The Federal Trade Commission (“FTC”) released on December 10, 2012, its second staff report on disclosures for mobile apps targeted at children, building on its prior report issued 10 months earlier. The reports appear designed to support the FTC’s upcoming proposed changes in Children’s Online Privacy Protection Act (“COPPA”) rules (which we analyzed here and here). Where the first report emphasized mobile app compliance with notice and consent provisions in the FTC’s COPPA Rule, the latest report went beyond examination of disclosures and tested whether apps collected and shared data with third parties, or included interactive features like in-app advertising, purchasing, and/or links to social media. It also focused in particular on the use of device identifiers and concerns raised by their collection and/or use, while in doing so appearing to overlook uses of device IDs that pose no privacy risk and/or that are otherwise pro-consumer.
While the new survey found small improvements in disclosure frequency since the initial review, FTC staff were concerned that when tested, most apps collected and used device IDs, and many shared the device ID with ad networks or analytics companies. The FTC staff did not know how or what use the companies actually made of device IDs, but expressed concern that the data could allow third parties to “potentially develop detailed profiles of the children using the apps, without a parent’s knowledge or consent.” The survey assumes children using these apps do so via a mobile device owned and controlled by a parent, but that parents would have no way to know what data is collected, or how it is used, without more thorough and timely disclosures.
The staff report leverages the FTC’s proposed revision to its COPPA Rule that would define device IDs as “personal information” if they “can be used to recognize a user over time, or across different websites or online services.” The report also cites the proposed exception for collection of device IDs for “internal operations,” which would be limited to network communications, site maintenance and analysis, user authentication, site navigation, maintenance of user preferences, serving contextual ads, and protection against fraud or theft.
But as with the proposed COPPA rule changes, the staff report’s treatment of device IDs does not recognize some uses of device IDs that pose no privacy risk, or are otherwise pro-consumer. These include use of device IDs to preserve customer anonymity, to maintain user game data (like high scores), to limit the number of times targeted ads will be delivered to the device, and to verify valid app installation. The report’s focus on and treatment of device IDs may be harbingers of what to expect from the FTC’s long-awaited COPPA Rule review.
The staff’s report also recognizes parallel efforts by the National Telecommunications Information Administration, which is in the midst of a multistakeholder process to create an industry code of conduct to provide transparency for mobile applications and other interactive mobile services. It further discloses that the FTC is commencing multiple investigations to determine whether certain entities in the mobile app space have violated COPPA’s disclosure and consent requirements, or the FTC Act, through unfair or deceptive app-related trade practices. Staff reports that it will soon issue consumer education directed at parents to help them supervise their children’s online activities, and that it will undertake a third kids app survey at a future date. With the COPPA Rule review hanging over the staff’s endeavors in this area, these are important mile markers to keep in sight as that proceeding progresses.
