Last week, in settlements with two app developers, the Federal Trade Commission (“FTC”) announced its first enforcement actions under the Children’s Online Privacy Protection Rule (“COPPA Rule”) amendments on persistent identifiers. Persistent identifiers are data that can be used to recognize a user over time and across different websites or online services. In 2012, we blogged about the FTC’s update to the COPPA Rule, which added persistent identifiers to the definition of “personal information.” Although some exceptions apply, the FTC made clear that persistent identifiers cannot be used for targeted (behavioral) advertising on child-directed sites or services, absent parental notice and consent.
In last week’s settlements, the FTC alleged that defendant LAI Systems, LLC (“LAI Systems”) created several apps directed to children, and allowed third-party advertisers to collect persistent identifiers for targeted ads. LAI Systems did not inform the ad networks that the apps were directed to children and failed to satisfy COPPA’s parental notice and consent requirements before collecting and using the information. The settlement prohibits LAI Systems from future COPPA Rule violations, and imposes a $60,000 civil penalty.
Much like LAI Systems, defendant Retro Dreamer and its principals, Craig E. Sharpe and Gavin S. Bowman (referred to collectively as “Retro Dreamer”) created several apps targeting children, and allegedly allowed third-party advertisers to collect persistent identifiers for targeted ads. Retro Dreamer made matters worse by ignoring warnings from one advertising network that their apps seemed to be targeting children under the age of 13, and that Retro Dreamer needed to comply with COPPA Rule requirements. In addition to a prohibition against future COPPA Rule violations, Retro Dreamer must pay a $300,000 civil penalty.
These settlements are noteworthy for two reasons. First, this is the first time that the FTC has announced an enforcement action under the COPPA Rule based solely on the collection of persistent identifiers and no other type of personal information. These actions reinforce the FTC’s willingness to use the new definition of personal information to scrutinize advertising practices within sites and services directed to children. Second, both operators were held liable for the data collection activities of the third parties that collected data from the operators’ apps, even though the operators themselves did not collect the data. In the Retro Dreamer settlement, the FTC noted that the app developers were warned that their apps were directed to children. Together, these cases show that the FTC is following through on its message that app operators must take steps to comply with COPPA when offering ad-supported apps for children.