Mobile App Developer Settles COPPA Violations with NJ AG

Date: Jun 29, 2012

The State of New Jersey just successfully concluded an enforcement action against a mobile app developer that was allegedly collecting personal information in violation of the Children's Online Privacy Protection Act (COPPA). This is the first time a state Attorney General has initiated enforcement action under COPPA. The action reflects the recent focus on mobile app privacy in general and mobile app privacy of children in particular.

On June 6, 2012, the New Jersey Attorney General sued mobile app developer 24x7 Digital, LLC ("24x7 Digital") for allegedly violating COPPA and the COPPA Rule by collecting and transmitting the names and unique device identification numbers ("UDID") specific to the mobile devices used by children, without providing notification of this policy on its website and without obtaining parental consent. Chiesa, et al. v. 24x7 Digital, LLC, Case No. 12-cv-03402 (D.N.J., June 6, 2012). 24x7 Digital develops, markets, distributes, and sells approximately 21 apps for Apple products that are directed specifically to children under the age of 13 (many to grade-schoolers), including its Teach Me Apps. To play the Teach Me Apps, children are encouraged to create "player" profiles by entering their first and last name along with a picture. Through the Teach Me Apps, 24x7 Digital allegedly transmitted the personal information ("PI") of children, including full names and the UDIDs associated with the mobile device, to a third-party data analytics company, Flurry Inc.

The AG and 24x7 Digital entered into a Consent Decree and Order ("Agreement") that enjoins 24x7 Digital from: (1) failing to provide notice on its website or mobile apps of its privacy policy; (2) failing to provide direct notice to parents; (3) failing to obtain verifiable parental consent; and (4) otherwise violating COPPA or the COPPA Rule. In the Agreement, 24x7 Digital also represented that it: (a) had destroyed all PI that had been collected and maintained in violation of COPPA; (b) had caused all data that had been transmitted to Flurry and other third parties (except for metadata covered by an existing litigation hold) to be destroyed; and (c) no longer collects the PI of children, including names and UDIDs. The privacy policy currently on 24x7 Digital's website reflects these changes. The AG's press release also states that 24x7 Digital agreed to "remove data analytics from their apps."

The New Jersey settlement occurred against a backdrop of many other state and federal actions involving mobile app privacy. The California Attorney General recently reached an agreement with the major app platform providers on mobile privacy disclosures, and efforts to develop best practices for mobile app privacy in light of this settlement continue. The Federal Trade Commission (FTC) is in the process of finalizing its revisions to the COPPA Rule in the meantime. The FTC has taken the view that mobile applications are subject to COPPA if apps are directed to children or the provider has actual knowledge it is dealing with a child. The FTC has also proposed to revise the COPPA Rule to include "persistent identifiers," geolocation information and photographs in the definition of "personal information," changes with enormous implications for websites and mobile app providers. In the FTC's recent report, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, the Commission also makes clear that "parents should be able to learn what information an app collects, how the information will be used, and with whom the information will be shared." The FTC's recent "DotCom Disclosure" workshop included discussions about disclosures in the mobile environment, including privacy disclosures.

More recently, the National Telecommunications and Information Administration ("NTIA") announced that it will begin evaluating mobile apps through its "multi-stakeholder process" for developing enforceable codes of conduct. This stakeholder meeting follows on recommendations in the White House's privacy framework report, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. The NTIA will hold its first meeting on July 12, 2012, with the intent of developing a code of conduct addressing personal data collected by mobile devices.

All of these developments, as well as ongoing self-regulatory initiatives, will continue to influence the mobile privacy landscape.

For more information on privacy and data security issues and litigation, please contact:

Sheila Millar (+1 202.434.4143, millar@khlaw.com),
Douglas Behr (+1 202.434.4213, behr@khlaw.com),
Tracy Marshall (+1 202.434.4234, marshall@khlaw.com)