In late December 2014, the FTC staff sent China-based mobile app developer BabyBus a letter warning the company that several of its apps may violate the FTC’s Children’s Online Privacy Protection Act (COPPA) Rule. Staff alleged that the apps are marketed for young children and “use cartoon characters to teach children letters, counting, shapes, music, and matching.” The FTC claimed the company must comply with the COPPA Rule’s notice, verifiable parental consent, and other requirements because some of the apps collect precise geolocation information that is shared with third parties, such as advertising networks or analytics companies. The letter warned that staff will review the apps again and encouraged the developer to take steps to comply with COPPA.
The FTC has never brought an enforcement action alleging violations of COPPA against a foreign-based company. However, FTC staff previously has stated in informal guidance that foreign-based websites and apps are subject to COPPA if they either are directed to children in the U.S. or knowingly collect personal information from children in the US. For example, COPPA FAQ B.7 states:
7. The Internet is a global medium. Do websites and online services developed and run abroad have to comply with the Rule?
Foreign-based websites and online services must comply with COPPA if they are directed to children in the United States, or if they knowingly collect personal information from children in the U.S. The law’s definition of “operator” includes foreign-based websites and online services that are involved in commerce in the United States or its territories. As a related matter, U.S.-based sites and services that collect information from foreign children also are subject to COPPA.
In addition, shortly after the revised COPPA Rule was adopted, the FTC staff sent letters to multiple foreign-based companies whose mobile apps collect persistent identifiers or photographs, videos, and audio recordings of children. Those letters emphasized that the FTC had not evaluated the apps or the companies’ practices to determine if they comply with the COPPA Rule, but reminded the companies that if their apps collect, use, or disclose children’s personal information, they must comply with the revised COPPA Rule.
Notwithstanding this nonbinding, informal guidance, the FTC likely would face a number of practical challenges in enforcing COPPA against a foreign company, including, for example, the requirement that a US court have personal jurisdiction over the defendant.
FTC enforcement, however, is only one potential risk. After the letter was published, Google suspended the BabyBus apps from the Google Play app store. In response, BabyBus issued a statement that geolocation information was collected only on the Google Android platform “due to the Android’s third party statistics software plug-in.” BabyBus stated that it has updated the apps to come into compliance.