App Developers Should Note Revisions to COPPA FAQs

The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA), the increased scrutiny on child-targeted apps should have all app developers making sure they understand what COPPA requires when it comes to getting parental consent.

Generally, COPPA requires “operators” of online services (including mobile apps) to get “verifiable parental consent” before collecting personal information from a child. This week, the FTC updated its COPPA FAQs page with three new or revised entries elaborating how verifiable parental consent works in the context of mobile apps. Importantly, new FAQ H.10 makes clear that collecting a parent’s app store password – i.e., the password linked to a parent’s account on the iTunes App Store, the Amazon App Store, or the Google Play Store – does not, by itself, qualify as notice to and consent from a parent as COPPA requires. The consent mechanism “must be reasonably calculated, in light of the technology available, to ensure that the person providing consent is the child’s parent.” The FAQ suggests that password entry in combination with such measures as authentication questions may provide sufficient assurance that the person entering the password is the child’s parent.

Importantly, provision of credit card information alone is not verifiable consent. Credit card information is considered verifiable consent if the card is used in connection with a monetary transaction, but not necessarily without one. Revised FAQ H.5 suggests that provision of credit card information without a transaction may be part of verifiable consent when used in combination with such measures as security questions.

The newly added FAQ H.16 reiterates that COPPA does not apply to app stores, “when such stores merely offer the public access to someone else’s child-directed content.” Children’s Online Privacy Protection Rule, 78 Fed. Reg. 3972, 3976 (January 17, 2013). App store owners are generally not “operators” to which COPPA applies. H.16 does, however, caution app store owners to “evaluate [their] potential liability under Section 5 of the FTC Act.” In light of the Amazon complaint, that is sage counsel.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Foley Hoag LLP - Privacy & Data Security | Attorney Advertising

Written by:


Foley Hoag LLP - Privacy & Data Security on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.