So, what are the new amendments to COPPA that affect apps?
- The definition of “personal information” has been expanded to include photos, videos, voice recordings, the IP addresses and the geo-location data, in addition to name, address and phone numbers. Such personal information cannot be collected from children under the age of 13 without parental consent;
- Data received by apps cannot be shared with third parties unless the third parties are “capable of maintaining the confidentiality, security and integrity of such information”;
- Collecting certain tracking processes, such as cookies, usernames, IP addresses and device IDs also require parental consent (but no consent is needed if the collected data is used only for internal purposes, such as ensuring functionality of the app, personalizing its content, offering contextual advertisements, authenticating users);
- Interactive features in the apps, such as integration with social networks, are allowed so long as such third party networks do not collect and share information in violation of COPPA;
- Parents can now provide their consent in a variety of ways, including electronically scanned consent forms, video-conferencing, emails accompanied by a PIN or password, and toll-free numbers they can call to answer consent questions (obtaining valid parental consent, however, is likely the most confusing aspect of complying with COPPA since the consent must meet certain criteria to be valid. The exact criteria, however, have not been disclosed by the FTC);
- App stores and app download platforms are exempted from complying with COPPA and therefore don’t have to confirm that apps for sale are in compliance with COPPA.
So, what can children’s apps developers do now to comply with the new rules? They can stop collecting any personal information from children unless it is for strictly internal use (which may negatively affect the monetization of their apps). Alternatively, they can target their apps to teenagers who are older than 13 (thus avoiding COPPA). Finally, they can increase the price of their apps to account for the increased legal and compliance costs associated with obtaining parental consents and providing adequate disclosure regarding the data collection practices of the apps and their affiliates.
Some argue that the amendments may already be ineffective and outdated. For example, it is widely believed that children can get around privacy protections by simply misrepresenting their age. While app developers play a part in enforcing privacy policies, parents should be the ones ultimately bearing the burden of policing their children’s online behavior and the amount of information they reveal while playing the apps. Parents should use device controls such as location blocking and privacy management settings on their mobile devices to limit access to theirs and their children’s private information.
Compliance with COPPA is by far the most important legal aspect of apps development that developers should be aware of if their apps are targeting children. Failure to comply can result in costly lawsuits. Earlier this month, an apps developer Path, Inc. settled with the FTC for $800,000 for inappropriately acquiring personal information from children. Path's app allowed users to share their journals that included photos, thoughts or their location with up to 150 people. Path collected personal information from users’ mobile address books without disclosing such collection practices or obtaining parental consent. The FTC said that the app had been downloaded over 2.5 million times and that Path allowed the registration of approximately 3,000 users whose birth dates showed that they were under 13. Aside from having to delete all personal information relating to children, Path also agreed to implement a thorough privacy program and to obtain privacy audits from a third party. Path’s alleged practices are now subject of a putative class action lawsuit in the Northern District of California.
This article is not a legal advice, and was written for general informational purposes only. If you have questions or comments about the article or are interested in learning more about this topic, feel free to contact its author, Arina Shulga. Ms. Shulga is the founder of Shulga Law Firm, P.C., a New York-based boutique law firm specializing in advising individual and corporate clients on aspects of business, corporate, securities, and intellectual property law.