Wednesday, February 27, 2013

Apps Developers: Please Pay Attention to the New Amendments to COPPA

This blog’s mission is to summarize the recent amendments to the Children’s Online Privacy Protection Act (COPPA), a federal law that regulates whether and how website owners as well as mobile apps developers can use personal information collected from children under the age of 13. Interestingly, according to The Wall Street Journal’s study, apps and websites that target children tend to collect more tracking data than any other websites or apps. The WSJ compared 50 popular sites for teens and children with the 50 most popular sites generally aimed at adults, and found that the sites targeting kids placed 30% more cookies, beacons and other pieces of tracking technology than the sites targeting the adults.

So, what are the new amendments to COPPA that affect apps?
  • The definition of “personal information” has been expanded to include photos, videos, voice recordings, the IP addresses and the geo-location data, in addition to name, address and phone numbers. Such personal information cannot be collected from children under the age of 13 without parental consent; 
  • Data received by apps cannot be shared with third parties unless the third parties are “capable of maintaining the confidentiality, security and integrity of such information”; 
  • Collecting certain tracking processes, such as cookies, usernames, IP addresses and device IDs also require parental consent (but no consent is needed if the collected data is used only for internal purposes, such as ensuring functionality of the app, personalizing its content, offering contextual advertisements, authenticating users); 
  • Interactive features in the apps, such as integration with social networks, are allowed so long as such third party networks do not collect and share information in violation of COPPA; 
  • Parents can now provide their consent in a variety of ways, including electronically scanned consent forms, video-conferencing, emails accompanied by a PIN or password, and toll-free numbers they can call to answer consent questions (obtaining valid parental consent, however, is likely the most confusing aspect of complying with COPPA since the consent must meet certain criteria to be valid. The exact criteria, however, have not been disclosed by the FTC); 
  • App stores and app download platforms are exempted from complying with COPPA and therefore don’t have to confirm that apps for sale are in compliance with COPPA. 
According to The New York Times, small apps developers will be affected the most by these amendments. Previously, many small app developers were able to comply with COPPA by outsourcing data collection, often free of charge, to advertising networks and analytics companies. The new COPPA, however, makes app developers primarily liable for inappropriate or illegal data collection processes by such third parties. In practice, it means that the app developers have to notify parents of data collection practices of every third party whose services are integrated into the app and obtain parental consent. This greatly increases compliance burdens on the small apps developers that often operate on a tight financial budget. Additionally, if the small developers continue outsourcing their data collection practices to the analytics companies, they will have to limit such companies’ use of the collected information in compliance with COPPA, which may provide a disincentive for the analytics companies to collect and analyze data free of charge.

So, what can children’s apps developers do now to comply with the new rules? They can stop collecting any personal information from children unless it is for strictly internal use (which may negatively affect the monetization of their apps). Alternatively, they can target their apps to teenagers who are older than 13 (thus avoiding COPPA). Finally, they can increase the price of their apps to account for the increased legal and compliance costs associated with obtaining parental consents and providing adequate disclosure regarding the data collection practices of the apps and their affiliates.

In any case, it is highly advisable for the apps developers to have a well-written privacy policy that accurately describes data collection and data use practices of the app and its partners. It is also helpful to bring any unusual or important data collection practices to the attention of the parents through special notices.

Some argue that the amendments may already be ineffective and outdated. For example, it is widely believed that children can get around privacy protections by simply misrepresenting their age. While app developers play a part in enforcing privacy policies, parents should be the ones ultimately bearing the burden of policing their children’s online behavior and the amount of information they reveal while playing the apps. Parents should use device controls such as location blocking and privacy management settings on their mobile devices to limit access to theirs and their children’s private information.

Compliance with COPPA is by far the most important legal aspect of apps development that developers should be aware of if their apps are targeting children. Failure to comply can result in costly lawsuits. Earlier this month, an apps developer Path, Inc. settled with the FTC for $800,000 for inappropriately acquiring personal information from children. Path's app allowed users to share their journals that included photos, thoughts or their location with up to 150 people. Path collected personal information from users’ mobile address books without disclosing such collection practices or obtaining parental consent. The FTC said that the app had been downloaded over 2.5 million times and that Path allowed the registration of approximately 3,000 users whose birth dates showed that they were under 13. Aside from having to delete all personal information relating to children, Path also agreed to implement a thorough privacy program and to obtain privacy audits from a third party. Path’s alleged practices are now subject of a putative class action lawsuit in the Northern District of California.

This article is not a legal advice, and was written for general informational purposes only.  If you have questions or comments about the article or are interested in learning more about this topic, feel free to contact its author, Arina Shulga.  Ms. Shulga is the founder of Shulga Law Firm, P.C., a New York-based boutique law firm specializing in advising individual and corporate clients on aspects of business, corporate, securities, and intellectual property law.

1 comment:

  1. This article highlights the important factor. I work in a smartphone app development company where they make policies to restrict this problem.