The Office of Maryland Attorney General Douglas Gansler announced this week that it reached a settlement with SnapChat over allegations including violations of the Children’s Online Privacy Protection Act of 1998. The settlement is notable in that it continues a trend of companies offering apps running into COPPA legal difficulties.
SnapChat is an app that extremely popular with kids of all ages. The app allows a user to take a picture, create a video or write text and then send it to other people. Most smartphones have this functionality, but SnapChat offers a twist. The content sent by the user is automatically deleted between 1 to 10 seconds after being viewed by the recipient.
Or is it?
SnapChat relies heavily on its claim that the content sent by one user to another is “deleted forever.” This claim is very attractive since it eliminates the concern many people have that things they say or send online might come back to bite them in the future.
Unfortunately, the “delete forever” claim does not hold water. The problem is recipients of “snaps” can copy and save the snaps and redistribute the content before the deletion period of one to 10 seconds runs out. Instead of “delete forever”, SnapChat marketing should suggest it “might delete” the content sent by users. The FTC apparently agrees with this position since it recently charged SnapChat with deceptive practices in relation to the delete forever claim, a charge the company settled.
As previously mentioned, SnapChat is incredibly popular with kids of all ages. In pursuing SnapChat, Attorney General Gansler alleged company executives and employees knew kids under 13 were using the app, but failed to obtain verified parental consent from parents before collecting the personal information of the kids in question.
In settling the claims, SnapChat did not admit to any COPPA violations. A closer look at the settlement terms, however, suggests the law was central to the settlement process since SnapChat agreed to:
- Take specific steps mandated in the settlement agreement to prevent kids under 13 from opening accounts for a period of 10 years;
- Obtain affirmative consent from users prior to collecting and saving any personal information; and
- Pay a fine of $100,000 to the State of Maryland.
The first lesson to take from this enforcement action is it doesn’t really matter if your site or app is directed at kids when determining if COPPA applies. If you know or should know kids under 13 years are opening accounts, then compliance is a must.
The second lesson is the FTC is not the only agency you need to be concerned about with children’s privacy issues. More states are bringing enforcement actions against businesses each year, a trend that will surely continue in the future.
As for SnapChat, the company hardly had devious motives when it came to collecting personal information from kids under 13. This is more of a situation where the management was naïve regarding the law. Unfortunately, naivety is not a defense to an enforcement action and the company is lucky it only had to pay a $100,000 fine and undertake a specific COPPA compliance protocol.