FTC Busts App Maker For Collecting Kids’ E-mail Addresses

Updated with response from app developer. When it comes to privacy law, the exploding world of mobile apps are pretty much the wild west. There’s no general-purpose federal law regulating privacy-except when it comes to kids. Broken Thumbs Apps, a maker of apps for kids, will have to pay $50,000 for violating the Children’s Online Privacy Protection Act, according to the terms of a settlement made public today.

The slapdown of Broken Thumb Apps, and its parent company W3 Innovations, are reminders that even as the Federal Trade Commission is considering asking Congress for new online privacy regulation, the agency also has rekindled its interest in tougher enforcement of the privacy laws it already is in charge of enforcing-especially ones that affect kids.

This is the second federal enforcement action this year over a COPPA violation. In May, Playdom agreed to pay $3 million to settle FTC charges it illegally collected information from children younger than 13.

The case against Broken Thumbs, though, is the first COPPA enforcement action involving mobile apps, and the agency’s statement made it clear that the same rules that apply on websites matter in the fast-growing app ecosystem. Parental consent is key “whether through a website or a mobile app,” said FTC Chairman Jon Leibowitz in a statement today. “Companies must give parents the opportunity to make smart choices when it comes to their children’s sharing of information on smart phones.”

The apps that got Broken Thumbs Apps in trouble include Emily’s Girl World, Emily’s Dress Up, Emily’s Dress Up & Shop, and Emily’s Runway High Fashion. They were listed in the “Games-Kids” section of Apple’s App Store, from which they were downloaded more than 50,000 times, says the FTC. The problem was that the apps encouraged kids to email comments to “Emily,” and the company “collected and maintained” thousands of childrens’ email addresses as part of that process. The complaint alleges the company ultimately collected more than 30,000 email addresses.

The FTC’s COPPA Rule forbids the collection of any personally identifiable information online from kids younger than 13 without getting parental consent beforehand. The FTC complaint [PDF] also said that setting up a system that allowed kids to post allowing kids to publicly post information on message boards, which collected additional personal information. The system invited (but did not require) children using the system to publish their thoughts on the Emily’s Girl World blog using their full name.

In addition to the $50,000 payment, the settlement will require Broken Thumbs Apps and W3 Innovations to delete all the personal information they’ve collected thus far, and to not violate COPPA any more.

Update. A spokesperson for Broken Thumbs offered an e-mail response to the FTC action this on Tuesday, stating:

Broken Thumbs Apps is a small, family-run mobile application development company. We have created popular apps such as Movie Quizzle, Galaxy Getaway, and Emily’s Dress Up & Shop. We hold ourselves to the highest ethical standards, and our goal as a company is simply to build mobile apps that are fun and engaging for our users. To this end, we provided users with a means of interacting with one another and with our customer service department, which required the collection and retention of users’ email addresses. We did not ask for or collect information about the age of our users because there was no technical or functional need for this information. Our sole purpose in collecting email data was to improve the user experience with our apps; we never used any email address for marketing purposes or sold it to other firms.

Consequently, we were very surprised when we received notice from the FTC about possible COPPA violations. As soon as the FTC informed us of its specific concerns – and long before entry of yesterday’s order – we took corrective action. Any violations were inadvertent. But because our apps may appeal to young people, we have implemented a strict email policy that removes any possibility of collecting and retaining email addresses, even unintentionally, from users under the age of 13.