Children’s Online Privacy Protection: U.S. Developments Compared to Canada

There were two important developments in the U.S. regarding children and mobile technologies.

FTC Staff Report

On December 10, 2012, the U.S. Federal Trade Commission (FTC) released a Staff Report entitled“Mobile Apps for Kids: Disclosures Still Not Making the Grade”. The Staff Report examines the privacy disclosures and practices of mobile apps. The survey was conducted during the summer of 2012. FTC Staff tested 400 apps. Among the interesting survey results:

  • 80% of the apps (319) apparently did not disclose any information about the apps privacy practices prior to download. Many of those that contained privacy disclosures “consisted of a link to a long, dense, and technical privacy policy” according to the FTC Staff Report.
  • 60% of the apps (235) transmitted the device ID to the developer, an advertising network, an analytics company, or other third party. The most common transmission was to advertising networks (by a large margin). Only 20% (44) of the 223 apps that transmitted device ID, geolocation or phone number to third parties provided any privacy disclosures.
  • 58% of the apps (230) contained in-app advertising, but only 15% of the apps (59) disclosed information about the presence of advertising.
  • 17% of the apps (66) contained in-app purchase functionality.

The FTC Staff Report states that FTC Staff have commenced a number of investigations where FTC have identified gaps between the company practices and disclosures, which could constitute violations of the U.S. Children’s Online Privacy Protection Act (COPPA) or the Federal Trade Commission Act’s prohibition on deceptive practices.

In Canada, app developers should be aware of provincial consumer protection legislation and the federal Competition Act, which contain prohibitions on deceptive practices, as well as federal and provincial privacy legislation, such as the Personal Information Protection and Electronic Documents Act (PIPEDA), which required transparency with respect to an organization’s practices regarding the collection, use, retention and disclosure of personal information. In addition, app developers marketing apps with in-app advertising should be aware of Quebec’s Consumer Protection Act, which prohibits advertising to children under 13 years of age.

Amendments to the COPPA Rule

On December 19, 2012, the FTC adopted the final amendments to the Children’s Online Privacy Protection Rule (COPPA Rule). Highlights from the amendments include:

  • Expanded Definition of Personal Information. The new definition includes geolocation information, photos, videos and audio files that contain a child’s image or voice. Persistent identifiers such as a unique device ID or MAC address may also be personal information.
  • Extension of Rule to Third Party Applications. The FTC perceived a gap or loophole to the existing COPPA Rule that permitted advertising networks, third party plug-ins and other applications to collect personal information from children without parental consent. The amended COPPA Rule provides that an organization will be considered an “operator” of a website directed to children if it is benefits from the collection of information by a third party even where the third party is not acting as its agent. This will place an obligation on the operator to obtain consent to the collection of the personal information collected by the third party. FTC Commissioner Ohlhausen dissented from the new COPPA Rule on the basis that this extension went beyond what the statute permitted.
  • New Rules for Verifiable Parental Consent. The new COPPA Rule permits obtaining consent by way of electronically scanned parental consent, video conferencing, government-issued identification or payment systems that provide notice to the primary account holder of each discrete transaction.

Canada contains no equivalent to COPPA; however, the Office of the Privacy Commissioner of Canada (OPC) has focused on children’s online privacy as a priority. In the OPC’s guidance regarding online behavioural advertising, the OPC stated:

“The most obvious type of information that should not be tracked involves children’s information. Operators of web sites that are targeted at children should not permit the placement of any kind of tracking technologies on the site. It is hard to argue that young children could meaningfully consent to such practices, and the profiling of youngsters to serve them online behaviourally targeted ads seems inappropriate in such circumstances. The Canadian advertising industry has indicated that it will require its members to not knowingly target children; this is a position that the OPC endorses and encourages.”

Given the increasing focus on meaningful consent to the collection of personal information, it may be only a matter of time before Canadian privacy commissioners issue a decision regarding the collection and use of personal information about children. In the meantime, app developers hoping to offer their apps in the U.S. should take note of the new COPPA Rule.

 

Subscribe and stay updated
Receive our latest blog posts by email.
Privacy and Cybersecurity Group

About Privacy and Cybersecurity Group

Our Privacy and Cybersecurity lawyers operate at the intersection of technology and law. We understand that data is one of your core assets, driving insights and enabling development of valuable new products and services. Our global Privacy and Cybersecurity group works across all sectors offering a full complement of counseling and advice, regulatory and litigation services.