FTC Settles Advertising-Related COPPA Charges Against Two App Developers
This week, the FTC announced settlements with two developers of children’s apps that it claimed had failed to comply the Children’s Online Privacy Protection Act (“COPPA”). While any COPPA enforcement by the FTC is noteworthy, these cases are particularly interesting in that they are the FTC's first COPPA enforcement actions that are based on allegations that a child-directed online service allowed advertisers to collect and use persistent identifiers for the purpose of targeting advertisements.
Persistent identifiers were classified as a type of “personal information” under COPPA as part of the amendments to the FTC's COPPA Rule that went into effect in July 2013. [For more on the July 2013 rule change, please see our previous coverage here.] The amended COPPA Rule permits operators of a child-directed online service to collect persistent identifiers about a user without first securing verifiable parental consent only when the collection satisfies certain narrow exceptions. One such exception allows for the collection of a persistent identifier where the identifier is the only personal information collected from the user and it "is used for the sole purpose of providing support for the internal operations of the Web site or online service." [16 C.F.R. 312.5(7)] However, "[s]upport for the internal operations of the Web site or online service" is defined under COPPA to expressly exclude use for behavioral-advertising purposes.[16 C.F.R. 312.2]
The defendant in the first case, LAI Systems (d/b/a TapBlaze) ("LAI"), is an app developer that offered iOS and Android app titles such as My Cake Shop, My Pizza Shop, Hair Salon Makeover, Friday Night Makeover, and Marley the Talking Dog. The apps were free to download and generated revenue in part through in-app advertising.
For COPPA purposes, the determination of whether a particular online service is "directed to children" (and therefore subject to COPPA) involves the application of a multi-factor test that considers "its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children."[16 C.F.R. 312.2] According to the FTC's complaint, "an assessment of these factors demonstrates that LAI’s kids’ apps are directed to children under the age of 13. For example, LAI’s kids’ apps contain brightly colored, animated characters including dogs and children .... and involve only simple play. Their subject matter, which includes creating images of cakes and pizzas, playing dress up, hair styling, and learning animal sounds, would be highly appealing to children."
As a result, COPPA requires LAI to presume that all users of its child-directed apps are children younger than 13 and apply COPPA's protections. According to the FTC's complaint, LAI failed to inform its third-party advertising partners that these apps were directed to children and allowed them to collect persistent identifiers from and target ads to app users, all without providing notice and securing parental consent as required by COPPA. Pursuant to its settlement with the FTC, LAI will (among other things) pay a civil penalty of $60,000.
The facts of the FTC's complaint against Retro Dreamer are very similar to those in LAI Systems. Retro Dreamer produces iOS and Android apps, including the titles Ice Cream Jump, Happy Pudding Jump, Ice Cream Drop, Sneezies, Wash the Dishes, Cat Basket, and Tappy Pop, which the FTC determined to be child-directed pursuant to COPPA. Retro Dreamer generated revenue (among other ways) by selling advertising inventory within each of these apps. Like LAI, Retro Dreamer allowed third-party ad networks to collect persistent identifiers from users of its child-directed apps and to use that information to target advertisements, all without providing notice or securing parental consent as required by COPPA.
However, the Retro Dreamer case included an additional wrinkle: according to the FTC, Retro Dreamer had been warned in 2014 that it was serving behaviorally targeted ads to users of child-directed apps and failed to remedy that conduct. Per the FTC's complaint:
In June 2014, the network [a third-party ad network that served ads in Retro Dreamer's apps] informed Defendants it believed that certain apps submitted to the network for ads were directed to children under the age of 13, including Ice Cream Jump, Ice Cream Drop, Cat Basket, Sneezies, Tappy Pop, and Wash the Dishes, and therefore those apps would be excluded from the ad network. Although this ad network did not serve ads to Defendants’ apps, Defendants have continued to allow other ad networks to collect personal information in the form of persistent identifiers, in order to serve targeted advertising in Defendants’ kids’ apps.
To settle the FTC's charges, Retro Dreamer has agreed to pay a civil penalty of $300,000 (among other requirements).
The LAI and Retro Dreamer settlements provide a helpful reminder that just because your online service may not collect obvious personal information (like user's name or email address) does not mean that you are necessarily beyond the reach of COPPA. If you offer an online service that either may be considered "directed to children" under COPPA or that has users you actually know to be younger than 13, you should verify that you are operating in accordance with COPPA's requirements – including ensuring that any ad served within that online service is placed in a COPPA-compliant manner.
* * * *