The Federal Trade Commission has made it quite clear that it is serious about advising mobile app developers that the rules of the road will be changing very soon. Since 2011, the Commission has been working to update the rules governing the collection of children’s personal information by mobile apps. The relevant law is the Children’s Online Privacy Protection Act (COPPA), and the rules are set to change in just over a month, on July 1.
As part of its effort to encourage compliance, the Commission recently issued more than 90 warning letters to app developers, both foreign and domestic, whose online services appear to collect data from children under the age of 13. The letters alert the recipients about the upcoming COPPA rule change and encourage them to review their apps, policies, and procedures for compliance. According to the letters, the Commission did not evaluate whether the recipients’ apps or company practices are in compliance. Therefore, we view this move as a public warning to all app developers that may be collecting personal information from children.
Until now, COPPA, which was originally enacted in 1998, defined “personal information” to include only the basics such as a child’s name, contact information, and social security number. Over the past decade, it has become antiquated by the development of mobile apps and other technological advancements affecting data collection. Unfortunately but understandably, COPPA’s original incarnation failed to account for the proclivities of today’s children, who – reared in the age of smartphones, Facebook, and Google-everything – routinely use mobile apps to share their lives with their friends, their family, and the world.
The FTC has expressed major concerns that, unbeknownst to many users, mobile app developers also collect and disseminate their users’ persistent identifiers (things such as cookies, IP addresses, and mobile device IDs). This information, which can recognize users over time and across different websites and online services, is often used by developers and third parties to market products to children based on each child’s specific online behavior. Come July 1, this practice will be illegal.
Under the revised rule, the definition of “personal information” has been expanded to include persistent identifiers, photos and videos with a child’s image, and recordings of a child’s voice. Additionally, developers of apps directed to children under 13 – or that knowingly collect personal information from children under 13 – will be required to post accurate privacy policies, provide notice, and obtain verifiable parental consent before collecting, using, or disclosing such information. However, there are some exceptions for developers that only use the information to support internal operations (e.g., analyzing the app’s functionality, authenticating app users, etc.).
Protecting children’s privacy continues to be one of the Commission’s major initiatives, and the FTC has levied some hefty penalties for COPPA violations over the past year. That said, the Commission has indicated that it may be more lenient in cases where a small business has violated the rule despite well-intentioned attempts to comply. As we mentioned back in February, developers should beware of increased data privacy enforcement on the state level, as well. We encourage all mobile app developers to be proactive and review/update their policies to ensure compliance and avoid costly penalties.
Maryland Attorney General Douglas Gansler (D) has announced that his office is launching a new Internet Privacy Unit designed to address issues related to online privacy and to ensure that companies are in compliance with state and federal consumer protection laws. The unit will also handle issues related to cyberbullying and cybersecurity.
Gansler, who also serves as the president of the National Association of Attorneys General (NAAG), has previously stated that online privacy was a priority. Gansler said in a statement that Internet privacy is “one of the most essential consumer protection issues of the 21st century.”
The Internet Privacy Unit will also work with major industry stakeholders and privacy advocates to provide outreach and education to businesses and consumers. The unit may also pursue enforcement actions “where appropriate” to ensure that consumers’ privacy is protected.
One area of online privacy that the unit will examine is whether companies are complying with the Children’s Online Privacy Protection Act (COPPA), a federal law that restricts site operators from knowingly collecting personal data from children younger than 13. The Federal Trade Commission (FTC) announced in December that it adopted new rules governing COPPA that will go into effect in July 2013, which were the first significant revisions since the original rules went into effect in 2000. The new rules significantly increase the number of types of companies that are required to obtain parental permission before knowingly collecting personal details from children, as well as the types of information that will require parental consent to collect.
The unit will also “examine weaknesses” in online privacy policies. Not only will companies be required to have privacy policies in place, but these policies need to be thorough and comprehensive to ensure compliance with all relevant privacy laws. And, of course, companies need to be following in practice what they “preach” in their privacy policies.
The FTC and state attorney general offices will doubtless continue to be aggressive in their enforcement of privacy laws. Companies with an online presence should review their privacy policies and practices, particularly as affected by recent rule changes such as the COPPA revisions. Also, Maryland is signaling that it will be an active player in monitoring and enforcement of personal privacy and cybersecurity. While federal legislation continues to stall, the states are most definitely moving ahead.
The Federal Trade Commission announced on December 19, 2012, that it has adopted final amendments to the Children’s Online Privacy Protection Act (COPPA) that strengthen privacy protections online and give parents greater control over their children’s personal information. FTC officials said that they updated the rules to keep pace with the increasing use of mobile phones and tablets by children.
The original rules have not seen significant changes since they went into effect in 2000. The FTC has been examining possible changes to the COPPA rules since March 2010 and has received hundreds of comments from interested parties through multiple comment periods.
“Congress enacted COPPA in the desktop era and we live in an era of smartphones and mobile marketing,” FTC Chairman Jon Leibowitz said. “This is a landmark update of a seminal piece of legislation.”
The new rules go into effect on July 1, 2013. The rules were approved by a 3-1 vote, with one commissioner abstaining. Commissioner Maureen Ohlhausen voted no on the ground that she believes a core provision of the new rules, extending the statutory definition of “operator” to impose obligations on certain websites or online services that do not collect personal information from children or have access to or control of such information collected by a third party, exceeds the scope of the authority granted by Congress in COPPA.
The new rules significantly increase the types of companies that are required to obtain parental permission before knowingly collecting personal details from children, as well as the types of information that will require parental consent to collect.
Under the new amendments, the FTC said companies must seek permission from parents to collect a child’s photographs, videos, audio files, and geo-location information.
The new rules also expand the definition of personal information to include persistent IDs, such as a unique serial number on a mobile phone or the IP address of a browser, if they are used to show a child behavior-based ads. They require third parties such as advertising networks and social media networks that know they are operating on children’s sites to notify and obtain consent from parents before collecting personal information. Additionally, the rules make children’s sites responsible for notifying parents about data collection by third parties that are integrated into their services.
The FTC said that the new amendments will now require apps and websites that are targeted at children and that use third-party plug-ins to websites such as Twitter and Facebook to obtain parental consent to collect personal information. Those third parties must obtain parental consent when they have “actual knowledge” that they are collecting information from a website or service targeted at children.
In a departure from the rule changes that were proposed by the government in August, the FTC explicitly exempted app stores, such as those run by Google and Apple, from responsibility for privacy violations by games and software sold in their stores. The government also reversed a prior proposal by agreeing to continue to allow parental consent to be obtained by email as long as apps and websites only collect the data for internal usage.
Now that these new guidelines have been issued, all operators need to review their policies to ensure compliance. These revisions have significantly expanded the type of information that is considered private and the number of companies that will need to comply. The FTC has previously brought enforcement actions against companies that were in violation of COPPA, and these new rules will allow for more actions to be brought in the future.
The Federal Trade Commission released a report on December 10, 2012, that concluded that mobile apps targeted at children were collecting large amounts of data from children and sharing their information with advertisers without disclosing their practices.
The FTC report examined 400 leading apps designed for kids that were sold in the mobile stores run by Apple and Google. The agency said it is launching an investigation to determine if certain mobile app developers have violated the Children’s Online Privacy Protection Act (COPPA) or engaged in unfair or deceptive trade practices.
The FTC’s authority over children’s mobile apps comes from laws that prohibit unfair and deceptive acts of commerce, as well as from COPPA, which requires operators of online services for children under 13 to get consent from parents before collecting and sharing personal information, among other requirements.
The report itself does not call for regulatory changes. However, the FTC is reviewing COPPA to determine if it needs to be updated, and is expected to announce updates soon. COPPA was enacted in 1998, and FTC officials say the law needs to be changed to reflect the growing prominence of mobile apps and social networking sites used by children. The regulations under COPPA have not been substantially revised since its introduction. COPPA sets forth specific requirements for websites aimed at children, but its guidance on mobile technology is far less clear.
The FTC proposed updating COPPA, but it has been met with pushback thus far from technology companies. The proposed changes could significantly increase the need for children’s sites and apps to obtain parental permission to collect certain types of data, including device IDs, photos, and voice recordings. FTC officials have also emphasized that they consider the exact location of a mobile device to be personal information that would require parental permission to collect.
The FTC report noted that it was particularly concerned with the collection of a user’s device ID, which is a string of letters or numbers that identifies each mobile device. Nearly 60 percent of the mobile apps that the FTC reviewed transmitted the device ID. Some of those apps then shared that ID with an advertising network or other third party, including some apps that disclosed the phone number and location of the device. Additionally, more than half the apps also contained interactive features such as advertising or in-app purchases that were largely undisclosed to parents.
Only 20 percent of the apps reviewed in the report disclosed any information about the app’s privacy practices. FTC Chairman Jon Leibowitz said, “Our study shows that kids’ apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents.”
This week’s report serves as further notice to all mobile app developers that the FTC is monitoring the mobile app market. App developers, particularly developers that are targeting children, need to review their compliance with FTC guidelines, as well as their overall truth-in-advertising and data privacy policies, to make sure their apps are complying. The FTC has made clear that it will take enforcement actions against industry participants and will continue to aggressively pursue action in the future.
Speaking at a Dec. 15 Capitol Hill forum on children’s and teens’ online privacy, Federal Trade Commission Chairman Jon Leibowitz said that the agency is recommending that the Children’s Online Privacy Protection Act (COPPA) expand the definition of personally identifiable information.
Leibowitz explained that he supports expanding the definition of “personally identifiable information” to include geolocation information, photos, videos, IP addresses, and similar items found on computers or mobile devices.
COPPA applies to the online collection of personal information from children under 13 years old. The act applies to websites and online services that are operated for a commercial purpose and are directed at children under the age of 13 or whose operator has actual knowledge that children under 13 are providing information to the site online.
In September, the FTC announced proposed revisions to the COPPA rules, the first significant changes to the Act since the rules were issued in 2000. The FTC has been seeking public comments on the proposed revisions since September.
According to Leibowitz, the definition of personally identifiable information should be expanded from information provided by the consumer, to also include information used by the user’s computer or mobile device. This would include information held in cookies, processor numbers, IP addresses, geolocation information, photographs, videos, and audio files. Additionally, the new definition would now include information that web site operators, advertising networks, and others use to track consumers as they use the Internet.
The proposed rule changes would also expand the definition of what it means to “collect” data from children. The new definition would make it clear that personal information is being collected not only when the operator is requiring the personal information but also when the operator prompts or encourages a child to provide the information.
The way parental consent is obtained would also be changed to add several new methods, such as electronic scans of parental consent forms and the use of government-issued identification that is checked against a database. The rules would also eliminate the popular “e-mail plus” mechanism.
The new rules would also present a data retention and deletion requirement, which would mandate that data that is obtained from children is only kept for the amount of time necessary to achieve the purpose that it was collected for. The rules would also add the requirement that operators ensure that any third parties to whom a child’s information is disclosed have reasonable procedures in place to protect the information.
These proposed changes to COPPA will have a significant effect on online operators, particularly the expansion of the definition of personally identifiable information. We note, particularly, that the expansion of the definition of “personally identifiable information” in the children’s privacy context could lead to a general expansion by the FTC of the definition in all contexts. The FTC has cracked down on COPPA violations in the past, and these new powers will likely continue this trend.