Children’s app developer HyperBeard has agreed to pay $150,000 after being accused by the Federal Trade Commission (FTC) of illegally collecting children’s data without parental consent.
HyperBeard‘s website says it’s the largest mobile game developer and publisher in Mexico, with various games such as Axolochi, KleptoCats and NomNoms offered for both Android and iOS users. A recent complaint filed by the Department of Justice (DoJ) claims that the app developer allowed third-party ad networks to collect personal data from children using its apps – without notifying parents or obtaining verifiable parental consent.
“If your app or website is directed to kids, you’ve got to make sure parents are in the loop before you collect children’s personal information,” said Andrew Smith, director of the FTC’s Bureau of Consumer Protection, in a Thursday press release. “This includes allowing someone else, such as an ad network, to collect persistent identifiers, like advertising IDs or cookies, in order to serve behavioral advertising.”
In this case, said “persistent identifiers” were being used on HyperBeard’s apps by third-party ad networks to track online behaviors and consequently deliver targeted advertising to children. The ad networks in question were: AdColony, AdMob, AppLovin, Facebook Audience Network, Fyber, IronSource, Kiip, TapCore, TapJoy, Vungle and UnityAds.
The FTC claimed that this violates the Children’s Online Privacy Protection Act (COPPA), which requires child-directed websites, apps and online services to provide notice of their data-collection practices and obtain parental consent prior to collecting personal information from children under 13. That includes the use of persistent identifiers for targeted advertising.
The FTC alleges that HyperBeard was aware that children were using its kids’ apps and promoted those apps to children, including via kids’ entertainment website YayOMG, between early 2017 through 2019.
“These kids’ apps contain brightly colored, animated characters such as cats, dogs, bunnies, chicks, monkeys and other cartoon characters, and are described in child-friendly terms like ‘super cute’ and ‘silly,'” according to the FTC release. “For example, users of the KleptoCats apps send a cartoon cat out on a mission and the cat returns with surprises that users collect in a virtual room. The apps also allow users to pet, groom, feed and dress their virtual cats.”
Threatpost has reached out to HyperBeard for comment but did not hear back before publication. As of Friday, on its privacy-policy webpage, the company says it only works with ad networks that are fully COPPA compliant.
“Specifically, we have selected ad networks who respect the tag-for-child-directed (TFCD) parameter — aka the ‘COPPA flag’ — on a per-app or per-request basis, so that interest-based advertising is switched off, and personal data collection is restricted,” according to HyperBeard. “In addition, these ad networks are able to categorize and tag their ad creatives by age, so that the ads are appropriate content-wise.”
The settlement included a $4 million penalty – but that will be suspended upon payment of $150,000 by HyperBeard “due to its inability to pay the full amount,” said the FTC. In addition to this fine, HyperBeard must also delete any personal information it illegally collected from children under 13, as well as notify and obtain verifiable consent from parents for any child-directed app or website they offer that collects personal information from children under 13.
Other companies have found themselves in hot water for their collection of children’s data over the past year. TikTok was slapped with an FTC complaint earlier in May, which alleged that the platform failed to adequately protect children’s privacy. Meanwhile, in February, Google faced a lawsuit alleging that it has been covertly collecting data of students via its G Suite for Education program, which offers its productivity services to students for free.
“The FTC’s fine and requirement that unconsented data must be destroyed should be applauded, and a fulfillment of the basic expectations we should have around this topic,” Tim Wade, technical director with the CTO Team at Vectra, told Threatpost. “Collecting data isn’t harmless. The less we accept the passive collection of data without consent the more we can ensure a society that delivers both freedom and equality.”