The Federal Trade Commission ("FTC") recently reached settlements with two app developers (LAI Systems and Retro Dreamer) concerning violation of the Children’s Online Privacy Protection Act ("COPPA").
These app developers created several apps directed to children, and allowed third-party advertisers to collect end users' persistent identifiers (i.e., data that can be used to recognize a user over time and across different websites or online services, such as MAC address and IMEI), for the purpose of delivering targeted ads. According to the FTC, the app developers did not inform the ad networks that the apps were directed to children and failed to satisfy COPPA’s parental notice and consent requirements before collecting and using the information. Pursuant to the settlements, the FTC has imposed civil penalties which accumulated to $360,000 on the app developers.
These enforcement actions are especially noteworthy given that this is the first enforcement action of the FTC under COPPA with respect to the sole collection of persistent identifiers and not other types of children's personal data. Furthermore, both app developers were held liable for the data collection activities of third parties even though the app developers, themselves, did not collect the data, but rather the data was collected by the ad networks integrated within the respective apps. This enforcement action reflects the FTC's rigorous approach with respect to children's data collection and related advertising practices within sites and mobile apps and underscores the importance of taking steps to ensure compliance with COPPA when offering ad-supported apps for children.
In this context, we note that the Global Privacy Enforcement Network, which fosters cross-border cooperation among privacy authorities, has published its Privacy "Sweep" results, which provided interesting conclusions concerning children's targeted apps and websites, among which:
- 41% of the 1,494 sites and apps that were reviewed worldwide raised legal concerns, which include the amount of personal data collected, the manner in which the personal data was shared and insufficient or misleading disclosures about the practices of processing personal data.
- over 70% of the total sites and apps didn’t offer an accessible means for deleting account information; and
- Less than 25% of the sites and apps requested some form of parental involvement.
In light of the increasing popularity of computers and smart devices with young children, the issue of privacy compliance with regard to apps and websites is likely to be a growing area of interest for regulators worldwide.