In late December 2014, the FTC staff sent China-based mobile app developer BabyBus a letter warning the company that several of its apps may violate the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. Staff alleged that the apps are marketed for young children and “use cartoon characters to teach children letters, counting, shapes, music, and matching.” The FTC claimed the company must comply with the COPPA Rule’s notice, verifiable parental consent, and other requirements because some of the apps collect precise geolocation information that is shared with third parties, such as advertising networks or analytics companies. The letter warned that staff will review the apps again and encouraged the developer to take steps to comply with COPPA.

The FTC has never brought an enforcement action alleging violations of COPPA against a foreign-based company. However, FTC staff previously has stated in informal guidance that foreign-based websites and apps are subject to COPPA if they either are directed to children in the U.S. or knowingly collect personal information from children in the US. For example, COPPA FAQ B.7 states:

7. The Internet is a global medium. Do websites and online services developed and run abroad have to comply with the Rule?

Foreign-based websites and online services must comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the U.S. The law’s definition of “operator” includes foreign-based websites and online services that are involved in commerce in the United States or its territories. As a related matter, U.S.-based sites and services that collect information from foreign children also are subject to COPPA.

In addition, shortly after the revised COPPA Rule was adopted, the FTC staff sent letters to multiple foreign-based companies whose mobile apps collect persistent identifiers or photographs, videos, and audio recordings of children. Those letters emphasized that the FTC had not evaluated the apps or the companies’ practices to determine if they comply with the COPPA Rule, but reminded the companies that if their apps collect, use, or disclose children’s personal information, they must comply with the revised COPPA Rule.

Notwithstanding this nonbinding, informal guidance, the FTC likely would face a number of practical challenges in enforcing COPPA against a foreign company, including, for example, the requirement that a US court have personal jurisdiction over the defendant.

FTC enforcement, however, is only one potential risk.  After the letter was published, Google suspended the BabyBus apps from the Google Play app store.  In response, BabyBus issued a statement that geolocation information was collected only on the Google Android platform “due to the Android’s third party statistics software plug-in.”  BabyBus stated that it has updated the apps to come into compliance.

Tags: Children's Online Privacy Protection Act, COPPA, Mobile
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Lindsey Tonsager Lindsey Tonsager

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection…

Lindsey Tonsager co-chairs the firm’s global Data Privacy and Cybersecurity practice. She advises clients in their strategic and proactive engagement with the Federal Trade Commission, the U.S. Congress, the California Privacy Protection Agency, and state attorneys general on proposed changes to data protection laws, and regularly represents clients in responding to investigations and enforcement actions involving their privacy and information security practices.

Lindsey’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of artificial intelligence, data processing for connected devices, biometrics, online advertising, endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, e-mail marketing, disclosures of video viewing information, and new technologies.

Lindsey also assesses privacy and data security risks in complex corporate transactions where personal data is a critical asset or data processing risks are otherwise material. In light of a dynamic regulatory environment where new state, federal, and international data protection laws are always on the horizon and enforcement priorities are shifting, she focuses on designing risk-based, global privacy programs for clients that can keep pace with evolving legal requirements and efficiently leverage the clients’ existing privacy policies and practices. She conducts data protection assessments to benchmark against legal requirements and industry trends and proposes practical risk mitigation measures.

Read more about Lindsey TonsagerEmail
Show more Show less