Earlier this month, the FTC sent a letter to Wildec, LLC, the Ukraine-based maker of several mobile dating apps, alleging that the apps were collecting the personal information and location data of users under the age of 13 without first obtaining verifiable parental consent or otherwise complying with the Children’s Online Privacy Protection Act (COPPA). The letter pressed the operator to delete personal information on children (and thereafter comply with COPPA and obtain parental consent before allowing minors to use the apps) and disable any search functions that allow users to locate minors. The letter also advised that the practice of allowing children to create public dating profiles could be deemed an unfair practice under the FTC Act. Subsequently, the three dating apps in question were removed from Apple’s App Store and Google’s Google Play Store following the FTC allegations, showing the real world effects of mere FTC allegations, a response that might ultimately compel Wildec, LLC to comply with the statute (and cause other mobile apps to reexamine their own data collection practices). Wildec has responded to the FTC’s letter by “removing all data from under age accounts” and now prevents minors under the age of 18 from registering on the dating apps.
COPPA was first passed in 1998 (with the COPPA Rule implemented in 2000, and later revamped in 2013), children’s privacy has been on the FTC’s radar, with the agency expanding its enforcement scope to the mobile sphere in 2011 when it brought its first COPPA case involving an app. Generally speaking, websites and online services covered by COPPA must post privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from children. Since the revised COPPA Rule came into effect, the FTC is certainly looking more closely at less traditional areas where violations may occur.
Indeed, in recent months, the FTC and privacy advocates have taken aim at just these modern children’s privacy issues:
- In April 2019, Unixiz, Inc., the operator of i-Dressup.com agreed to settle FTC allegations that it violated COPPA by failing to obtain parental consent before collecting personal information of children under 13 or take reasonable steps to secure consumer information (resulting in a data breach). i-Dressup allowed users, including children, to play dress-up games and also enter an online community where users could create personal profiles and interact with other users. If the site was unable to obtain parental consent from under-13 users, they were given a “Safe Mode” membership that barred them from the social features of the site, yet the FTC alleged that i-Dressup still collected personal information despite a lack of parental consent. The FTC also alleged that i-Dressup, among other things, stored and transmitted users’ personal information in plain text and failed to perform vulnerability testing of its network, shortcomings that resulted in a security breach. Under the proposed settlement, i-Dressup agreed to pay a $35,000 civil penalty, and implement a comprehensive data security program and obtain biennial assessments.
- In February 2019, the operator of the video social networking app Musical.ly (now known as TikTok) agreed to pay $5.7 million and settle FTC charges, the largest fine ever under COPPA, that it allegedly collected personal information from children, despite having knowledge that many children using the app were under 13. The Musical.ly app allowed users to create short videos lip-syncing to music and share those videos and otherwise interact with other users. According to the complaint, while the site allowed users to change their default setting from public to private so that only approved users could follow them, users’ profile pictures and bios remained public. Beyond the civil penalty, the settlement required the operators to comply with COPPA going forward and take offline all videos made by users under 13. Moreover, following the settlement, the operator announced changes that will place younger U.S. users into a limited, separate app that contains certain privacy protections.
What’s up next for FTC enforcement? IoT-connected and voice-activated electronic devices and toys have caught the agency’s attention in the last several years. The 2013 COPPA Rule amendment added several new types of data to the definition of personal information, including a photograph, video, or audio file that contains a child’s image or voice. Seeing the new technologies out in the market, in 2017 the agency released an enforcement statement where it noted that it would not take an enforcement action against an operator for not obtaining parental consent before collecting the audio file with a child’s voice when it is collected solely as a replacement of written words, as long as it is held for a brief time and only for that purpose. Still, the issue of IoT toys remains an unsettled issue in children’s privacy. This past week, private advocates sent a complaint to the FTC requesting an investigation into the Amazon Echo Dot Kids product, which is a version of its Alexa home assistant. The complaint alleged that this device violated COPPA by collecting children’s voice recordings and associated it with data from browsing habits, and retaining it indefinitely. It also alleges that Amazon failed to give notice and obtain parental consent for information collected through third parties, because Amazon recommended that parents review third-party service policies, but the complaint revealed that only about 15% of the third-party services targeted towards children actually had posted privacy policies. Amazon has denied the allegations and stated it complies with COPPA.
We await the resolution of the Echo Dot inquiry and will continue to monitor developments in children’s privacy, particularly with respect to IoT toys and other new technologies that necessarily feature data collection capabilities that implicate COPPA.