Date: Jun 29, 2012
The State of New Jersey just successfully concluded an enforcement action against a mobile app developer that was allegedly collecting personal information in violation of the Children's Online Privacy Protection Act (COPPA). This is the first time a state Attorney General had initiated enforcement action under COPPA. The action reflects the recent focus on mobile app privacy in general and mobile app privacy of children in particular.
On June 6, 2012, the New Jersey Attorney General sued mobile app developer, 24x7 Digital, LLC ("24x7 Digital"), for allegedly violating COPPA and the COPPA Rule by collecting and transmitting the names and unique device identification numbers ("UDID") specific to the mobile devices used by children, without providing notification of this policy on their website and without obtaining parental consent. Chiesa, et al. v. 27 x 7 Digital, LLC, Case No. 12-cv-03402 (D.N.J., June 6, 2012). 24x7 Digital develops, markets, distributes, and sells approximately 21 apps for Apple products that are directed specifically to children under the age of 13 (many to grade-schoolers), including its Teach Me apps. To play the Teach Me Apps, children are encouraged to create "player" profiles by entering their first and last name along with a picture. Through the Teach Me Apps, 24x7 Digital allegedly transmitted the personal information ("PI") of children, including full names and the UDIDs associated with the mobile device, to a third-party data analytics company, Flurry Inc.
The New Jersey settlement occurred within a backdrop of many other state and federal actions involving mobile app privacy. The California Attorney General recently reached an agreement with the major app platform providers on mobile privacy disclosures (click here for our prior alert on that topic), and efforts to develop best practices for mobile app privacy in light of this settlement continue. The Federal Trade Commission (FTC) is in the process of finalizing its revisions to the COPPA Rule in the meantime. The FTC has taken the view that mobile applications are subject to COPPA if apps are directed to children or the provider has actual knowledge it is dealing with a child. The FTC has also proposed to revise the COPPA Rule to include "persistent identifiers," geolocation information and photographs in the definition of "personal information," changes with enormous implications for websites and mobile app providers. In the FTC's recent report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, the Commission also makes clear that "parents should be able to learn what information an app collects, how the information will be used, and with whom the information will be shared." The FTC's recent "DotCom Disclosure" workshop included discussions about disclosures in the mobile environment, including privacy disclosures.
More recently, the National Telecommunications and Information Administration ("NTIA") announced that it will begin evaluating mobile apps through its "multi-stakeholder process" for developing enforceable codes of conduct. This stakeholder meeting follows on recommendations in the White House's privacy framework report, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy (click here for our summary of the White House framework). The NTIA will hold its first meeting on July 12, 2012, with the intent of developing a code of conduct addressing personal data collected by mobile devices.
All of these developments, as well as ongoing self-regulatory initiatives, will continue to influence the mobile privacy landscape.
For more information on privacy and data security issues and litigation, please contact:
Sheila Millar (+1 202.434.4143, email@example.com),
Douglas Behr (+1 202.434.4213, firstname.lastname@example.org),
Tracy Marshall (+1 202.434.4234, email@example.com)