Three years ago the FTC adopted final amendments to the Children’s Online Privacy Protection Rule. Those amendments significantly changed the Rule in several ways, including by classifying persistent identifiers as “personal information” and prohibiting child-directed apps and websites from allowing third parties to collect personal information through the app or site without parental notice and consent. The amendments went into effect in July 2013, but until now, the agency has provided education and issued warning letters but has not enforced the new provisions in COPPA. Many wondered if there was any bite behind the FTC’s bark regarding COPPA’s new provisions. The Retro Dreamer and LAI Systems (doing business as TapBlaze) cases demonstrate that the Commission is more than willing to take action against those who violate COPPA’s newest requirements. These actions put defendants under order for 10 years, held Retro Dreamer officers individually liable, and fined Retro Dreamer $300,000 and LAI $60,000.
In each case, the Commission alleged that the defendants operated several apps directed towards children and failed to communicate their audience to their third party ad networks, resulting in targeted ads presumptively being served to children. According to the complaints, the apps contained “brightly colored, animated characters,” subject matter that “would be highly appealing to children” (such as creating cakes, playing dress up, learning animal sounds, collecting cats, moving ice cream), “simple play,” and simple app store language that would appeal to children and in some cases identified children as the intended audience. The complaints allege the defendants allowed third-party ad networks to collect persistent identifiers in order to serve targeted ads on the child-directed apps based on users’ activities over time and across sites. Moreover, the Commission indicated that defendants did not: 1) notify the third parties that the apps are child-directed; 2) prohibit, via instruction or contract the third parties from conducting targeted advertising; or 3) obtain parental consent consistent with COPPA. With respect to Retro Dreamer, the Commission also alleged that the company was on notice that certain apps were child-directed because in 2013 an ad network asked the company to identify its child-directed apps and in 2014 it notified Retro Dreamer that it believed certain apps were directed to children and would be excluded from the ad network. Nevertheless, Retro Dreamer continued to allow other ad networks to serve targeted ads to those apps.
These cases end any uncertainty as to whether the FTC will enforce the new provisions of COPPA and serve as a reminder that if you operate a child-directed app or website, you should ensure you are complying with all of COPPA’s requirements, including not allowing targeted ads without parental consent. Failure to comply could be costly.