August 6, 2020

Volume X, Number 219

August 06, 2020

Subscribe to Latest Legal News and Analysis

August 05, 2020

Subscribe to Latest Legal News and Analysis

August 04, 2020

Subscribe to Latest Legal News and Analysis

FTC COPPA Settlement with App Developer Highlights Penalty Policy Considerations

A recent Federal Trade Commission (FTC) settlement with an online game company that allegedly tracked children illegally highlights some important questions, namely, how should the FTC assess the penalties it imposes for privacy violations, and what is the most effective way to both deter and punish companies for such violations?

The complaint in question was filed by the Department of Justice (DOJ) on behalf of the FTC. It charged mobile game developer Hyperbeard, Inc. and its principals with allowing third-party ad trackers to collect children’s personal information without first obtaining verifiable parental consent, in violation of the Children’s Online Privacy Protection Act Rule (COPPA Rule). The COPPA Rule requires that websites and online service providers obtain verifiable parental consent before collecting personal information from children under 13. The FTC alleged that Hyperbeard not only knew that children were using its apps, which used animated animal cartoon characters and child-friendly language, but also created products specifically for kids based on the characters. Hyperbeard also neglected to tell its ad networks that the apps were often child-directed and therefore subject to COPPA, according to the complaint.

The proposed settlement, which bars Hyperbeard and its officers from collecting, benefitting from, or using personal information from children under 13, included a civil penalty of $4 million, which was reduced to $150,000 because of Hyperbeard’s inability to pay. This amount is less than 4% of the stated civil penalty. While the FTC voted 4-1 in favor of the stipulated final order, the outcome sparked a disagreement between FTC Chair Joe Simons and Commissioner Noah Phillips over penalties. Commissioner Phillips and Chairman Simons both issued statements outlining considerations that should underpin the FTC’s approach to remedying and deterring privacy violations.

In his dissent, Commissioner Phillips took a harms-based stance, arguing that the initial $4 million penalty was excessive in relation to the extent of consumer harm caused by Hyperbeard’s violations of the COPPA Rule. Phillips decried what he described as a “recent push to heighten financial penalties even where the law permits only equitable relief, without clear direction other than to maximize the amount in every case,” which he views as potentially unfair and counterproductive – a position he also took regarding YouTube’s settlement with the FTC last September. Chairman Simons addressed Commissioner Phillip’s criticisms directly with a statement of disagreement. Simons expressed the view that the $4 million fine was appropriate because, while harm was an important factor, deterrence was the key priority. “If our goal is to make compliance more attractive than violation, we should also consider the cost and effect of the other sanctions imposed in the context of an enforcement action,” he wrote.

Protecting privacy and safeguarding sensitive information – particularly where children are concerned – are vital goals of the FTC, and those goals are shared by responsible businesses. But in crafting public policy, it is equally important that penalties for alleged privacy violations are appropriate and consistent. The debate over whether a harms-based or deterrent approach should prevail is not likely to be resolved soon, and is part of a larger conversation about how to balance competing public policy considerations where privacy violations are concerned that is likely to play out in continued legislative discussions as well as within the FTC.

© 2020 Keller and Heckman LLPNational Law Review, Volume X, Number 170


About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association