FTC Nabs Non-Children’s Businesses In Children’s Privacy Snare

With its announcement of a settlement with Yelp, Inc. on September 17, 2014, the United States Federal Trade Commission, a consumer watchdog agency, sent word to the public of an aggressive enforcement initiative under the Children’s Online Privacy Protection Act (“COPPA”), with a special focus on mobile devices.  In its press release, the FTC urged companies to “take steps as they build and test their [mobile] apps to make sure that children’s information won’t be collected without a parent’s consent.”  The FTC’s advice is well taken.  Even the mere collection of Mobile Device IDs can get you in trouble.

But, as important as the focus on mobile apps may be, the FTC’s target in this privacy case was a business that does not cater to children.  In fact, it’s meant for adults.   The often overlooked truth is that COPPA has never been limited to businesses that promote to or serve children, and, now, those businesses are on notice that the FTC plans to drive this point home with a campaign of intrusive investigations, large penalties, and onerous settlement demands.  It’s best to get your privacy house in order before an FTC summons or subpoena arrives.

Here’s what you need to know.

The COPPA Privacy Framework

COPPA is limited to online privacy.  It applies to both (1) sites (and apps) that serve (or promote to) children under the age of thirteen; and (2) “general audience” websites (and apps) not meant for minors where the owner/operator has “actual knowledge” that it is “collecting, using, or disclosing personal information” from children under thirteen.  If your site or app falls into either of these categories, significant legal obligations apply, including the requirement, with very limited exceptions, of obtaining parental consent prior to collecting information from preteen minors.  If you want to dig a little deeper into COPPA, the FTC has some useful resources.  Bear in mind, however, that this information is quite general and is tilted towards the government’s point of view (of course).

General audience businesses should keep in mind that the concept of “actual knowledge” is, and always has been, highly fluid in the context of consumer protection laws, including those related to privacy.  Doubts are often resolved against businesses.

Note that the “actual knowledge” standard only applies to the age of your users/visitors.  It does not apply to the collection, use, or disclosure of information from those persons.  This is an important distinction, and a trap for the unwary.  For example, a company may not realize that its mobile app is collecting Mobile Device IDs, particularly when the company isn’t using those IDs for any purpose.  The FTC is likely to assert that even “unknowing” collection of such information from persons known to be under thirteen violates federal law.  Similarly, if you have a web site forum that permits users to publish information, you will be presumed to know what personal information your preteen users post publicly, and prevent its publication if necessary.  Simply put, if you are aware that your users/visitors are preteen minors, you have an affirmative obligation to figure out what you may be collecting from them, or what they themselves are publishing online on your site, and determine an appropriate course of action that complies with COPPA’s privacy regime.

The Yelp Settlement

Yelp was penalized $450,000 for children’s privacy violations because it asked app users for their date of birth during the registration process “showing they were under 13 years old,” and, at the same time, collected their names, e-mail address, and location, “as well as any information they posted on Yelp.”  The collection of birth dates gave the company “actual knowledge” that it was dealing with minor children, and yet it failed to have an adequate age-screening mechanism to prevent the collection of information from them.  As is often the case in these kinds of settlements, Yelp is now subject to close government supervision as it moves forward, and must submit a compliance report to the FTC in one year.  If it makes a mistake, it will need to confess to it in its report.

Once Yelp was found to possess “actual knowledge” of its users’ ages, everything it collected “from” those under thirteen was swept into COPPA. This included Mobile Device IDs associated with the mobile devices that happened to be used by those children, even if the devices and their IDs belonged to adults.

Some Lessons Learned

Companies that do not intend to serve or promote to an audience under the age of thirteen should carefully examine the information they collect to ensure it does not in some way put them on notice that some of their users/visitors are pre-teen minors.  Once such information is obtained, even in website comments or from third-party sources, it may trigger privacy obligations under COPPA.  And, if you ask users for their birth dates or ages (or any other information that reveals a user’s age), you must have a mechanism in place that either stops information collection from pre-teens before it happens (even “passive” information collection, such as Mobile Device IDs), or complies with the privacy requirements of COPPA.  Finally, COPPA is just one more reason to make sure you know what your websites and apps are collecting and from whom.  This knowledge is vital to comply with many privacy obligations, not just COPPA.

Privacy Audit?

If you aren’t sure about COPPA compliance or other privacy issues, an audit of your privacy practices is a critical first step.  Find out what information you collect, and from whom, and how that information is used or disclosed.  And, in doing so, seek appropriate advice and guidance from lawyers and your own technical staff and consultants.  COPPA is a surprisingly nuanced privacy law with multiple traps for Internet companies, many of which may be sprung as the FTC directs its firepower at COPPA compliance.