Whether your six year old has hijacked your iPad again to rediscover the inexplicable joy of flinging birds with a finger activated slingshot or to harness her mighty math powers in the origami-paved streets of Umi City, children are tapping into the spring of entertainment and educational value offered by the mobile applications marketplace. Yet, according to a study issued last week by the Federal Trade Commission “Mobile Apps for Kids: Current Privacy Disclosures are DisAPPointing”, the lack of privacy disclosures in these apps may hint at deeper laden privacy pitfalls which members of the kids app ecosystem may soon have to remedy.
Mobile applications have powerful capabilities to automatically capture a broad range of user information, including a user’s geolocation, phone number, contact list, unique device identifiers, and other information on the mobile device. These capabilities can enhance the user experience, such as in the case of mobile gaming apps where the child’s geolocation allows a child to connect with others playing the same game nearby; however, some user information may be collected for other purposes such as targeted in-app advertising which parents may find less palatable.
While private groups including Moms With Apps and Kind Kid Apps have collaborated to form rules i.e. “Don’t be boring” and “Don’t’ be sneaky” to vet kid-friendly apps, it appears that the government will now be taking on a more active role in this realm. As important as what the FTC study discovered is what it did not find – the study focused on the disclosures provided to users regarding the developer’s data practices, it did not test whether the apps actually collected, used or disclosed personal information. FTC staff scoured the more than 8,000 apps in the Apple App store and the over 3,6000 Android Marketplace apps targeted at children and reviewed the promotional pages of the top 500 apps in each store. They found that in most instances, they were unable to determine from these landing pages whether the apps collected any data and if so, the type of data collected. As the regulatory body charged with enforcing the Children’s Online Privacy Protection Act (COPPA), a 1998 law requiring operators of online services directed at children under age 13 to provide notice and obtain parental consent prior to collecting personal information from children, the FTC plans on reviewing mobile applications for violations of the law over the next six months and may bring COPPA enforcement actions.
So, what should developers and app stores do in the mean time? According to the FTC, “Parents should be able to learn, before downloading an app for their children what data will be collected, how the data will be used, and who will obtain access to the data.” The study translated this basic premise into some practical recommendations for developers, third parties providing services within applications, and app stores.
- Provide privacy disclosures through simple and short disclosures that are easy to find and understand on the small screen of a mobile device.
- Alert parents if the app connects with any social media or allows targeted advertising to occur through the app.
Third Parties Providing Services (within the apps)
- Disclose privacy practices through a link on the app promotion page, developers disclosures or another easily accessible method.
- Provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features.
-Designate a space for developers to disclose information collection practices.
-Provide standardized icons to signal features such as connection with social media services.
- Enforce the requirements in the App Store Developer Agreement requiring developers to disclose the information their apps collect.
Additionally, the FTC will be hosting a public workshop this year on how to provide effective online disclosures, including accessible mobile privacy disclosures.