The Federal Trade Commission (“FTC”) recently published a Staff Report entitled “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing” (the “Report”). The Report summarizes a recent survey created and conducted by the FTC which concluded that current disclosures by app stores, app developers and third parties (such as advertising networks) are inadequate. Specifically, a large majority of those involved in what the FTC described as the kids app ecosystem do not adequately disclose prior to downloading whether use of the app enables data collection, the type of data that is collected, the purpose of collecting the data, and who collected or obtained access to the data.
The FTC stated that the Report itself, along with its recent, first enforcement action against a mobile app developer under the Children’s Online Privacy Protection Act (“COPPA”) is “a warning call to [the] industry that it must do more to provide parents with easily accessible, basic information about the mobile apps that their children use.” It seems clear that a failure to voluntarily provide more transparent, pre-download privacy disclosures with kids’ apps is likely to draw FTC scrutiny and, possibly, an enforcement action.
Background
COPPA, and the FTC’s implementing Rule (16 C.F.R. Part 312), require operators of online services (including interactive mobile apps) directed to children under age 13 to provide notice and obtain parental consent before collecting items of “personal information” from children. COPPA applies to websites and online services that are operated for a commercial purpose and are directed at children under the age of 13 or whose operator has actual knowledge that children under 13 are providing information to the site online. Further, it outlines what a website operator (including, again, an interactive mobile app) must include in a privacy policy, the responsibilities of the operator to protect children’s online safety and how consent can be obtained from a parent.
Since 2008, consumers have downloaded apps [available from apps stores, apps developers and third parties via the Internet or a smartphone] more than 28 billion times, according to the Report. Children and teens are increasingly embracing smartphone technology and the apps that go with it.
Mobile apps can capture a broad range of user information from a device automatically, including the user’s precise geolocation, phone number, list of contacts, call logs, unique device identifiers and other information stored on the mobile device. These capabilities can provide beneficial services to consumers, and they may be necessary for the functionality of the app itself (e.g., geolocation for access to maps and directions), but the FTC has also noted that these capabilities can also be used by apps to collect detailed personal information in a manner parents may not be able to detect.
Survey Results
The Report highlights a series of issues regarding current disclosure practices, including a lack of clear, understandable information on the promotion and permission pages of the app stores, a lack of contact information for the Web developers; and disclosures in long, legalistic prose under headers such as “privacy policy” or “terms and conditions of use.” The Report concludes that under current disclosure practices of the apps surveyed, parents generally cannot determine, before downloading an app, whether the app poses risks related to the collection, use and sharing of their children’s personal information, and it calls upon the industry as a whole to do more to ensure that parents have access to clear, concise and timely information about the apps they download for their children.
Recommendations
If a mobile app is directed to children and in fact collects information from children, the app must provide a notice and obtain parental consent prior to collection pursuant to COPPA. (See 16 C.F.R. §312.3). In the Report, the FTC suggests that app developers should provide this information through simple and short disclosures or icons that are easy to find and understand on the small screen of a mobile device. App developers also should alert parents if the app connects with any social media or allows targeted advertising to occur through the app. Third parties that collect user information through apps should also disclose their privacy practices, whether through a link on the app promotion page, the developer’s disclosures or another easily accessible method. The Report also suggests that app stores should provide a more consistent way for developers to display information regarding their app’s data collection practices and interactive features. For example, app stores could provide a designated space for developers to disclose this information or standardized icons to signal features, such as connections with social media services.
The FTC has existing business guidance in this regard, entitled “Dot Com Disclosures,” regarding online advertising disclosures. However, the FTC is currently engaged in a project to update these guidelines and will host a public workshop this year to gain input from interested parties on current issues, including mobile privacy disclosures. Thus, it will be important for those in the kids app ecosystem to stay abreast of the development of these guidelines and practices.
This is particularly important where the FTC has proposed expanding its COPPA rule to include information that website operators, advertising networks and others use to track consumers as they use the Internet. The proposed rule changes would also expand the definition of what it means to “collect” data from children. The new definition would make it clear that personal information is being collected not only when the operator is requiring the personal information but also when the operator prompts or encourages a child to provide the information.
Significantly, the Report points out that the survey focused on the disclosures provided to users regarding their data practices; it did not test whether the selected apps actually collected, used or disclosed personal information from children. “Over the next six months, staff will conduct an additional review to determine whether there are COPPA violations and whether enforcement is appropriate.”
The FTC message is clear: to minimize the possibility of an enforcement action companies, should strive to voluntarily provide short, clear, easy to access and understand privacy disclosures.
This article was originally published by Bingham McCutchen LLP.