On August 15, 2011 the Federal Trade Commission (FTC) announced a settlement with mobile application game publisher W3 Innovations, LLC, which included a $50,000 payment. The FTC alleged that W3 had violated the Children's Online Privacy Protection Act (COPPA) by collecting personal information from children under 13 without verifiable parental consent, the first federal privacy action against a mobile app publisher. This collection included giving access to children to blogs and other online tools that allowed them to post their personal information to the game community.
The complaint alleged that COPPA applied because the "apps send and/or receive information over the Internet, and are thus 'online services' directed to children" as defined by COPPA. While the settlement resulted in no findings of fact or conclusions of law, it settles any question as to whether the FTC would apply COPPA to mobile apps, at least where any Internet connectivity is present, an issue that was raised in responses to the FTC's request for public comments last year as part of its review of COPPA.
COPPA provides specific federal statutory regulation of children's privacy with respect to "online services" so it is no surprise that the first mobile privacy action be brought under it. With respect to adults and general audience apps, outside of particular regulated areas such as financial services and health care, there is no specific statutory authority beyond the FTC's general Section 5 authority to protect consumers from fraud, deception and unfair business practices. Nonetheless, mobile app publishers that do not target children or knowingly collect personal information from them (the basis for COPPA's application) need to address consumer privacy issues and particularly the FTC's guidance on privacy and data security.
FTC Director of Consumer Protection David Vladeck recently testified before a Senate committee addressing privacy and mobile technology and stated that the FTC was "committed to protecting consumers in the mobile marketplace." Further, California's Online Privacy Protection Act, CA Bus. & Prof Code section 22575 et seq., which applies to all websites and "online services" that collect personally identifiable information without regard to age, requires conspicuously posted privacy policies that meet certain specific requirements. Just as the FTC has done, California regulators may apply "online services" to mobile apps.
Copies of the complaint, consent decree and the FTC's press release announcing the settlement are available here.