
FTC Criticizes Privacy Disclosures for Children’s Apps


The FTC yesterday issued a staff report calling upon members of the mobile app ecosystem to provide better privacy notices to parents about mobile apps directed to children.  The report, titled “Mobile Apps for Kids: Privacy Disclosures are Disappointing,” highlights the findings from an FTC survey of the mobile apps for children available in the Apple App Store and the Android Market.

The FTC evaluated the types of apps offered to children, the disclosures provided to users in the app stores and on the app developers’ websites, interactive features such as connectivity with social media, and the ratings and parental controls offered for the apps.  FTC Chairman Jon Leibowitz stated that “right now, it is almost impossible to figure out which apps collect what data and what they do with it,” and said the children’s app ecosystem must “wake up” and provide “easily accessible, basic information, so that parents can make informed decisions about the apps their kids use.”

To conduct its survey, the FTC searched the Apple and Android app stores using the word “kids” and examined the app store promotion pages of 200 apps (randomly selected from the first 480 search results) from each app store.  The FTC also reviewed the information available on the first page, or “landing” page, of the associated app developers’ websites.  The FTC did not download any of the apps surveyed, explaining in the report that its focus was on the information that a parent could easily access prior to downloading (and possibly being charged for) an app.  The FTC also apparently did not examine the privacy policies or terms of use that were available through links on the app developers’ websites (noting that “consumers are unlikely to read disclosures buried in privacy policies or ‘terms of service’ agreements because they are not easily accessible and are invariably long, legalistic, and difficult to understand”).

According to the report, while FTC staff “encountered a diverse pool of apps for kids created by hundreds of different developers, staff found little, if any, information in the app marketplaces about the data collection and sharing practices of these apps.”  In addition, of the 400 app promotion pages examined by the FTC, only two (0.5%) linked to a developer landing page that disclosed information about data collection and sharing on the landing page itself.

The report calls upon all members of the “kids app ecosystem” – the stores, developers and third parties providing services – to play an active role in providing key information to parents.  The report recommends that:

  • App developers should provide data practices information in simple and short disclosures. They also should disclose whether the app connects with social media and whether it contains ads. Third parties that collect data also should disclose their privacy practices.

  • App stores, “as gatekeepers of the app marketplaces,” also should take responsibility for ensuring that parents have basic information. The stores should be able to provide a way for developers to provide information about their data collection and sharing practices (such as a designated space for developers to disclose this information and standardized icons to signal certain features, such as social network connectivity).

The report warns of future enforcement action, noting that the FTC will conduct an additional review over the next six months to identify potential violations of the Children’s Online Privacy Protection Act (“COPPA”) and determine whether enforcement is appropriate.  According to the FTC, the report, along with the agency’s settlement last year with a mobile app developer for alleged COPPA violations and its recent proposal to amend the COPPA Rule, is a “warning call” to industry that it must do more to provide parents with information about the mobile apps their children use.

The FTC report can be expected to increase scrutiny of mobile app privacy issues, which were in the spotlight in recent days following news that the popular social network app Path (and other iOS apps) would upload users’ entire contact lists to the developer’s servers without permission.

 

Authored by Michael Epshteyn.
