In the last five years, a variety of phone applications and other devices have quickly entered the market to help parents track their child’s whereabouts. The practical benefits of these services speak for themselves, as parents using these apps are able to immediately locate their children in real-time. Similarly, other companies offer consumers additional features, such as automatic notifications to a parent whenever their child wanders outside a pre-determined area.

The sudden explosion of child-oriented geolocation companies has not gone unnoticed in Washington. As often is the case with newly released technology, the Federal Trade Commission is seeking to reassert its role as the primary federal agency responsible for consumer protection.

The FTC recently sent two separate warning letters to China-based Gator Group Co. Ltd and Sweden-based Tinitell, Inc. The FTC also sent courtesy copies of the letters to the owners of app stores, which make the apps available to US consumers. Both of these companies market mobile geolocation services directed to children and appear to be violating the Children’s Online Privacy Protection Act.

These letters offer two important warnings to global geolocation service providers. First, the FTC has made it abundantly clear that the requirements of COPPA will apply to foreign-based geolocation providers that markets their services to the US. Second, geolocation service providers, regardless of where they are headquartered, must ensure that they are seeking verifiable parental consent before collecting geolocation information from US-based children.

The Child Online Privacy Protection Act and FTC Regulation

Congress passed COPPA to offer greater online privacy protections to children under the age of 13. The FTC has the authority to issue regulations and enforce COPPA, and as noted above, occasionally issues warning letters to companies fail to abide by COPPA’s requirements.

The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The law similarly requires that companies clearly disclose to parents how their children’s data is being used and collected. Among its many requirements, COPPA obligates website operators to seek “verifiable parental consent” prior to collecting information from a child under 13 years of age.

COPPA does not mandate a specific method for a company to obtain verifiable consent. Instead the FTC has adopted a “sliding scale” that balances the manner in which information is collected and the manner in which such information can be used. Additionally, the FTC requires that an operator select a method reasonably designed in light of “available technology” to ensure that the person giving the consent is truly the child’s parent. To avoid confusion, there are a number of methods the FTC has pre-approved for obtaining verifiable consent. Suggested methods include, but are not limited to, the following:

  • Clear display of downloadable consent forms that may be mailed or faxed to the operator;
  • Requiring, in connection with a monetary transaction, that a parent use a credit card to authenticate age and identity;
  • Requiring that a parent call a toll-free phone number; and
  • In limited circumstances, an e-mail may be used paired with an additional confirmatory step.

According to the FTC, both the Gator Group and Tinitell fall short of meeting these requirements. As noted in each letter, a review of both companies revealed that they failed to provide direct notice of their collection practices to parents. Additionally, both companies failed to implement the proper technical mechanisms to seek verifiable parental consent. To cure these defects, the FTC encouraged both companies to review their online services, policies, and procedures to confirm that they are in compliance with COPPA’s requirements. The FTC further reminded both companies that COPPA’s requirements are not just applicable at purchase, but are ongoing.

The Territorial Scope of COPPA

Equally important is the FTC’s view of COPPA’S territorial scope. At first glance, one might wrongly fully assume that a law passed by US Congress, designed to protect the online privacy of American children under 13, would apply only to US-based companies. The FTC disagrees.

Both the Gator Group and Tinitell have made their products available on platforms such as the Apple App Store and the Google Play Stores, and made concerted efforts to market their solutions to US parents. Despite being headquartered abroad, the Gator Group and Tinitell are clearly in the FTC’s cross-hairs. As outlined in its letter to both the Gator Group and Tinitell:

The COPPA Rule applies to foreign-based websites and online services that are involved in commerce in the United States. This would include, among others, foreign-based sites or services that are directed to children in the United States, or that knowingly collect personal information from children in the United States.

What Actions are Recommended?

These official letters from the FTC to global geolocation providers can serve as a clear warning to foreign based and US geolocation service providers – particularly those that distribute their applications via app stores. If any company is collecting information from American children under the age of 13, regardless of where the company is headquartered, COPPA’s requirements will apply.

We suggest that companies that are providing geolocation services review their verifiable consent procedures in light of this recent enforcement activity. For global providers, they should assess the risk of being subject to FTC jurisdiction in this area.