FTC Announces Second Mobile Application Settlement

by Mehmet Munur

The FTC announced an enforcement action against the two marketers of mobile applications on Apple and Google mobile application stores that claimed, among other things, to cure acne by “resting the iPhone against your skin’s acne-prone areas for 2 minutes daily to improve skin health without prescription drugs.” This is the second enforcement action that the FTC brought against mobile application developers. The first mobile application enforcement action was for violations of COPPA.

According to the FTC complaint against AcneApp, the advertisement for the application contained statements that the application was an effective treatment for acne and that the representations relating to the application were false and misleading. The description of the application stated that it had been developed by a dermatologist and a British Journal of Dermatology study showed the effectiveness of the treatment. As a result, the FTC alleged that the marketer’s actions amounted unfair and deceptive trade practices under Section 5 of the FTC Act.

The accompanying agreement and consent order requires the marketers to pay $14,294 in fines to the FTC . It also prohibits the marketers from representing that the AcneApp provides effective treatment for Acne unless they have reliable scientific evidence substantiating that representation. The consent order also contains record keeping requirements relating to all advertisements and notification requirements. As is customary with FTC enforcement action, the order terminates in 20 years. However, it does not include any third party assessments, which is usual for enforcement actions relating to security breaches. The complaint and the agreement sand consent order for the second application (aptly titled Acme Pwner) marketer are similar in nature. However, the fines are limited to $1,700.

This enforcement action is the second enforcement action for the FTC in the mobile space. At the time of the first enforcement action, we proclaimed that the FTC would continue to be active in this area. This is yet another indication of the FTC’s willingness to bring enforcement actions in the mobile space. We expect the next enforcement action to be based on the privacy or security practices of a mobile application directed towards adults.

Read More...

FTC Announces Settlement with Mobile App Developer

by Mehmet Munur

The Federal Trade Commission announced a settlement  with mobile application developer W3 Innovations, LLC for violations of the Children’s Online Privacy Protection Act (COPPA).  According to the FTC complaint, the developer collected personal information from children under the age of 13 through its mobile applications without a privacy notice to the children, without a privacy notice to their parents, and without verifiable consent from the parents as required by the COPPA rules. The FTC settlement requires the developer to 1) cease all violations of COPPA, 2) delete all personal information collected in violation of COPPA, 3) pay a civil penalty of $50,000, and 4) subject itself to a compliance reporting program.  Also today, the FTC announced a guide for teens for Living Life Online.

According to the FTC complaint, the developer offers for download approximately 40 applications in Apple’s App Store.  Some of the applications, Emily's Girl World, Emily's Dress Up, Emily's Dress Up & Shop, and Emily's Runway High Fashion, are, as the exhibits to the FTC complaint show, directed to children.  According to the complaint, Emily's Girl World application was downloaded 32,000 times while Emily’s Dress-up was downloaded 27,000 times. The applications allowed users to share names, email addresses, comments, and “blush” stories using the application or emails related to the application. The blog functionality was also accessible from within the applications.  The developer maintained a database of over 30,000 email addresses as a result of the information collected from the apps. The developer failed to provide notice to the users, their parents, and failed to obtain verifiable consent from the parents before collecting the personal information from the users as required under the COPPA rules located at 16 C.F.R. § 312.4.

The resulting consent decree and order bars the developer from continuing violations of the COPPA rules, requires it to pay $50,000 in civil fines, and requires it to submit to a compliance monitoring program.  The program requires the developer to allow the FTC to monitor compliance with the consent order by obtaining reports and documents from the developer.  Under the order, the developer also takes on reporting obligations with respect to any changes in address, ownership, or name and other information such as bankruptcy filings.  In addition, the developer has record keeping obligations relating to demonstrating its compliance with the consent decree and order for a period of 6 years.  

This enforcement action is not entirely unexpected because the FTC has been signaling its interest in bringing an enforcement action in the mobile space for some time.  Jessica Rich testified in front of Congress in May relating to mobile privacy issues.  Most recently, BNA reported that, at the August 8^th American Bar Association Toronto meeting, the FTC Commissioner Julie Brill stated that the FTC would be bringing enforcement actions in the mobile space under its Section 5 authority.The selection of the FTC’s jurisdiction under COPPA makes perfect sense as well.  Under the FTC’s COPPA regulations, the mere failure to post privacy notices and obtain verifiable consent from parents before collecting personal information is a violation of the regulations—without unfair and deceptive practices in relation to the treatment of that information.  As a result, applications that target children under the age of 13 without posting notices and obtaining verifiable consent from parents make an efficient enforcement target for the FTC. 

However, the monetary fines pale in comparison to the $3 million in fines assessed to Playdom Inc. in May 2011 for violations of COPPA.  There, Playdom operated 20 online virtual worlds and collected personal information from children under the age of 13 without obtaining verifiable consent from parents and without providing parents with notice.  The size of the fine in that enforcement action is likely proportional to the size of the users Playdom’s virtual worlds.  According to the FTC, one Playdom website had 403,000 registered users while another had 821,000 registered users.   Another egregious factor was that Playdom’s website privacy policy stated that it would prohibit children under the age of 13 from posting personal information on its websites—thought it clearly did not.  

Taken together, these two enforcement actions show that the FTC will continue to be active in the mobile space with large consequences for developer.  The number of users of mobile technologies is increasing tremendously.  Congress has had to pay closer attention to this area because their constituents are becoming more concerned with these issues.  It does not help that the treatment of personal information collected by mobile applications is rarely, if ever, disclosed through privacy policies.  Add to this the missteps by Apple and Google with regards to their location tracking features and you end up with the perfect conditions for FTC to step in with enforcement actions based on well-established Section 5 authority.  Considering that Pandora and other mobile application developers received subpoenas from a federal grand jury, this is unlikely to be the last enforcement action in the mobile arena. 

Read More...