As we’ve discussed in a previous post, the United States lacks a comprehensive federal privacy law regulating the collection, storage, use and disclosure of personal information in the online context and lawmakers have introduced several new initiatives in an attempt to address the issue.  However, under COPPA, one of the few existing federal laws that deals with online privacy, the FTC has been flexing its muscles by regulating online (i.e., website-based), and with this case, mobile (i.e., app-based), privacy.

According to the FTC, several of W3’s apps are directed at children under the age of 13, including the popular “Emily’s Girl World”, “Emily’s Dress Up”, “Emily’s Dress UP & Shop” and “Emily’s Runway High Fashion”.  These apps encourage, but do not require, users to post comments (which could include personal information) to the Emily’s Girl World blog and to directly email their comments to “Emily”.  The FTC’s complaint states that, “in addition to the collection and maintenance of over 30,000 emails, containing email addresses, [the company has] collected, maintained, and/or disclosed personal information from over 300 Emily’s Girl World app users and 290 Emily’s Dress Up app users who have registered to submit comments.” Specifically, the FTC alleges that W3 failed to: (a) maintain or link to an online notice of its information collection, use and disclosure practices; (b) provide direct notice to parents of their practices regarding the collection, use, and/or disclosure of children’s personal information; and (c) obtain verifiable consent from parents prior to collecting, using or disclosing such information, all in violation of COPPA.

In response to the FTC action, W3 stated that its “sole purpose in collecting email data was to improve the user experience with [its] apps; we never used any email address for marketing purposes or sold it to other firms”.  The company appears to have taken immediate corrective action after receiving notice from the FTC and implemented “a strict email policy that removes any possibility of collecting and retaining email addresses, even unintentionally, from users under the age of 13”.  As part of the settlement, W3 has also agreed to delete all the personal information previously collected from children and to refrain from future violations of COPPA.

This is the second federal enforcement action made public this year over a COPPA violation which suggests that the FTC may continue to aggressively pursue privacy violations involving children.  Playdom, a Disney Enterprises subsidiary, is the first website/app developer to settle with the FTC this year over COPPA violations.  The company operates virtual world websites where users, many of whom are Children, are required to provide ages and email addresses in order to register to play online games.  They are also allowed to post their full names, email addresses, instant messenger IDs, and location data to personal profile pages and online community forums .  In May, Playdom agreed to pay $3 million in a costly settlement over FTC charges, similar to those set forth in the W3 complaint, that it collected information from children without notifying parents and obtaining prior parental consent in violation of COPPA.

Most notably for app developers and distributors, FTC Chairman Jon Leibowitz emphasized the importance of obtaining parental consent, and made clear that the app space is no different from traditional website platforms.  “The FTC’s COPPA Rule requires parental notice and consent before collecting children’s personal information online, whether through a website or a mobile app,” said Chairman Jon Leibowitz in a statement given in response to the settlement. According to Senator Amy Klouchar, who has been working to prevent deceptive in-app purchase practices on mobile devices, “Mobile apps can be great tools for kids to learn and have fun, but parents should never have to worry that their child’s personal information is being collected or violated.”

In light of the current evolving enforcement climate, developers, distributors and operators of apps and websites targeted at children that collect personal information, should, among other things, ensure that they adhere to the requirements of COPPA, including  the basic guidelines described below. Specifically, prior to collecting, using or disclosing personal information received from children under 13, developers, distributors and operators must obtain verifiable parental consent for any such collection, use or disclosure.  They should also provide notice on their apps, websites and other applicable platforms regarding the kind of information that is collected from children, how such information is used and their disclosure practices related thereto. Further, if and whenever requested by a parent (or guardian), such developers, distributors and operators must provide (a) a description of the specific types of personal information collected from that child; (b) the opportunity at any time to refuse to permit further use or maintenance in retrievable form, or future online collection, of personal information from that child; and (c) reasonable means for the parent to obtain any personal information collected from that child. In addition, COPPA rules proscribe conditioning a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity.

As apps continue their meteoric rise in popularity, and become, in many instances, the preferred method of digital content distribution and consumption, we will continue to monitor the FTC’s actions in both the online and mobile spaces, the new privacy initiatives making their way through Congress and what these events may ultimately mean for the current stakeholders.

The ”Act To Prevent Predatory Marketing Practices against Minors“, prohibits companies from collecting personal information–such as name and e-mail address–from minors without receiving verifiable parental consent.  The restrictions are considerably broader than the federal Children’s Online Privacy Protection Act (“COPPA”), applying to information related to everyone under 18 (COPPA is limited to children under 13) and extending to such information collected offline as well as on.  

If enforced, it would have compelled sites with broad appeal to teenagers, like Facebook and MySpace, as well as news, education and other sites requiring registration, to verify the ages of users from Maine and then obtain permission from the parents of minors from the state.  In addition, the Maine Independent Colleges Association, argued that the law would prevent Maine colleges from sending marketing materials to prospective students without first obtaining consent from their parents.

Before the attorney general decided to not to enforce the law, a group of companies including online advocacy coalition NetChoice (whose members include AOL, eBay, IAC, NewsCorp and Yahoo!, among others), challenged it in federal court, alleging that it violated the First Amendment and Commerce Clauses of the US Constitution and is preempted by COPPA.  The suit was dismissed last week on consent of the parties when the AG announced her decision.  However, prior to granting the dismissal, the federal judge to whom the case was assigned indicated that he agreed with the plaintiff’s that the law is likely unconstitutional.

The law was originally focused on protecting the health-related information of those under 18 in an attempt to prevent pharmaceutical companies from using such information to market drugs to minors.  As the proposed bill passed through the Maine legislature, “personal information” was included in the marketing prohibitions. 

While the potential upheaval to many companies that would result from enforcement of the Maine law was real, it does not appear that this law is signaling a trend by the states to dramatically expand the coverage of their privacy laws.  In fact, the law’s author, Maine state senator Elizabeth Schneider, admitted that she intended the law to be limited to health-related information.  Apparently, the broader coverage was added with little notice or debate.

The Maine Senate’s judiciary committee is planning on reviewing the bill in the upcoming legislative session in order to enact amendments to address the concerns that have been raised.  However, while the attorney general’s office will not be enforcing the law until then, the private right of action remains on the books.  It is unclear whether any such suits brought could survive a constitutional challenge on the same grounds as those brought in the dismissed lawsuit.  But the specter of incurring costs to defend any such suits hangs over any company conducting business online since doing so on the internet means doing business in Maine.

COPPA requires website operators to meet specific requirements prior to collecting children’s personal information, including:

• posting a privacy policy with a notice of what information it collects from children and how it uses such information;
• obtaining verifiable parental consent prior to collecting, using or disclosing children’s information; and
• providing parents with the option to consent to the collection and internal use of their children’s information without consenting to disclosure to third parties.

The Act applies to any website that has actual knowledge it collects, uses and disclosed personal information from children. 

The FTC’s complaint alleges, among other things, that Sony BMG’s  over 1,100 music-related websites collect certain personal information upon registration, including e-mail addresses, birthdate, zip code and country.  Some of the sites also collected names, mobile phone numbers and full street addresses.  The sites offered a variety of features and functions including enabling registered users to create profile pages, post comments on message boards and receive e-mail notices. 

The FTC found that, despite the sites’ privacy policy advising children under 13 not to provide personally identifiable information and a representation that those under 13 would be restricted from certain features and functions, Sony BMG accepted registrations from users of all ages, including those indicating they were under 13, and enabled those users to freely use the sites.  The sites also enabled children under 13 to create user profile pages through which the children were able to interact with others, including adults.

The FTC alleged that Sony BMG violated COPPA by not clearly and accurately setting forth its policies for disclosing and using children’s information; failing to provide parents with notice of the information practices prior to collecting information; and failing to take steps to obtain verifiable consent from parents prior to collecting children’s information.

In addition to the fine, Sony BMG agreed to ensure future compliance with the COPPA provisions, as well as to include links to the FTC’s children’s privacy policy information page at www.ftc.gov/privacy/privacyinitiatives/childrens and the page containing social networking tips for parents at www.onguardonline.gov/socialnetorking.html.

The case is a reminder to all website operators of the importance of carefully crafting a comprehensive and thorough privacy policy.