FTC Fines Mobile App Developer $50K for Violating Kids' Data Privacy

Mobile app developers beware. The FTC is showing that it will not hesitate to go after application developers for leaking personal data or collecting information without proper consent.

The Federal Trade Commission's fining of a mobile-application developer for collecting children's personal information without parental consent sends a strong message to other developers that the agency would closely monitor the mobile software market to protect consumers.

The mobile application from Broken Thumbs Apps violated COPPA (the Children's Online Privacy Protection Act) because personal information of children under 13 was collected without parental consent, the FTC said Aug. 15.

The 20-year settlement with parent company W3 Innovations and its president, Justin Maples, specifies that W3 must delete all personal information that had been collected through its "Emily Apps" software line, pay a $50,000 fine and be subject to FTC monitoring to ensure it is no longer violating consumer privacy. If W3 slips up, the company could incur additional penalties of up to $16,000 for each violation, according to the FTC.

Broken Thumbs Apps develops and sells a line of "Emily Apps," which lets kids design outfits and create virtual models, and are available through the "Games-Kids" section of Apple's App Store. Children are encouraged to send emails to "Emily" on practically any topic, and those messages were publicly posted on "Emily's blog" and easily accessed from all Emily Apps Websites. Children could submit responses to the blog posts that required them to enter their names and email addresses.

Under COPPA, the privacy policy has to be prominently posted on Websites with information about what information is collected and how it is used as well as steps parents can take to refuse, review or remove the information. Parental consent also needs to be obtained before data is collected, used or publicized. Passed in 1998, COPPA applies to anyone who operates an online service or Website directed to children, as well as operators of general sites and services that are aware they are collecting information from children.

The case was notable because it was the first time the FTC indicated it will take action in the mobile space, Andrew B. Serwin, founding chair of the privacy, security and information management practice at Foley & Lardner, told eWEEK. Going after mobile application developers is not a "jurisdiction change" for the FTC because the applications transmit information over the Internet, according to Serwin.

Organizations with mobile applications now need to ensure their application complies with laws regarding privacy and disclosure requirements to avoid being investigated by the FTC, Serwin said. For applications targeting children, developers will have to figure out a way to get what COPPA would recognize as parental consent, which can be a challenge because mobile devices are involved, Serwin said.

The settlement itself was not a surprise to anyone who had been following the case, Serwin said. The fine itself wasn't all that high and was relatively reasonable," Serwin said.

The terms of the settlement were more interesting because they reinforce what the FTC is willing to do to regulate mobile applications, but they have no requirement for consumer education, Serwin said.

In the past, when Websites or online services violated COPPA, they were required to link to, or display, certain language when personally identifiable information was being collected, as part of a consumer education remedy. That kind of language would be difficult to display on a mobile device. The lack of a remedy requirement may indicate that the FTC understands disclosures need to be handled differently with mobile applications, Serwin said.

This case is not the only case involving mobile devices and data on the FTC's radar. Jessica Rich, deputy director of the FTC's Bureau of Consumer Protection testified earlier this year to Congress that the agency had several active investigations into privacy issues associated with mobile devices.

The "Do Not Track Kids Act" currently introduced in the House of Representatives by Rep. Ed Markey (D-Mass.) and Rep. Joseph Barton (R-Texas) is an attempt to "bring COPPA up to date and add additional safeguards for teens," Markey said.