Business Blog
Big COPPA problems for TinyCo
Fans of Tiny Pets, Tiny Zoo, Tiny Village, Tiny Monsters, and Mermaid Resort will be relieved to know that adorable Sully the Dog and arch-nemesis Duke Spendington haven’t been named in their individual capacities. But the developer of those kid-directed apps – San-Francisco-based TinyCo, Inc. – just settled an FTC lawsuit alleging the company violated the Children’s Online Privacy Protection Act (COPPA) Rule. One interesting allegation: In exchange for in-app currency to buy game enhancements, TinyCo encouraged kids to turn over their email addresses, but the company didn't get parental permission as required by COPPA.
TinyCo offers a number of kid-directed apps through popular app stores. For example, users of Tiny Pets could “Help your best friend Sully the Dog save the pets of TinyLand from the evil Duke Spendington. Hide them in your tree house by building homes for them.” (Darn that Duke Spendington!) The apps are free and have been downloaded millions of times, but users can make in-app purchases to enhance game play.
Under COPPA, operators of commercial websites or online services directed to children under 13 must – among other things:
- post on their sites clear, understandable privacy policies explaining their information practices,
- provide direct notification to parents about the information they collect from kids and how it’s used and disclosed, and
- get verifiable parental consent before collecting, using, or disclosing that data.
According to the FTC, TinyCo didn’t live up to its legal responsibilities. Here’s just one example. Next to a fill-in box was this enticing offer: “Get 5 Acorns for adding your email!” The practical effect was to illegally collect children’s addresses without their parents’ permission in exchange for game goodies. Users of other TinyCo apps were encouraged to turn over their email “for information and promotions,” a practice the FTC says also violated COPPA. As a result, TinyCo collected tens of thousands of email addresses.
In addition to a $300,000 civil penalty, the settlement mandates a major COPPA clean-up and the destruction of all information TinyCo collected from kids under 13.
On the fence about whether COPPA applies to your company? The Rule covers the operators of two kinds of sites and services: 1) those directed to children under 13, and 2) those geared to general audiences when they have “actual knowledge” they're collecting information from kids in that age group. While the FTC's just-announced settlement with review site Yelp is an example of that second group, the TinyCo case offers insights into when a site or service is “directed to children.” Section 312.2 of COPPA cites some factors, including:
subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children.
In this case, the FTC looked to the colorful characters and locales of TinyCo apps, including “adorable animals,” “lovable cubbies,” “magical monsters,” baby dinosaurs, zoos, treehouses, and a “resort” inspired by the Little Mermaid fairy tale. The complaint also cites the simple language of the games, which would be easy for kids under 13 to understand.
Although the FTC applied COPPA’s “directed to children” standard – which doesn’t include an element of actual knowledge – TinyCo knew that kids were using their apps because parents of young children had contacted them to complain. But the FTC says even that didn’t motivate the company to ask itself, “Hmm. Did we collect information from kids without parental permission?” So aside from the COPPA compliance message, there’s another moral of the story for app developers: Read – and heed – what customers are saying to you.
The FTC has free resources to help keep your site or service COPPA-compatible.
It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system, and user names also are part of the FTC’s computer user records system. We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.
The purpose of this blog and its comments section is to inform readers about Federal Trade Commission activity, and share information to help them avoid, report, and recover from fraud, scams, and bad business practices. Your thoughts, ideas, and concerns are welcome, and we encourage comments. But keep in mind, this is a moderated blog. We review all comments before they are posted, and we won’t post comments that don’t comply with our commenting policy. We expect commenters to treat each other and the blog writers with respect.
We don't edit comments to remove objectionable content, so please ensure that your comment contains none of the above. The comments posted on this blog become part of the public domain. To protect your privacy and the privacy of other people, please do not include personal information. Opinions in comments that appear in this blog belong to the individuals who expressed them. They do not belong to or represent views of the Federal Trade Commission.