Signaling a predicted renewal of enforcement of the federal children’s privacy law following broad expansion last year of who and what is covered by the rules, the FTC has filed and settled two recent lawsuits against mobile app publishers, resulting in $750,000 in civil penalties. Most noteworthy is that only one of the two is directed at children. Operators of even general audience web sites, mobile applications and online services (“Service(s)”) have certain obligations under the Children’s Online Privacy Protection Act (“COPPA”) and its corresponding regulations, which regulate the collection of certain data from children under 13 years of age (“Child” or “Children”). FTC settlements of COPPA violations typically fall in the six to seven figure range. Here, as is typical, the defendants entered into civil settlements with the FTC whereby one agreed to pay $450,000 and the other is paying $300,000. Other details of the settlements are detailed here. COPPA compliance should be part of the data privacy and security assessment Service providers conduct at least annually, and with each material Service update.
The latest FTC actions, filed in federal court on September 16, follow a hiatus in enforcement of more than a year while the Commission staff worked to educate industry about the rule changes, and target the popular business review service Yelp! and a mobile game publisher named Tinyco. Notably, Yelp! does not target children. However, it is alleged to have made a mistake that is common among general audience Services, even under the old rule: collecting user age at registration without blocking those who indicate they are under 13 and preventing their resubmission attempts. Another frequent mistake is to explain to users that they must be 13, which is deemed impermissible coaching, or to fail to take reasonable measures to prevent additional submission attempts, such as dropping a cookie that prevents submission for a reasonable period, generally considered to be 24 to 72 hours. The new Yelp! suit is a good example of why all Service operators need to be aware of COPPA obligations.
Tinyco operates so-called “freemium” mobile games, which are free to play but offer in-app purchases that enhance the game experience. The FTC concludes that several of the publisher’s games should be considered child directed because they “appeal to children by containing brightly colored, animated characters from little animals to zoo creatures to tiny monsters, and by involving subject matters such as a zoo, tree house or resort inspired by a fairy tale…. [and] the language used to describe the games in the app stores and the gameplay language is simple and would be easy for a child under 13 to understand.” Unlike general audience Services, which must comply with COPPA only when they have knowledge that a user is a Child or they are interacting with another Service that is Child-directed, Children’s Services must assume all users are Children until certain notice and parental verification steps are taken, absent narrow exceptions. For details on these issues see: “Obligations of Online and Mobile Services to Protect Children’s Privacy — AN OVERVIEW OF COPPA DATA RESTRICTIONS.”
Undoubtedly, the FTC picked these particular cases for a reason. Yelp! is most certainly designed to send a message to general audience Services that they are not immune from COPPA obligations when they have actual knowledge that a user is a Child or they are interacting with a Children’s Service, such as by means of a plug-in. Tinyco appears to send a warning to Services that are reasonably attractive to Children and that are trying to avoid the more stringent obligations on Children’s Services by purporting to be for users 13 and over. It is also no coincidence that both actions involve mobile apps, which the FTC has made a particular focus of its education efforts. The next round of FTC actions is likely to address more complex compliance issues, such as behavioral advertising, social media plug-ins, push notifications and the new category of “mixed use” sites added by the 2013 rule revisions.