Lawsuit Claims App Violates Children’s Privacy Law
New Mexico’s attorney general, Hector Balderas, has filed a lawsuit claiming that app maker Tiny Lab Productions violates the Children’s Online Privacy Protection Act (COPPA).
As the Federal Trade Commission (FTC) explains, COPPA “gives parents control over what information websites can collect from their kids.”
COPPA prohibits websites, apps, and other online services from collecting personal information from children under the age of 13 without first obtaining verifiable parental consent.
Specifically, COPPA requires websites and similar services
- to disclose the information they collect from children and how they use that information,
- to ensure that disclosure is provided directly to parents, and
- to obtain verifiable consent from the parent before collecting, using, or disclosing any personal information from children.
As I explained in this previous blog post, online privacy is governed by several state and federal laws, including:
- The Health Insurance Portability and Accountability Act (HIPAA)
- The Children’s Online Privacy Protection Act (COPPA)
- The California Online Privacy Protection Act (CalOPPA)
International privacy laws, such as the new General Data Protection Regulation (GDPR), make privacy compliance even more complicated for US companies.
In the Tiny Labs case, as the New York Times reports, apps designed for young children, such as the Fun Kid Racing app, “shared users’ data, sometimes including the precise location of devices, with more than a half-dozen advertising and online tracking companies.”
Fun Kid Racing alone has been downloaded millions of times.
According to the complaint, filed in US federal court for the district of New Mexico, Tiny Labs’ CEO stated that “it is precisely because the company’s apps are directed at children that it engages in tracking and user profiling.”
In an interview, the CEO said it was difficult to “monetize” children, because
there is a low buying power of our players who are mainly under 13 years old. It’s hard to convince them to spend their money on additional game items or levels as most of them have to ask their parents for the purchase.
According to the complaint, software development kits (or “SDKs”) embedded in the apps allow the apps to communicate with advertising companies:
The SDK sends the child’s data back to the SDK Defendants, where it is analyzed, stored, and used to build increasingly-detailed profiles of child users. It is also shared with and sold to myriad third-parties so that each can continue to build their own profiles. All of this activity serves one primary purpose: to learn more about the child in order to send her highly-targeted advertisements.
Also according to the complaint, “Federal law prohibits this very conduct.”
The violations appear to be widespread.
An analysis by The New York Times found that children’s apps by other developers were also collecting data. The review of 20 children’s apps — 10 each on Google Android and Apple iOS — found examples on both platforms that sent data to tracking companies, potentially violating children’s privacy law; the iOS apps sent less data over all.
An academic analysis of almost 6,000 free children’s Android apps found that more than half shared details with outside companies in ways that may violate COPPA.