A recent report issued by the Federal Trade Commission (“FTC”) called for “greater transparency and meaningful disclosure about the data collection practices in [mobile applications] for children.” The FTC’s reasoning was twofold: (1) mobile applications (“apps”) that collect personal data of individuals under the age of thirteen may violate the Children’s Online Privacy Protection Act (“COPPA”); and (2) parents need to know if their child’s data is being collected, used, or shared to make an informed decision on which apps they approve of.
COPPA makes it illegal for “an operator of a website or online service directed at children” to collect their personal information unless certain conditions are met. (16 C.F.R. §312.3). Mobile apps, including mobile games, fall within the FTC’s definition of “online service.” Among the conditions COPPA places on app developers are notice (what information it collects from children, how it uses such information, and whether the information is disclosed to third parties) and parental consent. The FTC’s report noted serious deficiencies in the current mobile app market with respect to these conditions.
The study examined a random sample of 400 apps targeted at children (200 from Android and 200 from Apple). The FTC reviewed the information listed on each app store’s promotion page and the first page (“landing page”) of the associated developer’s website looking to see whether data collection practices were properly disclosed. The FTC’s findings were troublesome. “In most instances, staff was unable to determine…whether an app collected any data, let alone the type of data collected, the purpose for such collection, and who collected or obtained access to such data.” (Report, 10). Although the app store developer agreements require developers to disclose such information, they don’t seem to be enforcing these requirements. In fact, only 16% of the 400 app promotion pages linked to a developer landing page that contained or linked to disclosure information. (Report, 13).
Children’s privacy issues in mobile apps are a relatively new development in the gaming industry. Last August marked the first time that the FTC settled a COPPA enforcement action against a mobile app developer. In that case, the FTC’s complaint alleged that W3 Innovations, Inc. (d/b/a Broken Thumbs Apps [“Broken Thumbs”]) violated COPPA by collecting children’s e-mail addresses and allowing children to publicly post personal information on message boards. Specifically, the FTC alleged that Broken Thumbs: (1) had collected over 30,000 children’s e-mail addresses; and (2) collected/or disclosed personal information from over 590 child users. (Complaint, 7). Most importantly, however, was that Broken Thumbs did this without providing COPPA’s requisite notice of their information collection practices or obtaining verifiable parental consent. Although the case was settled for only $50,000, it will likely serve as a wake-up call to the mobile gaming industry that it must do more to inform parents about the data collection practices of mobile apps their children use. It’s possible that the FTC settled for such an insubstantial amount because applying COPPA to mobile apps is only a recent development in the protection of children’s privacy. In past cases involving COPPA violations the FTC has not been so generous. Last May, Playdom, Inc. (a leading developer of online multi-player games) was forced to pay $3 million for violating the act. That penalty was the largest in the 11-year history of the COPPA.
Clearly, the FTC has no qualms about severely punishing industries that have been put on notice that their actions will be analyzed under the COPPA standard. This report appears to be notice to the mobile app industry that they too must fall in line. As the FTC noted, they intend to “evaluate whether the industry is moving forward to address the disclosure issues raised in this report.” (Report, 2) Over the next six months, the FTC plans on conducting another study to determine whether specific mobile apps violate COPPA. (Report, 2). While there are advantages to an app developer’s data collection (i.e., recognizing your location to give relevant news and weather), these benefits cannot overcome the need to protect children’s privacy.