Risk
8/17/2011
02:11 PM
Connect Directly
RSS
E-Mail
50%
50%

Smartphone Data Collection From Kids Draws FTC Fine

W3 Innovations agrees to pay $50,000 for failing to provide a clear privacy policy or secure parental consent before gathering personal information on tens of thousands of children.

On Monday, the Federal Trade Commission announced that mobile application developer W3 Innovations had agreed to pay a $50,000 fine for its failure to create clear privacy policies for its smartphone applications, as well as for improperly collecting and sharing information on at least 30,000 children under the age of 13.

The FTC complaint--made against W3 Innovations, as well as company owner and president Justin Maples--alleged that they violated the Children's Online Privacy Protection Act of 1998 (COPPA). The law, which the FTC enforces, prohibits the collection of personal information on children under the age of 13 without a parent's prior consent. The law also requires websites to post complete, clear, and understandable privacy policies.

Legal experts said this is the first FTC case to involve smartphone applications. But as more people embrace smartphones, tablets, and other mobile devices to meet their computing needs, don't expect it to be the last.

According to the complaint, W3 Innovations "allowed children to publicly post information, including personal information, on message boards. These interactive apps send and receive information via the Internet, and are online services covered by the COPPA Rule." Furthermore, said the FTC, "the defendants did not provide notice of their information-collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children," which violated COPPA.

W3 Innovations, which does business under the name Broken Thumbs Apps, bills itself on LinkedIn as "a small, family-owned and operated mobile device app developer based out of Silicon Valley," and according to its website, has four employees. The 40-odd mobile applications it's developed for Apple iOS feature titles such as "Emily's Dress Up and Shop," "Santa's Run," "Beer Toss," and "Zombie Duck Hunt."

Several of the company's applications, including six "Emily"-themed applications--first released in February 2010 and collectively downloaded more than 50,000 times--drew the FTC's attention since they were designed for children. According to the FTC, "the Emily apps encouraged children to email 'Emily' their comments and submit blogs to 'Emily's Blog' via email, such as 'shout-outs' to friends and requests for advice." But, according to the FTC complaint, W3 Innovations "collected and maintained thousands of email addresses from users of the Emily apps," without first obtaining parental consent.

As part of its settlement, W3 Innovations agreed to not violate COPPA, as well as to delete all information it collected in violation of COPPA rules.

This isn't the first time that the FTC has fined a company for COPPA violations. Notably, in 2006, blogging community Xanga paid a $1 million fine for improperly collecting, using, and disclosing information relating to children under the age of 13.

According to Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum, the FTC has lately been taking a tougher stance on privacy, including website privacy policy clarity. "I think it's clearly more aggressive in the area of privacy," he said in a recent telephone interview. "I think the FTC has a sensitivity to the value of data in our information society, they're not allergic to the use of data." Furthermore, he said, "I think they've been relatively cautious in their enforcement actions." But expect that to change.

Where smartphone applications are concerned, there's room for improvement. "In the app world, which often implicates cloud computing, there is a serious question of how app developers will handle privacy," according to a recent post to the Hogan Lovells Chronicle of Data Protection blog.

Notably, a study conducted earlier this year by the Future of Privacy Forum tested 30 leading smartphone applications for Android, BlackBerry, and iOS, and found that 24 of them "lacked even a basic privacy policy." On a related note, Sen. Al Franken, D-Minn., in May wrote to Apple and Google, requesting that they require developers of smartphone applications that collect location data to specify how that data will be used, in their privacy policies.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0914
Published: 2014-07-30
Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management f...

CVE-2014-0915
Published: 2014-07-30
Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8...

CVE-2014-0947
Published: 2014-07-30
Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site.

CVE-2014-0948
Published: 2014-07-30
Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive.

CVE-2014-2356
Published: 2014-07-30
Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request.

Best of the Web
Dark Reading Radio