Adults probably don’t spend much time thinking about SpongeBob SquarePants. They should.
Mobile “apps” on iPhones and similar devices have become important entertainment and even learning tools for children. My three-year-old niece probably has 20 on my sister’s phone and, indeed, many seem to have legitimate educational value. The best part is these apps often cost less than a dollar or are even free. Or so it appears.
Many app developers are small start-ups with little to no capital. How can they afford to just give their work away? The answer, of course, is advertising. One of the most important revenue streams in the mobile app marketplace is the sale of user information to advertising networks. This often includes device identification numbers, geolocation information and, in more egregious cases, even names and email addresses.
This information is then used by advertisers to target you and your child with products and services that may be enticing based on previous purchases, location or other information regarding you personally. The all-too-typical result: that app you downloaded for free may have advertisements embedded within it for additional products that your child may be able to click through and purchase without your knowledge. Worse, that click-through process may requisition more personal information (perhaps even a credit card number) from your child without your knowledge. In short, the free app may have costs you did not anticipate — not only economic costs but privacy and data security risks.
Following a year-long investigation into data collection practices of mobile apps, the Federal Trade Commission found that only 20 percent of them disclosed any information about the developer’s information collection practices to the user. Nearly 60 percent transmitted user information from the user’s device back to the app developer, an advertising network or other third party. This industry behavior is particularly disturbing in light of the fact that there is a federal law, the Children’s Online Privacy Protection Act, which requires providers of online services directed at children under 13 to disclose clearly their information collection and usage practices and to obtain parental consent before collecting, using or disclosing personal information about a child under 13. Mobile apps flout these requirements regularly.
Recently, the FTC attempted to remove any doubts as to the applicability of law to these common mobile app practices by, among other things, revising its definition of “personal information” to include persistent identifiers (like device identification numbers), geolocation information and other data sources relevant in the mobile marketplace.
While simple in theory, it is not always easy for mobile app developers to provide clear disclosures and obtain parental consent in practice. So far, the task has been left to individual developers and the mobile marketplace remains a Wild West of inadequate disclosures and privacy practices.
So what can you do as an app user or parent? Find the developer’s privacy policy and read it on a large screen. That policy should disclose what information it collects and how it is used. There are, of course, times when a privacy policy is not entirely accurate or is misleading, as the FTC has found in a few cases. If you are concerned that you do not have enough information about a developer to make an informed decision, limit downloads to apps certified by an independent agency such as TrustE. Typically, you will see a TrustE seal in the app description. You can also Google a developer for any online commentary about its privacy practices, possibly from outside sources that may have conducted an investigation.
This truly is a fluid legal landscape, with legal requirements always a step behind the technology they seek to govern.
And what about that SpongeBob app? Well, if your child really wants to play “SpongeBob Diner Dash,” he or she is going to have to wait, as that app has been pulled from Apple’s App Store because it was collecting children’s email addresses without obtaining parental consent.
Christopher J. Librandi, an attorney with Westpost law firm Levett Rockwood P.C., practices business law, including commercial transactions, mergers and acquisitions, information technology, general corporate and commercial litigation matters. He can be reached at (203) 222-0885 or www.levettrockwood.com
