The second, “KleptoCats,” operated by HyperBeard, Inc., is a children’s game in which the user controls a virtual pet cat. Although the app’s privacy statement excludes children under 13, CARU questioned whether the app nonetheless attracts a substantial number of children under 13, and thus is subject to COPPA regulations. CARU investigated whether KleptoCats collects personally identifiable information from users under 13, without first obtaining parental consent. CARU attempted to engage HyperBeard in its investigation, but the game operator failed to respond. Accordingly, CARU referred the case to the FTC for a full federal investigation.
PUTTING IT INTO PRACTICE: These cases are a reminder that companies receiving a CARU inquiry should take the matter seriously. CARU regularly refers to the FTC those who refuse to cooperate, and the FTC reviews such cases with priority.
Cyber Concerns Lead to EU Recall of a Connected Kids Devices
Posted on February 13, 2019
Citing cybersecurity concerns with a children’s smartwatch, the European Commission recently issued a recall of the device. The Safe-KID-One is a smartwatch that gives parents the ability to track and communicate with their children. According to the European Commission, security issues with the device could allow a hacker to access a user’s data, including location history, phone numbers and serial number. Additionally, the hacker could use the watch to “call another number of his choosing, can communicate with the child wearing the device or locate the child through GPS.” This is one of the first recalls of an internet of things device by the European Commission and puts device makers on notice that they should take cybersecurity seriously when designing new devices.
PUTTING IT INTO PRACTICE: This decision shows the EU’s concerns about security, technology devices, and children. Devices makers should ensure that they have appropriate security measures for their products, especially when directing them to the youth market.
CONSUMER PRIVACY
Is Your Privacy Policy Ready for 2020?
Posted on December 19, 2019
Many organizations are currently focused on updating their privacy policy to include content required by CCPA. While making those edits, now is a good time to take a step back and think more broadly about privacy program and operations generally, and in particular about the non-CCPA parts of your privacy policy.
Under CCPA and general privacy laws, companies want to think about the accuracy of their privacy representations. One area that might be overlooked right now in our focus on CCPA is other statements in the privacy policy, like those companies might make about the US-EU Privacy Shield. Companies participating in that Framework should review the statements they are making about compliance with that program. As we have written about previously, organizations participating in Privacy Shield for data transfer must annually recertify compliance to the Department of Commerce. If your certification has lapsed, or you are not maintaining the underlying compliance required to participate in the program, certain statements in your privacy policy may be viewed as deceptive by the FTC.
  11 Eye on Privacy 2019 Year in Review