In September 2015, the Online Interest-based Advertising Accountability Program (Accountability Program) of the Advertising Self-regulatory Council (ASRC) began enforcing the Digital Advertising Alliance (DAA) Guidelines for Mobile Advertising (Mobile Guidance) and now the inevitable has happened: the Accountability Program has issued three compliance decisions with mobile app publishers whose apps allegedly failed to comply with the Mobile Guidance. Two of those decisions, the Bearbit Studios decision and the Top Free Games decision, reinforce the heightened duties that mobile app publishers take on when developing mobile apps that appeal to children under 13 (children). For more information on the third decision, the Spinrilla decision, and the Accountability Program's stance on cross-app enhanced notice and precise location data, see our companion post here.
As a bit of an overview, further explored in our prior post, the Mobile Guidance incorporates the DAA's Online Behavioral Advertising Self-Regulatory Principles (Principles) and covers entities engaged in interest-based advertising (IBA) across websites or mobile apps. If a mobile app publisher allows a third party to collect data through its mobile app, the mobile app publisher is considered a covered entity and must comply with the Mobile Guidance.
The Mobile Guidance provides, by reference to the "Sensitive Data Principle" in the Principles, that where a mobile app publisher has actual knowledge that children use its mobile app or has a mobile app directed to children, the mobile app publisher should not collect "personal information" as defined by the Children's Online Privacy Protection Act (COPPA) (which definition includes device id, other unique id, geolocation, picture, audio file, phone number and more) for IBA purposes unless as compliant with COPPA. In order to comply with COPPA, as further discussed here, a mobile app publisher must first obtain verified parental consent before collecting children's personal information for IBA or most other purposes not necessary to operate the basic service; or, if the mobile app publisher's mobile app has a mixed audience that includes both children and adults, the mobile publisher may implement an age-gating mechanism to flag users under 13 (there are additional nuances to these requirements) and provide children a COPPA-compliant version. Whether a mobile app is directed or appeals to children is determined based on a multifactor test that considers factors such as subject matter, visual content, language, simplicity of operation, how and where the app is marketed, and use of animated characters and other content that appeals to children.
Keeping all this in mind, the Accountability Program found that Bearbit Studios and Top Free Games violated the Sensitive Data Principle (and COPPA) by allowing third parties to collect persistent identifiers on their child-directed mobile apps for IBA purposes without first obtaining verified parental consent. The Accountability Program found that both mobile apps were directed to children based on the cartoon characters and settings, simplicity of initial levels of play, and comments in user reviews; however, it also allowed them to be considered mixed-audience mobile apps. The Accountability Program specifically noted that language in a privacy policy stating that a mobile app is not intended for children is evidence of intent but does not turn a child-directed mobile app into a general audience mobile app. Bearbit Studios and Top Free Games resolved the compliance problems under the Sensitive Data Principle by adding age-screening mechanisms to their mobile apps and by agreeing to provide children a version that did not collect personal information in a manner that would require verified parental consent (e.g., IBA).
These two inaugural mobile app decisions from the Accountability Program serve as poignant reminders of the risks associated with publishing content that appeals to children. First, even if a mobile app publisher does not collect personal information from children, it may still be subject to COPPA if it allows third parties to collect data through its mobile app. IBA is an example of third-party data collection on sites and apps. Moreover, a mobile app that has any content that appeals to children could be subject to COPPA even if the mobile app publisher has a privacy policy stating that the mobile app is not intended for children. Also, in addition to enforcement by the Accountability Program, both the Federal Trade Commission (FTC) and the ASRC's Children's Advertising Review Unit (CARU) regulate and take action against publishers that violate COPPA. In the past year, CARU has brought action against publishers that collected persistent identifiers in violation of COPPA (see Art for Kids and Pottermore). Likewise, the FTC has brought dozens of actions against publishers that violated COPPA, most recently settling charges with a mobile app publisher for $60,000 and a 20-year consent order (available here). For these reasons and more, publishers should take extra precautions when publishing content that appeals to children.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
