Attorneys See Third Parties as Focal Point for FTC Privacy Compliance
The FTC’s recent children’s privacy claims against Disney and Apitor suggest companies should carefully scrutinize third-party vendors and software development kits (SDKs), privacy experts told us in recent interviews. The focus on children’s privacy suggests Chairman Andrew Ferguson and Republican commissioners are following through on this administration’s promises to protect children, they said.
The FTC announced a $10 million settlement with Disney on Sept. 2 over Children’s Online Privacy Protection Act rule allegations (see 2509020069) and additional COPPA claims against Chinese toy maker Apitor on Sept. 3 (see 2509030057). The agency alleged Apitor, an Amazon seller, enabled a third-party software development kit (SDK) to collect location data from Android users and deploy it for any purpose, including advertising to children, without parental consent.
Privacy practitioners know cookies and tracking tools are “very much in the FTC’s crosshairs” and to the “extent they haven’t been clear about it before, now we know that SDKs are, too,” said Reed Freeman, an ArentFox privacy attorney. He noted the entire practicing privacy bar has been waiting to see how this administration might approach enforcement, and it’s not a surprise the first privacy cases are centered around COPPA.
“There’s good reason for it,” he added. “It’s hard to find a stakeholder who” isn’t in favor of protecting child privacy. “The only question is why did it take so long to announce some cases?”
Companies need to be more aware of how third parties are processing data and interacting with SDKs, said Roy Hadley, a privacy attorney with Morris Manning. “SDKs haven’t specifically been called out before by the FTC,” he said, adding it’s clear that vendor oversight and compliance is going to be a focus, particularly when it comes to Chinese partners. Hadley said vendor compliance is an issue that arises daily, and that companies are often rushing to meet goals without properly vetting their vendors’ data practices.
The Electronic Privacy Information Center generally sees the two cases as a “positive indication” the FTC is focused on using its COPPA authority, said EPIC Counsel Suzanne Bernstein. She encouraged the FTC to also use its Section 5 authority to signal a willingness to protect the privacy of the general population against unfair and deceptive trade practices that might impact privacy. These two announcements are “important” but smaller cases, and the FTC can do more to go after “big players” violating the privacy of children and adults, she said.
The SDK claims against Apitor hopefully signal a willingness to regulate largely unregulated entities doing business in targeted advertising and data brokerage, she said.
“Generally, it’s a positive indication that the FTC is interested in using their authority under COPPA to protect minors’ data online,” she said. It “gives the opportunity for the advocacy community and others that care about privacy to push the FTC to do even more.”
Attorneys at Mintz recently highlighted the FTC’s focus on third-party vendors, as well (see 2509080069).
The Apitor claims weren’t “egregious” beyond most practices occurring in the general marketplace, but SDKs are now “clearly” on the FTC’s radar, said Hadley. “The bigger takeaway” for companies is they need to more carefully scrutinize third-party vendors, particularly given this administration’s focus on China.