Tracking Kids Through Your App? Think Again.
Klepto Cats and Dogs have been “stealing” children’s personal information without parental consent and using it for targeted advertising. Bad dog! Well, almost. HyperBeard, Inc., a developer of apps popular with children under 13 years old – including games like BunnyBuns, Chichens, MonkeyNauts, NomNoms, KleptoCats, and KleptoDogs – is in trouble with the FTC for alleged violations of the Children’s Online Privacy Protection Act Rule (“COPPA Rule”).
According to the Complaint, HyperBeard allowed third-party ad networks to collect personal information in the form of persistent identifiers to track users of its games, and then used that information to target ads to children, without first notifying parents or obtaining verifiable parental consent. Although targeted advertising powers free content across the web, the FTC’s COPPA Rule prohibits child-directed websites, apps, and online services from collecting personal information from children under 13, including the use of persistent identifiers for targeted advertising, without first providing notice of their information practices and obtaining parental consent. The FTC determined HyperBeard’s apps were marketed toward children because they used brightly colored and animated characters, which were described with child-friendly adjectives like “super cute” and “silly.” The apps were also marketed on kids’ entertainment website YayOMG and through licensed sales of children’s books, stuffed animals, and block construction sets, all based on the characters in the apps. Although the games posted disclaimers that they were not intended for use by children under the age of 13, after reviewing numerous factors, the FTC determined that they clearly were, and must therefore comply with the COPPA Rule.
The case came to the FTC through a referral by two industry self-regulatory groups, after repeated attempts to contact HyperBeard to discuss the business practices at issue went unanswered. The FTC voted 4-1 to authorize the Department of Justice to file the Complaint and agreed to a settlement on the allegations. HyperBeard’s CEO Alexander Kozachenko, and managing director, Antonio Uribe, were also named in the complaint. The proposed stipulated order would require the HyperBeard company, and Kozachenko and Uribe individually, to notify and obtain verifiable consent from parents for any child-directed app or website they offer that collects personal information from children under 13. They are also prohibited from using or benefitting from personal data they collected from children under 13 in violation of COPPA, and must destroy that data. The settlement also includes a judgment of $4 million against HyperBeard and Kozachenko, but was suspended upon payment of $150,000 by HyperBeard due to its inability to pay the full amount. If the government finds that the defendants misrepresented their finances, the full amount will become immediately due.
Commissioner Noah Joshua Phillips voted against the settlement and issued a dissenting statement, arguing that the harms in this case did not amount to those in the YouTube and Musical.ly (TikTok) cases from last year, so HyperBeard’s fine should be substantially lower. Musical.ly, for example, paid a $5.7 million fine for allowing children, which made up a substantial portion of its users, to establish public accounts that shared sensitive personal information and allowed them to receive direct messages from strangers. It was also aware of numerous parental complaints. Whereas HyperBeard collected persistent identifiers and used them to show targeted ads to children. It did not share or publicize sensitive personal information and was not a repeat offender.
Despite these differences in allegations, the FTC assessed a substantial $4 million fine against HyperBeard. The FTC’s action should serve as a warning to other online developers that simply saying an app, game, or website is not meant for children under 13 does not exempt them from following COPPA guidelines, when it is clear – based on the facts – that an app targets children.