It’s 10 p.m. Do You Know What Your Third-Party Integrations Are Doing? Mobile App Developer Fined $4 Million for Alleged COPPA Violations Through In-App Advertising
It’s 10 p.m. Do You Know What Your Third-Party Integrations Are Doing? Mobile App Developer Fined $4 Million for Alleged COPPA Violations Through In-App Advertising
In the wake of the COVID-19 pandemic, children are spending more of their lives in the digital realm, both for education and entertainment purposes—but that doesn’t mean the Federal Trade Commission (FTC) is cutting online operators slack for not complying with the Children’s Online Privacy Protection Act (COPPA). Last week, the FTC levied a $4 million penalty against HyperBeard, Inc., a popular mobile app developer, to settle allegations that HyperBeard integrated third-party ad networks into its child-directed apps in violation of COPPA.[1]
The complaint is notable in that the FTC did not allege that HyperBeard itself collected any personal information from children—rather, the alleged violations centered around the company enabling third parties to collect personal information from children through its service. The fine serves as a warning to online operators that they are strictly responsible for their third-party integrations, even if they themselves do not collect personal information from children. Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, emphasized, “If your app or website is directed to kids, you’ve got to make sure parents are in the loop before you collect children’s personal information. This includes allowing someone else, such as an ad network, to collect persistent identifiers, like advertising IDs or cookies, in order to serve behavioral advertising.”
COPPA generally requires operators of child-directed online services to provide notice and obtain parental consent before collecting—or permitting third parties to collect—personal information from children under 13. In 2013, the FTC amended its rule implementing COPPA to, among other things, expand the definition of “personal information” to include persistent identifiers that collect information about a child’s online activity when that information is used to serve targeted ads to the child. This presents an issue for app developers, such as HyperBeard, looking to monetize their apps through the use of in-app advertising.
HyperBeard has publicly offered a number of mobile apps, including BunnyBuns, Clawbert, KleptoCats, and MonkeyNauts (the “Apps”). The Apps were free to download and play but relied on in-app advertising and in-app purchases to generate revenue. The complaint calls out the prominent usage of brightly colored, animated characters in the Apps as evidence that the Apps were child-directed. The complaint further noted that the descriptions for the Apps included adjectives such as “SUPER cute,” “adorable,” and “silly,” which are kid-friendly, and that the Apps are “very simple and easy to play.”
The FTC also pointed to HyperBeard’s marketing as evidence that the Apps were child-directed. For example, the complaint alleges that HyperBeard’s website descriptions for several of its Apps recommended the games to children as well as adults. In addition, HyperBeard promoted its Apps on a kids entertainment website, YayOMG! The YayOMG! reviews for certain Apps focused on how “adorable,” “fun,” and “cute” the games were and recommended the games to the website’s readers. HyperBeard amplified these reviews through the use of “retweets” and “likes” on its Twitter page.
Moreover, HyperBeard published books related to two of its Apps—KleptoCats and KleptoDogs. The FTC noted that the books were written by a children’s author and were categorized under “Children’s Books” on an online bookseller’s website, with a suggested age range of 7-10 years and grade level of 2-5. HyperBeard also sold KleptoCats stuffed animals and licensed its characters to other companies to create child-directed products, including a K’Nex block construction set, calendars, posters, stickers, and bookmarks.
In order to monetize the Apps, HyperBeard integrated numerous third-party ad networks in its Apps. The ad networks used persistent identifiers to collect information about children’s activity over time and across online services, and it targeted ads to those children based on their information. Because HyperBeard allegedly did not provide notice to or obtain verifiable parental consent from parents in connection with the ad networks’ activity, the ad networks’ collection of personal information violated COPPA.
Furthermore, the FTC alleged that HyperBeard did not exercise adequate oversight and controls over the ad networks. For example, the FTC alleged that HyperBeard did not inform the ad networks that the Apps were directed to children until after being contacted by FTC staff about the matter. In addition, HyperBeard allegedly failed to properly instruct or contractually require the ad networks to refrain from behavioral advertising in light of the child-directed nature of the Apps. The settlement reinforces the fact that, under COPPA, an online operator is strictly liable for the actions of any third party that collects personal information through the operator’s service.
[1] Due to HyperBeard’s inability to pay the full amount, the $4 million penalty will be suspended upon payment of $150,000 by HyperBeard.
Practices