MoFo Privacy Minute
More than two years after the Federal Trade Commission (FTC) revised its COPPA rule to prohibit certain uses of persistent identifiers without parental consent, it has enforced those provisions for the first time. On December 17, 2015, the FTC announced that it had settled alleged violations of the rule with the operators of two mobile apps directed to children, LAI Systems and Retro Dreamer.
When the FTC revised the COPPA rule in 2012, it made two noteworthy changes relevant here: (1) it added to the definition of “personal information”—which generally may not be collected online from children under 13 without parental consent—the use of a persistent identifier over time and across different online services for certain purposes, including the delivery of targeted advertising; and (2) it clarified that the operator of an online service is strictly liable for the COPPA compliance of third parties that collect personal information directly from the users of the online service. In its complaints against LAI Systems and Retro Dreamer, the FTC charged that the app operators allowed ad networks to use persistent identifiers to collect personal information from app users without first obtaining parental consent. Retro Dreamer allegedly permitted this even after an ad network specifically warned it about its COPPA obligations. Retro Dreamer will pay civil penalties of $300,000, while LAI Systems will pay $60,000. Both are enjoined from further violations of COPPA, and violations of that injunction could give rise to civil penalties of up to $16,000 per violation per day.
These actions demonstrate that the FTC believes it has given businesses sufficient time to come into compliance with the revised rule. They also show that the FTC will look closely at online services’ automatic, behind-the-scenes collection of information, and that it will not hesitate to hold the operator accountable for all information collection practices on its service, even when provided by a third party. For these reasons, operators of sites, apps and other online services that are subject to the rule need to understand exactly how, by whom and for what purposes information is collected from their users, so that they can craft an appropriate COPPA compliance strategy.