Company Will Pay $950,000 For Tracking Children Without Parental Consent
Singapore-based mobile advertising company InMobi will pay $950,000 in civil penalties and implement a comprehensive privacy program to settle Federal Trade Commission charges it deceptively tracked the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.
The FTC alleges that InMobi mispresented that its advertising software would only track consumers’ locations when they opted in and in a manner consistent with their device’s privacy settings. According to the complaint, InMobi was actually tracking consumers’ locations whether or not the apps using InMobi’s software asked for consumers’ permission to do so, and even when consumers had denied permission to access their location information.
The FTC alleges that InMobi, whose advertising network has reached more than one billion devices worldwide through thousands of popular apps, offers multiple forms of location-based advertising to its customers, including the ability to serve ads to consumers based on their current locations, locations they visit at certain times, and on their location over time.
“InMobi tracked the locations of hundreds of millions of consumers, including children, without their consent, in many cases totally ignoring consumers’ express privacy preferences,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “This settlement ensures that InMobi will honor consumers’ privacy choices in the future, and will be held accountable for keeping their privacy promises.”
The complaint alleges that inMobi created a database built on information collected from consumers who allowed the company access to their geolocation information, combining that data with the wireless networks they were near to document the physical location of wireless networks themselves. InMobi then would use that database to infer the physical location of consumers based on the networks they were near, even when consumers had turned off location collection on their device.
The FTC alleges that InMobi also violated the Children’s Online Privacy Protection Act (COPPA) by collecting this information from apps that were clearly directed at children, in spite of promising that it did not do so. The complaint noted that InMobi’s software tracked location in thousands of child-directed apps with hundreds of millions of users without following the steps required by COPPA to get a parent or guardian’s consent to collect and use a child’s personal information.
Under the terms of its settlement with the FTC, InMobi is subject to a $4 million civil penalty, which is suspended to $950,000 based on the company’s financial condition. In addition, the company will be required to delete all information it collected from children, and will be prohibited from further violations of COPPA.
In addition, InMobi will be prohibited from collecting consumers’ location information without their affirmative express consent for it to be collected, and will be required to honor consumers’ location privacy settings. The company will also be required to delete the location information of consumers it collected without their consent and will be prohibited from further misrepresenting its privacy practices. The settlement also will require InMobi to institute a comprehensive privacy program that will be independently audited every two years for the next 20 years.
The Commission vote to authorize the staff to refer the complaint to the U.S. Department of Justice and to approve the proposed stipulated order was 3-0. The DOJ filed the complaint and proposed stipulated order on behalf of the Commission in U.S. District Court for the Northern District of California.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.
The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.
Federal Trade Commissioner Julie Brill, one of the agency’s most vocal privacy advocates, is leaving the commission at the end of the month.
She will go to the law firm Hogan Lovells, where she will serve as co-director of the privacy and cybersecurity practice.
Today’s huge news that the FTC has settled COPPA violation cases with two small app developers with civil penalties totaling $360,000 came as quite a surprise. Since it has been nearly two and a half years since the updated COPPA became law, many had written off the FTC ever enforcing COPPA.
The EU thinks it can out-guess tweens and teens. US Congress thinks it can out-guess tweens and teens. The FTC used to think it could out-guess tweens. But anyone whom has ever taught young people, raised a young person or interacted with a young person knows they are wrong. No one can out-guess a tween or teen, except another tween or teen.
The fact that the FTC is making a show of enforcing COPPA is notable because it’s over a quarter of a million dollars’ worth of reminder that your games should be COPPA-compliant if there’s a chance they could collect personal information about a player under the age of 13, or be used to do so.
Some operators of websites and online services directed at children would do well to learn a lesson that youngsters often know: ask permission before using something that’s not yours.Read more >
As a parent, you have control over the personal information companies collect online from your kids under 13. This includes your child’s name, address, phone number, email address, and information the companies can use to track your child’s online activities. The Children’s Online Privacy Protection Act (COPPA) gives you tools to do that. If a site or service is covered by COPPA, it has to get your permission before collecting personal information from your child and it has to honor your choices about how that information is used.
Companies’ Apps Shared Kids’ Information with Ad Networks; Will Pay $360K In Civil Penalties
Two app developers will pay a combined $360,000 in civil penalties as part of settlements with the Federal Trade Commission over charges they violated the Children’s Online Privacy Protection Act, or COPPA, Rule.
“It’s vital that companies understand the rules of the road when it comes to handling children’s personal information online,” said Jessica Rich, director of the FTC’s Bureau of Consumer Protection. “These cases make it clear that we’re closely watching this space to ensure children’s privacy online is being protected.”
These cases are the first in which the FTC alleged that companies allowed advertisers to use persistent identifiers to serve advertising to children. Persistent identifiers – pieces of data that are tied to a particular user or device – were among the categories added to the COPPA Rule’s definition of personal information when it was updated in 2013.
In its complaint against LAI Systems, LLC, the FTC alleged that the company created a number of apps directed to children, including My Cake Shop, My Pizza Shop, Hair Salon Makeover, Friday Night Makeover, Marley the Talking Dog and Animal Sounds. According to the FTC’s complaint, the defendant allowed third-party advertisers to collect personal information from children in the form of persistent identifiers. Defendant failed to inform the ad networks that the apps were directed to children and did not provide notice or get consent from children’s parents for collecting and using the information.
The settlement with LAI Systems prohibits the company from further violations of the COPPA Rule, and requires the company to pay a $60,000 civil penalty.
In its complaint against Retro Dreamer, and its principals, Craig E. Sharpe and Gavin S. Bowman, the FTC alleged that the company created a number of apps targeted to children, including Ice Cream Jump, Happy Pudding Jump, Ice Cream Drop, Sneezies, Wash the Dishes, Cat Basket and Tappy Pop.
The defendants in this case, according to the complaint, allowed third-party advertisers to collect children’s personal information through the apps. One advertising network over the course of 2013 and 2014 specifically warned the defendants about the obligations of the revised COPPA Rule, and also told the defendants that certain of their apps appeared to be targeted to children under the age of 13.
The settlement with Retro Dreamer, Sharpe and Bowman prohibits the defendants from further violations of the COPPA Rule, and requires the defendants to pay a $300,000 civil penalty.
The Commission votes to authorize the staff to refer the complaints to the Department of Justice, and to approve the proposed stipulated civil penalty orders, were 4-0. The DOJ filed the complaints and proposed stipulated orders on behalf of the Commission in U.S. District Court for the Central District of California on Dec. 17, 2015.
NOTE: The Commission authorizes the filing of a complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when signed by the District Court judge.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.
A hacker broke into the servers of toymaker VTech last month, compromising the personal information of millions of children and adults. While the consequences of the hack are still unclear, police now have a suspect. Authorities have arrested a 21-year-old man in the UK on suspicion of crimes related to unauthorized access to a computer, reports the BBC. “We are still at the early stages of the investigation and there is still much work to be done,” said officials in a statement.
On this past Monday, a class action lawsuit was filed in Superior Court in Los Angeles against Mattel and ToyTalk in their active roles promulgating the safety and privacy aspects of Hello Barbie. kidSAFE is also named under their role of COPPA safe haven. The lawsuit alleges unfair competition, negligence, unjust enrichment, and invasion of privacy. The plaintiffs so far are two little girls (and their mothers) who state that Hello Barbie is an “inherently dangerous product” and the information she gathers is unlawful and and the collection is negligent.
Plaintiff C.H. received the doll as a gift on December 2, 2015 from her mother Ashley Archer-Hayes. Plaintiff A.P. is a friend of C.H. and played with the doll at C.H.’s birthday party as did other party-goers. C.H. and her mother, Charity Johnson were not registered with ToyTalk or Mattel while they played with the doll allegedly “triggering” voice recording and cloud storage and the A.I. routines based on the recorded voice.
Plaintiff’s lawyers propose the following questions of law for certification in California and nationally:
- Whether Defendants failed to satisfy the requirements of COPPA;
- Whether Defendants’ conduct is an unlawful business act or practice within the meaning of Cal. Bus. & Prof. Code § 17200, et seq.;
- Whether Defendants have collected, used, or maintained recordings of children under 13 whose parents have not consented;
- Whether Defendants failed to reasonably prevent or detect recordings of children under 13 whose parents have not consented;
- Whether recordings of children under 13 whose parents have not consented have bee shared or sold to third parties by Defendants;
- Whether Defendants failed to notify affected individuals that their children had been recorded without their consent;
- Whether Defendants notified purchasers that they may only use the doll outside the presence of other children under 13;
- Whether Defendants’ conduct violated the causes of action herein alleged;
- Whether, as a result of Defendants’ conduct in this case, Plaintiffs have suffered ascertainable loss; and
- Whether Plaintiffs are entitled to monetary damages and/or other remedies, and, if so, the nature of any such relief.
Copy of the lawsuit (warning, large file to do processing and OCR): HelloBarbieComplaint.pdf
I’m think COPPA won’t be the lynch pin here. I think the dodge is the Actual Knowledge standard. COPPA doesn’t kick in unless the online site or service is aware that someone under 13 is using the service. C.H. is under COPPA and verified parental consent was obtained from her mother. “Actual Knowledge” is a huge loophole though I haven’t seen it used when”incidental” PII is captured.
The COPPA angle seems to be against common sense. A 13 year old may upload a video to a COPPA compliant website of his 10 year old brother playing video games. The 13 year old isn’t a parent but I’m sure the 10 year old doesn’t have to have verified parental consent else the video service is in trouble. Another example is smart phone created for a child under 13 where the child’s parent provided verified consent. Lets say the child handed the phone to another preteen who then snaps a selfie of their self. Is it a violation that the phone manufacturer should have known that the phone would come into contact with other children? Did C.H.’s mom have enough information provided by Mattel that would make her responsible for understanding what the doll does and therefore how it might gather info from other girls that enter the house?
The other causes of action might have more merit and they definitely can survive if COPPA gets knocked out. They include:
Violation of the Unfair Competition Law
Unjust Enrichment (they made money on the doll where they shouldn’t have)
Invasion of Privacy
David vs. Goliath:
The attorneys for the proposed class are not ambulance chases (though this lawsuit came together in a few days). They are big time tort and class action practitioners. The primary law-firm is Kirtland & Packard with 4 attorneys appearing in the case. There are three more in California, two in Florida, and one in Wilmington N.C. That’s 10 attorneys total
But will Mattel be toppled? I’ve always been concerned with the fact that they didn’t do all of the heavy lifting themselves. They are exporting a lot of risk to a third party that they are ultimately responsible for. Did Mattel’s lawyers didn’t think of this? The main thing that has made me think that Mattel was COPPA compliant was because they have better lawyers than the F.T.C.
This would be a massive screw-up. Forget the money or removing the doll from the marketplace, good will is paramount for them.
What happens next:
Mattel has 30 calendar days to respond to the lawsuit starting from December 7, 2015. They will likely motion for additional time which the Plaintiff’s lawyers will agree to out of courtesy. No danger for a market upset this Christmas. There’s also a chance that the case will be removed to Federal court which will make it easier for court watchers to keep an eye on it. If that happens then the laws of California will still prevail.
The long-term solution would be to have a notice explaining what can happen if the doll interacts with other children. Maybe it should say that the parent is responsible for how their children play with the dolls. But isn’t that common sense?
Blame Mattel or blame mom?
The lawsuit states that kidSAFE’s list (seals) do not included Hello Barbie but the doll seems to be listed here: http://www.kidsafeseal.com/certifiedproducts/toytalk_hellobarbie_device.html