Business and Legal Insights

Marketing to children on the Internet can be fraught with legal peril unless one is attuned to the applicable statutory and regulatory framework. That’s what two app developers found out when the Federal Trade Commission (FTC) accused them of allowing third-party advertisers to collect personal information from kids. The enforcement actions against LAI Systems, LLC and Retro Dreamer are newsworthy in that they were the first to accuse defendants of collecting “persistent identifiers,” pieces of data tied to a particular user or device.

The FTC actions are based on the Children’s Online Privacy Protection Act (COPPA), which Congress passed to respond to the rise of Internet marketing targeting children and collecting their personal information. COPPA protects the privacy of children under 13 by requiring parental consent for the collection or use of children’s personal information. Persistent identifiers were among the categories added to the COPPA Rule’s definition of personal information when it was updated in 2013.

COPPA generally applies to commercial websites and online services directed at children but can also apply to services that have actual knowledge that their site or app is being used by children. In the 2012 Statement of Basis and Purpose, the FTC identified two instances in which the actual knowledge standard will likely be met:

1. where a child-directed content provider directly communicates the child-directed nature of its content to the ad network; and,
2. where a representative of the ad network recognizes the child-directed nature of the content.

The determination of whether an app is directed to children depends on the subject matter, visual content, language, and use of animated characters or child-oriented activities and incentives. For LAI Systems, its My Cake Shop app, which allowed users to create images of their own cakes, qualified.

Entities subject to the Act must follow a number of requirements, which include:

• Posting a privacy policy describing the information collected from its users.
• Providing parents with “direct notice” before collecting kids’ information.
• Requiring verifiable parental consent prior to collection of personal information from a child under the age of 13 and allowing parents to revoke consent.
• Limiting the collection of personal information when a child participates in online games and contests.
• Restricting the amount of time personal information may be maintained.
• Protecting the confidentiality, security, and integrity of any personal information that is collected online from children through reasonable procedures.

The FTC accused LAI Systems and Retro Dreamer of violating COPPA by facilitating the collection of children’s personal information without providing the requisite notice and obtaining verifiable parental consent. The companies resolved the enforcement actions by entering into settlements with the FTC, with the former agreeing to pay a $60,000 civil penalty, and the latter a $300,000 penalty. Had they instead decided to litigate, each could have faced civil penalties of up to $16,000 per violation.

Relevant Resources:

• Two App Developers Settle FTC Charges They Violated Children's Online Privacy Protection Act
• Complying with COPPA: Frequently Asked Questions
• Children's Online Privacy Protection Rule ("COPPA")