The FTC has strict regulations that protect Internet users under the age of 13, and if app developers aren't aware of these restrictions, they could face huge fines for data collection. In fact, a few mobile developers are learning this lesson the hard way.
The FTC announced that TinyCo – the app maker behind Tiny Zoo, Tiny Chef, and Tiny Pets – has been fined $300,000 after it collected email addresses in exchange for in-app currency children could use in a game.
The Children's Online Privacy Protection Act (or COPPA) prohibits websites, apps, and other online services from collecting any data from children under the age of 13 unless they have explicit permission from the user's parents. The problem is that many app makers don't realize that their users are under 13, or are unaware they have to follow a special protocol.
Given that more mobile companies are putting an increased emphasis on big data and collecting marketing information, it's important for mobile developers to take a step back and make sure they're in compliance with this complicated area of the law.
So what do you need to know to avoid COPPA fines? Let's look at a few areas of the law that can trip up mobile developers and lead to huge fines.
Mobile Developer Liability: Know These Laws to Manage Your Risk
Mobile and web developers should take the time to read COPPA regulations or a comprehensive guide to the law. Let's go over some basic points of the law and where you'll have to be in compliance.
In order to avoid mobile developer lawsuits and fines, make sure you…
- Password-protect in-app purchases. Recently, the FTC ruled that Apple and Amazon needed to refund families whose children were able to make in-app purchases without their parents' permission. The agency has criticized Apple's standards and wants all in-app purchases to require passwords. (See our full write-up here: "Develop Apps? Use Password Protection to Avoid Fines.")
- Screen for under-13 users. Screening users is trickier than it seems. On its COPPA FAQs page, the FTC suggests asking users for their birthday before they enter any other information. If they are 13 or over, you can collect email addresses and other data. If not, you'll have to get permission from their parents to collect their data, or grant them access to your app without collecting any data from them. If you screen users after they enter their user information (including name, address, etc.) and create an account, you've already violated the law. Make sure to screen for birthdays right away.
- Don't collect data from under-13 users. Mobile developers can't collect data from users under the age of 13 – this includes email addresses, full names, phone numbers, addresses, SSNs, and other data. Yelp was recently fined $450,000 for doing so, which is an important reminder that even if your app is marketed for and geared toward adults, you still have to follow the same guidelines.
Note: All these rules apply to optional information requests as well as account creation. For instance, if you have an email newsletter, you'll have to make sure you aren't collecting a child's email address when they sign up for it.
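The screen-first ordering from the list above, applied to both account creation and optional forms such as a newsletter signup, as an added sketch that is not code from the original post or from the FTC. The `Session` class, the field names, and the `parental_consent` flag (assumed to be set by a separate parent-permission step) are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

MIN_AGE = 13  # threshold stated in the article
# Field names are hypothetical; they mirror the data types the article lists.
PII_FIELDS = {"email", "full_name", "phone", "address", "ssn"}


def age_on(birthday: date, today: date) -> int:
    """Whole years elapsed; one less if this year's birthday has not arrived yet."""
    before_birthday = (today.month, today.day) < (birthday.month, birthday.day)
    return today.year - birthday.year - before_birthday


@dataclass
class Session:
    """Hypothetical per-user session: nothing is accepted until the screen has run."""
    screened: bool = False
    may_collect: bool = False
    profile: dict = field(default_factory=dict)

    def screen(self, birthday: date, today: date, parental_consent: bool = False) -> None:
        # Runs first and decides whether any later form may keep personal data.
        # parental_consent is an assumption: set elsewhere, after a parent approves.
        self.screened = True
        self.may_collect = age_on(birthday, today) >= MIN_AGE or parental_consent

    def submit(self, form: dict) -> dict:
        """Single entry point for every form, required or optional (e.g. newsletter)."""
        if not self.screened:
            raise PermissionError("age screen must run before any data is accepted")
        # Under-13 without permission: personal fields are dropped, never stored.
        kept = {k: v for k, v in form.items() if self.may_collect or k not in PII_FIELDS}
        self.profile.update(kept)
        return kept
```

Routing every form through `submit` means a newsletter box or profile page added later cannot bypass the screen.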
Ignoring these guidelines can lead to other problems for app developers. Apple will pull your app from its store if you don't follow its age-specific guidelines. While Google Play and the Windows Phone stores don't have similar guidelines yet, they may in the future.
This blog post shouldn't be taken as the final word on COPPA compliance. One of the challenges of mobile developer liability is keeping up with new laws and court rulings as they're passed. Two years from now, the FTC may change the way it enforces COPPA guidelines. It's always up to developers to make sure they're following the most current interpretation of data privacy laws.