Using a third party’s software in your app? Make sure you’re (all) complying with COPPA

Does your company make online games, products, or services for children? Take note: the FTC is serious about children’s privacy. For proof, look no further than today’s settlement with Apitor Technology Co., Ltd. (“Apitor”), a Chinese toymaker, for allegations that the company violated the Children’s Online Privacy Protection Rule (“COPPA”).

Apitor develops, markets, and distributes robot toys for kids ages 6-14. To program the robots, users need to download Apitor’s free companion app. Apitor’s app incorporated a third party’s software development kit (“SDK”). (If you’re unfamiliar with SDKs, they enable app functionalities like push notifications and usage tracking.) That’s where the FTC alleges things went wrong: the SDK allowed the third party to collect geolocation data from children playing with the robot toys using an Android device.

COPPA is clear: companies providing online services directed to children must notify parents if they’re collecting, using, or disclosing personal information from children. They also have to get parents’ verified consent to do so — even if a third party is the one collecting the data on a company’s behalf. The FTC alleges that Apitor didn’t do either. As part of the settlement, Apitor has agreed to take steps to ensure it complies with COPPA in the future.

To protect both your customers and your bottom line, it’s important to do a COPPA-compliance check for your business. Here are some ways to get started:

1. Know that COPPA coverage is broad and can include third-party software and services. Whether your business is covered depends on several factors outlined in COPPA. Take this opportunity to review its detailed definitions and requirements, particularly if your website or online service involves child-oriented content or activities.
2. Understand how the SDKs that are incorporated into your company’s online services work. Do the SDKs operate in a way that could cause your company’s online service to violate COPPA?
3. Read the privacy policies of SDK vendors you work with to ensure they’re consistent with your own company’s privacy policy and with COPPA. For example, while Apitor’s privacy policy claimed the company complied with COPPA, its SDK provider’s policy included language about location tracking and use.  

As this case illustrates, COPPA enforcement is a key priority for the Trump-Vance FTC. Businesses subject to COPPA should work to understand what the law requires. And the FTC will continue its efforts to keep Americans first in the marketplace by protecting families and children from unlawful practices.

To learn more, check out Complying with COPPA: Frequently Asked Questions.