Children’s app developer HyperBeard has become the latest company to settle with the Federal Trade Commission for illegally collecting children’s personal data without adequate disclosure and parental authorization, reaching a watered-down $150,000 agreement announced Thursday.

In the United States, the main privacy law governing the online collection, use, or disclosure of children’s personal information is the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule. COPPA and the COPPA Rule require that commercial Websites, online services, and mobile apps directed to children under age 13, or with actual knowledge that a user is under 13, must obtain verifiable parental consent before collecting, using, or disclosing personal information from children. HyperBeard failed to do so, according to regulators.

On Wednesday, the Department of Justice filed a complaint in the U.S. District Court for the Northern District of California on behalf of the FTC. In the complaint, the FTC alleged HyperBeard violated the COPPA Rule by allowing third-party ad networks to collect personal information in the form of persistent identifiers to track users of the company’s child-directed apps, without notifying parents or obtaining verifiable parental consent. The ad networks used the identifiers to target ads to children using HyperBeard’s apps.

“If your app or website is directed to kids, you’ve got to make sure parents are in the loop before you collect children’s personal information,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “This includes allowing someone else, such as an ad network, to collect persistent identifiers, like advertising IDs or cookies, in order to serve behavioral advertising.”

Many of the apps HyperBeard offers are directed to children, including Axolochi, BunnyBuns, Chichens, Claberta, Clawbert, KleptoCats, KleptoCats 2, KleptoDogs, MonkeyNauts, and NomNoms. The apps “contain brightly colored, animated characters—such as cats, dogs, bunnies, chicks, monkeys, and other cartoon characters,” the complaint states. Users of these apps can pet, groom, feed, and dress virtual animals, for example.

The FTC alleges HyperBeard knew children were using its apps and further promoted those same apps to children. From early 2017 through 2019, it promoted its apps on the kids’ entertainment website YayOMG. It also published children’s books and licensed other products, including stuffed animals and block construction sets, based on its apps’ characters, the FTC said.

Controversial penalty amount

The original proposed penalty was $4 million, but the FTC said the amount will be suspended upon payment of $150,000 by HyperBeard “due to its inability to pay the full amount.” The FTC added, however, that the full $4 million penalty would be due if either HyperBeard or its CEO Alexander Kozachenko, who is also named in the complaint, “are found to have misrepresented their finances.” The FTC complaint additionally names HyperBeard Managing Director Antonio Uribe.

The Commission voted 4-1 to authorize the Department of Justice to file the complaint and stipulated final order. In a dissenting statement, FTC Commissioner Noah Joshua Phillips argued the $4 million penalty was too high, given the minimal amount of harm that was caused.

“As I said in the YouTube case, Congress should pay attention to how the FTC is approaching monetary relief, including civil penalties, especially in privacy cases,” Phillips wrote. “In this case, at least, I fear we got it wrong, and so I respectfully dissent.”

In a statement, FTC Chairman Joe Simons countered that “the goal of the civil penalty should be to make compliance more attractive than violation. Said another way, violation should not be more profitable than compliance.” He added that “civil penalties will be an ongoing discussion here at the FTC as we attempt to do justice and achieve meaningful relief for consumers.”

Also under the proposed settlement, HyperBeard, Kozachenko, and Uribe must notify and obtain verifiable consent from parents for any child-directed app or Website they offer that collects personal information from children under 13. They are also prohibited from using or benefitting from personal data they collected from children under 13 in violation of COPPA and must destroy that data.

COPPA enforcement trend

As Compliance Week has previously reported, regulators are stepping up their oversight of children’s online privacy violations during a time when minors are learning remotely, surfing the Web, and socializing online more than ever before due to the coronavirus pandemic. Thus, compliance officers at companies that handle the personal data of minors should reassess their privacy practices accordingly.

Afterall, Hyperbeard is just the latest children’s app developer to get into hot water with the FTC. In May, Swiss-based digital game maker Miniclip reached a settlement for lying about its participation in a children’s privacy self-regulatory program. TikTok is also under greater scrutiny for its children’s privacy practices. And last year, Google and its subsidiary YouTube reached a groundbreaking $170 million settlement to resolve allegations by the FTC and the New York Attorney General that the YouTube video-sharing service illegally collected personal information from children without parental consent.

Hyperbeard’s settlement with the FTC is just the latest reminder that compliance officers in the digital advertising space should review recent enforcement and litigation activity concerning violations of the COPPA Rule and use them as a compliance framework, if necessary, to enhance policies and procedures regarding the collection of children’s data. Companies should also review the FTC’s six-step compliance plan regarding the COPPA Rule.