GEORGETOWN LAW INSTITUTE FOR PUBLIC REPRESENTATION

Hope M. Babcock Angela J. Campbell Brian Wolfman Directors Thomas Gremillion Anne King Laura M. Moy* Margot J. Pollans Blake E. Reid Staff Attorneys 600 New Jersey Avenue, NW, Suite 312 Washington, DC 20001-2075 Telephone: 202-662-9535 TDD: 202-662-9538 Fax: 202-662-9634

December 17, 2012 Donald S. Clark Secretary Federal Trade Commission 600 Pennsylvania Ave., NW Washington, D.C. 20580 Re: Request for Public Comment on the Childrens Online Privacy Protection Rule, No. P104503 Requests to Investigate Mobbles and SpongeBob Diner Dash, Two Child-Directed Mobile Applications Dear Mr. Clark: The Center for Digital Democracy (CDD), by its attorneys, the Institute for Public Representation (IPR), writes to supplement the record of the COPPA Rule Review with information about how child-directed mobile apps collect personal information from children without notifying parents or obtaining their consent. Today we are also filing a Request for Investigation of the child-directed mobile app SpongeBob Diner Dash, which collects personal information from children without providing notice and obtaining parent consent as required by the COPPA Rule. This is the second Request for Investigation we have filed in a week; last week we asked the Commission to investigate a child-directed app

* Admitted to the Maryland bar only; DC bar membership pending. Practice supervised by members of the DC bar.

Childrens Privacy December 17, 2012 Page 2 of 5

called Mobbles, which also collects childrens personal information without providing notice and obtaining parental consent.1 The problems CDD discovered with Mobbles and SpongeBob Diner Dash, detailed in our Requests for Investigation, are representative of mobile app operators widespread disregard for COPPA. Indeed, a report released just this week by the FTC revealed that out of 400 popular childrens apps surveyed, a staggering 59% shared device ID, geolocation, or phone numbers with a developer or third party, yet only 20% provided any privacy disclosure whatsoever to users or their parents.2 Consistent with the FTCs findings, we found one or both of the apps we examined in-depth to be collecting the following: email address, social network information, geolocation, friends contact information, and a unique identifier that enables developers to directly contact children via push notifications. Mobbles had no public privacy policy at all; SpongeBob Diner Dash had a privacy policy available on the web but inaccessible in the app at the point of information collection. Neither app made any attempt to notify childrens parents of their information collection practices or to obtain verifiable consent. Mobbles is operated by a very small company, while SpongeBob Diner Dash is a joint venture of childrens gaming giants Nickelodeon and PlayFirst, suggesting that companies of all sizes operate child-directed apps that are not COPPA compliant. Not only does mobile apps collection of childrens personal information without parents knowledge or consent violate the law, but it violates parents expectations as well. In a recent survey commissioned by CDD and Common Sense Media and conducted by Princeton Survey Research Associates International, a clear majority of parents surveyed thought it was wrong for advertisers to track and record a childs behavior online, with 90% of parents

See CDD Charges Mobile Game Company with Violation of COPPA, Urges FTC ActionWhile Kids Capture Virtual Pets, Mobbles Captures Personal Information from Children, Center for Digital Democracy (Dec. 11, 2012), http://www.democraticmedia.org/cdd-charges-mobile-gamecompany-violation-coppa-urges-ftc-action-while-kids-capture-virtual-pets-mob. 2 Fed. Trade Commn, Mobile Apps for Kids: Disclosures Still Not Making the Grade 13 (Dec. 2012), available at http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf.
1

Childrens Privacy December 17, 2012 Page 3 of 5

saying it is not okay for advertisers to do this kind of tracking in exchange for free content. 91% of parents said that it was not okay for advertisers to collect information about a childs location from that childs phone. Mobile app operators widespread noncompliance with the COPPA Rule suggests that app operators either disregard their responsibilities under COPPA because they do not fear legal repercussions for failing to meet them, or are unaware of these responsibilities altogether. For COPPA to protect children and keep parents informed of their kids activities online, as it was intended to do, operators must both be aware of their COPPA obligations and commit to complying with those obligations. CDD urges the FTC to step up enforcement of the COPPA Rule against mobile app operators. At this time the FTC has brought only one enforcement action against a mobile app operator.3 But smartphones and tablets with downloadable apps have been popular for a number of years, and access to the Internet via mobile app is rapidly catching up to traditional Internet access using a computer. Indeed, a Common Sense Media research study released in 2011 reported that while 68% of families with children ages 0-8 had high-speed Internet access at home, almost as many52%had access to a smartphone, a video iPod or similar device, or an iPad or other tablet.4 The FTCs search of app stores in July 2011 for the term kids yielded over 8,000 results in the Apple App Store and over 3,600 in the Android Market.5 The Commission needs to go after child-directed app operators that ignore COPPA both to send a message to operators that childrens privacy obligations are to be taken seriously, and to reassure parents that the child-directed apps they and their children download are in compliance with the law. Merely stepping up enforcement, however, will not be enough; the FTC must also follow through with the proposed revisions to the COPPA Rule that will clarify child-directed app operators responsibilities. The Rule should make

United States v. W3 Innovations LLC, No. CV1103958 (N.D. Cal., filed Aug. 12, 2011). Common Sense Media, Zero to Eight: Childrens Media Use in America 9 (Fall 2011), available at www.commonsensemedia.org/sites/default/files/research/zerotoeightfinal2011.pdf. 5 Fed. Trade Commn, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing 4 (Feb. 2012), available at www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf.
3 4

Childrens Privacy December 17, 2012 Page 4 of 5

crystal clear that before app operators may collect a childs name, location data, email address or other contact information, they must find a way to notify the childs parents and ask their permission. In addition, the updated COPPA Rule must make clear that the support for internal operations exception does not cover: personal information that is integrated into gameplay, but unnecessarily so (such as the plotting of a childs physical location on a map displayed within the game), contact information other than an email address that is used to send push notifications to a childs device, or persistent identifiers used for the purpose of tracking a childs activities and delivering targeted advertisements.

Finally, we ask the FTC to add a section about mobile apps to its web-based Frequently Asked Questions About the Childrens Online Privacy Protection Rule.6 These FAQs have not been updated since October 7, 2008, and neither mobile nor app currently appears anywhere on the page.

Frequently Asked Questions About the Childrens Online Privacy Protection Rule, Fed. Trade Commn (Oct. 7, 2008), http://www.ftc.gov/privacy/coppafaqs.shtm.
6

Childrens Privacy December 17, 2012 Page 5 of 5

Mobile apps offer a rich source of content for children and adults, but they also present unprecedented opportunities for the collection of highly personal data. It light of evidence that a majority of child-directed mobile operators collect personal information from children without notifyinglet alone seeking the consent ofparents, it is critical that the FTC take swift action to ensure that the aims of COPPA are carried out. The FTC should update the COPPA Rule to clarify child-directed app operators responsibilities, and also step up enforcement so that app operators take those responsibilities seriously.

Respectfully submitted, /s/ Laura M. Moy Angela J. Campbell Institute for Public Representation Georgetown Law 600 New Jersey Avenue, NW Suite 312 Washington, DC 20001 (202) 662-9535 lmm258@law.georgetown.edu December 17, 2012 Counsel for Center for Digital Democracy