The Center for Digital Democracy (CDD), a nonprofit advocacy group, filed a formal complaint with the Federal Trade Commission on Monday saying the app uses "deceptive" mobile marketing and violates the Children's Online Privacy Protection Act (COPPA) by collecting the email addresses of its users without parental consent. Nickelodeon released a statement saying it removed the app from iTunes temporarily while the investigation continues.
In the formal complaint, the CDD asks the FTC to investigate app developer PlayFirst's privacy practices, as well as Nickelodeon's parent company Viacom.
This comes at a time when updates to COPPA, online privacy rules made in 1998, are set to be unveiled on Wednesday. COPPA requires websites directed at children to obtain parental consent in order to collect information such as names, email addresses and phone numbers. And Gizmodo points out that since COPPA only applies to children under 13, Nickelodeon and the developer might have some wiggle room here if they say the app is intended for older users.
The SpongeBob Diner Dash app description in iTunes states it complies with federal privacy protections for children online. But in the advocacy group's complaint to the FTC, it says the app neither provided the kind of notice required by COPPA, “nor makes any attempt to obtain prior, verifiable parental consent required by the law.”
Both privacy policies of the app developer and Nickelodean don't state exactly what information is
collected in the app, according to the complaint.
The app is free to download and play. It has been downloaded more than 10 million times, according to PlayFirst's blog. The objective of the game is to earn points by directing SpongeBob to serve customers in a variety of colorful restaurants. Players are periodically encouraged to purchase an upgraded version of the game that costs money. The app also assigns every users a unique device identifier "which enable companies to send custom messages to individual children in the form of 'push notifications,'" the complaint states.
An article on the New York Times website about the app points out that it does not tell children to ask their parent's permission before entering their personal information. The app also has messages that appear on screen asking for the user's email address to receive a newsletter. A reporter at the Times who entered their email address in the app never received the newsletter, which raises questions about what exactly the information is used for.
This same developer also came under fire earlier this month when the CDD filed a complaint with the F.T.C. about another one of its apps. Mobbles, an in-app game with virtual pets, collected information about users without parents' consent. The app was also pulled from iTunes.
On Dec. 10, the FTC released its second report looking into the privacy of apps marketed at children and found there's been little progress in companies addressing privacy concerns since its first report in 2011.
"While we think most companies have the best intentions when it comes to protecting kids’ privacy, we haven’t seen any progress when it comes to making sure parents have the information they need to make informed choices about apps for their kids. In fact, our study shows that kids' apps siphon an alarming amount of information from mobile devices without disclosing this fact to parents," FTC Chairman Jon Leibowitz said in a statement. "All of the companies in the mobile app space, especially the gatekeepers of the app stores, need to do a better job."
The FTC report found that nearly 60% of the apps surveyed transmit data from a user's device back to the app developer or, more commonly, to an advertising network, analytics company, or other third party.