InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
FTC sues weight-loss companies alleging COPPA and FTC Act violations
On February 16, the FTC filed a complaint for permanent injunction in the U.S. District Court for the Northern District of California against an international weight loss service organization and its subsidy (collectively, “defendants”) for allegedly using unfair and deceptive practices to obtain personal information of underage users without parental consent. According to the complaint, the defendants violated the Children’s Online Privacy Protection Act and Section 5 of the FTC Act by collecting and keeping personal information from children under 13 without providing notice to or obtaining consent from their parents. The complaint alleges that the defendants, among other things, failed to: (i) “provide through the App and website a clear, understandable, and complete direct notice to parents of [the] Defendants’ practices”; (ii) “make reasonable efforts, taking into account available technology, to ensure that parents receive the direct notice”; and (iii) “obtain verifiable parental consent before any collection, use, or disclosure of personal information from children.” The proposed settlement is pending court approval.
New Mexico settles with technology company over COPPA violations
On December 13, the New Mexico attorney general announced a settlement in two federal court cases filed against a multinational technology company both of which resolve allegations against the company under the federal Children’s Online Privacy Protection Act (COPPA) and other state consumer protection laws. According to one complaint, the company allegedly violated COPPA and the New Mexico Unfair Practice Act by collecting the personal information of minors and the mining of student emails in connection with the use of the company’s educational tools. In a separate complaint, among other things, the company’s mobile ad platform permitted a third-party game developer to collect the personal data of minors without “verifiable parental consent.” According to the AG, under the terms of the settlement, the company must, among other things: (i) fund a new initiative to promote education, privacy, and safety for children across New Mexico and work with the AG to identify recipients of these funds; (ii) “provide[] school administrators with tools to protect minor students from improper collection of their personal data, including age-based access settings to ensure that minor children’s data is protected from unauthorized collection and disclosure”; (iii) monitor app developers that mislabel their child-directed apps; and (iv) require apps to implement age screening measures which ensure that these apps do not collect information from children.
FTC settles with advertising platform for COPPA violations
On December 15, the FTC announced a settlement with a California-based online advertising platform for allegedly engaging in deceptive acts of practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). (See also DOJ press release here.) According to the FTC, the defendant operates a programmatic advertising exchange that monetizes websites and mobile apps through the sale of ad space. The defendant also contracts with advertising technology companies that aggregate and sell advertising inventory for publishers and then send the defendant ad requests. The DOJ, on behalf of the FTC, filed a complaint claiming the defendant, among other things, violated COPPA by collecting personal information about children under the age of 13 without notifying their parents and obtaining their consent. Additionally, the FTC claimed that while the defendant’s privacy policy provided users the option to opt-out of the collection of their location data, the defendant still allegedly collected geolocation information from users who specifically asked not to be tracked. The FTC stated that the defendant reviewed hundreds of apps that were directed to children under 13, but did not flag the apps or their data as “child-directed” and permitted the apps to participate in the ad exchange. In addition, the FTC claimed that the defendant allegedly disclosed this personal data to third parties for ads targeted at users of these child-directed apps.
Under the stipulated final order, the defendant must, among other terms, (i) implement a comprehensive privacy program to ensure compliance with COPPA and stop collecting and retaining personal information from children under 13 without verifiable parental consent; (ii) stop misrepresenting a user’s ability to opt-out of the collection of personal information and location information (collectively, “covered information”) and confirm that a user has provided affirmative consent for the collection of location information; (iii) implement safeguards to protect covered information and conduct annual reviews to assess for internal and external risks to the privacy of covered information that could lead to unauthorized access; (iv) engage a third party to conduct biennial privacy assessments; (v) delete all ad request data collected to serve targeted ads prior to the issuance of the order; and (vi) periodically re-review apps to identify those that are directed towards children and ban these apps from its ad exchange. The order also provides for a $7.5 million penalty that will be suspended upon payment of $2 million due to the defendant’s inability to pay the full amount.
New Mexico sues gaming app maker for COPPA violations
On August 25, the New Mexico attorney general filed a lawsuit against an entertainment corporation for allegedly violating the Children’s Online Privacy Protection Act Rule (COPPA) and New Mexico’s Unfair Practices Act by knowingly collecting and selling personal information from children under the age of 13 without verifiable parental consent. According to the AG, the company purportedly collects data from children who play one of its gaming apps and sells it to third-party marketing companies, who in turn, analyze and repackage the data to sell targeted advertisements to those same children. The complaint stated that, “[t]his conduct endangers the children of New Mexico, undermines the ability of their parents to protect children and their privacy, and violates state and federal law,” adding that the “surreptitious and intentional monitoring, tracking, and profiling of children—in direct violation not only of federal law but of longstanding societal norms—is egregious and highly offensive conduct.” The AG further emphasized that even if a game is targeted towards a broad audience, developers must still ensure that data is not collected from users under the age of 13 without parental consent. The complaint seeks an injunction to prohibit the company’s data collection practices as well as civil penalties and restitution.
FTC settles with app for violating COPPA
On July 1, the FTC announced a settlement with the operators of a coloring book app (collectively, “defendants”) for allegedly engaging in unfair or deceptive acts or practices and violating the Children’s Online Privacy Protection Act Rule (COPPA). The DOJ, on behalf of the FTC, filed a complaint claiming that the defendants, among other things, violated COPPA by collecting and disclosing personal information about children who utilized the app without notifying their parents and obtaining their consent. The FTC claimed that some children, including those under 13, were able to register for accounts and use the app’s social media features. The defendants allegedly received numerous complaints that children were using the app’s social media features, such as posting “selfies” on the app’s “gallery” for public viewing and interacting with other users, including adults. Under the terms of the proposed stipulated final order, the defendants must complete several steps to remedy the alleged violations, including deleting all personal information collected from children under the age of 13 within 60 days, unless parental consent is obtained. The defendants must also offer current paid subscribers a refund if they were under the age of 18 when they registered for the app. In addition, the defendants agreed to notify users about the alleged COPPA violations and the steps that users can take in response to the settlement. The proposed order provides for a $3 million civil money penalty that is suspended upon payment of $100,000 due to the defendants’ inability to pay the full amount. If the defendants sell the app within a year following the order, they are required to remit the net proceeds from the sale to the FTC after debts and other related expenses are paid.
Court denies tech company's second request for COPPA claim dismissal
On February 2, the U.S. District Court for the District of New Mexico granted a technology company’s motion for reconsideration in part, but denied dismissal of the New Mexico attorney general’s action alleging the company designed and marketed mobile gaming applications (apps) targeted towards children that contain illegal tracking software in violation of the Children’s Online Privacy Protection Act (COPPA). As previously covered by InfoBytes, the attorney general filed a lawsuit against a group of technology companies, alleging that the companies’ data collection and sharing practices did not comply with COPPA’s specific notice and consent requirements, while the apps’ embedded software development kits (SDKs) allow the apps to communicate directly with the advertising companies that analyze, store, use, share, and sell the data to other third-parties to build “increasingly-detailed profiles of child users” in order to send highly-targeted advertising. In April 2020, the court denied in part a motion to dismiss by one of the companies, concluding the attorney general plausibly alleged that the company “had actual knowledge of the child-directed nature” of the apps, and under COPPA, “ad networks may be held liable for the collection of personal information from child app users only if they have ‘actual knowledge’ that the apps in which their (SDKs) are embedded are ‘directed to children.’” The company moved for reconsideration, arguing that the court improperly held whether “children were the ‘primary target audience’ of the app was not relevant to the ‘actual knowledge’ determination.”
Upon reconsideration, the court agreed with the company that its April 2020 opinion “misapprehended the significance of the mixed-audience exception to the actual knowledge determination,” but concluded that there is no basis to dismiss the COPPA claim because the attorney general still “adequately alleged actual knowledge on the part of [the company].”
FTC settles with app developer for COPPA violations
On June 4, the FTC announced that a children’s mobile application developer agreed to pay $150,000 and to delete the personal information it allegedly unlawfully collected from children under the age of 13 to resolve allegations that the developer violated the Children’s Online Privacy Protection Act Rule (COPPA). According to the complaint filed in the U.S. District Court for the Northern District of California, the developer, without notifying parents or obtaining verifiable parental consent, allowed third-party advertising networks to use persistent identifiers to track users of the child-directed apps in order to send targeted advertisements to the children. The proposed settlement requires the developer to destroy any personal data collected from children under 13 and notify and obtain verifiable consent from parents for any child-directed app or website they offer that collects personal information from children under 13. A $4 million penalty is suspended upon the payment of $150,000 due to the developer’s inability to pay.
In dissent, Commissioner Phillips argued that the fine imposed against the developer was too high, noting that having children view advertisements based on the collection of persistent identifiers “is something; but it is not everything,” under COPPA. Commissioner Phillips argued that because the developer did not “share[] sensitive personal information about children, or publicize[] it” nor did the developer expose children “to unauthorized contact from strangers, or otherwise put [the children] in danger,” the assessed penalty was too large in comparison to the harm.
In response to the dissent, Chairman Simons argued that while “harm is an important factor to consider…[the FTC’s] first priority is to use [] penalties to deter [] practices. Even in the absence of demonstrable money harm, Congress has said that these law violations merit the imposition of civil penalties.”
FTC report highlights 2019 privacy and data security work
On February 25, the FTC released its annual report highlighting the agency’s privacy and data security work in 2019. Among other items, the report highlights consumer-related enforcement activities in 2018, including:
- A $5 billion penalty—the largest consumer privacy penalty to date—against a global social media company to resolve allegations that the company violated its 2012 FTC privacy order and mishandled users’ personal information. (Covered by InfoBytes here.)
- A $170 million penalty against a global online search engine and its video-sharing subsidiary to resolve alleged violations of the Children’s Online Privacy Protection Act (COPPA). (Covered by InfoBytes here.)
- A proposed settlement in the FTC’s first case against developers of “stalking” apps that monitor consumers’ mobile devices and allegedly compromise consumer privacy in violation of the FTC’s Act prohibition against unfair and deceptive practices and COPPA.
- A global settlement of up to $700 million issued in conjunction with the CFPB, 48 states, the District of Columbia and Puerto Rico, to resolve federal and state investigations into a 2017 data breach that reportedly compromised sensitive information for approximately 147 million consumers. (Covered by InfoBytes here.)
The report also discusses the FTC’s enforcement of the EU-U.S. Privacy Shield framework, provides links to FTC congressional testimony on privacy and data security, and offers a list of relevant rulemaking, including rules currently under review. In addition, the report highlights recent privacy-related events, including (i) an FTC hearing examining consumer privacy as part of its Hearings on Competition and Consumer Protection in the 21st Century; (ii) the fourth annual PrivacyCon event, which hosted research presentations on consumer privacy and security issues (covered by InfoBytes here); (iii) a workshop examining possible updates to COPPA; and (iv) a public workshop that examined issues affecting consumer reporting accuracy.
States recommend FTC “significantly” strengthen COPPA
On December 9, a coalition of 25 state attorneys general responded to the FTC’s request for comments on a wide range of issues related to the Children’s Online Privacy Protection Rule (COPPA). As previously covered by InfoBytes, the FTC released a notice in July seeking comments on all major provisions of COPPA, including definitions, notice and parental consent requirements, exceptions to verifiable parental consent, and the safe harbor provision. In response the AGs strongly recommend that, while the FTC should “significantly” strengthen COPPA, any changes must be flexible and evolve to meet a rapidly-changing data landscape’s needs. Specifically, the AGs state that COPPA’s definition of “web site or online service directed to children,” as well as its definition of an “operator,” need to be modified, as many first-party platforms embed third parties who allegedly engage in the majority of the privacy-invasive online tracking. By expanding the definition of an operator, the AGs claim that COPPA would require compliance by companies that use and profit from the data as well as companies that collect the data. According to the AGs, COPPA, places a lower burden on third-parties and requires them to be bound by the rule only when they have “actual knowledge” that they are tracking children, even though these entities “are arguably as well-positioned as the operators of the websites and online services to know that they are tracking and monitoring children.”
The AGs also believe that the prong that “recognizes the child-directed nature of the content” should be strengthened, because companies that are able to identify and target consumers through sophisticated algorithms are often disincentivized to use the information to affirmatively identify child-directed websites or other online services. Among other things, the AGs also discuss the need for specifying the appropriate methods used for determining a user’s age, expanding COPPA to protect minors’ biometric data, and providing illustrative security requirements.
Video-sharing site reaches $170 million settlement with FTC and New York AG
On September 4, the FTC and the New York Attorney General announced (see here and here) a combined $170 million proposed settlement with the world’s largest online search engine and its video-sharing site subsidiary concerning alleged violations of the Children’s Online Privacy Protection Act (COPPA). According to the complaint, the video-sharing site allegedly collected personal information in the form of “persistent identifiers” from viewers of child-directed channels without first obtaining verifiable parental consent. The persistent identifiers allegedly generated millions of dollars in revenue by delivering targeted ads to viewers. The FTC and New York AG allege, among other things, that the defendants knew the video-sharing site hosted numerous child-directed channels but told advertisers that the video-sharing site contains general audience content, even informing one advertising company that it did not have users younger than 13 on its platform and therefore channels on its platform did not need to comply with COPPA.
Under COPPA, operators of websites and online services directed at children are prohibited from collecting personal information of children under the age of 13—including through the use of persistent identifiers for targeted advertising purposes—unless the company has explicit parental consent. Furthermore, third parties—such as advertising networks—must also comply with COPPA where they have actual knowledge that personal information is being collected directly from users of child-directed websites and online services.
While neither admitting nor denying the allegations, except as specifically stated within the settlement, the defendants will, among other things, (i) pay a $136 million penalty to the FTC and a $34 million penalty to New York; (ii) change their business practices to comply with COPPA; (iii) maintain a system for channel owners to designate their child-directed content on the video-sharing site; and (iv) disclose their data collection practices and obtain verifiable parental consent prior to collecting personal information from children. According to the FTC, the $136 million penalty is “by far the largest amount the FTC has ever obtained in a COPPA case since Congress enacted the law in 1998.”