Apple and Google (Finally) Get Serious About COPPA

Happy New Year! At AgeCheq, we’ve declared 2015 as the year “Privacy Explodes”.  What does that mean?  Frankly, people have been quite blasé about their own privacy as digital devices and the Internet have become central to our daily lives.  Have you ever actually read a privacy policy that your bank sent you?  Did you ever think twice about using online services like Facebook and Gmail that use your personal information and activity to make money? Most people don’t.

But in the last 18 months, “Privacy” has been in the headlines much more.  The Snowden revelations showed how much of our information governments are capturing on a massive scale. The near-daily breaches of huge commerce sites like Home Depot, Target, JP Morgan made us wonder how safe any personal information can be.  Most recently, the massive hack of Sony’s private servers, which resulted in the release of all sorts of private information of tens of thousands of employees, celebrities and others, should have made us all take notice.  A recent Pew survey found that 91% of people surveyed felt their privacy was “out of control”.

After a 14 month “grace period”, the FTC is now actively enforcing COPPA

In September 2014, the Federal Trade Commission began enforcement of the Children’s Online Privacy Protection Act (COPPA), with actions taken against Path ($450,000) and TinyCo ($300,000). Then in November, the FTC announced a $200,000 settlement with TRUSTe, the leading COPPA “safe harbor” certification company for (among other things) failing to actually certify the compliance of their customers over a ten year period.  Then in December, the FTC took the unusual step of publicly warning BabyBus that it was in violation of COPPA, giving them a month to bring their apps into compliance. 

Even a COPPA warning can get your app pulled from the app store

Here’s the thing I think is interesting.  After the FTC warned BabyBus, Google took the unprecedented step of pulling all of BabyBus’s apps from their app store.  As of this writing, Apple has not followed suit. 

Can COPPA get your app pulled from an app store?  On Google Play, yes.  How about the Apple app store?  I can’t predict that, but I did some research and in July 2013, Apple made some interesting changes to its written guidelines for “Kids” category apps, including the following:

17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children’s privacy statutes.

So, to put it into plain English, if your app is not COPPA compliant and they become aware of it, Apple can simply delist your apps, just like Google did.

And now for the surprise ending… What personally identifiable information was the BabyBus app capturing?

Modern apps are rarely islands of code, completely written in house by their developers. There are literally hundreds of third party APIs that get built into apps, from ad networks, to analytics services, to crash reporting, revenue optimizers, and on and on.  According to BabyBus, the cause of the entire mess was a third party API that they didn’t know captured GPS location.

This highlights an important safety tip I’ve blogged about before.  As a publisher, you are responsible for the actions of ALL of the components your app includes, not just your code.  BabyBus used an analytics API that they didn’t know captured GPS (or perhaps they knew but didn’t make the logical connection that such a capture would be a big deal in a kid’s app).

If you think your apps aren’t for kids so you’re safe, let me remind you that on January 1, the CalOPPA law went into effect.  CalOPPA is not a kids’ privacy law – it covers EVERY mobile app and website. 

The potential risks of not complying with privacy laws are continuing to increase, and now include getting thrown out of the app stores. The available technology for easily adding compliance to your apps continues to get better. The FTC is now pursuing enforcement actions on a monthly basis. 

How long will the “I’ll just wait until later to deal with COPPA and CalOPPA” strategy continue to work? In the year “Privacy Explodes”, I don’t think it’s a viable strategy at all.

If you'd like to educate yourself on COPPA, here's a page of history and links AgeCheq has created for game developers. To learn more about COPPA directly from The Federal Trade Commission, check out this list of answers to frequently asked questions: http://www.ftc.gov/tips-advice/business-center/complying-coppa-frequently-asked-questions.  Because there are numerous “incomplete” versions on the web, I encourage you to always view the final, official text of the COPPA law, which can be found here:

http://www.ecfr.gov/cgi-bin/text-idx?tpl=/ecfrbrowse/Title16/16cfr312_main_02.tpl