COPPA

October 2016

Texas AG Settles With Child Tracking App Maker

Texas v. Justa Labs
Justa Labs allegedly collected personal information in child directed apps – apps offering free children’s games – that generated revenue from advertisements and in-app purchases. Juxta Labs also collected personal information through its Jott App – a peer-to-per messaging App that did not rely on WiFi or carrier networks. Personal information collected included e-mail addresses, instant messaging identifiers, screen names, cookies, internet protocol addresses, and GPS coordinates.

Under the terms of the Assurance of Voluntary Compliance (AVC), Juxta Labs Must:

  • Develop and maintain an up-to-date and accurate privacy policy that is clear, conspicuous, and understandable
    • must not misrepresent its data collection practices
  • Obtain Verifiable Parental Consent before collecting personal information from children
  • Implement measures to prevent children from reaching any parent-directed sections of its Apps
    • e.g., an age-gaiting mechanisms that discourages children from falsifying their age
  • Delete any previously collected personal information of children (within 30 days)
    • for its Jott App, Juxta Labs may seek parental consent before deleting
  • Develop, implement, and maintain procedures to ensure its Jott App does not contain networks that are likely to predominantly include Children (e.g., Elementary School networks)
  • Pay $30,000 in civil penalties
    • $15,000 to reimbursement the AG’s office
    • $15,000 to the Supreme Court Judicial Fund

[District Court of Travis County; D-1-GN-16-004940]
jbho: make sure you know what information your apps (or web pages) are collecting – including cookies – on anything that could be considered child-directed – no matter how small a portion of the audience children would actually be.

The order includes in the definition of personal information: “A persistent identifier that can be used to recognize a user over time and across different Web sites or online services. Such persistent identifier includes, but is not limited to, a customer number held in a cookie, an Internet Protocol (IP) address, a processor or device serial number, or unique device identifier.” (emphasis added)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s