Every parent has hopes and dreams for their children, but none more important than their health, safety, and welfare. In trying to provide a safe online environment for their children, many check to ensure all downloaded apps are age-appropriate and presumably compliant with the Children's Online Privacy Protection Act (COPPA).
It should be a safe assumption if the app appears in the children's section of Apple's iOS App Store or the family section of Android's Google Play. Certainly these big companies have vetted the apps. Right? Wrong! That assumption couldn't be further from the truth, and the New Mexico Attorney General has now filed a federal lawsuit against Tiny Labs, Twitter, Google, and AdMob for their role in violating COPPA and other laws. He hopes to protect the children of New Mexico, and maybe even those around the world.
Children's Apps and the Temptation to Sell User IDs
When it comes to apps, there are two revenue models for the publisher: subscription and ad based. Since most children don't have money to purchase one-time or monthly subscriptions, most publishers of children's games choose to offer free apps and earn revenue from advertising companies.
Normally this would be in the form of in-game advertising, however, you may have seen some of these children's games, and realize that there aren't many places to embed an ad. So what's a children's game developer to do, especially a fledgling one without deep pockets? How about selling user data, including contact information, location, and usage patterns, to third party advertising companies. While that may sound enticing, it is illegal if the user is under 13 years of age, under COPPA.
COPPA -- Protecting the Privacy and Safety of Children
COPPA was created to protect children and their privacy. Among other things, it requires clear and obvious parental consent to allow anyone under 13 years of age from interacting with the online content. COPPA applies to apps and websites operated for commercial purposes that are either directed towards children under 13, or have actual knowledge that children under 13 are interacting with the content.
Under COPPA, it is illegal to collect user ID information on children aged 13 or younger, in order to keep kids safe. A user's ID contains precise device geolocation and a host other user personal preference data, that could be used by a sophisticated kidnapper or molester to lure and trap unsuspecting children.
Tiny Lab and Its Accomplices -- Navigating a Slippery Slope
Tiny Lab, a Lithuanian company, develops family mobile games that are used by the "under 13" market, such as Fun Kid Racing and Run Cute Little Pony. Until August 2018, its apps collected and shared users' data with up to 10 advertising and online tracking companies. The Tiny Labs CEO didn't think this was a COPPA violation, since the apps were meant to be directed at "mixed audiences," with children under 13 forming only part of the market.
The distinction is important, since under COPPA, apps aimed at younger children are prohibited from tracking any users for ads without parental consent, but apps intended for a general audience can ask players their age and track older users. And all Tiny Labs had to do to get into the Families section for Google Play to entice young children to play was to state their intended audience. Google didn't verify it since it relies on self-policing. And that has gotten Google into hot water, and into this lawsuit. Same goes for Twitter. Tiny Labs allowed user data to be collected by third party ad companies, like AdMob, and so it has gotten a seat at the defendant's table too.
If you believe that your child's online privacy is at risk from a mobile app that never received your consent, contact a consumer protection attorney. An experienced legal adviser can fill you in on the most recent laws, hear the facts of your case, and see if you have a viable claim against these publishers and advertisers.