On July 1, 2021, the Federal Trade Commission (FTC) announced that it settled allegations against Toronto-based Kuuhuub Inc., along with Kuuhuub's Finnish subsidiaries Kuu Hubb Oy and Recolor Oy (together, defendants), that defendants violated the Children's Online Privacy Protection Act Rule (COPPA Rule).1 The FTC alleged that defendants operated a coloring book mobile application that contained a section directed to children, and that defendants violated the COPPA Rule by failing to provide required COPPA notices and obtain verifiable parental consent prior to collecting, using, and disclosing personal information from children. As part of the settlement, defendants must implement new procedures, delete children's personal information, provide in-app notices and issue refunds to consumers, pay a civil penalty, and submit to routine compliance reporting.
The FTC's Complaint
The COPPA Rule applies to online service operators whose service, or a portion of the service, is directed to children under the age of 13 or who have actual knowledge that they collect information from children.2 It imposes rules surrounding the collection, use, and disclosure of personal information collected from children.
According to the FTC's complaint, while defendants' Recolor coloring book app (the App) was advertised as a "coloring book for adults," a portion of the App was directed to children under 13.3 The FTC noted that the App had various categories of pictures that could be colored in. These categories included a "Kids" category that featured simple characters that would appeal to children, including cartoonish animals.4 The complaint also noted that defendants received more than 120 reports by users and parents saying that children were using the App, roughly a dozen of which specifically mentioned children under 13. Although the FTC's complaint did not specifically allege that defendants had actual knowledge that they collected personal information from children under 13, the reports of use by children likely contributed to the FTC's conclusion that the "Kids" section of the App was directed to kids.
The FTC alleged that defendants violated COPPA by improperly collecting, using, and sharing children's personal information. The App contained social media features that enabled users to publish their finished pictures to a gallery and write a caption; import photos from their device, such as a selfie, without review by the company; and like and comment on other users' pictures and follow other accounts.5 To access the App's social media features, users were required to create an account in the App by providing an email address, an account screen name, and an optional user description and profile picture.
The complaint also alleges that the App allowed third-party advertising networks to collect persistent identifiers for targeted advertising.6 The App did not inform networks that a portion of the users were children and did not ask the networks to refrain from using data collected from the App for targeted advertising. While users could buy subscriptions to remove advertisements, a subscription was not necessary in order to use the App.7
The complaint further alleged that, notwithstanding the defendants' collection of personal information from children—including first and last name, photographs, content of comments, descriptions of artwork, and persistent identifiers—defendants did not provide a sufficient general COPPA notice and a direct COPPA notice to parents or obtain verifiable parental consent.8
The Consent Order
Compliance with COPPA
As is customary in all COPPA consent orders, the order enjoins defendants from violating COPPA in the future, including by failing to provide COPPA-required privacy notice to parents; failing to obtain verifiable parental consent prior to processing personal information from children; failing to delete a child's personal information at the request of a parent; or retaining children's personal information for longer than is reasonably necessary to fulfill the purpose for which the information was collected.9
Deletion Requirements
The order also requires defendants to delete all previously-collected personal information associated with children who created accounts on the App with a few exceptions, such as allowing the transfer of art from the platform to a device with the user's consent.10 Presumably because defendants do not have any way of reliably knowing whether an account was created by a child, the FTC included a proviso that allows defendants to comply with the deletion requirement by: (1) running search terms "or an equivalent method" approved by the FTC in order to identify child-created accounts, and delete information associated with those accounts; and (2) deleting personal information associated with a user's account where defendants have "actual knowledge" or "knowledge fairly implied on the basis of objective circumstances" that an account was created by a child. In addition, defendants must instruct third parties that received personal information from such accounts to delete personal information associated with those accounts.
Refunds to Users Under the Age of 13
If current users have a subscription and that subscription was purchased when the user was under the age of 13, the order allows the user or their parent to cancel the subscription and receive a refund.
In-App Notice to Users
Additionally, the order requires defendants to show an in-app pop-up alert and news feed post notifying users that, under the terms of defendants' settlement with the FTC: (1) if the user's child was under 13 when using the App, the user can ask defendants to delete personal information associated with the user account by contacting customer service; and (2) if the user's child was under 13 and signed up for a subscription, the user can cancel the subscription and submit a refund request through customer service.
Monetary Penalty
Finally, defendants must pay a $3,000,000 civil penalty, which will be suspended upon paying $100,000 due to their inability to pay the full amount, and undergo a 10-year period of compliance reporting.11
Key Takeaways
This consent order goes beyond the scope of previous FTC COPPA consent orders. Typically, where a general audience service contains a portion of the service that is child-directed, COPPA requires the operator to treat all data collected from that portion of the service as collected from a child. The operator can presume that data collected outside of that portion of the service belongs to an individual age 13 or older. Here, the FTC's order goes a step further and requires defendants to conduct an investigation to determine which accounts appear to belong to children, and to delete all information associated with those accounts. This order is also novel in that it requires defendants to issue refunds for subscriptions purchased by children, a remedy that has not previously appeared in COPPA settlements.
Finally, this is the first COPPA consent order to contain a notice provision, in that it requires defendants to display an in-app notice regarding the settlement for 180 days. These expansive remedies signal the FTC's continued focus on COPPA enforcement, with potentially far-reaching consequences for non-compliance.
To mitigate risks of an FTC COPPA enforcement action, online services such as mobile apps, both based in the United States and abroad, should determine whether their service risks falling within the scope of the COPPA Rule. Even if a service advertises itself as intended for adults, the service still faces risks if it contains features that are geared toward children—even if those features are just a portion of the service.
Companies that want to avoid COPPA's application should consider steps such as:
- designing their online services so that neither the service as a whole nor any specific feature or section stands out as appealing to children;
- explicitly prohibiting users under the age of 13 through the product's terms of service and through a neutral age screen where appropriate;
- assessing whether extrinsic evidence exists demonstrating that the service is used by kids; and
- creating policies for deleting user information and closing user accounts if the company receives a report or other indication that a user is under 13 years of age.
Companies that are COPPA-covered must comply either by avoiding collecting personal information unless an exception applies (online services with social media features often do not qualify for such exceptions) or by meeting COPPA's parental notice and consent requirements.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues and has assisted numerous clients regarding the COPPA Rule. For more information, please contact Tracy Shapiro, Chris Olsen, Libby Weingarten, Lydia Parnes, or another member of the firm's privacy and cybersecurity practice.
[1]See Online Coloring Book app Recolor Settles FTC Allegations It Illegally Collected Kids’ Personal Information (July 1, 2020), https://www.ftc.gov/news-events/press-releases/2021/07/online-coloring-book-app-recolor-settles-ftc-allegations-it.
[3] Complaint for Civil Penalties, Permanent Injunction, and Other Equitable Relief, Case Number 1:21-cv-01758 (6/30/21), https://www.ftc.gov/system/files/documents/cases/1823184recolorcomplaint.pdf at 5.
[9] Stipulated Order for Permanent Injunction and Civil Penalty Judgement, Case No. 21-cv-01758 (6/30/21), https://www.ftc.gov/system/files/documents/cases/1823184recolorstipulatedorder.pdf at 10.
