It's getting easier and easier to gloss over media reports of online privacy scandals, given how common they are becoming – "SHOCK HORROR! FREE APP USES CUSTOMER DATA FOR ADVERTISING!"
But there are still important lessons to learn whenever a social media platform or an app developer slips up on privacy – if for no other reason than to allow others to take a quick peek at their own behaviour and tidy things up where needed.
Silicon Valley company Path is the latest app developer to take one for the team in the interests of industry education, having been fined US$800,000 by the Federal Trade Commission (FTC) for a raft of privacy breaches.
The main offence was that Path's iOS app accessed and copied customers' contacts data without permission (nothing new there), but the company was also collecting personal information about children under the age of 13 without parental consent – something that is illegal in the United States.
The Children's Online Privacy Protection Act (COPPA) is enforced by the FTC and applies to any commercial website or online service which is 'directed at' children under the age of 13, or any website or online service where the operator has actual knowledge it is collecting personal information from children.
Where it applies, COPPA sets out minimum content that must be included in a privacy notice – not only for the child's attention, but also in a separate notice to be sent to the child's parent. The operator must then obtain "verifiable consent" from the parent before it can collect or use the child's personal information. The required form of consent – and method of verification – will differ depending on how sensitive the information is and what it might be used for, but it will generally involve something more than getting the parent to send an email (e.g., a follow-up confirmation by phone).
Whether a website or service is directed at children will be fact-specific, but the factors considered by the FTC include the subject matter of the site or service, its audio or visual content, language, the nature of any advertising and any other child-oriented features (such as the use of animated characters).
Even if a website or app isn't directed at children, if an operator later becomes aware that the personal data they've collected includes information about children (as was the case with Path), then COPPA will apply – though chances are that by then it will be too late to do anything about compliance.
So there's probably a choice to be made for any website or app developer looking to gather a following in the US – either get your privacy notices COPPA-compliant from day one, or make your site or app adults-only by blocking access or registration to anyone under the age of 13.
After all, someone's got to think of the children.
Allan Yeoman is a senior associate at law firm Buddle Findlay, specialising in media and technology.