The Federal Trade Commission (FTC) announced two settlements of enforcement actions involving the Children’s Online Privacy Protection Act (“COPPA”) on September 17, 2014. These settlements are the first COPPA cases the agency has made public since its revised COPPA regulation went into effect in July 2013. Although not focused on the aspects of the COPPA regulation that were revised, the cases reaffirm the agency’s interest in enforcing COPPA against mobile apps.
One case was brought against Yelp, which offers a website and apps for consumers to post reviews of businesses. The FTC’s complaint charges that Yelp apps accepted registrations from users who indicated that they were younger than 13, and thus acquired “actual knowledge” that these users were children. Allegedly, the Yelp app then collected from such registered users a variety of data that included “personal information” as defined by COPPA, without providing notice and obtaining verifiable parental consent as required by COPPA.
To settle the enforcement action, Yelp agreed to pay a $450,000 civil penalty, to comply with COPPA in the future, and to delete personal information previously collected from children within 30 days. In a blog post discussing the case, Lesley Fair of the FTC stated that the Yelp case “shows that COPPA isn’t just for kids’ sites” and encouraged companies to assess their mobile apps, including those provided by contractors, and to act on the information that users provide through an age screen.
The FTC’s other case involved a company called TinyCo, which offers numerous game apps for mobile platforms. The FTC concluded that certain TinyCo apps are “directed to children” under the COPPA regulation, noting that the apps contained simple language; brightly animated characters; and subject matters including a zoo, tree house, and fairy tale references. The complaint against TinyCo alleged that the company had nevertheless failed to provide notice and obtain verifiable parental consent to collect email addresses from its users. TinyCo agreed to pay a $300,000 civil penalty, to comply with COPPA going forward, and to delete all personal information collected by children within 10 days.