On December 17, the Federal Trade Commission (FTC) announced settlements with operators of kids’ mobile apps relating to violations of the Children’s Online Privacy Protection Act (COPPA). These companies had wrongly collected personal information from children, and the settlements totaled $360,000.
It is axiomatic that you should not collect personal information from children under the age of 13 without proper parental consent.
Things get complicated in remembering what is considered “personal information” for purposes of COPPA, as certain information is covered by COPPA that may not be considered “personal” in other circumstances.
The COPPA rules define “personal information” as “individually identifiable information about an individual collected online” including a “persistent identifier that can be used to recognize a user over time and across different websites or online services.” This may include “a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device”. Read more>
The apps in question collected or created “persistent identifiers” – snippets of code that can be used to recognize a person over time and across different websites and other apps. These sorts of identifiers include “cookies” that track users for advertising and optimization purposes, as well as, potentially other “fingerprinting” tools that enable an app provider (or third party) to track a user without the users’ knowledge or consent.
There are many situations where judges and privacy experts have determined that these sorts of persistent identifiers are not personally identifiable – including a recent string of federal cases interpreting the Video Privacy Protection Act (VPPA), which have generally found that linking the viewing of a specific video to a specific persistent identifier is not the same as disclosing that a particular person has watched a given video.
But children under 13 are different. And the COPPA rules are clear: If you have a site that targets children under 13, or if you know that a user is under the age of 13, then COPPA restricts the collection of data.
It is straightforward to avoid the obvious collection of data from children – or to obtain consent if you do. But given the extensive use of “persistent identifiers” in the functioning of the internet, and in the operation of the market for targeted advertising, it requires extra care to prevent the presence of these “persistent identifiers” on your site. Not only must you monitor how your own site works, and how your service providers’ systems work, but you may be found responsible for all third parties on your site, including those who are there simply due to the open nature of the targeted advertising ecosystem. Be sure that all these parties are not setting persistent identifiers for your users under 13 – whether through cookies, fingerprinting techniques or other tracking mechanisms.
With the December 17 settlements, the FTC is sending the message that it will strictly enforce the COPPA rules restricting data collection from children.