Lessons Learned in Data Privacy Compliance from Pokemon Go

  • Published on Sep 27, 2016

With an increasing number of children becoming mobile, developing age-targeted websites and apps can be a lucrative endeavor. According to a report from Common Sense Media[i], 24% of children age 8 to 12 have their own smartphones and 53% have their own tablet. Moreover, 79% of children from 8 to 12 have access to a smartphone in their home and 80% to a tablet. The report further identified that those who play mobile games spend nearly two hours a day doing so.

However, companies wishing to take advantage of the growing market should ensure they are in compliance with the Children's Online Privacy Protection Act (COPPA) or suffer severe consequences. For example, the incredibly popular Pokémon Go (an application produced by The Pokémon Company, a joint company of Niantic Labs and Nintendo) recently came under fire from Senator Franken[ii] for privacy[iii] concerns, the sort of concerns which can become very expensive. Earlier this year, the FTC fined mobile advertising company InMobi nearly one million dollars[iv] for tracking adults and children without their consent.

So how can companies ensure they are in compliance with COPPA?

Operating under the Law

First, they should assess whether they are an operator under COPPA. If a company is a commercial website or service, or a third-party servicer of such a site, that is directed to children under thirteen or has actual knowledge of users under 13, it should assess the type of data it is collecting. If you or your client is a non-profit, you may be exempt. Also, operators that are geared towards general audiences are not required to investigate the age of their users.

For example, Pokémon Go transforms a popular children’s card game and cartoon into a new immersive augmented reality app where users can play by walking around and using their camera to see and capture cute little monsters. Since the Pokémon franchise began in 1995, it’s no wonder that it has become popular with nostalgic adults. According to a report by Forbes[v], over 75% of its users are over eighteen. Though it may have a large adult audience, its cartoonish features and other child-targeted products trigger COPPA compliance. Further, since it gathers age data when a user signs up, it’s obligated to comply with COPPA.

Count Your Eggs before They Hatch

Second, operators should also assess the information they are collecting. Since the rules expanded what is considered personal information in 2013, a quick assessment to ensure compliance may be necessary. For example, Pokémon Go asks for access to a device’s: (1) location data, photos and media files, (2) contacts, and (3) picture and video abilities. This obviously allows a user to access the main features of the game, like visualizing Pokémon in front of the user, saving progress, and monitoring how close a user is to special stops in the game, called lures or gyms. However, this type of collection[vi] is restricted for users under 13 and requires the app to seek parental consent.

Make Sense Out of Consent

Third, notice to and verifiable consent from parents and users should comply with COPPA[vii]. Parental consent can take many forms as long as it reasonably ensures consent from the parent.

The rules are expansive enough to allow an operator to obtain parental consent via electronic scans of government documentation, video conferencing, and monetary exchanges[viii]. Once the parental consent is obtained, the operator is free to collect and use the information, provided they stay in line with their privacy policy and can reasonably ensure the protection of the “confidentiality, security, and integrity of personal information collected from children,” including when released to third parties[ix]. Pokémon Go’s consent process is fairly straightforward, only requiring a parent to register through their email address. To verify identity, a parent completes a form[x] asking for date of birth and a verification question.

Policy Policing

Fourth, the FTC also recommends that all companies, even those not covered by COPPA, post a privacy policy that is prominent and clearly labeled. COPPA does not require a privacy policy be displayed at the point of purchase, such as in the app store. It only has to be present on the home page. However, the FTC does note there is “substantial benefit in providing greater transparency . . . at the point of purchase.”[xi] For example, Pokémon Go adds a link to their privacy policy in their app store, which is also displayed prominently on their website. The app maker also adds a policy specifically on child privacy[xii].

Above and Beyond the Law

Finally, though not yet required, best practices should include assessing whether an operator is collecting data from users 13 to 17 years old. In a 2012 report, the FTC discusses the fragility of teen data compared to adult data, noting teens were particularly vulnerable. Although they noted the difficulties of age verification, they urged companies to consider additional protections, such as assessing the type of data they collect when determining reasonable use and retention rates of data. Such protections would “function as an effective ‘speed bump’ … and provide an opportunity to better educate teens about the consequences of sharing their personal information[xiii].”

Assessment should include the reasonableness of the information collected, the length of time the data is retained, and whether teens are aware of any privacy policies. For example, when handling data collected from teens, operators could consider disposing of data sooner and prompting user name creation instead of real names[xiv]. Unfortunately, COPPA excludes privacy concerns for the 22% of children aged 13-17 who are playing Pokémon Go and other mobile games. There are no current regulations maintaining privacy in the above manner for children who are above 13.

Businesses should also pay attention to regulation that could change the way they can collect data. Senator Edward Markey introduced a bill last year called “Do Not Track Kids Act of 2015[xv].” The bill seeks to amend COPPA by extending some of the regulation's protections to minors. The proposed bill includes “minor” in addition to children in the existing language. It also adds a section called the “Digital Marketing Bill of Rights for Teens and Fair Information Practices Principles” which seeks to ensure operators having “actual knowledge that personal information being collected is from a minor” limit its collection, specify its use and purpose of collection, and restrict retention of data, among other safeguards[xvi].

While we can expect the number of smartphone and tablet users to rise as devices become cheaper and more popular, businesses should also expect to increase their diligence with regard to privacy protections. Creating and implementing best practices with regard to data privacy will be especially important as increasing numbers of children grow up in a bigger and bigger big-data world.

[i] Common Sense Media, Common Sense Census: Media Use by Tweens and Teens 2015, 2015, https://www.commonsensemedia.org/sites/default/files/uploads/research/census_researchreport.pdf

[ii] Sen. Franken Presses Makers of “Pokemon GO” Smartphone App Over Privacy Concerns, 2016, https://www.franken.senate.gov/?p=press_release&id=3512

[iii] Tom Risen, Niantic Clarifies ‘Pokemon Go’ Privacy Concerns, Promises Fix, 2016, http://www.usnews.com/news/articles/2016-07-12/niantic-clarifies-pokemon-go-privacy-concerns-promises-fix

[iv] Federal Trade Commission, Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers’ Locations Without Permission, 2016, https://www.ftc.gov/news-events/press-releases/2016/06/mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked

[v] Ryan Mac, More Women Than Men Are Playing ‘Pokemon GO’—By A Lot, 2016, http://www.forbes.com/sites/ryanmac/2016/07/26/more-women-than-men-are-playing-pokemon-go-by-a-lot/#68de25fe4f16

[vi] 15 U.S.C. § 6501

[vii] 15 U.S.C. § 6502(a-b(1)(a))

[viii] Children’s Online Privacy Protection Rule, 78 Fed. Reg. 3972, 3999 (January 17, 2013) (amending 16 C.F.R. § 312.5)

[ix] Id. at 3994

[x] The Pokemon Company, How Do I Set Up My Child’s Pokémon Trainer Club Account?, 2016, http://support.pokemon.com/ics/support/default.asp?deptID=15227&task=knowledge&questionID=69

[xi] Federal Trade Commission, Complying with COPPA: Frequently Asked Questions, 2015, https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions#Privacy Policies and

[xii] The Pokemon Company, Our Additional Privacy Commitment to Kids and their Parents, 2016, http://www.pokemon.com/us/privacy-policy/#kids

[xiii] Id. at 69

[xiv] Federal Trade Commission, Protecting Consumer Privacy in an Era of Rapid Change, 29 (2012), https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers

[xv] Do Not Track Kids Act of 2015, S. 1563, 114th Congress (2015) (proposed Jun 11, 2015)

[xvi] Do Not Track Kids Act of 2015, S. 1563, 114th Congress § 4 (2015)

Written by: Innovative Driven