The FTC’s July 10, 2014 complaint filed against Amazon has left app developers with concerns about how to make apps that target kids and still comply with the law. The complaint, brought under Section 5(a) of the FTC Act, alleged that Amazon failed to obtain parents’ or account holders’ informed consent to in-app charges incurred by children. While the complaint was not brought under the Children’s Online Privacy Protection Act (COPPA), the increased scrutiny on child-targeted apps should have all app developers making sure they understand what COPPA requires when it comes to getting parental consent.
Generally, COPPA requires “operators” of online services (including mobile apps) to get “verifiable parental consent” before collecting personal information from a child. This week, the FTC updated its COPPA FAQs page with three new or revised entries elaborating how verifiable parental consent works in the context of mobile apps. Importantly, new FAQ H.10 makes clear that collecting a parent’s app store password – i.e., the password linked to a parent’s account on the iTunes App Store, the Amazon App Store, or the Google Play Store – does not, by itself, qualify as notice to and consent from a parent as COPPA requires. The consent mechanism “must be reasonably calculated, in light of the technology available, to ensure that the person providing consent is the child’s parent.” The FAQ suggests that password entry in combination with such measures as authentication questions may provide sufficient assurance that the person entering the password is the child’s parent.
Importantly, provision of credit card information alone is not verifiable consent. Credit card information is considered verifiable consent if the card is used in connection with a monetary transaction, but not necessarily without one. Revised FAQ H.5 suggests that provision of credit card information without a transaction may be part of verifiable consent when used in combination with such measures as security questions.
The newly added FAQ H.16 reiterates that COPPA does not apply to app stores, “when such stores merely offer the public access to someone else’s child-directed content.” Children’s Online Privacy Protection Rule, 78 Fed. Reg. 3972, 3976 (January 17, 2013). App store owners are generally not “operators” to which COPPA applies. H.16 does, however, caution app store owners to “evaluate [their] potential liability under Section 5 of the FTC Act.” In light of the Amazon complaint, that is sage counsel.