As we wrote previously, kids are spending more of their days online and are using online platforms for virtual learning and entertainment. Much of this environment is funded through online advertising. All companies thus need to think about the impact that children’s privacy laws, like COPPA, have on the online environment, as they will see the outcomes of this applicability in their contracts.
Continue Reading Back to School Special: But I’m Just an Ad Network! Am I Subject to Children’s Privacy Laws?

In our online world, one of the challenges (and opportunities) for companies is the increased use of their websites, apps, and connected devices. For platforms directed to both adults and children, or platforms previously directed to adults which would like to now also direct their services to children, the FTC’s recently streamlined FAQs, and ICPEN’s guide (both of which we introduced earlier this week) can help companies in this space. The information is particularly helpful for those that were aimed mostly toward adults, and are now shifting their business plans to direct products or services to children as well.
Continue Reading Back to School Special: Is My Multi-Age Platform Subject to Child Protection Requirements?

In this remote era, companies are increasingly being approached by their business teams with ideas about products and services that involve video or audio recordings of their consumers. It may also involve letting people manipulate photos of themselves. Sometimes, those recordings and pictures are of children. Content that contain images or audio of individuals are considered personal information under many laws, including the Children’s Online Privacy Protection Act (COPPA). What does this mean for companies? As we discussed in our previous blog post, COPPA requires obtaining parental consent if the personal information collected is being collected by the company online, and being collected from the child. The FTC’s recently streamlined FAQs help companies find and understand obligations if collecting photos or recordings from children. Namely, a reminder that this content is personal, and does require verifiable parental consent before being collected.
Continue Reading Back to School Special: Recordings, Photos, Kids, and Parental Consent

In the current pandemic era, kids are spending more time online, be it for school or entertainment. Companies are therefore gearing up for increased interaction with children online or through connected devices. As children around the globe return to school, whatever  that return looks like, the FTC and the International Consumer Protection Enforcement Network (ICPEN) remind us that certain rules apply when dealing with kids online.
Continue Reading Back to School Special: COPPA Consent in the COVID Era

HyperBeard, the makers of several children’s mobile apps (including KleptoCats), recently settled with the FTC over failure to obtain verifiable parental consent before collecting children’s personal information online, in violation of COPPA. In its complaint, the FTC argued that the HyperBeard apps were clearly directed to children. The apps contained brightly-colored animated characters, kid-friendly language, games that were easy to play, and were promoted on kids’ websites and publications.
Continue Reading KleptoCats Maker Settles with FTC Over Failure to Get Parental Consent

The Federal Trade Commission is requesting comments and input on the effectiveness of the 2013 amendments it made to the Children’s Online Privacy Protection Rule. Although the FTC typically reviews its rules every ten years, it is doing so early because of rapid changes in and children’s expanded use of technology. Part of the input it is seeking is whether the COPPA Rule should be updated again. Among the specific input the FTC has requested, it wants to know if companies and other interested parties believe that the Rule should be amended to include websites and online services that are not directed at children but have large numbers of child users.
Continue Reading FTC Seeks Comments on COPPA Rule

Two mobile apps directed at children were recently subject to action by the Children’s Advertising Review Unit. The first, “My Talking Tom,” is a virtual pet game for children operated by Outfit7 Limited. One issue was the display of Outfit7’s privacy policy. Under the Children’s Online Privacy Protection Act, privacy policies must be understandable, and contain no unrelated material. The app’s policy, however, contained advertisements for other games, and animated balloons that obstructed the user’s view. Accordingly, CARU found that the distracting content violated COPPA. Outfit7 prudently removed the content, and CARU took no further action on the issue.
Continue Reading CARU Takes Action Against Two Mobile Apps

The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, of which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” as well as violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent.
Continue Reading UK ICO Fines Parenting Club £400,000 Over Breach Involving PII of Mothers and Babies

Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location history, phone numbers and serial number. Additionally, the hacker could use the watch to “call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.” This is one of the first recalls of an internet of things device by the European Commission and puts device makers on notice that they should take cybersecurity seriously when designing new devices.
Continue Reading Cyber Concerns Lead to EU Recall of a Connected Kids Devices

Unixiz, operator of the i-Dressup site, reached an agreement with the New Jersey Attorney General to settle charges that the company had violated the Children’s Online Privacy Protection Act and the New Jersey’s Consumer Fraud Act. The New Jersey AG claimed that Unixiz violated these statutes by collecting information about children without first getting parental consent. The AG’s investigation into Unixiz’s privacy practices began after Unixiz disclosed a data breach in 2016. Users of the i-Dressup site created accounts with the site (and thus established usernames and passwords). In 2016 hackers accessed approximately 2.2 million users’ names and passwords.  In response to the breach, the New Jersey AG launched an investigation into the company. The investigation revealed that in addition to failing to safeguard its users’ information, Unixiz did not get parental consent before collecting children’s personal information, as required under COPPA. Included among its users were 2,519 New Jersey children. 
Continue Reading Unixiz Settles COPPA Allegations with NJ AG

The Federal Trade Commission recently posted a blog entry reminding companies about the deletion requirements under the Children’s Online Privacy Protection Act. Namely, that companies under the Act must give parents the right to review and delete their children’s information. In addition COPPA also requires companies to delete children’s personal information when the information is no longer necessary to fulfill the purpose for which it was originally requested. An example given is when a parent decides not to renew a subscription on behalf of their child. In that case, the company must delete the information even if the parent has not specifically requested deletion. The FTC recommends that companies make sure that their document retention policies take into account the stated purposes for which children’s personal information is collected, and under what circumstances the information will no longer be needed for those purposes. The FTC also recommends that companies ensure that they have secure deletion practices in place.
Continue Reading FTC Provides Insight into COPPA Deletion Requirements