In late December 2014, the FTC staff sent China-based mobile app developer BabyBus a letter warning the company that several of its apps may violate the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. Staff alleged that the apps are marketed for young children and “use cartoon characters to teach children letters, counting, shapes, music, and matching.” The FTC claimed the company must comply with the COPPA Rule’s notice, verifiable parental consent, and other requirements because some of the apps collect precise geolocation information that is shared with third parties, such as advertising networks or analytics companies. The letter warned that staff will review the apps again and encouraged the developer to take steps to comply with COPPA.

The FTC has never brought an enforcement action alleging violations of COPPA against a foreign-based company. However, FTC staff previously has stated in informal guidance that foreign-based websites and apps are subject to COPPA if they either are directed to children in the U.S. or knowingly collect personal information from children in the U.S. For example, COPPA FAQ B.7 states:

7. The Internet is a global medium. Do websites and online services developed and run abroad have to comply with the Rule?

Foreign-based websites and online services must comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the U.S. The law’s definition of “operator” includes foreign-based websites and online services that are involved in commerce in the United States or its territories. As a related matter, U.S.-based sites and services that collect information from foreign children also are subject to COPPA.

In addition, shortly after the revised COPPA Rule was adopted, the FTC staff sent letters to multiple foreign-based companies whose mobile apps collect persistent identifiers or photographs, videos, and audio recordings of children. Those letters emphasized that the FTC had not evaluated the apps or the companies’ practices to determine if they comply with the COPPA Rule, but reminded the companies that if their apps collect, use, or disclose children’s personal information, they must comply with the revised COPPA Rule.

Notwithstanding this nonbinding, informal guidance, the FTC likely would face a number of practical challenges in enforcing COPPA against a foreign company, including, for example, the requirement that a U.S. court have personal jurisdiction over the defendant.

FTC enforcement, however, is only one potential risk. After the letter was published, Google suspended the BabyBus apps from the Google Play app store. In response, BabyBus issued a statement that geolocation information was collected only on the Google Android platform “due to the Android’s third party statistics software plug-in.” BabyBus stated that it has updated the apps to come into compliance.

Lindsey Tonsager

Lindsey Tonsager helps national and multinational clients in a broad range of industries anticipate and effectively evaluate legal and reputational risks under federal and state data privacy and communications laws.

In addition to assisting clients in engaging strategically with the Federal Trade Commission, the U.S. Congress, and other federal and state regulators on a proactive basis, she has experience helping clients respond to informal investigations and enforcement actions, including by self-regulatory bodies such as the Digital Advertising Alliance and Children’s Advertising Review Unit.

Ms. Tonsager’s practice focuses on helping clients launch new products and services that implicate the laws governing the use of endorsements and testimonials in advertising and social media, the collection of personal information from children and students online, behavioral advertising, e-mail marketing, artificial intelligence, the processing of “big data” in the Internet of Things, spectrum policy, online accessibility, compulsory copyright licensing, telecommunications and new technologies.

Ms. Tonsager also conducts privacy and data security diligence in complex corporate transactions and negotiates agreements with third-party service providers to ensure that robust protections are in place to avoid unauthorized access, use, or disclosure of customer data and other types of confidential information. She regularly assists clients in developing clear privacy disclosures and policies―including website and mobile app disclosures, terms of use, and internal social media and privacy-by-design programs.