CONGRESS IS eyeing a federal privacy framework for 2019. But what about the laws already on the books? Demands for an investigation into Google’s marketing of children’s apps in its mobile store could offer legislators some lessons.
Comprehensive privacy rules for the United States are necessary precisely because the current rules cover only information or populations deemed especially sensitive. One of those populations is children, and the Children’s Online Protection Privacy Act was passed in 1998 to prohibit sites from collecting their identifying data without parental consent. But according to a filing to the Federal Trade Commission by 22 children’s and consumer organizations, many apps gather that data anyway — from ID numbers, to addresses, to location, to the photos on a game-player’s smartphone.
Google is not responsible under COPPA for the actions of untrustworthy apps; the apps themselves are the only ones breaking that law. (The tracking of children on YouTube, which is owned by Google, is another question.) But the complainants allege that, by labeling a section of its store child-friendly and then allowing COPPA violators to appear there, Google is misleading consumers. They want the FTC to step in, and three Democratic senators have joined in the call. Google says it has removed thousands of noncompliant apps in the past year and has already begun removing those listed in last week’s filing.
This debate should be particularly interesting to lawmakers seeking to craft broader regulations for consumer protection. First, there is the question of Google’s role as a gatekeeper, particularly when its own ad platform is integrated with many of the apps in its stores. Making Google and other software companies, such as Apple, liable for all of the content they host would hurt more than help. But the companies’ conflicting interests are an argument for increased oversight of app stores. And companies should be held to account when they are demonstrably negligent in enforcing their standards.
Last week’s complaint also presents an enforcement issue. The FTC has taken some action against developers in the past for sharing children’s information with advertisers, but the problem persists, and at scale: A study in April found that a majority of the popular apps that researchers surveyed were potentially in violation of COPPA. The FTC has been granted the fining and rulemaking authority under COPPA that many legislators presumably would grant it under a federal privacy law. Still, its efforts so far have not been an effective deterrent, and Congress will have to ask why.
COPPA is two decades old, and it requires modernization that ought to occur alongside Congress’s broader privacy efforts next term. But its provisions nonetheless should remind lawmakers of an important reality: How companies are held to account for violating a law is as important as the law itself.