The Federal Trade Commission staff has sent “educational” letters to more than 90 businesses that may be affected by the revisions to FTC’s Children’s Online Privacy Protection Act rules that take effect on July 1, 2013. For a summary of the extensive changes, see http://www.wileyrein.com/publications.cfm?sp=articles&newsletter=4&id=8582.)
In its letters, which were sent to mobile app developers, the FTC notes the new requirements imposed on app developers, triggered by the agency’s expansion of the definition of personal information to reach items that previously fell outside of the definition, including: screen or user names that function as online contact information, cookies, IP addresses, and mobile device IDs.
If an app collects any of these types of “ID,” they are subject to the new regulation even if they do not collect names and emails addresses or any other information from children under 13.
The letters also noted other requirements, including the need to give notice and obtain consent, to disclose data only to entitities that can keep it secure, and new data retention and deletion requirements.
Clearly, the companies that received these letters are on notice that they are in the FTC’s sights. And the FTC has not been reticient about bringing enforcement actions.
But just because you do not receive such a warning letter does not mean that your app is in the clear. There are millions of apps and websites, and the FTC will surely be looking for ripe, easy targets to set some examples.