Tag Archives: COPPA

Disney Gets Caught in COPPA Lawsuit

The Walt Disney Company ended up on the wrong end of a lawsuit over violations of the Children’s Online Privacy Protection Act (COPPA). The class action suit alleges violations related to embedded software collecting children’s personal information from Disney’s apps.

COPPA Background

COPPA rules are regulated by the Federal Trade Commission. They require operators of commercial websites and online services directed at children under the age of 13 to comply with certain privacy standards. For example, COPPA rules require applicable organizations to post privacy policies, notify parents about their information practices, and obtain parental consent before collecting, using, or disclosing children’s personal information.

Disney Lawsuit

Ad tech companies provide the software development kits that Disney uses to track behavior across various apps and devices. This class action complaint makes several allegations and claims about Disney’s potential violations:

  • Tracking children’s online behavior to facilitate behavioral advertising or marketing analysis
  • Creating online profiles for child users with data elements like location, browsing history, and app usage
  • Failing to obtain verifiable parental consent, and never providing a mechanism for consent to be given

Disney released a statement: “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”

Disney has been involved in alleged COPPA violations in the past, when a subsidiary company was given a $3 million penalty in 2011 for collecting and disclosing children’s personal information without parental consent.

Safe Harbor Update

The FTC made news with regard to COPPA by approving TRUSTe’s modifications to its safe harbor program. Organizations in an approved safe harbor program – like TRUSTe’s – are subject to program-regulated guidelines rather than COPPA’s formal FTC investigation and enforcement process.

Organizations covered under TRUSTe’s safe harbor program should review the approved updates.

Increasing Regulatory Requirements for IoT

The COPPA update is part of a larger regulatory wave to address the expanding privacy and security issues surrounding the Internet of Things (IoT).

While the FTC update focuses on ‘smart toys,’ the overall trend will require all organizations to analyze the privacy and security implications stemming from the emerging ‘smart’ business models.

The security industry expects to see much more action in the near future (including legislation making its way through Congress) related to shifting regulation and new vulnerabilities for the Internet of Things.

FTC Updates COPPA Compliance Guidance

Anyone subject to COPPA knows the FTC takes children’s privacy seriously.

With more products being marketed towards minors (e.g., internet-connected toys), the Federal Trade Commission revisited compliance requirements under the Children’s Online Privacy Protection Act (COPPA).

The FTC released an update to the ‘Six-Step Compliance Plan for Your Business’ to simplify COPPA compliance for organizations. Several new focus areas are noted in the guidance including:

  • New business models. As technologies evolve, organizations are changing the way they collect data. Evolving data collection activities are addressed in the new update. For example, the update added regulations for voice-activated devices that collect personal information.
  • New products covered by COPPA. COPPA no longer applies strictly to websites and mobile apps. The law now covers a growing list of connected devices that make up the Internet of Things. This includes web-connected toys and other products intended for children that collect personal information, such as voice recordings or geolocation data.
  • New methods for getting parental consent. The revised Compliance Plan discusses two newly-approved methods for getting parental consent: asking knowledge-based authentication questions and using facial recognition to get a match with a verified photo ID.

The FTC offers an additional FAQ resource for organizations that have further questions regarding COPPA compliance.

The FBI also released a related article on privacy risks associated with Internet-connected children’s toys.

Warning! Are You Advertising Online to Children?

The FTC settled with two companies – LAI Systems and Retro Dreamer – over violations of the Children’s Online Privacy Protection Act (COPPA). One area of significance from these enforcement actions is that the allegations are founded in third-party advertisers collecting and using persistent identifiers within the online apps to provide targeted advertising.

Persistent identifiers are labeled as an element of personal information under COPPA and are not allowed to be collected from the user for targeted advertising purposes.

LAI Systems

LAI is an app developer responsible for apps including My Pizza Shop, My Cake Shop, and Hair Salon Makeover. LAI generates revenue through advertising within the app. Because LAI’s apps are intended for children under 13 years old, it is responsible for adopting privacy protections under COPPA. The FTC found that LAI allowed its advertising partners to collect persistent identifiers and target ads to the apps’ users without providing notice or obtaining parental consent. The penalty in this case is $60,000.

Retro Dreamer

Retro Dreamer – developer of Ice Cream Jump, Ice Cream Drop, and Wash the Dishes – settled a similar case with the FTC. Retro Dreamer also uses advertising in the app to generate revenue, and allowed its advertising partners to collect persistent identifiers in order to target advertisements without providing notice or obtaining parental consent.

The caveat with the Retro Dreamer case is that the company was warned in 2014 by one of its advertisers that it was violating COPPA by collecting personal information for the purposes of advertising, but it continued to do so anyway. The penalty in this case is $300,000.

Key Takeaway

Companies should know whether their online service is directed towards children under the COPPA regulations. If so, it’s important to ensure compliance with the various requirements under COPPA. These two cases demonstrate the limits COPPA places on targeted advertising.

Two Resources from the Consortium for School Networking

The Consortium for School Networking (CoSN) has introduced two resources to accompany its previously released privacy toolkit.

  • “10 Steps Every District Should Take Today”; and
  • “Security Questions to Ask of an Online Service Provider”

The privacy toolkit addresses compliance with laws such as the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Act (COPPA).

FTC Approves Knowledge-Based COPPA Authentication

The Federal Trade Commission (FTC) has approved the use of knowledge-based authentication as a method to verify that the person providing consent for a child’s use of an online service is in fact the child’s parent. Under the COPPA Rule, online sites and services directed at children must obtain permission from a child’s parents before collecting personal information from that child. The rule lays out a number of acceptable methods for gaining parental consent, including a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval. Imperium Inc. submitted such a method, which was approved by the FTC, provided it is appropriately implemented based on factors including: 1) the use of dynamic, multiple-choice questions, where there are a reasonable number of questions with an adequate number of possible answers such that the probability of correctly guessing the answers is low; and 2) the use of questions of sufficient difficulty that a child age 12 or under in the parent’s household could not reasonably ascertain the answers.

FTC COPPA FAQs Updated Again

The U.S. Federal Trade Commission (FTC) has again updated the Children’s Online Privacy Protection Act Frequently Asked Questions (COPPA FAQs). The changes are as follows:

Share buttons.  FAQ D.9 makes it clear that if your app includes embedded buttons or plug-ins that allow kids to send email or otherwise post information (via a social network for example), you need to get verifiable parental consent unless an exception applies.  This is true even if your app doesn’t otherwise collect personal information.

Actual knowledge.  FAQs D.10, 11, and 12 offer guidance on how you might be considered to have “actual knowledge” that you’re collecting personal information on a child-directed site.  The new FAQs address some of the fact patterns organizations may have questions on.

Information collected from a child-directed site.  FAQ K.2 poses the hypothetical of a person who operates an ad network and finds out after the effective date of the Rule that he’s been collecting personal information via a child-directed website.  Unless an exception applies, he must stop collecting the information immediately and needs to get verifiable parental consent before using any personal information he now knows came from that child-directed site or service.  What if he doesn’t know the source of the information?  The FAQ addresses that scenario, too, and discusses some best practices.

See also – Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business.

FTC Sends Educational COPPA Letters to 90 Businesses

As part of an ongoing effort to help businesses comply with the requirements of the updated Children’s Online Privacy Protection Rule (COPPA), the Federal Trade Commission (FTC) announced that it sent educational letters to more than 90 businesses that may be affected by the changes. The letters went to companies both in the U.S. and abroad whose online services, including mobile applications, appear to collect personal information from children under 13. The letters are designed to help businesses come into compliance with the rule’s new requirements which go into effect July 1.