FTC Announces First-Ever COPPA Enforcement Action Against Mobile Apps

By David Silverman The Federal Trade Commission (“FTC”) announced that it has obtained a consent decree requiring payment of a $50,000 penalty for violations of the Children’s Online Privacy Protection Act (“COPPA”) and FTC rules implementing it, marking its first ever COPPA enforcement proceeding involving mobile phone applications (“apps”). The new app enforcement action follows in the wake of another FTC action brought this past spring involving “virtual worlds” that resulted in the largest COPPA civil settlement to date.The enforcement actions show an FTC branching out from traditional websites that may collect children’s personal information (“PI”), to newer media, even while it is in the midst of a proceeding weighing whether and how it should update the COPPA rules to address new platforms and online apps through which children’s PI can be collected. The violators in the current app-based enforcement action collected names and email addresses from children without parental consent in connection with numerous apps available for the iPhone and iPod Touch. In addition to payment of a civil penalty, the consent decree requires compliance reports to the FTC for three years covering any websites or online services that the alleged violator operates and uses to collect or disclose PI. The most popular apps involved were known as Emily’s Girl World and Emily’s Dress Up, each of which had been downloaded approximately 30,000 times. Both included blogging features that allowed users to submit blog entries that required users to provide their names and email addresses in order to post. W3 Innovations, the company supplying the apps, collected and maintained more than 30,000 email addresses obtained from these blogs. Because Emily’s Girl World and Emily’s Dress Up are directed toward children under age 13, and because the FTC deemed the apps to fall within COPPA’s definition of a “commercial website or online service,” W3 was required to comply with COPPA’s requirements.Those include 1) posting a privacy notice on the website providing a complete notice of the company’s information practices, including what PI is collected from children, how it is used, and the company’s disclosure practices; 2) obtaining verifiable parental consent prior to collecting, using and/or disclosing children’s PI; 3) giving parents the option to consent to collection and internal use of their children’s PI while denying consent to disclose it to third parties; 4) providing a means for parents to review their children’s PI; 5) not conditioning participation in an activity on children disclosing more PI than is reasonably necessary; and 6) establishing and maintaining reasonable procedures to protect the confidentiality, security and integrity of PI collected from children. The FTC found W3 had not taken any of those steps and filed a complaint against the company in the U.S. District Court for Northern California. That led to the Consent Decree requiring W3 to comply with COPPA and delete all PI collected in violation thereof, in addition to paying the $50,000 fine. This decision was praised by members of Congress, including Rep. Ed Markey (D-Mass.), the initial proponent of COPPA, as well as Senate Commerce Committee Chairman Jay Rockefeller (D-W.Va.).Markey is co-sponsoring the Do Not Track Kids Act with Rep. Joe Barton (R-Texas), which was the subject of an earlier blog.