Peter A Clarke

Protection of children’s privacy has been the subject of increasing focus by regulators worldwide. In Australia under the Privacy and Other Legislation Amendment Act 2024 the Office of the Australian Information Commissioner (OAIC) must develop a Children’s Online Privacy Code by 10 December 2026. The Code will specify how online services accessed by children must comply with the Australian Privacy Principles impose additional requirements provided they are not inconsistent with the existing principles. Legislation protecting children’s privacy has been in place in the United States for some time with legislation including the Children’s Online Privacy Protection Rule (“COPPA”). Recently the Federal Trade Commission (“FTC”) has taken action against Disney and Apitor, a robot toy maker, regarding unlawful collection of their personal information.

Complaint against Disney

Disney has entered into a settlement with the FTC to settle allegations that it enabled the unlawful collection of Children’s personal information in breach of COPPA.  The breach was Disney allowing the collection of children’s personal information while they watched kid directed videos on You Tube without parental consent.  

The media release provides:

Disney will pay $10 million to settle Federal Trade Commission allegations that the company allowed personal data to be collected from children who viewed kid-directed videos on YouTube without notifying parents or obtaining their consent as required by the Children’s Online Privacy Protection Rule (COPPA Rule).

The proposed order would transform how the entertainment behemoth designates videos on YouTube as “Made for Kids,” while encouraging adoption of age assurance technologies on YouTube.

A complaint, filed by the Department of Justice upon notification and referral from the FTC, alleged that Disney Worldwide Services, Inc. and Disney Entertainment Operations LLC (Disney) violated the COPPA Rule by failing to properly label some videos that it uploaded to YouTube as “Made for Kids.” The complaint says the mislabeling allowed Disney, through YouTube, to collect personal data from children under 13 viewing child-directed videos and use that data for targeted advertising to children. Disney receives a portion of the revenues that YouTube generates from advertising placed with Disney videos and revenues from advertising that Disney sells directly. The mislabeling also exposed children to age-inappropriate YouTube features like autoplay to videos not “Made for Kids.”

“This case underscores the FTC’s commitment to enforcing COPPA, which was enacted by Congress to ensure that parents, not companies like Disney, make decisions about the collection and use of their children’s personal information online,” said FTC Chairman Andrew N. Ferguson. “Our order penalizes Disney’s abuse of parents’ trust, and, through a mandated video-review program, makes room for the future of protecting kids online—age assurance technology.”

The COPPA Rule requires websites, apps and other online services that are directed to children under 13 to notify parents about what personal information they collect and obtain verifiable parental consent before collecting such information.

Following a 2019 settlement with the FTC over allegations it violated COPPA, YouTube began requiring content creators, including Disney, to indicate if the videos they upload to YouTube are “Made for Kids” (MFK) or “Not Made for Kids” (NMFK) in order to comply with COPPA. The designation ensures that some features on videos that are classified as MFK are disabled. For example, YouTube does not collect personal information or serve personalized ads to viewers watching videos marked as MFK and does not allow for comments to be posted to those videos, according to the Disney complaint.

To comply with YouTube’s policy, content creators can mark each individual video or mark a particular channel as MFK or NMFK. If a channel is MFK or NMFK, every video uploaded to that channel is marked the same way by default. YouTube, however, has warned content creators that they are responsible for ensuring that all the videos they post are accurately classified, according to the complaint.

According to the complaint, Disney chose to mark all of its videos uploaded to YouTube at the channel level and did not change the default to mark each video individually. The complaint alleged that Disney uploaded many videos directed to children to Disney channels labeled as NMFK, thereby labeling them by default as NMFK.

According to the complaint, even after being told by YouTube in mid-2020 that YouTube had changed designations on more than 300 Disney videos from NMFK to MFK, Disney did not change its policy of designating videos at the channel level and continued to fail to properly designate individual videos as MFK. These videos included child-directed subject matter, visual content, and music from The Incredibles, Coco, Toy Story, Frozen, and Mickey Mouse.

Under the proposed settlement, Disney will be required to:

• • Pay a $10 million civil penalty for allegedly violating the COPPA Rule;
  • Comply with the COPPA Rule, including by notifying parents before collecting personal information from children under 13 and obtaining verifiable parental consent for collection and use of that data; and
  • Establish and implement a program to review whether videos posted to YouTube should be designated as MFK—unless YouTube implements age assurance technologies that can determine the age, age range, or age category of all YouTube users or no longer allows content creators to label videos as MFK. This forward-looking provision reflects and anticipates the growing use of age assurance technologies to protect kids online.

The FTC will be taking action against Apitor, a robot toy maker for permitting a third party in China to use its app to collect geolocation information of children. 

The FTC’s media release provides:

The Federal Trade Commission is taking action against robot toy maker Apitor Technology over allegations that its app enabled a third party in China to collect geolocation information from children without parental consent.

A complaint, filed by the Department of Justice upon notification and referral from the FTC, alleges that despite claims in Apitor’s privacy policies that it complies with Children’s Online Privacy Protection Rule (COPPA Rule), Apitor failed to notify parents and obtain their consent before collecting, or causing a third party to collect, geolocation data from children as required by COPPA.

“Apitor allowed a Chinese third party to collect sensitive data from children using its product, in violation of COPPA,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “COPPA is clear: Companies that provide online services to kids must notify parents if they are collecting personal information from their kids and get parents’ consent—even if the data is collected by a third party.”

China-based Apitor sells robot toys targeted to children ages 6-14 and includes a free companion mobile app that allows users to program and control the toys. The complaint alleges that:

• • Users with Android devices are required to enable location sharing to use the Apitor app and connect their toy.
  • Apitor integrated a third-party software development kit called JPush into its app that allowed JPush’s developer to collect location data and use it for any purpose, including advertising.
  • After Android users download the Apitor app, it begins collecting and sharing users’ precise location data with JPush’s servers, unbeknownst to child users and their parents.
  • Throughout this process, Apitor failed to notify parents that a third party was collecting geolocation information and obtain parents’ consent before collecting this data from children under the age of 13, as required by COPPA.

As part of a proposed order settling the allegations, Apitor will be required to ensure that any third-party software it uses is in compliance with the COPPA Rule. Other provisions of the proposed order include a $500,000 penalty, which will be suspended because of the company’s inability to pay. Apitor will be required to pay the full amount if it is found to have lied about its finances. Apitor also will be required to delete any personal information the company collected in violation of COPPA unless it notifies parents and obtains their consent.

In addition, Apitor must comply with COPPA by:

• • notifying parents before Apitor collects, or permits collection on its behalf, of personal information from children under 13;
  • obtaining verifiable parental consent before Apitor, or another party acting on Apitor’s behalf, collects, uses, or discloses personal information of children under 13;
  • deleting a child’s personal information at the request of a parent; and
  • only retaining personal information collected from children for as long as it is reasonably necessary to fulfill the purpose for which the information was collected.