02:11 PM
Connect Directly

Smartphone Data Collection From Kids Draws FTC Fine

W3 Innovations agrees to pay $50,000 for failing to provide a clear privacy policy or secure parental consent before gathering personal information on tens of thousands of children.

On Monday, the Federal Trade Commission announced that mobile application developer W3 Innovations had agreed to pay a $50,000 fine for its failure to create clear privacy policies for its smartphone applications, as well as for improperly collecting and sharing information on at least 30,000 children under the age of 13.

The FTC complaint--made against W3 Innovations, as well as company owner and president Justin Maples--alleged that they violated the Children's Online Privacy Protection Act of 1998 (COPPA). The law, which the FTC enforces, prohibits the collection of personal information on children under the age of 13 without a parent's prior consent. The law also requires websites to post complete, clear, and understandable privacy policies.

Legal experts said this is the first FTC case to involve smartphone applications. But as more people embrace smartphones, tablets, and other mobile devices to meet their computing needs, don't expect it to be the last.

According to the complaint, W3 Innovations "allowed children to publicly post information, including personal information, on message boards. These interactive apps send and receive information via the Internet, and are online services covered by the COPPA Rule." Furthermore, said the FTC, "the defendants did not provide notice of their information-collection practices and did not obtain verifiable parental consent before collecting and/or disclosing personal information from children," which violated COPPA.

W3 Innovations, which does business under the name Broken Thumbs Apps, bills itself on LinkedIn as "a small, family-owned and operated mobile device app developer based out of Silicon Valley," and according to its website, has four employees. The 40-odd mobile applications it's developed for Apple iOS feature titles such as "Emily's Dress Up and Shop," "Santa's Run," "Beer Toss," and "Zombie Duck Hunt."

Several of the company's applications, including six "Emily"-themed applications--first released in February 2010 and collectively downloaded more than 50,000 times--drew the FTC's attention since they were designed for children. According to the FTC, "the Emily apps encouraged children to email 'Emily' their comments and submit blogs to 'Emily's Blog' via email, such as 'shout-outs' to friends and requests for advice." But, according to the FTC complaint, W3 Innovations "collected and maintained thousands of email addresses from users of the Emily apps," without first obtaining parental consent.

As part of its settlement, W3 Innovations agreed to not violate COPPA, as well as to delete all information it collected in violation of COPPA rules.

This isn't the first time that the FTC has fined a company for COPPA violations. Notably, in 2006, blogging community Xanga paid a $1 million fine for improperly collecting, using, and disclosing information relating to children under the age of 13.

According to Christopher Wolf, director of the privacy and information management practice at law firm Hogan Lovells and co-chair of the Future of Privacy Forum, the FTC has lately been taking a tougher stance on privacy, including website privacy policy clarity. "I think it's clearly more aggressive in the area of privacy," he said in a recent telephone interview. "I think the FTC has a sensitivity to the value of data in our information society, they're not allergic to the use of data." Furthermore, he said, "I think they've been relatively cautious in their enforcement actions." But expect that to change.

Where smartphone applications are concerned, there's room for improvement. "In the app world, which often implicates cloud computing, there is a serious question of how app developers will handle privacy," according to a recent post to the Hogan Lovells Chronicle of Data Protection blog.

Notably, a study conducted earlier this year by the Future of Privacy Forum tested 30 leading smartphone applications for Android, BlackBerry, and iOS, and found that 24 of them "lacked even a basic privacy policy." On a related note, Sen. Al Franken, D-Minn., in May wrote to Apple and Google, requesting that they require developers of smartphone applications that collect location data to specify how that data will be used, in their privacy policies.

See the latest IT solutions at Interop New York. Learn to leverage business technology innovations--including cloud, virtualization, security, mobility, and data center advances--that cut costs, increase productivity, and drive business value. Save 25% on Flex and Conference Passes or get a Free Expo Pass with code CPFHNY25. It happens in New York City, Oct. 3-7, 2011. Register now.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-24
adsetgroups in Centrify Server Suite 2008 through 2014.1 and Centrify DirectControl 3.x through 4.2.0 on Linux and UNIX allows local users to read arbitrary files with root privileges by leveraging improperly protected setuid functionality.

Published: 2014-10-24
The Remote Controls feature on Samsung mobile devices does not validate the source of lock-code data received over a network, which makes it easier for remote attackers to cause a denial of service (screen locking with an arbitrary code) by triggering unexpected Find My Mobile network traffic.

Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.