The Children’s Online Privacy Protection Act (COPPA) prohibits companies from collecting personal information from children under the age of 13 without first providing notice to parents and obtaining their verifiable consent. The Federal Trade Commission’s (FTC) recent settlements with Yelp and TinyCo serve as a reminder to mobile app developers that the failure to consider COPPA when developing and testing mobile apps can have serious consequences.

Yelp

In 2008, Yelp launched a mobile app companion to its popular reviewing website, which requires users to register for a Yelp account in order to rate, post reviews, and “check in” at businesses. In 2009, Yelp added the ability to register for a Yelp account directly to its mobile app. As part of the registration process for both the website and the mobile app, users were required to provide a date of birth. According to the FTC’s complaint, while this information helped Yelp screen out children under the age of 13 on its website, the company failed to correctly implement the age screen on its mobile app. Although Yelp hired a third party to perform a privacy review of the Yelp app a year after its launch, the third-party test results erroneously noted that the iOS application prohibited registrations from users under the age of 13. Yelp did not otherwise test the age-restriction aspect of the registration feature of the iOS version of the Yelp app, and never tested it in the Android version. Consequently, for four years, registrants of the mobile app who indicated they were under the age of 13 were nonetheless allowed to proceed and to create full Yelp accounts. Once the accounts were created, Yelp collected a multitude of personal information from users, including names, email addresses, precise geolocation data, mobile device IDs, and information about what the users posted on Yelp.

In its complaint, the FTC contended that because Yelp collected information from users who self-declared that they were under the age of 13, the company had “actual knowledge” that it was collecting information from children despite that its privacy policy clearly stated that “[Yelp] is not directed to children under 13.” As such, Yelp’s collection of personal information was subject to COPPA. Under the terms of settlement with the FTC, Yelp must pay $450,000 in civil penalties and delete the information it collected from children under the age of 13.

TinyCo

TinyCo offers free mobile apps, including “Tiny Pets,” “Tiny Zoo,” “Tiny Monsters,” “Tiny Village,” and “Mermaid Resort.” The FTC alleged that the apps’ features, including themes that appeal to children, brightly colored animated characters, and simple language, demonstrate that the apps were directed at children under the age of 13 and were thus subject to COPPA. According to the FTC’s complaint, many of TinyCo’s apps included an optional feature that collected email addresses from users, and some of the apps offered in-game currency in exchange for a user’s email address. Because TinyCo collected the information from users without parental notice and consent, the FTC alleged that TinyCo’s practices violated COPPA. Like Yelp, TinyCo settled with the FTC. TinyCo must pay $300,000 in civil penalties and delete the information it collected from children under the age of 13.

Implications

The TinyCo case reminds developers of mobile apps for kids that there are special requirements for data collected from such apps. The Yelp case stands as a further reminder that even apps made for general audiences need to add COPPA compliance to their product development checklists, especially where birth dates are collected. Yelp reflects the perils of incomplete product testing as well as the general risks of collecting date of birth information from users. Companies should weigh the business needs for collecting date of birth information against the risk of inadvertently collecting personal information from children in violation of COPPA.

Beyond the hundreds of thousands of dollars in fines they will have to pay to the FTC, both companies will have to go through the onerous process of deleting all data collected in violation of COPPA as well as producing COPPA compliance reports to the FTC. Companies should keep these high costs in mind throughout the development process and ensure their products are COPPA-compliant from the outset.