Following a February 2012 report chastising the mobile app industry for not disclosing data privacy practices in connection with apps directed to children, the FTC has issued a follow-up report that concludes the industry has not improved. The new FTC report indicates that since its first study on kids’ apps 10 months ago, 80% of those examined still do not have posted privacy policies, and many of the policies that do disclose data practices are inaccurate or incomplete. In a press conference the FTC also announced that it had commenced a series of law enforcement investigations against unnamed companies for violations of law in this regard. Both California and federal law require disclosure of data privacy practices by website and mobile app publishers, and the Children’s Online Privacy Protection Act (COPPA) requires verified parental consent in most instances before collection of personal information of children under the age of 13.
The mobile industry is lagging behind the Internet industry in developing effective self-regulation of consumer data privacy, and the investigations that the FTC and the CA Attorney General have each announced they have opened against multiple companies in the mobile app space should be a wake-up call. It seems clear that there will be a series of law enforcement actions in 2013, and it would not be surprising to see the class action bar pile on soon with private lawsuits. Companies should take heed, audit their data practices, and ensure that their apps and web sites have accurate privacy policies posted. They should also ensure that they take reasonable precautions to protect the security of the data and are prepared to respond to a breach.
As for law enforcement, expect to see actions not only against app publishers (like Delta), but also against marketplaces like Apple and Android, and third parties like ad exchanges, ad networks, social media plug-ins and analytics companies. Indeed, one of the things the proposed changes to COPPA would do is make both publishers and third parties responsible for the sharing with third parties of device identifiers associated with children, though it remains unclear what the knowledge standard will be for each.