Published on:

FTC’s December 10, 2012 Report: Mobile Apps for Kids: Disclosures Still Not Making the Grade

Sure, we’ve all heard that mobile software applications collect more personal data from our smart phones than they need to or should; and the mobile apps’ privacy policies are such a byzantine morass, none of us read them anyway. But the news that the most popular children’s mobile software apps are surreptitiously collecting and then selling to dozens, even hundreds, of marketers and third parties exactly where our children are at all times, what their mobile phone numbers are, and where exactly they go and what they do online, and that this all being done without notice to parent or child…well that creeps out even the most jaded adult.

Yesterday, December 10, 2012, the Federal Trade Commission released a detailed Report replete with research and data that demonstrates the most popular mobile software apps designed for, marketed to, and used by our children are doing all of this, and in so doing, may be running afoul of numerous federal and state consumer protection/deceptive advertising and privacy laws.

The 12/10/12 Report is a follow-up to a February 2012 FTC report wherein the FTC surmised that there may be significant privacy issues with mobile apps designed for and targeted to children. After releasing the February 2012 report, the FTC did its homework: it investigated 400 popular children’s mobile software apps; it reviewed the apps’ stated privacy policies; and it tested the apps’ actual data collection and tracking practices. What it found is troubling, to say the least.

First, the FTC noted that only 20% of the 400 children’s mobile software apps it investigated-most of which are available, and supposedly vetted, through Apple and Google’s respective mobile App stores-even provided disclosures about their data collection practices. Those 20% that did so employed links to long, verbose, technically-detailed privacy policies beyond the average adult user’s ken, much less that of a child.

Overwhelmingly, the vast majority of the investigated children’s apps, even those with stated privacy policies, failed to provide any information about:

• the general data collected • the type of data collected • the purpose of the data collection • who would and who could obtain access to the data
Worse still, most apps routinely and actively shared with numerous third parties the following data about the child:

• the child’s device’s phone number • the precise location of the child’s device (and hence the child)
• the unique identification code of the device being used by the child o in the case of one app’s privacy policy, it claimed it did not transmit any information to 3rd parties, yet a quick look by the FTC revealed that it in fact transmitted the exact location of the child via his or her cellphone, the cellphone or device’s number, and the device’s unique identification number.

The immediate and invasive nature of private data collected and transmitted to third parties will both astonish and frighten parents. For instance, the FTC noted that “one app…transmitted [the child’s] geolocation information to two separate ad networks within the first second of the app’s use.” But being a diligent parent or guardian does not stop the data gathering. Why? Because the FTC found that vast majority of the apps failed to advise parents when the app contained interactive features like advertising, social network sharing and allowing children to purchase virtual goods within the app. The FTC found the apps that linked, without disclosure, to social media sites to be particularly troubling, noting that children could “communicate with other users who they have never met or post information about themselves or their whereabouts.”

Mobile apps that allow children to upload photos or that record children’s voices without advising parents of social media linkage enables another potentially insidious privacy violation. Because some social media sites that use or have used face recognition software or voice identification software to surreptitiously scan and record users’ facial biometrics or voice biometrics for future identification and marketing purposes are potentially gathering children’s face and voice biometrics. This means that marketers will potentially be able to track children’s whereabouts via their face biometrics in public places, like malls, even when the child does not have his or her mobile device on their person .

The FTC’s research found that over 50% of the 400 popular children’s mobile apps it investigated were transmitting children’s data to numerous third parties, often marketers. And while a mere 9% of the children’s apps reviewed willingly admitted to parents that the apps contained advertising targeted to their children, the FTC found that over 58% of the apps reviewed were actually advertising to the child users.

According to news sources, prominent media companies want the FTC to reduce their restrictions for children and online privacy protection because of the vast marketing income the child market presents, whereas child and privacy advocates argue that this detailed collection of data, including the child’s photo, voice recordings and unique device identification codes will enable marketers/advertisers to track children wherever they go, on and offline. Right now, according to the FTC, the law may be on the side of the privacy advocates. It contends that the majority of these popular children’s apps could be violating numerous laws, including the FTC’s prohibition against unfair or deceptive marketing practices, as well as federal and state consumer protection statutes, and the Children’s Online Privacy Protection Act (COPPA)

What are the potential legal consequences? While Apple and Google have already responded announcing requirements that apps available through their app stores must contain adequate privacy and data collection notices, the damage has been done: children’s data has been collected and stored, and this will likely continue to happen. Accordingly, litigation will be plentiful. Consumer protection statutes are often written with per violation damages; thus, the repeated surreptitious, undisclosed data collection of intimate details of potentially millions of children’s daily activities, whereabouts, and how to contact the children, may amount to staggering damage figures. For more information, please contact privacy and social media lawyer Anne McKenna.