Caution: Your Mobile App May Unintentionally Violate COPPA
As online activity shifts to mobile devices, regulators are watching. Last week, Yelp agreed to settle a claim with the FTC for $450,000 for its alleged violations of the Children’s Online Privacy Protection Act (COPPA). As most savvy shoppers know, Yelp provides a service that allows users to search for and review local businesses via its website and mobile app. Although not intended for children, Yelp collects age information as part of its registration process.
Yelp did a lot right.
In developing its website, Yelp was careful to screen out users under the age of 13. It likely did so in part to avoid triggering COPPA obligations, which broadly apply to operators of commercial websites and online services with “actual knowledge” that they are collecting information from children (e.g., collecting age information without a functional screen).
Here’s where Yelp went wrong.
Like many companies, Yelp later developed a mobile app. The mobile app registration process mostly mirrored that of its website, but with one key difference—the mobile app did not include an age-screen. As Yelp describes on its blog, there was “a bug in [its] mobile registration process that allowed certain users to register with any birth date when it was supposed to disallow registrations from individuals under 13.” As a result, Yelp had “actual knowledge” that it was collecting information from children using its mobile app and did not comply with COPPA by, among other things, requiring prior parental consent.
What can you do to lower the risk of a COPPA violation?
1. Don’t Collect Age Information Without a Screen
General audience website and mobile app providers should avoid collecting age information or screen out children under the age of 13, if collecting age information.
Although COPPA may be triggered in other ways, such practices may help mitigate risk.
2. Incorporate Privacy Considerations into Product Development
The Yelp case provides a valuable lesson on the need to incorporate privacy considerations into every stage of product development, including your website and mobile apps.
For more information about COPPA compliance or other privacy considerations, please contact Peter Guffin, Chair of the firm's Privacy and Data Security Group at 207.791.1199 or pguffin@pierceatwood.com.