What Your Company Needs to Know

On December 10, 2012, the Federal Trade Commission issued its second report on kids' mobile apps, entitled "Mobile Apps for Kids, Disclosures: Still Not Making the Grade." The FTC was highly critical of the industry and indicated that it will soon launch nonpublic investigations.  

In the report, the FTC selected 200 apps from Apple's App Store and 200 Apps from Google Play. The Commission reviewed the privacy disclosures for each app, analyzed the app's functionality and performed a robust interception of the network traffic associated with each app in the study. By further analyzing IP addresses and packet payloads, the Commission was able to tell what data an app would transmit over the network and to whom the app would transmit it.

The FTC Findings

The FTC found that a majority of kids' apps "failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data." It called the results "troubling" because of the types of information being shared with third parties: "device ID, geo-location, or phone number . . . without disclosing that fact to parents." Finally, the FTC also noted with dismay that "a number of apps contained interactive features — such as advertising, the ability to make in-app purchases, and links to social media — without disclosing these features to parents prior to download."

It is important to note that the FTC was also concerned with the disclosures that they did encounter. The Commission stated that most were long and "filled with irrelevant information" while "[o]thers lacked basic details, such as what specific information about a child would be collected, the reason for collecting such information, or what parties would obtain the information." The Commission noted one example in which an app "shared device ID and geolocation with advertising networks [but] had a misleading privacy disclosure that discussed features about the user interface of the app.” It did not “disclose the fact that advertising networks or analytics companies would be receiving information through the app."

Investigations to Begin

As a result of the findings, FTC staff is set to start “multiple nonpublic investigations to determine whether certain entities in the mobile app marketplace have violated the Children’s Online Privacy Protection Act (“COPPA”), or engaged in unfair or deceptive trade practices in violation of the FTC Act."

The FTC noted that the purpose of the survey was to examine the disclosures and practices of kids' apps, and that it had not made any determination as to whether the disclosures and practices violated COPPA or constituted unfair or deceptive practices under the FTC Act. However, during the press conference announcing the findings, the FTC signaled that there were problems on both counts. The Commission hinted that it found information being collected without appropriate consent in violation of COPPA and, during its review, found certain disclosures to be inaccurate.

What the FTC Urges the Apps Industry to Do  

The FTC "strongly urges the mobile app industry to develop and implement 'best practices' to protect privacy,” including the following recommendations:

  • incorporate privacy protections into the design of mobile products and services (“Privacy By Design”)
  • offer parents easy-to-understand choices about the data collection and sharing through kids’ apps
  • provide greater transparency about how data is collected, used and shared through kids’ apps

Reading Between the Lines

Considering the report as a whole, companies would do well to keep several points in mind:

  1. The FTC understands the technology. Companies need to as well.

Companies should strongly consider undertaking a tech-based review of their apps — including analysis of network traffic — to comply with COPPA effectively or to mount a successful response to an FTC investigation. Companies should not take the word of the developer, or even the FTC for that matter, regarding the nature of an app's network traffic. FTC staff and consultants analyzed app network traffic all summer and fall, for a total of 400 apps. To avoid the FTC dragnet, companies must employ the same tactics and focus on tech-based compliance.

  1. Don’t rely on your online privacy policy.

Companies should not simply rely on their current online privacy polices. The mobile environment is fluid, and relying on what you've done for your website likely will not translate to your app. The disclosures that were found raised concerns. More likely than not, these disclosures linked to or restated the companies' online privacy policy.

  1. In-app notices are important.

In-app notices provided by the platform — such as those that are common on Apple devices — may be insufficient to qualify as notice to parents. In its report, the FTC mentioned more than a few times the importance of pre-download disclosures. If a game has location-based services, interactive features or social network links, these items should be disclosed pre-download, according to the FTC.

  1. The FTC is coming, so get ready.