by Mehmet Munur
The Federal Trade Commission
announced a settlement with mobile application developer W3 Innovations, LLC for violations of the Children’s Online Privacy Protection Act (COPPA). According to the
FTC complaint, the developer collected personal information from children under the age of 13 through its mobile applications without a privacy notice to the children, without a privacy notice to their parents, and without verifiable consent from the parents as required by the COPPA rules. The FTC
settlement requires the developer to 1) cease all violations of COPPA, 2) delete all personal information collected in violation of COPPA, 3) pay a civil penalty of $50,000, and 4) subject itself to a compliance reporting program. Also today, the FTC announced a guide for teens for
Living Life Online.
According to the FTC complaint, the developer offers for download approximately 40 applications in Apple’s App Store. Some of the applications, Emily's Girl World, Emily's Dress Up, Emily's Dress Up & Shop, and Emily's Runway High Fashion, are, as
the exhibits to the FTC complaint show, directed to children. According to the complaint, Emily's Girl World application was downloaded 32,000 times while Emily’s Dress-up was downloaded 27,000 times. The applications allowed users to share names, email addresses, comments, and “blush” stories using the application or emails related to the application. The blog functionality was also accessible from within the applications. The developer maintained a database of over 30,000 email addresses as a result of the information collected from the apps. The developer failed to provide notice to the users, their parents, and failed to obtain verifiable consent from the parents before collecting the personal information from the users as required under the COPPA rules located at
16 C.F.R. § 312.4.
The resulting consent decree and order bars the developer from continuing violations of the COPPA rules, requires it to pay $50,000 in civil fines, and requires it to submit to a compliance monitoring program. The program requires the developer to allow the FTC to monitor compliance with the consent order by obtaining reports and documents from the developer. Under the order, the developer also takes on reporting obligations with respect to any changes in address, ownership, or name and other information such as bankruptcy filings. In addition, the developer has record keeping obligations relating to demonstrating its compliance with the consent decree and order for a period of 6 years.
This enforcement action is not entirely unexpected because the FTC has been signaling its interest in bringing an enforcement action in the mobile space for some time. Jessica Rich
testified in front of Congress in May relating to mobile privacy issues. Most recently, BNA reported that, at the August 8
th American Bar Association Toronto meeting, the FTC Commissioner Julie Brill stated that the FTC would be bringing enforcement actions in the mobile space under its Section 5 authority.The selection of the FTC’s jurisdiction under COPPA makes perfect sense as well. Under the FTC’s COPPA regulations, the mere failure to post privacy notices and obtain verifiable consent from parents before collecting personal information is a violation of the regulations—without unfair and deceptive practices in relation to the treatment of that information. As a result, applications that target children under the age of 13 without posting notices and obtaining verifiable consent from parents make an efficient enforcement target for the FTC.
However, the monetary fines pale in comparison to the $3 million in
fines assessed to Playdom Inc. in May 2011 for violations of COPPA. There, Playdom operated 20 online virtual worlds and collected personal information from children under the age of 13 without obtaining verifiable consent from parents and without providing parents with notice. The size of the fine in that enforcement action is likely proportional to the size of the users Playdom’s virtual worlds. According to the FTC, one Playdom website had 403,000 registered users while another had 821,000 registered users. Another egregious factor was that Playdom’s website privacy policy stated that it would prohibit children under the age of 13 from posting personal information on its websites—thought it clearly did not.
Taken together, these two enforcement actions show that the FTC will continue to be active in the mobile space with large consequences for developer. The number of users of mobile technologies is increasing tremendously. Congress has had to pay closer attention to this area because their constituents are becoming more concerned with these issues. It does not help that the treatment of personal information collected by mobile applications is rarely, if ever, disclosed through privacy policies. Add to this the missteps by
Apple and Google with regards to their location tracking features and you end up with the perfect conditions for FTC to step in with enforcement actions based on well-established Section 5 authority. Considering that Pandora and other mobile application developers received
subpoenas from a federal grand jury, this is unlikely to be the last enforcement action in the mobile arena.
Labels: Enforcement Action, Federal Trade Commission, FTC, Mobile Application