Earlier this month, HyperBeard, Inc., a developer of popular children’s mobile applications, agreed to settle with the Federal Trade Commission (FTC) over allegations of its failure to comply with the Children’s Online Privacy Protection Act (COPPA) Rule. HyperBeard agreed to pay $150,000 in fines and to delete the information allegedly obtained from children under 13 years old without proper parental consent.
Notably, the case against HyperBeard arose out of a joint referral directly from the Children’s Advertising Review Unit (CARU) and Digital Advertising Accountability Program (DAAP). In March 2019, CARU initially investigated the game KleptoCats. Although the app’s privacy statement excludes children under 13 from playing, CARU questioned whether the app nonetheless attracts a substantial number of children under 13 and thus is subject to COPPA. CARU investigated whether KleptoCats collected personally identifiable information from users under 13 without first obtaining parental consent. At the time, CARU attempted to engage HyperBeard in its investigation, but the game operator failed to respond and simply ignored CARU. Accordingly, CARU referred the case to the FTC for a full federal investigation.
In a complaint filed by the DOJ on behalf of the FTC, the DOJ alleged that HyperBeard violated the COPPA Rule by allowing third-party ad networks to collect personal information in the form of persistent identifiers to track users of the company’s child-directed apps, without notifying parents or obtaining verifiable parental consent. The ad networks used the identifiers to target ads to children using HyperBeard’s apps. The complaint is notable in that the FTC did not claim that HyperBeard itself collected any personal information from children—rather, the alleged violations centered on the company enabling third parties to collect personal information from children through its service.
In the press release announcing the settlement, Andrew Smith, Director of the FTC’s Bureau of Consumer Protection, noted: “If your app or website is directed to kids, you’ve got to make sure parents are in the loop before you collect children’s personal information. This includes allowing someone else, such as an ad network, to collect persistent identifiers, like advertising IDs or cookies, in order to serve behavioral advertising.”
Generally speaking, COPPA requires that child-directed websites, apps and online services provide notice of their information practices and obtain parental consent prior to collecting personal information from children under 13 years of age, including the use of persistent identifiers for targeted advertising.
According to the complaint, the FTC believes that many of the apps HyperBeard offers are directed to children, including Axolochi, BunnyBuns, Chichens, Claberta, Clawbert, KleptoCats, KleptoCats 2, KleptoDogs, MonkeyNauts and NomNoms. These kids’ apps contain brightly colored animated characters such as cats, dogs, bunnies, chicks, monkeys and other cartoon characters, and are described in child-friendly terms such as “super cute” and “silly.” For example, users of the KleptoCats apps send a cartoon cat out on a mission and the cat returns with surprises that users collect in a virtual room. The apps also allow users to pet, groom, feed and dress their virtual cats.
The FTC alleges that HyperBeard was aware that children were using its kids’ apps and promoted those same apps to children. From early 2017 through 2019, it promoted its apps on the kids’ entertainment website YayOMG. It also published children’s books and licensed other products, including stuffed animals and block construction sets, based on its apps’ characters.
As part of the proposed settlement, HyperBeard is required to notify and obtain verifiable consent from parents for any child-directed app or website it offers that collects personal information from children under 13. The company is also prohibited from using or benefiting from personal data it collected from children under 13 in violation of COPPA, and must destroy that data. The settlement included a $4 million penalty, which was suspended upon payment of $150,000 by HyperBeard due to its inability to pay the full amount.
Why it matters: 2020 continues to be a banner year for COPPA enforcement. All of this attention in 2020 can be linked back to several high-profile FTC COPPA enforcement actions from 2019. Popular short-form video app TikTok agreed in February 2019 to a $5.7 million settlement with the FTC after it was accused of collecting personal information of children under age 13 without consent via an integrated karaoke app called Musical.ly. The TikTok settlement was nearly double the largest prior COPPA settlement. Also, in September 2019, the FTC announced a record $170 million settlement with Google and YouTube after allegations that YouTube’s video-sharing service illegally collected personal information from children without parental consent—by far the largest such settlement since COPPA was enacted.
In the wake of the COVID-19 pandemic and home quarantines, children are spending significantly more time on digital devices, for both education and entertainment purposes—which has now caused the FTC to ramp up its COPPA enforcement efforts. The case against HyperBeard underscores that developers of child-directed services must not allow third-party interest-based advertising unless they meet COPPA’s parental notice and consent requirements, and that COPPA enforcement remains an FTC priority while COPPA is under FTC review. However, it is important to note that HyperBeard could have entirely avoided this case and paying fines had it just been willing to work with CARU after CARU notified HyperBeard last year that the KleptoCats app violated COPPA. Responding to CARU would clearly have been the way to go in order to avoid the significant time and resources the company ended up investing in defending and settling an FTC enforcement action.