Who’s covered by COPPA? FTC staff letter outlines the ABCs

Some of the apps offered by China-based BabyBus teach kids the fundamentals of the alphabet. Correspondence just sent to BabyBus by the FTC staff focuses on five of those letters:  C-O-P-P-A.

BabyBus advertises itself as a leader in early childhood education software and offers consumers more than 60 free apps in major U.S. app stores like Apple iTunes, Google Play, and the Amazon Appstore. The apps, which have been downloaded millions of times, use cartoon characters to teach kids about letters, counting, shapes, etc. So there’s really no question that BabyBus’ products are geared toward the under-13 set covered by the Children’s Online Privacy Protection Rule.

Under COPPA, developers of apps directed to kids under 13 – or app developers that knowingly collect personal information from children in that age group – have to post accurate privacy policies, provide notice, and get verifiable parental consent before collecting, using, or disclosing any “personal information” collected from kids.

So why the letter to BabyBus reminding them of their legal obligations under COPPA? Because several of the BabyBus apps appear to collect kids’ precise geolocation without parental approval. And it’s hard to imagine a more personal form of “personal information” under COPPA than where a child is located. What’s more, it looks to FTC staff like BabyBus transmits that information to third parties, including ad networks and/or analytics companies, without parental consent – another COPPA “don’t.”

One compliance takeaway from the BabyBus letter is the scope of the statute: “COPPA and its related rules apply to foreign-based Web sites and online services that are involved in commerce in the United States. This would include, among others, foreign-based sites or services that are directed to children in the United States, or that knowingly collect personal information from children in the United States.”

Another key point is the sensitivity of geolocation information. The transmission of precise location raises privacy considerations in any context. But kids and geolocation? The concerns should be obvious.

The staff told BabyBus that they'll review their apps again in the next month. That should give BabyBus time to “take the necessary steps to ensure that your company does not collect personal information from children other than in accordance with COPPA.”

The BabyBus letter offers a timely opportunity to make sure the companies you work with are COPPA-compliant. Are your international clients aware that COPPA may cover their activities? And do all the businesses with whom you work know that COPPA isn’t limited to kid-related sites? As recent FTC law enforcement actions demonstrate, sites geared toward a general audience need to comply with COPPA if they know they’re collecting personal information from children under 13.

The FTC offers a suite of free resources to streamline COPPA compliance. A starting point for businesses of any size is The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business. The FTC’s Children’s Privacy page offers deep cuts for companies looking for more information.



Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.