On September 11, 2018, New Mexico’s Attorney General Hector Balderas filed a federal lawsuit against an app developer and its contracted advertisers for violating the Children’s Online Privacy Protection Act (“COPPA”), New Mexico’s Unfair Business Practices Act, and the Federal Trade Commission Act. The 85-page complaint contains allegations that Tiny Lab Productions, an app developer, operated 91 apps designed for children that failed to adequately comply with COPPA. The complaint states that the developer collected and sold children’s data to advertisers, who then used the data to track and profile the children for targeted advertising without parental consent. Under COPPA, companies must comply with a certain privacy rules before they are able to collect a child’s data, including obtaining explicit consent from the child’s parents. New Mexico also alleges that some of the apps’ advertisers, namely Google (and its advertising company, AdMob) and Twitter (and its advertising company, MoPub,), marketed these apps through their platforms, which gave the public a false impression that the apps were in compliance with COPPA.
The Attorney General is seeking a permanent injunction to prevent any further tracking practices and destruction of any improperly obtained personal data, along with civil penalties for the COPPA violations, and nominal and punitive damages for violating New Mexico’s Unfair Business Practices Act.
App developers and online businesses need to recognize that privacy and data collection practices have become a principal concern for the Federal Trade Commission and Attorneys General throughout the country, especially when it pertains to the collection of children’s data. Website and online service operators should be aware of COPPA and must understand that compliance with it is necessary in order to avoid facing punishment.
What is COPPA?
COPPA is a series of federal laws that was enacted by Congress in 1998 to protect the privacy of children under 13 years old. Congress created the regulations to protect children from unknowingly sharing their data with companies, after noticing an increase of marketing techniques that targeted children. The data that was being collected often included personal information ranging from the child’s first and last name, home address, telephone number, and more recently, files that contained the child’s image or voice, and geolocation information that made it easy to identify the child’s street name and home city or town. Congress recognized that children giving away this information posed obvious dangers, and enacted a list of practices for website and online service operators to implement. Effectively, these practices allow parents to control what types of data operators are able to collect from their children. The Act was revised in 2012 to apply to social networks and smartphone apps as well.
Who does COPPA apply to?
Many people believe that COPPA only applies to commercial websites and online services that are directed to children under 13 years old, but the Act also extends to other operators who collect data from children. Under the Act, all general audience website or online service operators with actual knowledge that they are collecting, using, or disclosing personal information from children under 13 must also comply with COPPA. Additionally, all website or online service operators that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children will be subject to penalties for not complying with the Act.
The Act defines “online services” in a broad manner that includes any service available over the Internet or that connects to the Internet or a wide-area network. This includes all mobile apps that connect to the Internet, Internet-enabled gaming platforms, and services that allow users to play network-connected games, engage in social networking activities, purchase goods or services online. It also includes Internet-enabled location-based services also are online services covered by COPPA.
How to comply
Operators must make sure they follow these requirements in order to comply with COPPA:
What are the consequences of not complying?
For each violation of COPPA, courts may impose a civil penalty of up to $41,484. Courts look at a variety of factors when determining how severe of fine it should levy. If the operator was not collecting a great deal of personal information and had it never violated the Act previously, a court would be less likely to impose the maximum fine. However, if the operator repeatedly violated COPPA, collected a multitude of personal information, and it was sharing the data with third parties, a court would be more inclined to impose the maximum penalty. The fine amount can quickly add up since each violation is penalized. Last January, VTech Electronics agreed to pay the Federal Trade Commission $650,000 over charges that it violated COPPA by collecting personal information from children without providing direct notice and obtaining their parent’s consent, and failing to take reasonable steps to secure the data it collected.
As data collection and tracking continue to be valuable marketing tools for companies, it is important for these companies to understand that they must comply with certain regulations if they wish to perform these practices and collect data from children under the age of 13. By failing to do so, companies will be exposed to steep fines considering the volume of data that is continuously being collected. Without proper compliance and protections in place, a company may end up being subject to fines that can cause permanent damage to the company. If you have any questions on how to correctly with COPPA, please feel free to contact us.
This afternoon, I will be attending an event which focuses on the latest iPad solutions for retailers. I have seen several stores around Manhattan which use iPads as point of sale terminals instead of the old-fashioned cash registers, which makes sense as iPads are user-friendly and the apps are flexible in design. However, in a time where there is seemingly a major privacy leak every few months, the use of an iPad in point of sale transactions raises privacy concerns for the consumer and retailer, such as:
Quiles Law is an esports and sports law firm based in New York City.
60 Bay Street, Suite 700
Staten Island, New York 10301
(P) (917) 477-7942
(F) (917) 791-9782
Attorney Advertising. The information presented in this site should not be construed to be formal legal advice nor is it intended to form any attorney/client relationship. Our attorneys, collectively, are licensed to practice law in the States of New York, New Jersey, and Pennsylvania. Copyright Roger R. Quiles, Esq., 2018. All rights reserved.