In its first action regarding mobile applications (apps), the Federal Trade Commission announced on Monday, August 15, 2011, that it settled charges that a mobile app developer violated the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. The settlement includes a $50,000 civil penalty and requires deletion of all personal information collected in violation of COPPA. Further, the defendant is subject to reporting and compliance obligations for six years.

In the booming app industry, sometimes developers have been so acutely focused on getting their products to market, that legal issues have not been fully considered. W3 Innovations, doing business as Broken Thumb Apps, and its company president and owner are feeling the sting of taking this approach. Other app developers have now been duly warned that the FTC is watching them as well.

W3 Innovations offers approximately forty apps in Apple’s App Store for the iPhone and Ipod touch, some of which are directed at children. The apps at issue in the FTC action include Emily’s Girl World app, Emily’s Dress Up app, Emily’s Dress Up & Shop app and Emily’s Runway High Fashion app, in addition to a related blog called Emily’s Dress Up blog.

The complaint alleged that the blog sought submisssions from users, which were sent in by email. Several of the apps also encouraged users to send emails to “Emily.” Through these two avenues, W3 Innvoations collected over 30,000 email addresses.

The blog allegedly also allowed users to submit comments on posts through a “Leave a Reply” form which asked for a user’s name and email address, as required fields. Allegedly, a user could provide a full name, which was then publicly posted to the blog comments area with the comment. Defendants allegedly collected, maintained, and/or disclosed personal information from approximately 590 users who registered to submit comments.

The FTC asserted that Defendants violated COPPA in three respects:

  1. failing to provide notice in connection with their apps and blog regarding what information they collect from children, how they use such information, their disclosure practices, and other content required by COPPA and the FTC’s COPPA Rule (traditionally done through a privacy policy);
  2. failing to directly notify parents about what information they collect from children, how they use such information, their disclosure practices, and other content required by COPPA and the FTC’s COPPA Rule; and
  3. failing to obtain verifiable parental consent before any collection of personal information from children, as required by COPPA and the FTC’s COPPA Rule.

COPPA applies to the online collection of personal information from children under the age of 13. If a website or app (or a portion of a website or app) is “directed” to children or if a website operator has “actual knowledge” that it is collecting or maintaining personal information from a child (such as if it collects birthdate information) under age 13, it must comply with COPPA. COPPA and the FTC’s COPPA Rule contain very specific rules about what companies must do to comply.

In 2010, the FTC sought public comment on whether the COPPA Rule needs to be updated in light of evolving technology and changes in ways that children use and access the internet. Although the FTC received numerous comments, it has not yet announced whether it will propose revisions to the Rule. With this action against W3 Innovations, it appears that the FTC is not waiting for an updated rule to begin its enforcement efforts against mobile app providers.