Two app developers – LAI Systems and Retro Dreamer – agreed to pay a combined $360,000 in civil penalties to settle allegations by the Federal Trade Commission (FTC) that they violated the Children's Online Privacy Protection Act (COPPA) Rule by allowing advertisers to collect persistent identifiers to serve behaviorally-targeted ads to children. Notably, these are the first actions in which the FTC alleged that the operators violated COPPA by allowing advertisers to collect persistent identities to target children.

Background

COPPA prohibits operators of web sites and online services from collecting personal information from children under 13 years of age without the express approval of their parents. In 2013, the FTC announced a number of updates to COPPA (new COPPA). As part of these updates, the FTC expanded the definition of "personal information" to cover (i) geolocation data that can identify a child's city and street, (ii) a child's image and voice, (iii) screen and user names, and (iv) persistent identifiers, which are pieces of data that can be used to recognize a child across different websites and online services (to read a previous D&G Alert on this topic, please click here). In 2014, the FTC brought its first action under new COPPA against Yelp for collecting geolocation information and photos of children (among other personal information) without parental consent in violation of new COPPA.

Complaints

In its complaint against LAI Systems, the FTC alleged that the app developer created a number of apps directed to children, including My Cake Shop, My Pizza Shop, Marley the Talking Dog, and Animal Sounds. According to the FTC's complaint, LAI Systems allowed third-party advertising networks to collect personal information from children in the form of persistent identifiers. The FTC asserted that LAI Systems failed to inform the ad networks that the apps were directed to children and did not instruct or contractually require the advertising networks to refrain from targeted advertising. The defendants also failed to provide notice to or obtain consent from parents before collecting and using the persistent identifiers to behaviorally target children.

Similarly, the FTC alleged in its complaint against Retro Dreamer and its principals, Craig E. Sharpe and Gavin S. Bowman, that the developer created a number of apps targeted to children, including Ice Cream Jump, Happy Pudding Jump, Sneezies, Wash the Dishes, Cat Basket, and Tappy Pop. The FTC also contended that these defendants allowed third-party advertising networks to collect personal information in the form of persistent identities in order to serve targeted advertising to children on the app and failed to inform the advertising networks that the apps were directed to children.

One interesting aspect of the Retro Dreamer complaint is that the FTC alleged that the defendants were aware of the existence of their COPPA obligations because at least one advertising network over the course of 2013 and 2014 specifically warned the defendants about their obligations under COPPA and also told the defendants that a few of their apps appeared to be targeted to children under the age of 13.

Settlement Agreements

Under its settlement agreement, LAI Systems agreed to pay $60,000 in civil penalties while Retro Dreamer, Mr. Sharpe, and Mr. Bowman agreed to pay $300,000 in civil penalties. The two settlements contain substantially similar injunctive provisions, including prohibiting the defendants from further violations of COPPA. In particular, the defendants are barred from:

  • Failing to make reasonable efforts, taking into account available technology, to ensure that a parent of a child receives direct notice of their practices with regard to the collection, use, or disclosure of personal information from children, including notice of any material change in the collection, use, or disclosure practices to which the parent has previously consented;
  • Failing to post a "prominent and clearly labeled link" to an online notice of their information practices with regard to children on the home or landing page or screen of its website or online service, and at each area of the website or online service where personal information is collected from children; and
  • Failing to obtain verifiable parental consent before any collection, use, or disclosure of personal information from children, including consent to any material change in the collection, use, or disclosure practices to which the parent has previously consented.

In addition, the defendants must submit compliance reports to the FTC that, among other things, set forth their methods to obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children and that set forth in detail the means provided for parents to review the personal information collected from their children.

Bottom Line

Due to the likelihood of increased FTC enforcement, operators of child-directed apps and websites should be reviewing their privacy practices to ensure that they are in compliance with COPPA and are not behaviorally targeting children in violation of COPPA. We anticipate that the FTC will bring further actions throughout the year against apps and web sites that allow advertisers to collect persistent identities to behaviorally target children without parental consent.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.