practices, especially when the app shares information with other entities. 

The FTC also advocates that mobile app developers install strong personal information security protections in their products. In order to keep sensitive data secure, the guidance suggests that mobile app developers: (1) collect only the data they need; (2) secure the data they keep by taking reasonable precautions against well-known security risks; (3) limit access to a need-to-know basis; and (4) safely dispose of data they no longer need. Mobile app developers are also encouraged to establish similar standards with any independent contractors.

The guidance also pays special attention to the issue of mobile app protection of children’s privacy under the Children’s Online Privacy Protection Act (“COPPA”). The guidance reminds mobile app developers that they must clearly explain their information practices and get parental consent before collecting personal information from children if their apps are “directed to” kids under age 13 and keep such information confidential and secure. The FTC’s recommendations parallel its recently proposed rules designed to clarify the responsibilities under COPPA when third parties (such as advertising networks or downloadable “plug-ins”) collect personal information from users on child-directed websites. Mobile app developers are encouraged to contact the FTC or review the Bureau of Consumer Protection’s business resources when developing their privacy policies.

Comment Deadline on Proposed Children's Online Privacy Rules Extended by FTC

By J. Bradford Currier and Marc Martin

The Federal Trade Commission has extended the deadline for comments on the agency’s proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) released earlier this month. As we reported previously, the proposed rules would modify key definitions contained in COPPA to clarify the parental notice and consent responsibilities of website operators as well as third-party advertisers and “plug-in” developers that collect personal information on children. The proposed rules also aim to establish clear guidelines for the use of so-called “persistent identifiers” and would potentially allow websites which appeal to a general audience to “age screen” users by birth date and provide parental notice and obtain consent only for users who identify themselves as under 13 years of age. 

Comments on the proposed rules will now be accepted until September 24, 2012.

Revisions to Children's Online Privacy Rules Proposed By FTC

By J. Bradford Currier, Marc Martin, and Lauren Pryor

Websites, social media platforms, software “plug-in” developers, and online advertisements aimed at children may face new restrictions under proposed rules recently released by the Federal Trade Commission. The proposed rules would modify key definitions contained in the Children’s Online Privacy Protection Act (“COPPA”), which requires websites or online services directed at children under the age of 13 to seek and obtain parental consent before collecting or using a child’s personal information. With the new definitions, the FTC aims to clarify the responsibilities under COPPA when third parties (such as advertising networks or downloadable “plug-ins”) collect personal information from users on child-directed websites. The proposed rules represent another example of the FTC’s recent efforts to expand its enforcement on a variety of privacy issues related to children. Comments on the proposed rules will be accepted until September 10, 2012.

The proposed rules modify the scope of the FTC’s COPPA Notice of Proposed Rulemaking released in September 2011. As we reported previously, the earlier proposals would have expanded the definition of personal information to include so-called “persistent identifiers,” which represent unique user identification information obtained through “cookies” or other methods for purposes other than to support the website/service’s internal operations. The initial proposals would also have extended COPPA protections to photographs, videos, or audio files that include a child’s image or voice. The prior proposals further stated that the FTC would consider a wider range of factors, including whether a website included child celebrities and music content, when determining whether a website or online service was directed to children. Stakeholders submitted hundreds of comments in response to the 2011 proposals, leading the FTC to release this new round of proposed rule changes.

The new proposed rules modify the obligations under COPPA in three key areas:

(1)        Website Operators

Previous FTC guidance suggested that the responsibility for providing notice to parents and obtaining consent for the collection of personal information from children rested with the entity actually collecting the information. As a result, a child-directed website/service operator could permit others to collect personal information from child visitors without taking responsibility for seeking and obtaining parental consent. The proposed rules would now hold responsible both the child-directed website/service operator and any third parties collecting information on such operator’s behalf for the parental consent requirements. Specifically, the FTC stated that “an operator of a child-directed site or service that chooses to integrate into its site or service other services that collect personal information from its visitors should be considered a covered operator under [COPPA].” The FTC noted that the website/service operator is often in the best position to give notice and obtain consent from parents and can control which third-party plug-ins, software downloads, or advertising networks are integrated into its site.

(2)        Website/Service Directed to Children

The COPPA rules only apply to websites/services “directed to children.” The new rules would clarify that a third-party plug-in, software download, or advertising network is covered under COPPA when the third-party provider “knows or has reason to know” that it is collecting personal information through a child-directed website or online service. The new rules would not require third-party providers to monitor or investigate whether their services are incorporated into child-directed websites/services, but providers may not ignore information brought to their attention indicating that incorporation has occurred.

The proposed rules also attempt to address the fact that some websites/services that contain child-oriented content may also be of interest to adults. Under current FTC rules, these sites must treat all visitors as under 13 years of age. In response, some commenters suggested that the FTC adopt a system that would permit websites/services directed to a broad audience to implement procedures to differentiate among users and require notice and consent only for users who self-identify as under 13 years of age. The FTC agreed. The new rules allow general audience websites/services to “age screen” all users (i.e., by supplying a birth date) and provide notice and obtain consent only for users who identify themselves as under 13 years of age. The FTC recognized that child users may lie about their age, but thought the age screening process “strike[s] the correct balance” between privacy and access. However, child-directed websites/services that knowingly target children under 13 as their “primary audience” or whose overall content is likely to attract children under 13 must continue to treat all users as children under COPPA.

(3) Persistent Identifiers and Website/Service Support

The new rules clarify how child-directed websites/services can use persistent identifiers. The FTC first reiterated its 2011 proposal that persistent identifiers should be included in the definition of personal information. The FTC then stated that website/service operators may still use persistent identifiers without obtaining consent for activities such as performing site maintenance and analysis; performing network communications; authenticating users; maintaining user preferences; serving contextual advertisements; and protecting against fraud and theft. The exemption would not apply when the information collected through persistent identifiers is used to contact a user directly, including through the use of behaviorally-targeted advertising, or for any other purpose.

FTC Warns Mobile App Developers About Privacy Practices

By Samuel Castic, J. Bradford Currier, and Lauren B. Pryor

In another example of its recent efforts to step up enforcement on a variety of privacy-related issues, the Federal Trade Commission released a staff report on privacy disclosures for mobile applications used by kids. The report follows a recent FTC enforcement action against a mobile app developer for children and a notice of proposed rulemaking to amend the Children’s Online Privacy Protection Act (“COPPA”). The staff report represents a “warning call” to the app industry to provide parents with easily accessible, basic information about the mobile apps that their children use.

Under COPPA, operators of mobile apps directed at children under the age of 13 must provide notice and obtain parental consent before collecting personal information from children. The report surveyed approximately 1,000 apps designed for children and reviewed the types of privacy disclosures currently available to parents and kids. The FTC found that users frequently received the privacy disclosures only after downloading the app, limiting parents’ ability to “pre-screen” apps for their children. Additionally, the FTC reported that app websites often failed to provide meaningful notice regarding the data collection features of the app such that parents were not informed as to whether the app collected data from their children, the type of data collected, the purpose for such collection, and what parties may access such data. The FTC found this lack of disclosure troubling, especially in light of current technologies that allow mobile apps to access a child’s information with the click of a button and to transmit it invisibly to a wide variety of entities.

In light of these concerns, the report offered four key recommendations:

  • App developers should provide “simple and short” privacy disclosures that are easy to find and understand on a mobile device screen;
  • App developers should “alert parents if the app connects with any social media, or allows targeted advertising to occur through the app”;
  • Third parties obtaining user information through apps should make their privacy policies “easily accessible” through a link on the app promotion page or in the app developer’s disclosures; and
  • Companies that provide platforms for downloading mobile apps should take action to help better protect kids and inform parents (e.g., develop a uniform practice for developers to disclose data collection practices).

The FTC plans to conduct additional reviews over the next six months to determine whether to take enforcement action against app developers that violate COPPA. The FTC also plans to hold a workshop on mobile privacy issues later this year.

FTC Proposes Major Expansion to COPPA's Scope and Compliance Requirements

Update (11/22/11): The FTC extended the deadline for comments on the proposed COPPA reforms until December 23, 2011, citing the complexity of the questions and issues raised by the proposed amendments. The original comment deadline was November 28, 2011.

---------

The Federal Trade Commission recently announced a set of proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) which would expand the Act’s application to a greater number of websites and online services. COPPA requires that website operators notify parents and obtain parental consent before they collect, use, or disclose personal information from individuals under 13 years of age. Specifically, the proposed rules would expand the definition of personal information to include so-called “persistent identifiers,” which represent unique user identification information obtained for purposes other than for the support of the internal operations of a website or online service. The new rules would also extend COPPA protections to photographs, videos, or audio files that include a child’s image or voice. The FTC will consider a wider range of factors, including whether a website includes child celebrities and music content, when determining whether the site or online service is directed to children. The proposed rules rejected a number of alternative means of obtaining parental consent proposed by stakeholders and declined to establish a safe harbor for websites and online services which follow best practices guidelines issued by the Direct Marketing Association.

A K&L Gates Client Alert providing a detailed summary of the FTC’s proposed COPPA revisions and an analysis of the potential impacts of the reforms on websites and online services may be found here.

FTC Settles Privacy Case Against Children's Social Networking Site

The Federal Trade Commission recently announced its settlement with the operator of www.skidekids.com, a social media website marketed as the “Facebook and Myspace for kids.” The FTC claimed that the website collected personal information from approximately 5,600 children without parental consent in violation of the Children’s Online Privacy Protection Act (“COPPA”). COPPA requires that website operators notify parents and obtain parental consent before they collect, use, or disclose personal information from individuals under 13 years of age. The agency also alleged that the website’s operator made deceptive claims regarding the website’s privacy policy and information collection practices.

While the Skid-e-Kids website asserted that parents would be contacted by email prior to their child’s use of the site, the FTC found numerous instances where parental notice was not provided and consent was not received. As a result, the site allowed children to create profiles, post personal information, upload pictures, and send messages to other users, resulting in the unauthorized collection of user names, birth dates, email addresses, and cities of residence. 

In addition to barring any future COPPA violations and deceptive privacy claims, the operator of Skid-e-Kids agreed to: (i) destroy all information collected from children in violation of COPPA; (ii) provide online educational material about privacy, retain an online privacy professional, or join an FTC-approved safe harbor program; and (iii) pay a $100,000 civil penalty. All but $1,000 of the penalty will be waived if the operator complies with the settlement’s oversight requirements and supplies accurate financial information to the FTC. The settlement remains subject to court approval.

The settlement is further evidence of the FTC’s recent efforts to step up enforcement on a variety of privacy-related issues. On the same day as the Skid-e-Kids settlement, the FTC reached another settlement with an online advertising company for misleading customers regarding the use of tracking cookies. Less than a month ago, the FTC settled a privacy case against a mobile application developer for alleged COPPA violations. The FTC has specifically emphasized online privacy protections for children, recently launching a website promoting safe use of social networking sites by tweens and teens.

FTC Settles First Privacy Case Involving a Mobile Application

By Samuel Castic

The FTC announced a consent decree and order on Monday settling the civil action that was commenced against W3 Innovations, LLC, and Justin Maples—the entity and person respectively behind the Broken Thumbs Apps brand—for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). Broken Thumbs Apps developed Apple Store Apps including Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion, which were collectively reported to have more than 50,000 downloads. The FTC announcement indicated that this is the FTC’s first case involving mobile applications, or “apps.”

The FTC found that the apps at issue contained “subject matter, visual content, and language” that was directed at children under the age of 13, which directly implicated the COPPA requirements. The allegations in the complaint suggest that the FTC was most concerned with two aspects of the apps’ operation. First, the FTC took issue with the apps’ invitation for users to “e-mail Emily,” the fictional namesake of the apps, and the developer’s subsequent collection and maintenance of e-mail addresses from individuals who were likely to be children, even though those e-mail addresses were not publicly displayed. Second, the FTC called out the blog feature of several of the apps, which permitted users to submit comments (which could include personal information), and required users to provide a name when submitting a comment.  The app developer was thus alleged to collect personal information from children under the age of 13, but it did not comply with the COPPA by: (i) providing required notices, including parental notices, about how such information was collected or used; or (ii) obtaining verifiable parental consent before collecting, using, or disclosing personal information about children.

In settling the action, the developers agreed to, among other things: (i) a civil penalty of $50,000; (ii) an obligation to promptly respond to FTC compliance monitoring inquiries and consenting to broad FTC investigatory powers; (iii) reporting obligations for three years on changes in the app developers’ address, employment status, name, or corporate structure and on the app developer’s practices and compliance with the COPPA; (v) detailed record keeping obligations for six years; (vi) a three year obligation to report the consent decree requirements to specified types of third party entities that the app developer deals with; and (vii) a mandatory requirement to delete all personal information that was collected without complying with the COPPA. The details of the consent decree provide a continuing set of compliance obligations, and failure to comply in any respect can subject the app developer to further penalties. 

This FTC settlement comes several months after a hearing on the COPPA was held by the U.S. Senate Committee on Commerce, Science, and Transportation. This past spring, the chairman of that committee, Senator Jay Rockefeller, made inquiries of companies like Apple and Google to ascertain what efforts they undertake to verify that app developers comply with the COPPA. Significantly, this consent decree may foreshadow continuing FTC interest in COPPA compliance for mobile application developers and content providers.