Earlier this week, I posed some questions to readers about tracking/monitoring your children, and the privacy of children who communicate with your child when they don’t know that you’re monitoring/seeing every private message or image. I asked you all to think about this question:
So it’s okay with you if some other child’s parents are reading your child’s messages to their child, right? Even if your child is telling their friend sensitive information and nothing stops those parents from sharing what they’re reading with your child’s school or the community?
Then I asked you to take your thinking one step further and to consider what happens if it’s not you directly monitoring or tracking your child, but an online business or service that you hire:
But to help you monitor your child, the business shows you other children’s communications to your child, which they collect and compile. Is that okay with you? It probably is, but turn the situation around: a business is now collecting and compiling non-public private communications from your child and displaying them to another child’s parent who hired them to help monitor their child. Is that okay with you?
What started me thinking about this was a recent security incident involving uKnowKids, which I initially reported on over on DataBreaches.net. In following up on the incident, I started reading more about their service and looking at their demo. That’s when I started thinking about what they appeared to be doing with private communications of children whose parents were not subscribers and had not given consent to the collection or storage of their children’s information. I contacted uKnowKids to ask them about the consent issue, and pretty much got blown off several times with answers that simply pointed me to what I had already read and found a bit concerning.
So I took another look at COPPA, the federal law, which regulates commercial entities that collect information from minor children. I read the statute a few times, and tried to figure out what COPPA requires of a company/entity that is displaying children’s private non-public communications to the parent of another child. Is the entity required to get the consent of that child’s parent if the entity is compiling the child’s communications and storing them in a cloud database?
So this past weekend, I formally asked the FTC to investigate uKnowKids for possible violations of COPPA and possible violations of Section 5 of the FTC Act. Specifically, I put the following questions to them:
- Under COPPA, can a commercial service collect and share non-public personal information on minor children whose parents have NOT consented to the collection and sharing of their children’s information? If COPPA aims to protect all minor children, then uKnowKids should not collect and share information on other children incidentally. Are they? And if so, shouldn’t they be required to obtain their parents’ consent?
- Under COPPA, can uKnowKids or any other commercial service store non-public personal information on minor children whose parents have NOT consented to the collection or storage of their children’s information? Are uKnowKids storing such information?
- Is uKnow.com’s Terms of Services making their customers solely responsible for compliance with all laws regarding monitoring enforceable, when COPPA’s legislative intent and language makes them responsible?
- Under Section 5 of the FTC Act, does the collection, sharing, and/or storage of non-public communications of minor children without their parents’ consent constitute an unfair practice? For purposes of this question, the injury or harm is invasion of privacy.
- Is it an unfair practice under Section 5 of the FTC Act if uKnowKids is monitoring or tracking children or adolescents without the children’s knowledge or consent if the children actually own the devices that are being tracked? Does a parent’s “warrant and representation” of ownership of accounts absolve uKnowKids of any responsibility they might have in this regard under Section 5 if the parent lies?
- In the event of a data security breach, does uKnowKids.com have a duty to notify children or adolescents whose photos, iMessages or other personal info have been exposed, or is it sufficient to just notify their parents? Parents who never told their children they were being tracked will likely not tell them that their personal and sensitive info has been exposed (or may even be on the Dark Web somewhere in another scenario).
- In the event of a data security breach, does uKnowKids.com have an obligation to notify those whose data may have been collected and/or stored without their knowledge or consent by virtue of them interacting with a tracked/monitored child?
A copy of the full complaint and inquiry can be found here (pdf).
Excellent catch.
Great job.
Thanks!