App developers – Disregard COPPA at Your Own Risk

Feb 18, 2013 by

Parental Control

COPPA Rules

Assuring compliance with privacy standards used to be a lot easier. Now, with new guidelines for “contextual” notice, mobile app developers must develop new features and procedures unique to the mobile marketplace.

Let’s start with a simple example. First, follow the law. In our example, this involves COPPA, the Children’s Online Privacy Protection Act. Frankly, too many mobile app developers give only cursory thought to COPPA. An unnecessary and costly risk.

This month (Feb. 2013), the developers of the mobile app Path agreed to settle charges brought by the FTC (Federal Trade Commission) that they violated COPPA standards by failing to obtain parental authorization before collecting personal information from children under the age of 13. Path allowed children under 13, based on date of birth inputs, to register an account, build a profile, submit personal information and share personal details. Moreover, Path gained access, without notice or permission, to the smartphone’s address book and collected any available information. And the result?

  1. Path has to develop a comprehensive privacy procedure;
  2. Path has to obtain an independent privacy assessment every other year for the next 20 years; and
  3. Path has to pay $800,000 to settle charges for violating COPPA.

A bit of forethought would have prevented this problem.

  1. Would this have been solved by drafting a privacy policy? No. But it would have been a good starting point. Most app developers fail to realize that their apps, by law, must provide a privacy policy to their users.
  2. Next, Path would have had to either prevent children under 13 from ever registering an account or require parental notice and approval before doing so.
  3. Last, Path would have had to contextualize its practices. What does that mean? The FTC, the White House and the Commerce Department have all issued guidelines about how mobile practices, such as privacy settings, must be contextual. For example, would an average user of an app such as Path ever expect that the app would access and retain personal information from the address book? If not, then saying it in a 7-page privacy policy will probably not suffice.

Contextualizing privacy terms is a new approach to mobile compliance. Its structure is still developing and it doesn’t have an equivalent in the online/desktop world. Nonetheless, privacy legal experts will need to develop new approaches to what has been considered “old hat”. How do I assure that users receive, acknowledge and understand my clients’ privacy practices when delivered on a mobile platform? A challenge? Yes, but not without solutions.

USA v. Path, Inc., United States District Court for the Northern District of California, San Francisco Division, Case No. C 13 0448, FTC File No. 122 3158, February 1, 2013

2 Comments

  1. Great article is there any chance I can take it and copy it onto my own blog
