Firefly Games agreed to take corrective action in response to the Children’s Advertising Review Unit’s allegations that the company had violated COPPA by inaccurately (and confusingly) explaining its privacy practices. The app in question, LOL Surprise! Room Makeover, featured dolls and characters intended for children and animated characters. It also included content directed to adult users. CARU concluded as part of its routine reviews that, inter alia, the app was “mixed audience.” As such, the app needed to comply with not only CARU’s guidelines, but the Children’s Online Privacy Protection Act as well.
The Children’s Advertising Review Unit recently settled with TickTalk Tech, LLC over its information collection practices. CARU, a self-regulatory body that reaches voluntary settlements with companies, conducts regular audits of privacy practices by companies in the child space. During one such audit, it identified concerns over TickTalk Tech’s kids’ smart watch, TickTalk4.
The FTC recently announced the removal of Aristotle International, Inc. from the list of seven approved safe harbor programs under the Children’s Online Privacy Protection Act. Programs that are approved by the FTC must place requirements on participating organizations that are the same as, or greater than, the requirements of COPPA. (As we have reported in the past, COPPA requires, inter alia, getting verified parental consent before collecting personal information from children online.) Companies that participate in those approved COPPA safe harbor programs are deemed in compliance with COPPA. Such protection can be valuable with a law, like COPPA, that has been found to be confusing to operationalize.
Continue Reading A COPPA First: Safe Harbor Program Removed From Approved List
The ICO first began its examination of Bounty UK Ltd. (a support club for parents) when the ICO was investigating the data brokerage industry generally, in which it viewed Bounty as taking part (given that it shared member information with third parties like Acxiom and Equifax). Here, in reaching its conclusion that the company had violated UK privacy laws, the ICO found the volume of sharing in which Bounty engaged “unprecedented,” and accused the company of both “careless data-sharing” and violations of the UK law that pre-dated GDPR (the violation having occurred prior to the law’s May 2018 implementation date). Interestingly, the violation has been described by commentators as a “data breach,” although it did not involve the typical “hacker” scenario that one thinks of when contemplating a breach. Instead, the company collected information and shared it with third parties without appropriate notice and consent.
Continue Reading UK ICO Fines Parenting Club £400,000 Over Breach Involving PII of Mothers and Babies
The settlement between VTech Electronics Ltd. and the FTC in the first Internet-connected toys COPPA case is a reminder for companies looking to enter the connected toys space not to forget this child-focused law.
Continue Reading Connected Toys, COPPA, and What’s Next
The FTC announced that it has given guidance on when the Children’s Online Privacy Protection Act (COPPA) requires collection of parental consent before collecting voice recordings online from children under 13. The issue arose because, as the FTC noted, voice is beginning to be a “replacement for written words,” especially when conducting searches or instructing digital devices. COPPA requires collecting parental consent before collecting personally identifiable information from children online. The definition of “personal information” under COPPA is broad, and includes audio files. Arguably, then, online operators would need parental consent before children “submitted” audio files, including in the form of conducting verbal searches or giving verbal instructions to their connected device.
Continue Reading FTC Gives COPPA Guidance on Voice Recordings