The FTC Warns Developers of Children's Mobile Apps Concerning Their Failure to Adequately Disclose their Data Practices to Parents
March 27, 2012White & Case Technology Newsflash
Daren M. Orzechowski
White & Case Technology Newsflash
On February 16, 2012, the Federal Trade Commission ("FTC") released a report ("FTC Report")1 admonishing developers of mobile applications ("apps") directed to children for failing to adequately disclose their data practices on their app store pages and the first page ("landing page") of their websites prior to parents and users downloading the apps. The FTC Report was based on a survey carried out by the FTC where FTC staff reviewed the app Store pages and developer landing pages of 200 Android apps and 200 Apple apps for the apps data collection and sharing practices.2 According to its findings, although 76% of Android apps required at least one "permission" allowing the app to collect data from the mobile device while the app is running, only three (1.5%) of the 200 Android apps provided some information about their data practices on the app pages by describing what the permissions were being used for.3 None of the Apple apps provided any information about their data practices on the app pages.4 In addition, only two (0.5%) out of the 400 app store pages reviewed linked to landing pages that disclosed information about data collection and sharing.5 The FTC was clearly troubled by these findings, calling it a warning call to the industry to provide greater transparency about their data practices to parents.6 The call for greater disclosure is consistent with the initiatives of the Obama administration to force business to provide greater transparency concerning privacy and data practices.
Protecting the privacy of children is a top priority for the FTC, and according to the FTC Report, the FTC "vigorously enforces" the Children's Online Privacy Protection Act ("COPPA") and the FTC's implementing Rule, which require operators of online services including mobile apps directed to children under age 13 to provide notice and obtain parental consent before collecting personal information from children.7 Within this mandate, the FTC is particularly concerned about mobile apps which can automatically collect a broad range of user information from the mobile devices such as geolocation data, telephone numbers, list of contacts and unique device identifiers, and disclose such information to a large number of recipients.8 In most cases such collection is occurring without the user, in this case a child, being aware of the activity.
The FTC was also concerned about the lack of disclosures regarding in app purchase features, noting that the lack of information about this feature prior to downloading prevents parents from being above to exercise adequate control over their children's activity. The FTC similarly raised concerns about the lack of disclosures regarding in-app advertising, and how this lack of information may expose children to advertising, particularly personalized advertising based on a child's in-app activities without the parent's knowledge or consent.9
In order to address these issues, the FTC recommended that developers create easy to find and understand disclosures or icons through which parents can quickly determine what information an app collects, what it will be used for, and whether it will be shared with a third party.10 The FTC Report also admonished app stores, including Apple's App Store and Google's Android Market, for not taking a more active role in ensuring that developers and their apps provide greater disclosure, reasoning that as gatekeepers, these companies should provide the basic architecture for disclosures and other communications that would protect children.11 The FTC recommended that app stores should provide standard designated areas that display the data practices of the apps, in addition to standardized icons that for example indicate that an app connects to social media services.12
The FTC has already settled its first COPPA enforcement action against an app developer based on the findings of this survey, which included a $50,000 fine as well as compliance monitoring and a six-year record-keeping obligation.13 The FTC has also stated that it will conduct further investigations over the next six months for COPPA violations followed by enforcement actions where appropriate.14 Given the FTC's active interest in this area, it is advisable for developers of apps directed towards children to review their data practices and provide greater disclosure of their data practices on their app store pages, which should include what data is being collected and the purpose of such collection. Such practices will also serve to prepare such companies for potential changes in United States privacy law that appear to be coming.
1 - Trade Commission, FTC Staff Report, Mobile apps for Kids: Current Privacy Disclosures are Disappointing (February 2012), http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf.
2 - Id. at 4.
3 - Id. at 11-12.
4 - Id. at 12. The FTC was unable to measure how many Apple apps required permissions as the Apple app Store does not require its apps to display permissions to users prior to download. Id. at 11.
5 - Id. at 13.
6 - Id. at 2.
7 - Id.
8 - Id. at 1.
9 - Id. at 14-15.
10 - Id. at 3.
11 - Id. The FTC Report notes that although both the Apple and Android app stores require developers to disclose what information their apps are collecting, the app stores do not appear to enforce these requirements. Id.
12 - Id.
13 - United States v. W3 Innovations, LLC, No. CV-11-03958 (N.D. Cal. Sept. 8, 2011) (FTC consent order with developer of child-directed mobile apps for alleged violations of the COPPA Rule), available at http://ftc.gov/os/caselist/1023251/110908w3order.pdf.
14 - FTC Report, supra note 1 at 2.
This article is provided for your convenience and does not constitute legal advice. It is prepared for the general information of our clients and other interested persons. This article should not be acted upon in any specific situation without appropriate legal advice, and it may include links to websites other than the White & Case website. White & Case LLP has no responsibility for any websites other than its own, and does not endorse the information, content, presentation or accuracy, or make any warranty, express or implied, regarding any other website.
This article is protected by copyright. Material appearing herein may be reproduced or translated with appropriate credit.
© 2012 White & Case LLP