Marketing to children on the Internet can be fraught with legal peril unless one is attuned to the applicable statutory and regulatory framework. That’s what two app developers found out when the Federal Trade Commission (FTC) accused them of allowing third-party advertisers to collect personal information from kids. The enforcement actions against LAI Systems, LLC and Retro Dreamer are newsworthy in that they were the first to accuse defendants of collecting “persistent identifiers,” pieces of data tied to a particular user or device.
The FTC actions are based on the Children’s Online Privacy Protection Act (COPPA), which Congress passed to respond to the rise of Internet marketing targeting children and collecting their personal information. COPPA protects the privacy of children under 13 by requiring parental consent for the collection or use of children’s personal information. Persistent identifiers were among the categories added to the COPPA Rule’s definition of personal information when it was updated in 2013.
COPPA generally applies to commercial websites and online services directed at children but can also apply to services that have actual knowledge that their site or app is being used by children. In the 2012 Statement of Basis and Purpose, the FTC identified two instances in which the actual knowledge standard will likely be met:
- where a child-directed content provider directly communicates the child-directed nature of its content to the ad network; and,
- where a representative of the ad network recognizes the child-directed nature of the content.
The determination of whether an app is directed to children depends on the subject matter, visual content, language, and use of animated characters or child-oriented activities and incentives. For LAI Systems, its My Cake Shop app, which allowed users to create images of their own cakes, qualified.
Entities subject to the Act must follow a number of requirements, which include:
- Providing parents with “direct notice” before collecting kids’ information.
- Requiring verifiable parental consent prior to collection of personal information from a child under the age of 13 and allowing parents to revoke consent.
- Limiting the collection of personal information when a child participates in online games and contests.
- Restricting the amount of time personal information may be maintained.
- Protecting the confidentiality, security, and integrity of any personal information that is collected online from children through reasonable procedures.
The FTC accused LAI Systems and Retro Dreamer of violating COPPA by facilitating the collection of children’s personal information without providing the requisite notice and obtaining verifiable parental consent. The companies resolved the enforcement actions by entering into settlements with the FTC, with the former agreeing to pay a $60,000 civil penalty, and the latter a $300,000 penalty. Had they instead decided to litigate, each could have faced civil penalties of up to $16,000 per violation.
- Hackers are Leveraging Fear during the COVID-19 Pandemic
- No Trespassing: Can Public Websites Ever Be Off Limits?
- Cybersecurity – Global Ransomware Attack is Top of Mind with U.S. Securities Regulator
- Cybersecurity - a Top Operational Risk in FINRA’s 2017 Regulatory and Examination Priorities Letter
- Following Intense Industry Criticism, New York Overhauls Cybersecurity Requirements for Financial Services Companies
- FINRA Imposes Fines Against 12 Firms for Cybersecurity Violations
- OCC Announces Long-Awaited Fintech Charter Decision
- FCC Adopts New Consumer Privacy Rules for Internet Service Providers
- New York Announces Proposed “Groundbreaking” Cybersecurity Regulation for Financial Institutions
- Cybersecurity Programs at Securities Firms under Increasing Scrutiny by the Financial Industry Regulatory Authority (FINRA)