COPPA: When persistence doesn’t pay

Some operators of websites and online services directed at children would do well to learn a lesson that youngsters often know: ask permission before using something that’s not yours.

For a quick primer, companies may want to check out two settlements that the FTC announced today with the operators of mobile apps for children. The settlements provide for civil penalties totaling $360,000 against the operators, who the FTC charged violated the Children’s Online Privacy Protection Act (COPPA) Rule by letting third-party advertising networks use their apps to collect children’s personal information without their parents’ knowledge or consent.

What kind of personal information were the apps collecting? That’s where it gets really interesting. According to the FTC, the apps collected “persistent identifiers,” or data that can be used to recognize a user – in this case, a child – over time and across different websites. Advertisers use identifiers to track online behavior and target their ads based on what the users’ behavior reveals about them. The FTC said the app operators allowed the advertising networks to collect persistent identifiers from children using their apps so that advertisers could serve targeted advertising.

One case named LAI Systems, LLC, whose apps include My Cake Shop, My Pizza Shop, Hair Salon Makeover, Friday Night Makeover, Marley the Talking Dog, and Animal Sounds.

The other case named Retro Dreamer and its principals, Craig Sharpe and Gavin Bowman, whose apps include Happy Pudding Jump, Ice Cream Jump, Ice Cream Drop, Sneezies, Wash the Dishes, Cat Basket, and Tappy Pop. The FTC said that LAI Systems and Retro Dreamer offered their apps through popular app stores and generated revenues through in-app advertising and in-app purchases.

The two cases are the first in which the FTC has alleged violations of the COPPA Rule based solely on the collection of persistent identifiers. The actions follow amendments to the Rule that took effect in July 2013. Among other things, the amendments expanded the list of personal information about children under the age of 13 that websites and online services can’t collect, use, or disclose without parental notice and consent.

What types of personal information are COPPA-covered? Section 312.2 of the Rule lists ten items, including some you would easily guess – full names, addresses, telephone numbers, Social Security numbers, and online contact information. The amendments added other items, including:

  • persistent identifiers, such as a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or a unique device identifier,
  • a photograph, video, or audio file that contains a child’s image or voice, and
  • geolocation information sufficient to identify a street name and name of a city or town.

The settlements announced today require LAI Systems to pay $60,000 in civil penalties and Retro Dreamer to pay $300,000. They’ll also have to comply with COPPA before they collect personal information online from children under age 13. Among other things, that means they have to post on their sites clear, understandable privacy policies explaining their information collection practices and get verifiable parental consent before collecting, using, or disclosing kids’ personal information.

Are you wondering if COPPA applies to your company? In a nutshell, you’re covered by COPPA if:

  • Your website or online service is directed to children under 13 and collects personal information from them;
  • Your website or online service is directed to a general audience, but you have “actual knowledge” you’re collecting personal information from a child under 13; or
  • You run a third-party service like an ad network or plug-in and you’re collecting information from users of a site or service directed to children under 13.

The FTC offers free resources to help COPPA-covered companies stay COPPA-setic. Our Six-Step Compliance Plan is the best place to start. We also have FAQs and a COPPA hotline at CoppaHotline@ftc.gov, where we’ve answered more than 1000 substantive questions. And, keep an eye on the Business Blog for news about COPPA developments, such as our past lawsuits against TinyCo and Yelp.

 

Comments

Add new comment

Comment Policy

Please enter a username. Don't use your email address.

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.