In late December 2014, the FTC staff sent China-based mobile app developer BabyBus a letter warning the company that several of its apps may violate the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. Staff alleged that the apps are marketed for young children and “use cartoon characters to teach children letters, counting, shapes, music, and matching.” The FTC claimed the company must comply with the COPPA Rule’s notice, verifiable parental consent, and other requirements because some of the apps collect precise geolocation information that is shared with third parties, such as advertising networks or analytics companies. The letter warned that staff will review the apps again and encouraged the developer to take steps to comply with COPPA.
Continue Reading FTC Warns Foreign Mobile-App Developer To Comply With COPPA

Making good on its warnings that mobile apps will be an enforcement priority under the revised Children’s Online Privacy Protection Act (“COPPA”) Rule, the FTC has announced two settlements with mobile app developers:

  1. TinyCo., the developer of several child-directed mobile apps, will pay $300,000 to settle charges that it violated COPPA by collecting children’s email

Today, the Federal Trade Commission announced settlements with two mobile app makers that allegedly failed to provide reasonable security for the personal information collected in connection with their apps.  In complaints against Credit Karma, Inc. and Fandango LLC, the FTC alleged that both companies’ apps failed to validate SSL certificates, a security shortcoming that could have allowed an attacker to connect to the app—and collect unencrypted sensitive information—by presenting an invalid certificate.  (This type of attack is sometimes called a “man-in-the-middle attack.”)  Both respondents agreed to 20-year consent orders requiring, among other things, that they establish comprehensive information security programs. 

These cases are important for a number of reasons:  they reinforce past FTC guidance on the importance of performing security reviews and testing, overseeing service providers, and providing channels whereby security researchers can report vulnerabilities.  But what might be most notable is that in neither case does the FTC specifically allege that the respondent’s practices were “unfair” within the meaning of the Section 5 of the FTC Act.  Instead, both cases appear predicated upon the FTC’s authority to take actions against companies engaged in “deceptive” practices.


Continue Reading FTC Announces Settlements with Two Mobile App Providers

Yesterday, the FTC announced a settlement with Goldenshores Technologies, a company that makes the most-downloaded flashlight app on the Android platform.  The FTC alleged that Goldenshores violated Section 5 of the FTC Act by failing to disclose to consumers that it shared location data it collected from users’ device with third parties.  Although a list

The National Telecommunications & Information Administration (“NTIA”) announced today that it will convene a series of meetings about the commercial uses of facial recognition technology.  The goal of the meetings will be to develop a voluntary, enforceable code of conduct specifying how the Obama Administration’s “Consumer Privacy Bill of Rights” applies to facial

Earlier today, two entities — the Direct Marketing Association (“DMA”) and a Coalition of Mobile Engagement Providers (“Coalition”) — filed petitions at the FCC asking the agency to stay and forbear from enforcing, or clarify, certain aspects of the “prior express written consent” requirement that went into effect yesterday for prerecorded calls to residential numbers and autodialed

The Digital Advertising Alliance (“DAA”) recently released a guidance document titled Application of Self-Regulatory Principles to the Mobile Environment (“Mobile Guidance”).  The Mobile Guidance does not purport to establish new principles, but rather to explain how the DAA’s existing principles — the Self-Regulatory Principles for Online Behavioral Advertising and for Multi-Site Data — apply to the “mobile Web site and application environment.”  Still, the Mobile Guidance contains a considerable amount of new direction that should interest publishers, advertisers, and other companies that operate in the online advertising space.  Below is an overview of key takeaways from the Guidance. 

The Guidance explains how companies operating in the mobile space should provide consumers “transparency and “control” (i.e., notice and choice) in connection with four types of data: Multi-Site Data, Cross-App Data, Precise Location Data, and Personal Directory Data. 

Although the DAA’s definitions of these types of data focus on the way in which data is collected, the application of the key principles of “Transparency” and “Control” depends mainly on the way the data is used.  For example, the Multi-Site Principles define “Multi-Site Data” as “data collected from a particular computer or device regarding Web viewing over time and across non-Affiliate Web sites.”  This definition focuses on the nature of the collection, but the “Transparency” and “Control” principles’ application to the data turns on the way the data is used:  if Multi-Site Data is used for one of many enumerated purposes (e.g., IP protection, product or service fulfillment, and product development), the Principles’ transparency and control principles do not apply. 

Thus, the guidelines suggest that companies evaluate their obligations not only by considering whether the data they collect is covered by the Principles, but also by determining how that data will be used.  With that background, we turn to a discussion of the Mobile Guidance. 


Continue Reading The DAA Principles Applied to Mobile: Key Takeaways

Today, the Federal Trade Commission released the agenda and panelists for the public forum it is holding on mobile security, Mobile Security: Potential Threats and Solutions, on June 4, 2013.  The forum will bring together technology researchers, industry members, and academics to explore mobile malware, the security of existing and developing mobile technologies, and