02:11 PM

Smartphone Data Collection From Kids Draws FTC Fine

W3 Innovations agrees to pay $50,000 for failing to provide a clear privacy policy or secure parental consent before gathering personal information on tens of thousands of children.

On Monday, the Federal Trade Commission announced that mobile application developer W3 Innovations had agreed to pay a $50,000 fine for its failure to create clear privacy policies for its smartphone applications, as well as for improperly collecting and sharing information on at least 30,000 children under the age of 13.

The FTC complaint--made against W3 Innovations, as well as company owner and president Justin Maples--alleged that they violated the Children's Online Privacy Protection Act of 1998 (COPPA). The law, which the FTC enforces, prohibits the collection of personal information on children under the age of 13 without a parent's prior consent. The law also requires websites to post complete, clear, and understandable privacy policies.

Legal experts said this is the first FTC case to involve smartphone applications. But as more people embrace smartphones, tablets, and other mobile devices to meet their computing needs, don't expect it to be the last.

According to the complaint, W3 Innovations "allowed children to publicly post information, including personal information, on message boards. These interactive apps send and receive information via the Internet, and are online services covered by the COPPA Rule." Furthermore, said the FTC, "the defendants did not provide notice of their information-collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children," which violated COPPA.

W3 Innovations, which does business under the name Broken Thumbs Apps, bills itself on LinkedIn as "a small, family-owned and operated mobile device app developer based out of Silicon Valley," and according to its website, has four employees. The 40-odd mobile applications it's developed for Apple iOS feature titles such as "Emily's Dress Up and Shop," "Santa's Run," "Beer Toss," and "Zombie Duck Hunt."

Several of the company's applications, including six "Emily"-themed applications--first released in February 2010 and collectively downloaded more than 50,000 times--drew the FTC's attention since they were designed for children. According to the FTC, "the Emily apps encouraged children to email 'Emily' their comments and submit blogs to 'Emily's Blog' via email, such as 'shout-outs' to friends and requests for advice." But, according to the FTC complaint, W3 Innovations "collected and maintained thousands of email addresses from users of the Emily apps," without first obtaining parental consent.

As part of its settlement, W3 Innovations agreed to not violate COPPA, as well as to delete all information it collected in violation of COPPA rules.

This isn't the first time that the FTC has fined a company for COPPA violations. Notably, in 2006, blogging community Xanga paid a $1 million fine for improperly collecting, using, and disclosing information relating to children under the age of 13.

According to Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum, the FTC has lately been taking a tougher stance on privacy, including website privacy policy clarity. "I think it's clearly more aggressive in the area of privacy," he said in a recent telephone interview. "I think the FTC has a sensitivity to the value of data in our information society, they're not allergic to the use of data." Furthermore, he said, "I think they've been relatively cautious in their enforcement actions." But expect that to change.

Where smartphone applications are concerned, there's room for improvement. "In the app world, which often implicates cloud computing, there is a serious question of how app developers will handle privacy," according to a recent post to the Hogan Lovells Chronicle of Data Protection blog.

Notably, a study conducted earlier this year by the Future of Privacy Forum tested 30 leading smartphone applications for Android, BlackBerry, and iOS, and found that 24 of them "lacked even a basic privacy policy." On a related note, Sen. Al Franken, D-Minn., in May wrote to Apple and Google, requesting that they require developers of smartphone applications that collect location data to specify how that data will be used, in their privacy policies.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
Secure Application Development - New Best Practices
Secure Application Development - New Best Practices
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.