Answering the centuries’ old question, it appears it is the Federal Trade Commission (“FTC”) that watches the watchmen. The FTC sent warning letters to a pair of foreign app developers cautioning them that their practices of collecting children’s geolocation data without parental consent may be in violation of the Children’s Online Privacy Protection Act (“COPPA”). The letters warned China-based Gator Group Co. Ltd. and recently-defunct Sweden-based Tinitell, Inc. that companies targeting U.S. children must comply with U.S. privacy laws regardless of where they are based. The FTC also sent copies of the warning letters to the Apple App Store and the Google Play Store, which make the apps available to consumers. While the apps give parents peace of mind by enabling them to track their children’s location to ensure they are safe, that benefit is negated when parents are not aware that that information is being collected and stored in a way that enables others to access that same data.

The two companies produce similar smartwatch device and app combinations marketed toward children. Gator Group advertises an app and device called the “Kids GPS” Gator Watch, which it markets as a “child’s first cell phone.” It collects the child’s name, can track the child, and allows the parent or guardian to set an alarm for when the child leaves a geo-fenced “safe zone.” Tinitell’s app was “designed for kids, with calling and smart location features,” and connects to the phone, which is worn like a watch by a child, and can locate the child, call the child, and add contacts. Although Tinitell is no longer manufacturing or selling devices, its devices will remain functional through September 2018.

The warning letters accused both companies of violating the COPPA Rule, which implements COPPA and requires companies directed to children that collect this type of personal information to, among other things, provide direct notice and obtain verifiable parental consent before collecting, using, or disclosing children’s data. Companies that collect personal information from children must also take reasonable measures to secure that information. The FTC alleged that a review of both companies’ online practices revealed that they appear to collect precise geolocation data from children under 13 years of age, without providing notice of their collection practices to parents or seeking verifiable parental consent before collection. The FTC encouraged the companies to review and reassess their online data collection practices and reminded the companies that COPPA obligations attach not just at the time of purchase, but are ongoing while products or services remain in circulation.

COPPA requires that parents have a clear picture up-front of how their children’s data is being collected and used. It was enacted in 2000 to address the rapid growth of online marketing techniques targeting children, and broadened in 2013 to bring geolocation data, photographs, and other forms of sensitive personal information within its scope.

The letters from the FTC highlight the reach of COPPA and the importance of compliance, even for foreign-based websites and online services that avail themselves to U.S. markets.