The FTC recently issued over 90 letters to mobile app developers, stating that their apps may violate the upcoming changes to the Children's Online Privacy Protection Rule, which—as we have mentioned previously—take effect July 1. The FTC's letters tell the companies that they should review their apps, policies, and procedures; and the updated COPPA Rule. The letters (version 1, version 2, version 3, and version 4) were sent to companies whose apps the FTC believes may collect images or sounds of children or collect persistent identifiers from children. Under the revised COPPA Rule, the definition of "personal information" will include photos, videos, or sounds of children and also persistent identifiers, such as cookies and mobile device IDs that can recognize children over time and across apps. The FTC's letters make clear that the Commission has not determined that the apps would violate the revised COPPA Rule without modifications, but it is a safe bet that the FTC will be looking closely at these companies once the revised Rule takes effect. Under the COPPA Rule revisions, an app that collects personal information from children, and does not fall under an exception, would need to get prior parental consent. The FTC also recently updated its new FAQ (that address the revised COPPA Rule) to describe child-directed apps' obligations with respect to push notifications. The FTC indicates in the FAQ that information gathered from a device to send push notifications is personal information. As such, parental consent is needed, unless the "more than once" exception to obtaining parental consent applies. Namely, that the child requested the push notifications. In that circumstance, the parent would need to be notified and given the ability to opt-out, but would not have to provide prior (or opt-in) consent. Also, as we explained recently, the revised Rule applies to information collected in apps by third parties, such as advertising networks, not just to information collected by the app developer itself. Under the revised COPPA Rule, companies can obtain verifiable parental consent by several means, such as providing a form to be signed by a parent and returned by mail, fax, or e-scan; requiring the parent to use a credit card or other payment system in connection with a monetary transaction if the payment method notifies the parent of each discrete transaction; calling a toll-free number; checking a government-issued ID against a database of IDs.
TIP: The FTC's letters—while not containing allegations of wrongdoing—carry the implicit message that the FTC will be keen to enforce the updated COPPA Rule after its implementation date. Although there was hope among industry groups that the FTC would delay the implementation of the updated COPPA Rule, the FTC recently announced that it will keep the July 1 date.