Bad Hello Kitty? App Accused of Collecting Too Much Data From Kids.

Will curiosity about kid users kill the Hello Kitty app?

Photo by John Sciulli/Getty Images for Children Mending Hearts

Is Hello Kitty our kitteh NSA? The cultishly popular cartoon cat with the big red bow may be tracking kids on their smartphones, in contravention of federal privacy regulations.

A new filing from the Center for Digital Democracy requests that the Federal Trade Commission investigate both Tokyo-based Sanrio Co.’s Hello Kitty Carnival mobile app and the website, which is run by Disney subsidiary Marvel. The CDD believes that the site and app violate the Children’s Online Privacy Protection Act, which requires parental notice and consent before collecting and disseminating the information of children under the age of 13.

The Hello Kitty Carnival mobile app is a free downloadable game in which kids earn virtual coins by running carnival rides, and hosts shows and games about superheroes like Spider-Man and Wolverine. Both collect a whole host of personal, potentially identifying data. According to the CDD, collects personal details from visitors to the site, and tracks them before and after their visit. But the site does not obtain parental consent for this data gathering—required by COPPA for children under the age of 13. Neither does it explicitly notify parents before sharing information with ad and marketing companies like BlueKai, DataXu, Turn, and Google DoubleClick. The site asks rather that users “opt-out” of this sharing, but COPPA requires that this option be automatically turned off.

While Hello Kitty is (oddly?) popular with some adults, its Carnival app is deliberately directed at children, according to the CDD. It’s marketed in the “4+” category on iTunes and as “low maturity” on Google Play. Push notifications are used to remind kids to play, and the promise of coin rewards encourage kids to connect to Facebook through the app. They are also given coins for downloading other apps and for providing an email address—incentives that seem designed to maximize the amount of information children share. The app can even access the mobile devices’ photos during the game, which could of course include photos of the kids.* Clueful, an online privacy monitoring service engaged by the CDD to examine the Hello Kitty app, described it as a “moderate privacy risk.”

The CDD’s filing also calls into question the effectiveness of the industry’s self-regulation standards. displays the Children’s Advertising Review Unit Kid’s Privacy Safe Harbor seal, a child-directed advertising and marketing industry self-regulation standard designed to ensure that sites are compliant with children’s privacy regulations. Clicking on the seal brings up the CARU site, which today states: “We were unable to find an active record for the seal number provided.” However the CDD filing says that in early December the same page declared that the information practices of Marvel Entertainment Inc. had been reviewed and met the standards of CARU Kid’s Privacy Safe Harbor Program. CARU could not be reached for comment about the reversal.

To Kathryn Montgomery, a professor at American University and a leader in the original campaign to pass COPPA, the CARU’s change in stance suggests that the safe harbor seal was granted almost automatically, with no real oversight.

“Despite the recent update to COPPA, it seems like companies are continuing with business as usual and engaging in the kinds of data collecting and targeting that are state of the art for adult content,” she told me. She added that CARU may be either unwilling or simply unable to get companies like Marvel or Hello Kitty’s Sanrio to comply with new privacy rules designed to better protect children online.

Correction, Dec. 18, 2013: This blog post originally and incorrectly stated that the Hello Kitty Carnival app asks users to take photos of themselves. The app doesn’t do that, but it is able to access mobile devices’ photos while in use, which could of course include photos of kids.