FCC Confirms That Sellers Can Be Liable for Telemarketer TCPA Violations

A seller who authorizes a third-party telemarketer to market the seller’s goods or services may be held vicariously liable if the telemarketer violates the Telephone Consumer Protection Act (TCPA), the Federal Communications Commission held in a May 9 declaratory ruling.

The FCC’s ruling interprets two subsections of the TCPA. The first subsection — 47 U.S.C. § 227(b) — contains several restrictions, including a general prohibition on making calls to landline or mobile telephones using a prerecorded message without the recipient’s prior express consent. Section 227(b)(3) allows individuals or companies to bring private lawsuits “based on a violation of this subsection” or the FCC’s implementing regulations.

A separate portion of the TCPA — 47 U.S.C. § 227(c) — authorizes the FCC to set up a national Do Not Call registry, which the FCC did in coordination with the Federal Trade Commission several years ago. Section 227(c)(5) authorizes private lawsuits by individuals who receive “more than one telephone call within any 12-month period by or on behalf of the same entity” in violation of the Do Not Call rules.

Last week’s declaratory ruling came in response to questions referred to the FCC by two federal courts in two separate TCPA-based lawsuits.


FTC Reminds Mobile App Developers To Comply With Revised Children's Privacy Requirements By July 1

The Federal Trade Commission has sent letters to more than 90 different companies who develop mobile apps that the FTC claims may be directed to children.  The letters emphasize that the FTC has not evaluated the apps or the companies’ practices to determine if they comply with the current or revised COPPA Rule.  Instead, the letters remind these companies that if their apps collect, use, or disclose children's images and voices, mobile device identifiers, and other types of "personal information," they must bring their apps into compliance with the revised COPPA Rule by July 1, 2013.  

The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US.  The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice.  The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to:  (1) US companies with apps that collect persistent identifiers; (2) US companies with apps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

Delta succeeds in dismissing California AG's first CalOPPA case

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.


China Regulates Smart Device Manufacturers' Use of Pre-installed Apps

China’s Ministry of Internet and Information Technology (“MIIT”) has promulgated a new regulation targeting manufacturers of mobile smart devices (such as smart phones) that prohibits them from preinstalling certain apps that raise privacy, security, or prohibited content concerns.  Entitled “Notice Regarding Strengthening the Management of Network Access for Mobile Smart Terminals,” the new regulation forbids mobile smart device manufacturers from pre-installing any app that:

  • collects or modifies a user’s personal information without express notification and user consent;
  • accesses a network without express notification or consent, causing unauthorized bandwidth use, monetary loss, information disclosure, or other negative consequences;
  • affects the smart device’s normal operations or the safe operation of the telecommunications network;
  • contains content restricted by PRC law (e.g., obscene, anti-government, or hate speech); or
  • infringes a user’s personal information, safety, legitimate rights or interests, or prejudices the security of network information.


FTC's Current Enforcement Priorities: Infographic

Speaking at a seminar hosted by the International Association of Privacy Professionals, Assistant Director Chris Olsen and Senior Attorney Peder Magee, both of the Federal Trade Commission's Division of Privacy and Identity Protection, provided a useful overview of the FTC's recent enforcement actions and current enforcement priorities.  Based on this discussion, the following infographic identifies the FTC's top four enforcement priorities, and recent and future activity that will inform its path forward:  

Slide1.JPG

5 Privacy and Data Security Measures That Can Protect Your Company Against Trade Secret Theft

At a recent forum in New York, a team of Covington lawyers addressed the growing concern among companies that their most valuable assets could leave the building on a thumb drive in an employee’s pocket or be disclosed through an employee’s use of a social media site.  Addressing this threat involves many disciplines beyond trade secret law, including employment, employee benefits and executive compensation, white collar crime, corporate and securities, insurance coverage, and crisis management.  This post identifies five proactive ways in which companies can use comprehensive privacy programs and robust data security measures to help prevent and respond to an insider’s intentional or inadvertent disclosure of confidential company information.

  1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and procedures for effectively deleting or destroying data once it is no longer needed by the company. 
  2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications, emerge.   
  3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
  4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customer’s personal information.   
  5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.

EU Data Protection Working Party Sets Out App Privacy Recommendations

By Dan Cooper and Philippe Bradley

This week the Article 29 Working Party released its Opinion 2/2013 on apps on smart devices (WP 202), a 30-page report on mobile app privacy and data protection considerations. This development follows on the Working Party’s Statement on the draft General Data Protection Regulation on 27 February 2013 (which we previously discussed here). 

The report sets out several sets of prescriptive, but non-binding, recommendations that target app developers, app stores, OS and device manufacturers, and other third party participants in app ecosystems, such as advertisers and network operators that bundle apps with devices. 

This short post sets out a summary of some of the report’s less conventional prescriptions and recommendations, which could present participants in the European digital/mobile ecosystem with significant compliance challenges.


FTC Releases New Guidance For Online Advertising Disclosures

On March 12, 2013, the Federal Trade Commission (FTC) released new guidance for online advertisers, providing specific tips and examples of how to make disclosures clear and conspicuous, and, therefore, not deceptive in the context of emerging technologies, space-constrained screens, and social media platforms.

The guidelines—titled “.com Disclosures:  How to Make Effective Disclosures in Digital Advertising”—update prior guidance known as “Dot Com Disclosures,” which was released in 2000.  The updated guidelines emphasize that consumer protection laws apply to commercial activities across all mediums, including on computers, mobile devices, and tablets.

 


Rep. Johnson Releases Discussion Draft of Mobile App Privacy Bill Following NTIA's 8th Meeting Concerning a Voluntary Code of Conduct

On Friday, Rep. Hank Johnson (D-Ga.) released a discussion draft of a bill for mobile privacy. Named the Application Privacy, Protection and Security Act of 2013 (“APPS Act”), the bill would obligate app developers to disclose to users the terms and conditions around the collection, use, storage, and sharing of user data. Additionally, the bill would require apps to allow users to opt out of the service and delete personal data collected by the app. The Federal Trade Commission would head enforcement and state attorneys general could bring suits against those who violate the regulations promulgated by the FTC.

In drafting the bill, Johnson and his Web-based initiative, AppRights, held meetings with members of the Internet community, public-interest groups, app developers, and other industry stakeholders. AppRights stated: “Over the coming days, we will release helpful clarifications of the updated provisions of the APPS Act so that everyone is on the same page.” It is not yet clear when the bill will be introduced to Congress as possible legislation.


FTC Enters into Consent Order with Mobile Application Developers for Fair Credit Reporting Act Violations

Last week, the Federal Trade Commission entered into a consent order with two companies alleged to have operated as consumer reporting agencies, by providing criminal record reports through mobile applications, without complying with the Fair Credit Reporting Act (FCRA).  The consent order represents the FTC’s first FCRA case involving mobile applications. 

According to the FTC’s complaint, Filiquarian Publishing LLC, Choice Level LLC, and their CEO, Joshua Linsk, designed and marketed mobile applications that enabled users to search criminal records databases.  The companies marketed the applications for employment purposes as a tool to use in screening potential employees.  Indeed, one advertisement for the applications offered “Are you hiring somebody and wanting to quickly find out if they have a record?  Then Texas Criminal Record Search is the perfect application for you.”  The FTC alleged that the companies were operating as consumer reporting agencies in providing the criminal records reports for employment purposes and that the companies failed to comply with the FCRA.  The applications included disclaimers that the applications were not compliant with the FCRA and not to be used for FCRA permissible purposes; however, the FTC viewed these disclaimers as insufficient to insulate the companies from liability since the companies actively marketed the applications for employment purposes. 

The consent order, among other provisions, prohibits the companies from providing consumer reports to individuals if the companies do not have a reason to believe the individuals have a permissible purpose under the FCRA.  The order also prohibits the companies from failing to maintain reasonable procedures to assure maximum possible accuracy with respect to the consumer reports provided by the companies to consumers.  The companies are required to submit periodic reports to the FTC demonstrating compliance with the consent order.

Key Takeaways from the California AG's Mobile Apps Report

Yesterday, California Attorney General Kamala Harris continued her efforts to promote privacy best practices in the mobile app ecosystem by issuing a number of recommendations in her report, “Privacy on the Go.”  The report encourages app developers, platform providers, ad networks, OS developers, and even mobile carriers to incorporate privacy by design into their products and services and provides detailed suggestions on how to do so.  Importantly, the report notes that its recommendations in many cases go beyond what’s currently required by law; they are, for the most part, best practices. 

As the report explains, “[t]he basic approach . . . is to minimize surprises to users from unexpected privacy practices.”  A practice is “unexpected” when it’s not “related to an app’s basic functionality” or when it involves “sensitive information.”  Minimizing surprises means limiting the collection and retention of data that is unrelated to the app’s core functionality; giving users “enhanced notice” (i.e., notice beyond what is provided in the developer’s general privacy policy) of unexpected practices; and giving users control over those practices.  (These concepts, if not the precise terminology, will be familiar to those who have read the FTC’s March 2012 report, which recommended that companies provide consumers with robust notice and meaningful choices for practices that were “inconsistent with the context” of a particular transaction or with the company’s relationship with the consumer.)

The report goes on to make a number of specific recommendations that build on these basic propositions.  After the jump, we discuss a few that struck us as particularly noteworthy.


California AG Will Reportedly Release App Privacy Guide

Politico is reporting that California Attorney General Kamala Harris will release a report containing privacy recommendations for key players in the mobile app ecosystem (including developers, advertisers, and others).  The report could be released as early as this week. 

As we have noted elsewhere, Harris has made mobile privacy a key priority for her office.   Most recently, she sued Delta Airlines for allegedly failing to comply with the California Online Privacy Protection Act, which requires online service providers to post a privacy policy containing certain elements and to comply with the policy.   

FCC Provides Consumer Tips On Mobile Privacy And Security

The Federal Communications Commission yesterday released a Smartphone Security Checker, a tool designed to help consumers secure their smartphones against mobile security threats.  The tool provides consumers with tips that are customized for four different mobile operating systems.  Many of the tips focus on security-related topics.  For instance, the tool recommends that consumers set a password or Personal Identification Number on their phones, accept updates and patches to smartphone software, and wipe phones of personal data before reselling or recycling them. 

The FCC also made recommendations that touch on the role of in-app privacy disclosures, a topic that has received attention recently from state regulators and the Federal Trade Commission.  Specifically, the FCC recommends that users understand app permissions before accepting them.  The FCC says, “You should be cautious about granting applications access to personal information on your phone or otherwise letting the application have access to perform functions on your phone.  Make sure to also check the privacy settings for each app before installing.” 

While the FCC has not been as active as the FTC and others on mobile privacy issues that do not affect the telephone portion of the mobile service, the FCC’s announcement demonstrates that it continues to see a role for itself in helping “consumers understand and combat cyber threats and mobile device theft.”  Earlier this year, the FCC partnered with mobile operators to launch their “PROTECTS Initiative” which was designed to combat mobile device theft and trafficking. 

FTC Releases Second Report on Mobile Apps Directed To Children

The Federal Trade Commission released today its second report on mobile apps directed to children.  The report, which follows up on an analysis that staff conducted in February 2012, examined the privacy disclosures of hundreds of kid-directed mobile apps and tested the apps’ practices against these disclosures to determine if the disclosures were accurate and complete.  

Staff found the results of the second report "disappointing," concluding that many apps do not contain privacy disclosures that fully explain how the app collects, uses, and discloses children's data.  Among other things, the report focused on disclosures related to advertising, links to social media, and in-app purchases. 

Announcing the release of the report, Jessica Rich, Associate Director, FTC Division of Financial Practices, expressed concern that a number of the apps disclosed device identifiers to third parties, including ad networks and analytics companies.  She emphasized that the staff made no findings about how these third parties used the device identifiers, but noted that the FTC's proposed revisions to the Children's Online Privacy Protection Act (COPPA) Rule would treat this information as "personal information" for purposes of COPPA, unless the data is used to support internal operations.  (Ms. Rich declined to comment on the timing of the release of a final COPPA Rule; other FTC staff previously have suggested the final Rule might come in the next few weeks or early next year.) 

Ms. Rich also stated that the Commission is investigating whether the apps violate laws such as COPPA or Section 5 of the FTC Act.  At the same time, she emphasized that the issues raised in the second report are widespread and that the report is focused on identifying industry best practices.  She encouraged industry to accelerate self-regulatory efforts to improve mobile app disclosures.  In particular, she applauded recent efforts to develop icons and similar mechanisms to shorten privacy policies for mobile apps. 

Delta Sued for Failure to Provide In-App Privacy Policy

California Attorney General Kamala Harris has made good on her promise to get tough with mobile app makers that fail to provide privacy policies in their apps.  Yesterday, her office sued Delta Airlines for violating the California Online Privacy Protection Act (“CalOPPA”), which requires providers of websites and “online services” to conspicuously post privacy policies that describe the provider’s data practices.  Harris contends that Delta’s “Fly Delta” app does not contain a privacy policy, despite the fact that Delta collects “personally identifiable information” (“PII”), as that term is defined in CalOPPA. 

Interestingly, Harris also alleges that Delta “fail[ed] to comply with the provisions of its privacy policy,” which itself is a violation of CalOPPA.  This allegation is somewhat puzzling given that the core assertion of the suit is that Delta has failed to maintain any privacy policy at all in its app.  But it appears possible that Harris will argue Delta has failed to comply with its website privacy policy, which, the complaint notes, does not disclose certain categories of PII that are being collected through the app (e.g., location information). 

Also noteworthy are allegations that the “Fly Delta app is not the primary commercial activity of Delta,” and that “CalOPPA does not relate to rates, routes or services of any air carrier.”  These allegations anticipate a preemption challenge by Delta pursuant to the Airline Deregulation Act.  Delta would appear to have a strong argument that the suit is, indeed, preempted.  As noted in the complaint, the app enables people to search for and book flights.  Thus, the Attorney General’s argument that the app is not related to the “routes and services” of Delta would seem to face an uphill battle.

The one-count complaint seeks recovery under Cal. Bus. & Prof. Code § 17200, alleging that the violations of CalOPPA are “unfair” acts.  In addition to injunctive relief, Harris seeks a $2,500 per-violation civil penalty.

FTC Hosts Workshop to Examine Comprehensive Data Collection

On Thursday, the Federal Trade Commission (“FTC”) hosted a workshop to explore the practices and privacy implications of comprehensive data collection. The event gathered consumer protection groups, academics, privacy professionals, and business and industry representatives to examine the current state of comprehensive data collection, its risks and potential benefits, and what the future holds for consumers and their choices.

In her opening remarks, FTC Commissioner Julie Brill indicated the agency was open to revising its consumer privacy framework if comprehensive data collection warranted heightened restrictions or enhanced consent to protect and inform users: “We know that comprehensive data collection allows for greater personalization and other benefits, but there may be other contexts in which it does not lead to desirable results.”

The workshop was one of five main action items adopted by the FTC as part of its March 2012 report, Protecting Consumer Privacy In an Era of Rapid Change.  In the report, the commission told companies that consent was not required for the collection and use of information that was consistent with a particular transaction or the company's relationship with the consumer. But the agency said it needed more information to determine how this principle applied to technologies that could capture large amounts of consumer information, such as deep packet inspection (DPI).


California AG Puts Mobile App Developers on Notice

California Attorney General Kamala Harris has formally warned 100 app developers that their apps are not in compliance with the California Online Privacy Protection Act (OPPA).  Harris has given these developers 30 days to come into compliance by “conspicuously post[ing] a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information.”  Harris’s press release also noted that “[c]ompanies can face fines of up to $2,500 each time a non-compliant app is downloaded.”  (The list of developers that received warnings has not been made public.)

Although a recent study showed that app developers increasingly are transparent about their data practices, many still are struggling to find ways to disclose material information to users in the limited space available on mobile devices.  As we noted last week, regulators and industry groups currently are working on different approaches intended to address this issue.  One potential approach--which the FTC and Attorney General Harris support--is the development of privacy “nutrition labels” that would present essential terms in much the same way that the food industry presents nutrition information on packages.  Industry groups, on the other hand, seem more focused on developing privacy icons that would work similarly to the now-ubiquitous AdChoices Icon.

Attorney General Harris has made mobile privacy a top priority for her office.  Earlier this year, she announced an agreement with leading providers of mobile app marketplaces — including Amazon, Apple, and Google — under which those companies committed to require app developers to post privacy policies within their apps in accordance with the OPPA.  Shortly thereafter, Harris launched a “Privacy Enforcement and Protection Unit” that would focus on the enforcement of California’s privacy laws. 

FCC Sets Comment Cycles for Additional Petitions Seeking to Clarify TCPA Provisions

As a follow-up to our previous blog entry on the subject, comment deadlines were set for additional petitions seeking to clarify TCPA provisions and related FCC rules.  Comments on these Petitions are due on November 23, 2012, and reply comments are due on December 10, 2012.

  1. The Westfax Petition asks the FCC to clarify whether “efaxes,” which are facsimile messages that are converted to e-mail, are subject to the facsimile advertising rules under the TCPA and the Junk Fax Prevention Act of 2005.
  2. The iHire Petition asks the FCC to declare that a third party faxing resumes of individual job applicants in response to help wanted postings is not an “advertisement” subject to the TCPA and, therefore, is exempt from the requirement to include an opt-out provision on the first page of the fax.
  3. The 3G Collect LLC Petition asks the FCC to declare that operator service providers are not subject to the TCPA prohibition on prerecorded calls to wireless phones when connecting collect callers to telephone numbers assigned to wireless telephones. 
  4. The Revolution Messaging Petition asks the FCC to clarify that certain internet-to-phone text messaging technology is an “automatic telephone dialing system” within the meaning of the TCPA and thus is subject to related FCC rules.

Telemarketing Recap: Recent Key Developments at the FCC, FTC and in the Courts

A number of key developments affecting telemarketing emerged over the past week:

1.  The distinction between informational and telemarketing calls was further defined.  The 9th Circuit held that calls intended to impart information about a customer rewards program could be construed as “dual purpose” calls subject to federal and state telemarketing restrictions.  See Chesbro v. Best Buy Co., Inc.

2.  Effective dates were announced for the new requirements on autodialed and prerecorded calls that were adopted by the FCC in February 2012. 

  • Effective immediately:  all prerecorded “health care” messages subject to HIPAA transmitted to residential lines are exempt from the FCC’s consent, identification, time-of-day, opt-out, and call abandonment requirements.
  • Effective November 15, 2012:  the FCC’s three percent call abandonment rate must be calculated on a 30-day basis for every telemarketing calling campaign.  (It is possible that the FCC will consider delaying this effective date to January 14, 2013, to align it with the interactive opt-out requirement discussed below.)
  • Effective January 14, 2013:  all prerecorded telemarketing calls must include an automated, interactive opt-out mechanism throughout the duration of the call, as well as a toll-free telephone number that can be contacted to opt out when a prerecorded telemarketing message is left on voicemail or an answering machine. 
  • Effective October 16, 2013:  prior express written consent is required to transmit prerecorded or autodialed telemarketing calls to wireless numbers, and the established business relationship exception no longer applies to prerecorded telemarketing calls to residential lines.


FTC Releases Privacy Guide for Mobile Application Developers

The Federal Trade Commission has released a guide, Marketing Your Mobile App: Get It Right from the Start, to help mobile application developers comply with truth-in-advertising standards and privacy principles.  Although the guide is informal and not binding guidance, it does represent helpful FTC commentary.  The guide notes that a one-size-fits-all approach is not workable since all applications are different, but it provides general guidelines for developers to follow:

Truth-in-Advertising Standards

  • Tell the truth about what the application can do.  The guide directs developers to consider their product from the perspective of average users and not software engineers or application experts.  If the developer makes objective claims about the application, the developer must have solid proof to support the claims.
  • Disclose key information clearly and conspicuously.  Developers must provide key disclosures in a manner that is “big enough and clear enough that users actually notice them and understand what they say.” 

Privacy Principles

  • Build privacy considerations into the application from the start.  In selecting the default settings for an application, developers should incorporate privacy protections into their practices, limit the information collected, securely store information collected, and safely dispose of information no longer needed. 
  • Be transparent about data practices.  Developers should explain what information the application collects from users or their devices and how the information is used.
  • Offer choices that are easy to find and easy to use.  Developers should give users tools that offer choices in how to use the application, such as privacy settings, opt-outs, or other ways for users to control how their personal information is collected and used. 
  • Honor privacy promises.  Developers must adhere to assurances made to users in privacy policies and obtain users’ affirmative consent for any material changes to privacy practices.  
  • Protect kids’ privacy.  Applications that are designed for children or that collect information from children may be subject to additional requirements under the Children’s Online Privacy Protection Act (COPPA). 
  • Collect sensitive information only with consent.  Developers should obtain users’ affirmative consent before collecting any sensitive data, such as medical, financial, or precise geolocation information. 
  • Keep user data secure.  Developers must take reasonable steps to keep sensitive data secure and adhere to data security promises made to users.
