On December 10, 2012, the Federal Trade Commission issued its second report on kids' mobile apps, entitled "Mobile Apps for Kids, Disclosures: Still Not Making the Grade." The FTC was highly critical of the industry and indicated that it will soon launch nonpublic investigations.
In the report, the FTC selected 200 apps from Apple's App Store and 200 apps from Google Play. The Commission reviewed the privacy disclosures for each app, analyzed the app's functionality and performed a robust interception of the network traffic associated with each app in the study. By further analyzing IP addresses and packet payloads, the Commission was able to tell what data an app would transmit over the network and to whom the app would transmit it.
The FTC Findings
The FTC found that a majority of kids' apps "failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data." It called the results "troubling" because of the types of information being shared with third parties: "device ID, geo-location, or phone number . . . without disclosing that fact to parents." Finally, the FTC also noted with dismay that "a number of apps contained interactive features — such as advertising, the ability to make in-app purchases, and links to social media — without disclosing these features to parents prior to download."
It is important to note that the FTC was also concerned with the disclosures that it did encounter. The Commission stated that most were long and "filled with irrelevant information" while "[o]thers lacked basic details, such as what specific information about a child would be collected, the reason for collecting such information, or what parties would obtain the information." The Commission noted one example in which an app "shared device ID and geolocation with advertising networks [but] had a misleading privacy disclosure that discussed features about the user interface of the app." It did not "disclose the fact that advertising networks or analytics companies would be receiving information through the app."
Investigations to Begin
As a result of the findings, FTC staff is set to start "multiple nonpublic investigations to determine whether certain entities in the mobile app marketplace have violated the Children's Online Privacy Protection Act ('COPPA'), or engaged in unfair or deceptive trade practices in violation of the FTC Act."
The FTC noted that the purpose of the survey was to examine the disclosures and practices of kids' apps, and that it had not made any determination as to whether the disclosures and practices violated COPPA or constituted unfair or deceptive practices under the FTC Act. However, during the press conference announcing the findings, the FTC signaled that there were problems on both counts. The Commission hinted that it found information being collected without appropriate consent in violation of COPPA and, during its review, found certain disclosures to be inaccurate.
What the FTC Urges the Apps Industry to Do
The FTC "strongly urges the mobile app industry to develop and implement 'best practices' to protect privacy," including the following recommendations:
incorporate privacy protections into the design of mobile products and services (“Privacy By Design”)
offer parents easy-to-understand choices about the data collection and sharing through kids’ apps
provide greater transparency about how data is collected, used and shared through kids’ apps
Reading Between the Lines
Considering the report as a whole, companies would do well to keep several points in mind:
The FTC understands the technology. Companies need to as well.
Companies should strongly consider undertaking a tech-based review of their apps — including analysis of network traffic — to comply with COPPA effectively or to mount a successful response to an FTC investigation. Companies should not take the word of the developer, or even the FTC for that matter, regarding the nature of an app's network traffic. FTC staff and consultants analyzed app network traffic all summer and fall, for a total of 400 apps. To avoid the FTC dragnet, companies must employ the same tactics and focus on tech-based compliance.
In-app notices are important.
In-app notices provided by the platform — such as those that are common on Apple devices — may be insufficient to qualify as notice to parents. In its report, the FTC mentioned more than a few times the importance of pre-download disclosures. If a game has location-based services, interactive features or social network links, these items should be disclosed pre-download, according to the FTC.
The FTC is coming, so get ready.
Holland & Knight's lawyers routinely perform tech-based app reviews — which include the interception of app network traffic as described in the FTC's report. Our Data Privacy and Security Team can also advise you on the forthcoming investigations and on the other new regulatory challenges posed by the FTC report.