On April 26, 2018, the FTC sent warning letters to Gator Group Co., Ltd., based in China, and Tinitell, Inc., based in Sweden, for their marketing of the Kids GPS Gator Watch and its related app. According to the FTC, the watch is advertised a “child’s first cell phone,” appears to collect precise geolocation data from children, and is available in the US through the Apple App Store and the Google Play Store. However, the FTC asserts that neither company provided parents with the direct notice of this data collection nor obtained the verifiable parental consent required under the COPPA Rule.
Why This Matters . . .
First, remember that the COPPA Rule applies to foreign-based websites and online services that are directed to (or known to be used by) children under 13 in the US. The plain language of the Act sets out this extraterritorial reach[1], as does the Rule implementing the COPPA.[2] Even businesses that feel “untouchable” because they operate out of remote locations with no physical US presence should make the effort to comply with the Rule. After all, litigation is not the only weapon in the FTC’s arsenal. Copies of the warning letters issued about the Gator Watch were sent to the app divisions of both Apple and Google. And being pulled from US app stores can be a faster hit to COPPA offenders than litigation ever could be.
Second, businesses are required to comply the direct notice and parental consent requirements of COPPA, even when it may appear “obvious” that consumers would know their service is collecting personal data from children. This may appear to be a bit of a head-scratcher. Why was the Gator Group admonished by the FTC for failing to provide direct notice and obtaining parental consent for a product that is named Kids GPS Gator Watch? Wouldn’t any adult consumer purchasing a “child’s first cell phone” with the phrase “GPS” in the name know that it must be collecting GPS geolocation data from children?
For starters, consumers are unlikely to have a full picture of how much data any particular business collects, or whether that data is subsequently retained and used.[3] Additionally, no matter how clear your marketing materials are, the COPPA Rule has an extensive and granular set of requirements that must be followed. The Rule extends well beyond parental notice and consent to data collection from children; there are requirements relating to disclosure to third parties, right of parental access, right of review, deletion, and confidentiality and security.[4]
Compliance with the COPPA Rule, like many data-protection laws, does take some time and effort, but there is a silver lining. The process of becoming compliant invariably requires businesses to audit their own data retention and protection practices. A review of that information life cycle may cause the beefing up of security practices and the paring down of data retained - both useful methods of limiting liability for future data breaches. Moreover, compliance with the transparency facilitated by the COPPA Rule is not only the key to avoiding prosecution by the FTC, it is also simply a good business practice to avoid later misunderstandings and disputes with consumers.
For helpful and detailed information about compliance with the COPPA Rule, visit the FTC webpages on COPPA.
[1] 15 U.S.C. § 6501(2). [2] 16 C.F.R. § 312.2. [3] Alice Marwick & Eszter Hargittai, Nothing to Hide, Nothing to Lose? Incentives and Disincentives to Sharing Information with Institutions Online, 22 Information, Communication & Society 1697, 1702 (2019). [4] See,16 C.F.R. §§ 312.2(e), 312.5(a)(1) & (2), 312.6(a)(2)&(3), 312.8 & 312.10.