Take a lesson from Yelp. It applies to you too. Yelp is an online service where people can read and create reviews about businesses and connect with others online and at local events. Many users post profiles with photos and detailed information about themselves. Yelp's "check in" feature lets users announce their presence at a certain business. The problem with Yelp apps is how the age-screening mechanism works – or more accurately, doesn’t work. People who registered on the app were asked for a date of birth, but regardless of what they entered, the Yelp app allowed them to sign up and gave them full access to all features.
Yelp also collected certain information automatically from the phones of registered Yelp users. For example, to get metrics about its mobile user base, Yelp grabbed their Mobile Device ID, the unique identifier assigned to each phone. Furthermore, if people let Yelp offer them location-based services, the company used the device’s GPS to collect the user’s precise location. Given the flaw in the app’s age-screening mechanism, that meant Yelp was collecting personal information from users who said they were under 13 without parental notice and consent. According to the FTC, that went on from April 2009 to April 2013 on both the iOS and Android versions of the Yelp app – and in violation of the COPPA Rule.
The FTC’s complaint charges that Yelp failed to comply with COPPA even though it knew, based on registrants’ birth dates, that kids under 13 were registering via the company’s mobile apps. The lawsuit also alleges that Yelp didn’t adequately test its apps to ensure that users under the age of 13 were prohibited from registering
The settlement imposes a $450,000 civil penalty, requires the company to comply with COPPA in the future, and mandates a report to the FTC a year from now describing what Yelp is doing to comply. In addition, Yelp has to delete information it collected from consumers who said they were under 13 years when they registered.
Keeping your financial institution up to date on regulatory issues and your employees educated can be a daunting task. TRC can help. To learn more, contact us at email@example.com or (800) 222-9909. The COPPA rules are covered in TRC Interactive’s Information Security course along with other important privacy and security information of which every financial institution needs to be aware.