Who’s Getting Fined for COPPA Violations, and How To Avoid Their Fate
Navigating the ever-changing world of data privacy can seem like a minefield for mobile apps. The whole business can be daunting, especially for smaller publishers and indie developers, for whom a single penalty can mean the end of the company. What regulations does your app fall under, if any? Can you still be liable for COPPA violations if your app isn’t based in the US? (Yes!) Are you liable if data violations are perpetrated by a 3rd-party SDK? (Yes!) What’s the difference between COPPA and GDPR-K?
Looking to the large tech companies that dominate the industry is no help, as many of them are repeat offenders when it comes to privacy regulations. Still, it can be useful for educational purposes to stay on top of high-profile companies that are being fined for COPPA and GDPR violations, just so you can know what to avoid doing.
WhatsApp – €225 Million
Starting with the most recent case, WhatsApp received a €225 million fine in Ireland for data protection breaches. (Unsurprising, for an app owned by Facebook, perpetrator of the data privacy breach so notorious it caused the Trump presidency and Brexit.)
Apparently the fine was a long time coming, as complaints had been filed against Facebook as well as WhatsApp and Instagram (both owned by Facebook) back in 2018. Their violation of data privacy came in the form of
“using a strategy of ‘forced consent’ to continue processing the individuals’ personal data — when in fact the law requires that users be given a free choice unless a consent is strictly necessary for provision of the service.”
The Irish Data Protection Commission (DPC) ascertained that WhatsApp was failing to be transparent about what happens to the user data it collects, and under what circumstances it shares that data with Facebook. It therefore levied a €225 million fine on WhatsApp. And while this may seem like a sizeable deterrent to future data privacy abuse, others have pointed out that a) the DPC dragged its feet for 3 years before levying the penalty, and b) the DPC initially proposed a mere €50 million.
Still, this GDPR penalty is a landmark case, marking the first time the Irish DPC has followed through on a major GDPR decision.
TikTok Sued for Billions
TikTok is another repeat offender who seems to treat the repercussions of privacy violations as a fee they have to pay to continue their unethical data practices. As of April 2021, they are being sued for GDPR violations on behalf of child users in the UK and EU. TikTok has long fallen afoul of GDPR, and this lawsuit covers a wide range of shady data-processing behavior by parent company ByteDance.
TikTok is being accused of harvesting children’s personal information, exact location, biometric data, and other contact information without obtaining parental consent first. Moreover, like WhatsApp, they have failed to provide any sort of transparency about what they do with that data.
ByteDance has been fined by the FTC in the past for COPPA violations, including knowingly hosting content by users younger than 13 and selling their data to advertisers for the purpose of sending targeted ads. They have also failed to delete the data of underage users, even when requested to by those users’ parents.
The current lawsuit is on behalf of all children who have used TikTok since May 25, 2018, who could be entitled to thousands of pounds each.
Kuuhuub Inc. – $3 million
In July 2021, Kuuhuub Inc., the publisher behind the popular coloring app Recolor, received a $3 million penalty from the FTC for COPPA violations. Although the app is for the most part directed at adults, one section of it is specifically aimed at children, and Kuuhuub was processing the data of users younger than 13 without any provisions for gaining parental consent beforehand. Moreover,
“[Recolor] allowed third-party advertising networks to collect personal information from users in the form of persistent identifiers, also known as cookies, for targeted ads. The companies failed to instruct the ad networks to refrain from using children’s persistent identifiers for behavioral advertising… [and] failed to provide notice to parents or obtain verifiable parental consent before collecting personal information from underage users of the Recolor app.”
Because Kuuhuub is unable to pay the full amount, the remainder of the penalty will be suspended once it has paid $100,000. Although Kuuhuub had various compliance failures that earned it its fine, it’s worth noting that the main privacy violation was actually carried out by 3rd-party advertisers.
Google and YouTube – $170 million
Google is another repeat offender, and in 2019 YouTube agreed to pay a $170 million fine to the FTC for violating COPPA. This was the largest civil penalty ever paid for a children’s privacy violation. (The record was previously held by TikTok.) YouTube was found to have knowingly processed children’s data without their parents’ consent, for the purpose of sending them targeted ads.
Following the settlement, YouTube introduced a requirement that all content creators identify content aimed at children, so that targeted ads are not served on those videos. Many view this as YouTube shifting its responsibilities onto individual creators, who may be confused about what they are and aren’t liable for.
In more recent COPPA news, Google is also being sued by New Mexico’s attorney general for its failure to protect children’s privacy in kids’ apps available on Google Play. A shocking 20% of apps aimed at kids on Google Play were found to be violating COPPA. Half of these are collecting data from children without any privacy measures in place, while 9% had embedded SDKs that could potentially do so. Crucially, many of the apps and developers that have been penalized by the FTC for privacy regulation violations were technically violating the rules by proxy, with 3rd-party SDKs being the actual culprit.
Still, this is one of the many factors you will have to keep in mind if your mobile app is processing user data for any purpose. If you would like to learn more about how to get compliant with COPPA, HIPAA, GDPR, and any other local data privacy regulations, get in touch with the team at OpenBack and we’ll set you up with a free demo of our mobile engagement platform, which is fully compliant by default.