New Jersey’s Attorney General Jeffrey Chisea and the state’s Division of Consumer affairs have filed suit in federal court against smart-phone app-provider 24x7digital LLC, to enjoin its alleged violation of the Children’s Online Privacy Protection Act (COPPA) and the Federal Trade Commission’s (FTC) COPPA Rule. In the complaint, the state alleges 24×7 violates the statute and rules – which allow enforcement by the FTC and state regulators – by offering educational apps targeted to children that collect their personally identifiable information (PII), which is transmitted also to a third-party data-analyst, without notice to or consent from players’ parents. The case is significant because, while the FTC has brought a number of enforcement actions, the statute does not directly allow private causes of action – only enforcement by the FTC and state regulators. There has thus been no real case-law guidance on how the COPPA and the COPPA Rule apply, outside that developed in FTC-originated proceedings.
24x7digital is the developer, provider, and operator of the TeachMe series of apps for smart-phone and tablet devices. The series uses educational games to teach basic subjects like the ABCs, phonics, shapes, colors, counting, sight-words, reading, addition and subtraction, to toddlers, kindergarteners and first- and second-graders. According to the complaint, 24×7 promotes the apps as having a “simple and intuitive” interface that “allows children to play without help from an adult.” The complaint also alleges the apps encourage and/or enable players to provide their first and last names, and a picture of themselves, and that the apps collect the unique device identification number (UDID) for the mobile device a player uses, and that the profile and UDID are transmitted to a third-party data analytics company. It further alleges this activity occurs without notice on 24×7’s website or in its apps, or direct notice to parents, what children’s PII is collected, or how it is used and/or disclosed.
All of this, alleges New Jersey, violates COPPA and the COPPA Rule insofar as the games target children under 13 and the PII is thus collected and disclosed without first obtaining verifiable parental consent. It is fair to wonder, of course, how toddlers, kindergartners, and first- and second-graders are getting the TeachMe apps in the first place, if not through their parents, and how those too young to read and write create profiles containing PII without parental assistance (COPPA only regulates the collection of children’s PII from the child directly, not its collection from parents or others). In any event, the state’s suit seeks to enjoin 24x7digital from continuing to violate COPPA and the Rule in this manner, from offering apps in the future that do so, and from keeping any PII it has collected to date in violation the statute and Rule. The state also has indicated it continues to investigate other apps and their possible unlawful collection and/or disclosure of users’ PII.
It will be interesting to see if this case leads to a quick settlement (or default), or if a defense will mount that results in law being made in this area. To date, FTC enforcement actions generally have resolved through consent decrees, which accordingly embody essentially the FTC’s view of how the statute and rule works, without creating a body of law explicating their effect, or through default or other similarly minimally-litigated judgments, that likewise do not test COPPA and the COPPA Rule through the prism of competing views resolved by a court of law. Chisea v. 24x7digital thus becomes a case to watch for its potential to provide such guidance.