FTC Criticizes Privacy Disclosures for Children's Apps

The FTC yesterday issued a staff report calling upon members of the mobile app ecosystem to provide better privacy notices to parents about mobile apps directed to children.  The report, titled "Mobile Apps for Kids: Privacy Disclosures are Disappointing," highlights the findings from an FTC survey of the mobile apps for children available in the Apple App Store and the Android Market. 

The FTC evaluated the types of apps offered to children, the disclosures provided to users in the app stores and on the app developers' websites, interactive features such as connectivity with social media, and the ratings and parental controls offered for the apps.  FTC Chairman Jon Leibowitz stated that "right now, it is almost impossible to figure out which apps collect what data and what they do with it," and said the children's app ecosystem must "wake up" and provide "easily accessible, basic information, so that parents can make informed decisions about the apps their kids use."

To conduct its survey, the FTC searched the Apple and Android app stores using the word "kids" and examined the app store promotion pages of 200 apps (randomly selected from the first 480 search results) from each app store.  The FTC also reviewed the information available on the first page, or "landing" page, of the associated app developers' websites.  The FTC did not download any of the apps surveyed, explaining in the report that its focus was on the information that a parent could easily access prior to downloading (and possibly being charged for) an app.  The FTC also apparently did not examine the privacy policies or terms of use that were available through links on the app developers' websites (noting that "consumers are unlikely to read disclosures buried in privacy policies or 'terms of service' agreements because they are not easily accessible and are invariably long, legalistic, and difficult to understand"). 

According to the report, while FTC staff "encountered a diverse pool of apps for kids created by hundreds of different developers, staff found little, if any, information in the app marketplaces about the data collection and sharing practices of these apps."  In addition, of the 400 app promotion pages examined by the FTC, only two (0.5%) linked to a developer landing page that disclosed information about data collection and sharing on the landing page itself.

The report calls upon all members of the "kids app ecosystem" – the stores, developers and third parties providing services – to play an active role in providing key information to parents.  The report recommends that:

  • App developers should provide data practices information in simple and short disclosures. They also should disclose whether the app connects with social media and whether it contains ads. Third parties that collect data also should disclose their privacy practices.
  • App stores, "as gatekeepers of the app marketplaces," also should take responsibility for ensuring that parents have basic information. The stores should be able to provide a way for developers to provide information about their data collection and sharing practices (such as a designated space for developers to disclose this information and standardized icons to signal certain features, such as social network connectivity).

The report warns of future enforcement action, noting that the FTC will conduct an additional review over the next six months to identify potential violations of the Children's Online Privacy Protection Act ("COPPA") and determine whether enforcement is appropriate.  According to the FTC, the report, along with the agency's settlement last year with a mobile app developer for alleged COPPA violations and its recent proposal to amend the COPPA Rule, is a "warning call" to industry that it must do more to provide parents with information about the mobile apps their children use.

The FTC report can be expected to increase scrutiny of mobile app privacy issues, which were in the spotlight in recent days following news that the popular social network app Path (and other iOS apps) would upload users' entire contact lists to the developer's servers without permission. 

FTC Extends Deadline for COPPA Comments from Nov. 28 to Dec. 23

The FTC today extended to December 23 the deadline for public comments to its proposed revisions to the Children’s Online Privacy Protection Rule, which regulates the collection of personal information online from children under 13 under the Children’s Online Privacy Protection Act (“COPPA”). Back in September, we extensively summarized the FTC’s announcement of the proposed revisions, which contemplate several major changes to the existing COPPA regime including:

  • clarifying that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information – all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA enforcement program to require “safe harbor programs” to exercise more oversight.

The previous deadline for the submission of comments was November 28.

FTC Announces First Flash Cookie Enforcement and Settlement with Child Social Network

This blog entry was contributed by Steven Spagnolo, an associate in the Privacy and Information Management group in Hogan Lovells' Washington, DC office.

The Federal Trade Commission (FTC) yesterday announced settlements with two online companies for deceptively collecting personal information from consumers.  In the first enforcement action against the use of Flash cookies, the FTC alleged that ScanScout, an online behavioral advertiser that was recently acquired by Tremor Video, circumvented user choice by collecting information through Flash cookies even while telling consumers they could opt out of this collection through other means. In the case of Skid-e-Kids, a social networking website that targets children, the FTC alleged violations of both the FTC Act and Children’s Online Privacy Protection Act (“COPPA”) for the collection of personal information from children without parental consent. 

ScanScout

ScanScout, which claims it is the “web’s largest in-stream video ad network,” agreed to settle FTC charges that it violated Section 5 of the FTC Act by failing to live up to representations made in its website privacy policy. The FTC’s complaint states that ScanScout’s privacy policy claimed that users could “opt out of receiving a cookie by changing [their] browser settings to prevent the receipt of cookies.”  Despite this representation, ScanScout used Flash cookies—which are locally stored files associated with the Adobe Flash Player—to track user behavior, which could not be blocked by changing browser settings as indicated in the privacy policy. The FTC deemed ScanScout’s inaccurate description of the ways that consumers could opt out of tracking to be a deceptive act or practice that violated Section 5 of the FTC Act.  The privacy policies of many websites and Internet-based applications state that consumers can opt out of tracking by disabling cookies, so these companies should reexamine whether they (or their web vendors) also use Flash cookies, HTML5, ETags, or any other methods to track website users that would not cease when users disable traditional HTML cookies.
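The reexamination suggested above can be started from captured HTTP traffic. The following is an added example (not code from the blog, ScanScout, or the FTC): a small Python audit that inspects one HTTP response and lists the tracking mechanisms it carries, flagging those that a privacy policy's "disable cookies to opt out" instruction does not cover. The response headers and body are constructed for illustration, and the ETag heuristic (an ETag on a response the server marks as not cacheable) is an assumption about what merits review, not a rule from the settlement.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    mechanism: str
    evidence: str
    outside_cookie_controls: bool  # True: disabling HTML cookies would not stop it


# Signals for the mechanisms the post names as surviving a cookie opt-out.
FLASH_RE = re.compile(r"(?:\.swf\b|application/x-shockwave-flash)", re.I)
HTML5_RE = re.compile(r"\b(?:localStorage|sessionStorage|indexedDB|openDatabase)\b")
NOCACHE_RE = re.compile(r"\b(?:no-store|no-cache|max-age=0)\b", re.I)


def audit_response(headers, body):
    """List tracking mechanisms in one response; headers is a list of (name, value)."""
    findings = []
    # Traditional HTTP cookies: these are what a browser's cookie setting governs.
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.append(Finding("http_cookie", value.split(";", 1)[0], False))
    # ETag identifier (assumed heuristic): a validator on a response the server says
    # not to cache has no caching purpose, yet the browser echoes it back in
    # If-None-Match, so it can carry an identifier that cookie controls do not touch.
    cache_control = " ".join(v for n, v in headers if n.lower() == "cache-control")
    for name, value in headers:
        if name.lower() == "etag" and NOCACHE_RE.search(cache_control):
            findings.append(Finding("etag_identifier", value, True))
    # Flash content can write Local Shared Objects (Flash cookies) that live in the
    # Flash Player's own storage rather than the browser's cookie jar.
    m = FLASH_RE.search(body)
    if m:
        findings.append(Finding("flash_content", m.group(0), True))
    # HTML5 storage APIs persist data outside the cookie jar; whether a browser's
    # cookie setting also blocks them varies, so each use needs review.
    for api in sorted(set(HTML5_RE.findall(body))):
        findings.append(Finding("html5_storage", api, True))
    return findings


def cookie_opt_out_claim_holds(findings):
    """True only if every mechanism found stops when the user disables HTML cookies."""
    return not any(f.outside_cookie_controls for f in findings)


# Constructed sample response: an ad-network page that sets a cookie and also
# keeps the same identifier alive in an ETag, a Flash object and localStorage.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "uid=7f3a9c; Path=/; Expires=Wed, 01 Jan 2014 00:00:00 GMT"),
    ("Cache-Control", "private, no-cache"),
    ("ETag", '"9c1f0e4b5a7d"'),
]
SAMPLE_BODY = """<html><body>
<object type="application/x-shockwave-flash" data="/pixel.swf" width="1" height="1"></object>
<script>
  var id = localStorage.getItem("uid") || "7f3a9c";
  localStorage.setItem("uid", id);
</script>
</body></html>"""

# Constructed clean response: a cookie plus a normally cacheable resource.
CLEAN_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Cache-Control", "public, max-age=3600"),
    ("ETag", '"v42"'),
]
CLEAN_BODY = "<html><body><p>Welcome</p></body></html>"


if __name__ == "__main__":
    found = audit_response(SAMPLE_HEADERS, SAMPLE_BODY)
    for f in found:
        print(f"{f.mechanism:16} outside cookie controls={f.outside_cookie_controls!s:5} "
              f"evidence={f.evidence}")
    print("cookie opt-out claim accurate:", cookie_opt_out_claim_holds(found))
```

Run it against real captures from the site's own pages and those of its ad and analytics vendors; any `True` in the last column means the privacy policy's cookie opt-out language needs to be corrected or the mechanism removed.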

Under the consent decree (PDF), the FTC barred ScanScout from misrepresenting its online information practices, including how consumers’ data is collected, used, shared, and disclosed, and required ScanScout to implement measures aimed at providing consumers with more effective notice of how their data is used and simplified methods by which consumers may opt out of such use. 

As a corollary, the FTC yesterday released a consumer education article, entitled “Cookies: Leaving a Trail on the Web (PDF),” which explains how cookies can monitor online activity and how users can control this monitoring, including a section on controlling Flash cookies.

Skid-e-Kids

Skid-e-Kids, the self-proclaimed “Facebook and Myspace for kids,” agreed to settle FTC charges that it violated the COPPA Rule and made deceptive claims in violation of Section 5 of the FTC Act. 

The COPPA Rule requires that any collection, use, or disclosure of personally identifiable information of a child under 13 be preceded by verifiable parental consent. The FTC’s complaint (PDF) alleges that Skid-e-Kids collected personally identifiable information from approximately 5,600 underage users without first obtaining parental consent, a violation of the COPPA Rule. This enforcement action comes on the heels of the FTC’s recent proposal to amend the COPPA Rule aimed at keeping pace with developments in the online world, including the advent of social networks and the development of smartphone and geolocation technology.

The complaint also alleges that Skid-e-Kids represented in its privacy policy that a child’s account would not be activated until it received parental consent. Nevertheless, Skid-e-Kids registered children and activated their accounts without parental consent, and subsequently collected personally identifiable information from those registered child users. The FTC found that Skid-e-Kids’ failure to live up to the representations made in its privacy policy constituted a deceptive act or practice that violated Section 5 of the FTC Act.   

Under the consent decree (PDF), the FTC barred Skid-e-Kids from misrepresenting the details of its collection, use, and disclosure of children’s personal information. The settlement also required Skid-e-Kids to delete the information collected; provide links to a government website that educates consumers on children’s privacy issues on the Skid-e-Kids website, in notices sent to parents, and in its privacy policy; and employ a third-party oversight mechanism that will ensure future compliance with COPPA. In addition, the settlement imposed a civil penalty of $100,000 on the operator of the website, all but $1,000 of which was suspended.

FTC Proposes Significant Changes to COPPA Rule

On September 15, the Federal Trade Commission (“FTC”) released its proposed revisions to the Children’s Online Privacy Protection Act (“COPPA”) Regulation. COPPA and the FTC’s COPPA Rule regulate the collection of personal information online from children under the age of thirteen. This proposed rule arises from an FTC COPPA Rule Review, through which the FTC solicited comments about every aspect of the COPPA Rule and held a public roundtable to discuss whether and how technological advances – such as the proliferation of social media, mobile computing, and mobile commerce – necessitated revisions to the COPPA Rule. After reviewing comments from stakeholders – including industry, advocacy groups, and academics – the FTC has proposed significant changes to the COPPA Rule that will have a marked effect on the operation of websites and other online services, including mobile applications, that collect personal information from children.

This is the first major revision to the COPPA Rule, and as the FTC wrote in the preamble to the proposed rule, “[t]he Commission remains deeply committed to helping to create a safer, more secure online experience for children and takes seriously the challenge to ensure that COPPA continues to meet its originally stated goals, even as online technologies, and children’s uses of such technologies, evolve.” While the proposed changes may help create a better online experience for children, the changes will also create significant regulatory hurdles for companies that will have to make changes to their current information practices to comply with any revised rule.

The proposed rule contemplates several major changes to the existing COPPA regime, which include:

  • clarification by the FTC that the COPPA Rule applies not only to websites, but also to other technologies that can be considered “online services,” such as mobile apps, network-connected games, and some text messages; 
  • a more expansive definition of “personal information” to include IP addresses, customer numbers held in cookies, device identifiers, the linking of information across websites, and geolocation information – all of which may impact companies’ behavioral advertising activities;
  • streamlining and clarifying the notices that operators must provide to parents about their information collection practices;
  • changing the existing parental consent mechanism by removing the popular “email plus” verification method and adding several new methods;
  • enhancing security provisions and requiring operators to ensure that third-party service providers to whom an operator discloses a child’s personal information have reasonable privacy and security procedures in place; and
  • changing the existing COPPA Safe Harbor program to require “safe harbor programs” to exercise more oversight.

Applicability of COPPA to Evolving Technologies

The FTC used this proposed rule to clarify its position that the COPPA Rule applies to a host of current technologies that could be considered “online services.” This includes “mobile applications that allow children to play network-connected games, engage in social networking activities, purchase goods or services online, receive behaviorally targeted advertisements or interact with other content or services[;] . . . Internet-enabled gaming platforms, voice-over-Internet protocol services, and Internet-enabled location based services.” The FTC concedes that some SMS and MMS text messages would not constitute “online services” as they do not cross the public Internet; however, there is technology that allows users to send text messages utilizing “online services,” and these messages would be covered by the COPPA Rule.

The FTC has already begun enforcing the COPPA Rule more broadly to account for developing technologies. Just last month, the FTC reached a settlement with a mobile app developer for violations of the COPPA Rule. That settlement, coupled with the FTC’s express recognition of the need for rule changes to address new technologies and services, suggests that the FTC will likely enforce the COPPA Rule much more broadly than it has in the past. This means that any media that is targeted at children under the age of thirteen will have to analyze whether it can be considered an “online service” and take appropriate steps to comply with COPPA if necessary.

Definition of “Personal Information”

One of the most significant proposed changes to the COPPA Rule is to the definition of “personal information.” The definition of “personal information” is important as the COPPA Rule only applies to operators whose websites or online services are directed to children or who have actual knowledge that they are collecting personal information from a child under the age of thirteen. The proposed definition of “personal information” adds or changes the following categories of information:

  • Online contact information – the FTC proposes to include not only a child’s email address but also “any other substantially similar identifier that permits direct contact with a person online,” such as an instant messenger name, a video chat name or a VOIP identifier.
  • Screen names or user names – however, the FTC would not consider screen or user names that are only used to support internal operations to be “personal information.”
  • Persistent identifiers, including Internet Protocol (IP) addresses, customer numbers held in cookies, processor or device serial numbers, or unique device identifiers – however, the FTC would not consider these persistent identifiers that are only used to support internal operations to be “personal information.” This is a major change from the current COPPA Rule, which requires that a persistent identifier be associated with individually identifiable information to be considered “personal information.”
  • Identifiers that link activities of a child across different websites or online services – this category is “intended to serve as a catch-all category covering the online gathering of information about a child over time for the purposes of either profiling or delivering behavioral advertising to that child.”
  • Photographs, videos, or audio files that contain a child’s image or voice – the FTC proposes this change from the current standard which includes photographs only when they are combined with “other information such that the combination permits physical or online contacting.”
  • Geolocation information sufficient to identify a street name and name of a city or town.

Taken together, these proposed changes will significantly expand the scope of the COPPA Rule to operators that were not previously subject to the Rule. For one, the requirement that persistent identifiers only be used for internal operations or be considered “personal information” will force any operator having services directed to children or having knowledge that it is collecting information from children under 13 that wishes to provide targeted advertising to children to receive parental consent, even where such advertising is not based on what has been traditionally considered personally identifying information. The proposal also brings geolocation data into the definition of “personal information,” which will similarly require mobile apps or operators offering mobile apps to comply with the COPPA Rule. This proposed change will likely have the most significant effect on businesses as it would not only subject a wider array of entities to the COPPA Rule, but also may make it more difficult for a website or online service to determine whether it is subject to the COPPA Rule. 

Parental Notice

In the proposed rule, the FTC attempts to streamline the process by which operators are required to provide parents with notice of their privacy practices and the FTC tries to make the process easier for both operators and parents to understand. This change aligns with the FTC’s recent efforts to encourage businesses to provide consumers with more straightforward, understandable notice and choice about information practices. The proposed rule requires that a link to a notice of information practices must be prominently and clearly labeled and placed on a website’s homepage and at each page where personal information is collected in close proximity to the information request. The FTC both simplifies and expands the requirements for what must be included in the privacy policy, requiring they include:

  • Contact information for each operator – the current Rule allows multiple operators to select one operator to have their contact information listed.
  • What information is collected from children, and whether the website allows children to make this information publicly available.
  • How the operator uses the collected information.
  • The operator’s disclosure practices for collected information.
  • The fact that parents can review and delete or refuse the further collection of a child’s personal information, and the procedures for doing so.

The current COPPA Rule requires operators to send parents a direct notice, which informs the parent of a website’s information practices. The proposed rule reorganizes these provisions and includes specific information that an operator must address in different circumstances, including:

  • when affirmative parental consent is needed for the collection, use, or disclosure of a child’s personal information;
  • when a child’s online activities do not involve the collection, use, or disclosure of personal information;
  • when an operator intends to communicate with a child multiple times; and
  • when an operator collects a child’s personal information in order to protect a child’s safety.

While these proposed provisions may ultimately make compliance with the notice provisions easier for covered operators, these changes could require operators to expend time and resources to adjust current practices to comply with any new requirements. 

Parental Consent Mechanisms

The FTC proposes taking away one of the most popular parental consent mechanisms under the current COPPA Rule – email plus. Currently, operators who collect personal information and do not disclose this information to external parties can utilize this consent mechanism by sending a parent an email and then using another step – such as another email at a later date – to confirm the consent. However, in the proposed rule, the FTC suggests that this consent mechanism is prone to abuse (such as when a child simply provides his or her own email address) and has inhibited the development of better, more reliable parental consent mechanisms. Therefore, the FTC has proposed the elimination of the email plus method of parental consent.

The FTC has also proposed new methods of parental consent, including allowing parents to send electronic scans of signed consent forms, using video-conferencing to signal consent, and providing government-issued ID numbers that the operator can check against a database. If an operator collects government-issued ID numbers, the FTC proposes that this information must be promptly deleted after the verification is complete.

The FTC also hopes to spur industry to develop new methods of obtaining parental consent. To this end, the FTC has proposed creating a procedure by which an operator can seek FTC approval of a consent mechanism through a notice and comment process. The FTC also proposes to allow FTC-approved Safe Harbor programs to create consent mechanisms that their members can utilize.

The changes proposed by the FTC to the parental consent process could have a major impact on operators. Many websites currently rely on email plus to obtain consent from parents when the website will only be using the personal information collected from a child for internal purposes. The email plus method is often preferred as it is the easiest parental verification method to implement and it is also the least costly. The FTC proposal would require all operators to implement more robust parental verification methods. This change could mean that all of the operators currently using email plus will have to overhaul their parental verification practices. 

Confidentiality and Security Requirements

The current COPPA Rule requires operators to “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.” The proposed rule would require operators to also ensure that their service providers and any third parties to whom they disclose personal information have reasonable procedures in place.

Safe Harbor Program

The FTC has proposed some changes to the COPPA Safe Harbor program. These changes include:

  • requiring that entities that apply to be Safe Harbor self-regulatory bodies submit comprehensive information to the FTC about their ability to run an effective safe harbor program;
  • establishing more rigorous oversight of operators by Safe Harbor self-regulatory bodies, including annual, comprehensive reviews of operators’ information practices;
  • requiring Safe Harbor self-regulatory bodies to submit regular reports to the FTC, including the results of annual operator reviews.

As discussed above, the proposed changes to the COPPA Rule are far-reaching and may have significant impacts on businesses’ current practices. Comments on the proposed rule must be submitted to the FTC by November 28, 2011.

Cloud Computing for Regulated Industries: Security Requirements Differ

Data stored in the cloud will be subject to numerous data security laws, explains Hogan Lovells partner Phil Porter in a recent article.  Specific types of data will trigger different security regulations, ranging from HIPAA rules for health data, to Gramm-Leach-Bliley Act rules for financial service data, to COPPA for data about children.  Hosting data in the cloud in the U.S. might also subject the data to U.S. national security rules, including the USA PATRIOT Act.  Cloud service providers and customers need to tailor their contractual provisions to match these regulatory imperatives.

FTC Focusing on Child Identity Theft, Holding Forum on July 12

Emblematic of the increasing attention to children’s privacy, on July 12, 2011, the Federal Trade Commission (FTC) and the Department of Justice’s Office for Victims of Crime (OVC) are jointly hosting a day-long forum about child identity theft. The forum, entitled “Stolen Futures: A Forum on Child Identity Theft,” will discuss foster care and familial identity theft, which is a growing problem in these difficult economic times. Identity thieves often utilize their children’s or young relatives’ information to obtain credit cards and other credit, and children’s sensitive personal information is also vulnerable to misuse for other reasons as well. This forum follows the FTC’s roundtable last year on its Children’s Online Privacy Protection Act (COPPA) rule.

The FTC has noted that businesses may have a particular interest in children’s identity theft for a couple of reasons, which include raising awareness about this important issue and helping to stop an activity that can have significant economic consequences to businesses.

The forum will be held at the FTC’s Conference Center at 601 New Jersey Avenue in Washington, DC. Additional information, including a tentative agenda, is available on the FTC's website.

FTC Announces COPPA Enforcement Action

On October 20, 2009, the FTC announced a settlement with Iconix Brand Group, Inc., pursuant to which Iconix will pay a $250,000 penalty to settle the FTC’s charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule by knowingly collecting, using, and disclosing personal information from children online without first obtaining their parents’ consent.

Iconix, which owns, licenses, and markets several popular apparel brands, including Mudd, Candie’s, Bongo, and OP, required consumers on many of its websites to provide personal information, including full name, email address, mailing address, and phone number, in order to receive brand updates, enter sweepstakes, and participate in other website features.  According to the FTC, one of the websites allowed consumers to share photos and personal stories online.  In connection with the collection of personal information, the websites required that consumers provide their date of birth.

The FTC alleged that since 2006, Iconix knowingly collected, maintained, and/or disclosed personal information of approximately 1,000 children under the age of 13 without first notifying their parents or obtaining parental consent, in violation of COPPA.  Additionally, the FTC alleged that Iconix’s statements in its online privacy policy that it would not seek to collect personal information from children under 13 without prior parental consent and that it would delete any such information about which it became aware, were misrepresentations, constituting deceptive acts or practices in violation of Section 5 of the FTC Act.

The settlement order requires Iconix to pay a $250,000 civil penalty, delete all personal information collected and maintained in violation of COPPA, and comply with certain consumer education, record-keeping, and reporting requirements.

Interestingly, this appears to be a fairly large settlement amount for a relatively small number of children whose information was allegedly collected in violation of COPPA.  Previous recent FTC COPPA settlements include the 2008 Sony BMG Music settlement, which involved a $1 million civil penalty and the collection of personal information from over 30,000 children; the 2008 imbee.com settlement, involving a $130,000 civil penalty and the collection of personal information from 10,500 children; and the 2006 Xanga.com settlement, which imposed a $1 million civil penalty and involved the collection of personal information from 1.7 million children.