This is a post about the Children’s Online Privacy Protection Act (COPPA) Rule. Some readers already have a finger poised over the DELETE button since their business isn’t child-related. But as the FTC’s settlement with Yelp suggests, that would be a mistake.
Yelp is an online service where people can read and create reviews about businesses and connect with others online and at local events. Many users post profiles with photos and detailed information about themselves. Yelp's "check in" feature lets users announce their presence at a certain business.
Yelp introduced its apps in 2009 so people can access those services from their mobile devices. Before that, people had to register through the company’s website, which had a screening mechanism that prohibited users under 13 from signing up. Why that age? Because COPPA applies to operators of general audience websites or online services – including apps – with actual knowledge they’re collecting, using, or disclosing personal information from kids under 13. (Of course, COPPA also applies to kid-directed sites and services without regard to that “actual knowledge” standard. The FTC’s just-announced settlement with TinyCo deals with that aspect of the Rule.)
The problem with Yelp apps was how that age-screening mechanism worked – or more accurately, didn’t work. People who registered on the app were asked for a date of birth, but regardless of what they entered, the Yelp app allowed them to sign up and gave them full access to all features.
Yelp also collected certain information automatically from the phones of registered Yelp users. For example, to get metrics about its mobile user base, Yelp grabbed their Mobile Device ID, the unique identifier assigned to each phone. Furthermore, if people let Yelp offer them location-based services, the company used the device’s GPS to collect the user’s precise location. Given the flaw in the app’s age-screening mechanism, that meant Yelp was collecting personal information from users who said they were under 13 without parental notice and consent. According to the FTC, that went on from April 2009 to April 2013 on both the iOS and Android versions of the Yelp app – and in violation of the COPPA Rule.
The FTC’s complaint charges that Yelp failed to comply with COPPA even though it knew, based on registrants’ birth dates, that kids under 13 were registering via the company’s mobile apps. The lawsuit also alleges that Yelp didn’t adequately test its apps to ensure that users under the age of 13 were prohibited from registering.
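The gap described above, as an added example that is not Yelp's code: a handler that asks for a birth date and ignores it, next to one that checks the date before storing anything, run over boundary-case sign-ups of the kind a pre-release test would include. Function names, field names and sample records are constructed assumptions; rejecting the sign-up mirrors the website behaviour the post describes.

```python
from datetime import date

MIN_AGE = 13  # threshold named in the post

def age_on(birth: date, today: date) -> int:
    """Whole years completed on `today` (a Feb 29 birthday counts from Mar 1 in non-leap years)."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years

def register_flawed(form: dict, today: date, store: list) -> bool:
    """The behaviour described: the birth date is asked for, then ignored."""
    store.append(dict(form))          # device ID and location kept for everyone
    return True

def register_screened(form: dict, today: date, store: list) -> bool:
    """Decide on the birth date before anything else is stored."""
    try:
        birth = date.fromisoformat(form["dob"])
    except (KeyError, ValueError, TypeError):
        return False                  # missing or unparseable date: no account
    if birth > today or age_on(birth, today) < MIN_AGE:
        return False                  # nothing from this form is retained
    store.append(dict(form))
    return True

# Constructed sample submissions (not real data).
TODAY = date(2013, 4, 1)
SAMPLES = [
    {"dob": "2003-06-15", "device_id": "dev-A", "gps": (0.0, 0.0)},   # 9 years old
    {"dob": "2000-04-02", "device_id": "dev-B", "gps": (0.0, 0.0)},   # turns 13 tomorrow
    {"dob": "2000-04-01", "device_id": "dev-C", "gps": (0.0, 0.0)},   # 13 today
    {"dob": "1985-01-30", "device_id": "dev-D", "gps": (0.0, 0.0)},   # adult
    {"dob": "not-a-date", "device_id": "dev-E", "gps": (0.0, 0.0)},
]

def run(handler) -> list:
    """Return the device IDs that end up stored after all samples are submitted."""
    store = []
    for form in SAMPLES:
        handler(form, TODAY, store)
    return [row["device_id"] for row in store]

if __name__ == "__main__":
    print("flawed:  ", run(register_flawed))
    print("screened:", run(register_screened))
```

Run against both handlers, the same five submissions show the difference a release test should catch: the flawed handler stores every device ID, the screened one stores only those of users who are at least 13 on the sign-up date.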
The settlement imposes a $450,000 civil penalty, requires the company to comply with COPPA in the future, and mandates a report to the FTC a year from now describing what Yelp is doing to comply. In addition, Yelp has to delete information it collected from consumers who said they were under 13 when they registered. The order includes an exception if Yelp can show the person actually was over 13 when he or she signed up.
What can other marketers take from the Yelp settlement?
COPPA coverage may be broader than you think. COPPA isn’t just for kids' sites. If you’ve disregarded COPPA compliance because your business isn’t child-related, it’s time for a rethink. Children's Online Privacy Protection Rule: Not Just for Kids’ Sites offers a quick intro.
Appraise your apps. It’s great to offer customers the convenience of an app, but if you make privacy or security promises, does your app measure up? Some companies use contractors to design or test their apps. That’s fine, but the compliance buck always stops with you.
Pay attention to what prospective customers are telling you. This isn’t the first case where the FTC has charged that a company featured an age-screening mechanism, but then didn’t respond appropriately to the information people provided. An age-screening feature that doesn’t really screen for age can hardly be considered effective.
If your company is new to COPPA, The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business offers nuts-and-bolts guidance. Need to dig deeper? Bookmark Complying with COPPA: Frequently Asked Questions and watch for periodic updates.