FTC Updates COPPA Guidelines for App Developers, Easing (But Not Eliminating) Compliance Requirements

By: Aaron Krowne

The Federal Trade Commission (“FTC”) has recently made a number of significant updates to its guidance for the Children’s Online Privacy Protection Act (“COPPA”). Chiefly, these updates streamline compliance requirements for COPPA’s parental consent mandate, in response to the widespread popularity of “app stores” for obtaining and running software. The updates also add support for “knowledge based identification,” a new method of verification that utilizes credit cards.

The Recent COPPA Updates

The FTC provides an online “FAQ” which serves as its guidance on how to comply with COPPA (for more background on COPPA, see the extended version of this article). Periodically, it updates this FAQ in response to various developments, including changing technology. On July 16, 2014, a significant set of updates was made, containing key clarifications and additions.

1. Knowledge Based Identification

One of the updates was to section H.5 of the FAQ, where the FTC added “credit card plus” authentication as an express approved means to confirm parental consent. Originally, the FTC’s guidance expressly approved verification via the use of a parent’s credit card, but only if it was charged. The rationale for this requirement, as originally written, was that it would cause an actual financial record to be generated that a parent would be sure to see. But this guidance by itself had the effect of foreclosing other useful authentication methods that made use of a credit card without charging it.

The new H.5 now suggests that a credit card, used in combination with additional questions (the “plus”) which only a parent would typically know the answers to, such as detailed items from a parent’s credit history, can constitute valid confirmation of parental consent.

This update was most likely in direct response to Imperium, Inc.’s December 13, 2013, consent method inquiry for such “knowledge-based identification,” which included questions associated with credit history (e.g., past addresses), that was ultimately approved by the FTC.

2. App Store Apps And Parental Consent

The FTC also updated H.10 of the FAQ, to state expressly that developers can rely on parental consent obtained by “app stores.” “App stores” (e.g., Google Play and Apple’s App Store) are the now-popular venues where customers can purchase, download and install software for their smartphones, computers or tablets. This update considerably lowers the barrier for app store developers, as they no longer have to implement the “mechanics” of COPPA parental consent.

However, app developers still cannot simply ignore parental consent entirely. In H.10, the FTC explicitly cautioned that merely utilizing an app store login does not in itself constitute parental consent. Rather, an actual “call” to the app store’s parental consent facility must be made by each app that chooses to rely on its app store to obtain this consent. Further, app developers still must present their own privacy policy addressing COPPA’s requirements. Thus, a COPPA-compliant privacy policy is still needed, and must be presented in the proper way.

Finally – and critically – the developer must ensure the app store’s parental consent method complies with COPPA fully; it is not enough to simply trust assurances.

In sum, a significant part of the COPPA compliance process has been removed vis-a-vis app developers; but operators of apps must still comply with the other aspects of COPPA, including actually invoking the app store’s parental consent method properly, and making sure the consent method is actually compliant.

3. App Store Liability

On the flip side, since app stores can now take an “active” role in the COPPA consent-obtaining process for the apps they carry, they themselves might be liable for non-compliance under COPPA – for example, in the case of a deficiency in an app’s privacy policy.

Luckily, H.16 allays this concern, by (1) reiterating that app stores are not considered “operators” under COPPA, and (2) setting forth that an app store “will not be liable under COPPA for failing to investigate the privacy practices of the [app] operators for whom [it] obtains consent.” Thus, in the scenario described above, or even in the case of an app with no privacy policy whatsoever, there would be no liability for the app store itself. Of course, if the app store misrepresents its particular part of the process, i.e., the actual parental consent-obtaining service, it could still be liable under the FTC’s general Section 5 “unfair or deceptive” authority.

Conclusion

The above updates to the COPPA guidelines bring them further in tune with the current state of real-world software distribution and use, providing welcome guidance that has the effect of significantly lowering the COPPA compliance burden for app store app developers, as well as bringing COPPA up to speed with credit card “knowledge based authentication” methods that do not require charging a card. However, this new guidance far from eliminates all COPPA burdens on app store developers; rather, it merely focuses them, leaving undisturbed basic COPPA requirements – such as proper formulation and display of a privacy policy – and a backdrop of active FTC enforcement. Thus, all developers of apps or web sites which even might be considered directed toward children should contact a certified OlenderFeldman privacy attorney today and make sure their privacy and data security policies are COPPA-compliant.