Bad Hello Kitty? App Accused of Collecting Too Much Data From Kids.

The Citizen's Guide to the Future
Dec. 18 2013 3:21 PM

Bad Hello Kitty? App Accused of Collecting Too Much Data From Kids.

Will curiosity about kid users kill the Hello Kitty app?

Photo by John Sciulli/Getty Images for Children Mending Hearts

Is Hello Kitty our kitteh NSA? The cultishly popular cartoon cat with the big red bow may be tracking kids on their smartphones, in contravention of federal privacy regulations.

A new filing from the Center for Digital Democracy requests that the Federal Trade Commission investigate both Tokyo-based Sanrio Co.’s Hello Kitty Carnival mobile app and the website, which is run by Disney subsidiary Marvel. The CDD believes that the site and app violate the Children’s Online Privacy Protection Act, which requires parental notice and consent before collecting and disseminating the information of children under the age of 13.

The Hello Kitty Carnival mobile app is a free downloadable game in which kids earn virtual coins by running carnival rides, and hosts shows and games about superheroes like Spider-Man and Wolverine. Both collect a whole host of personal, potentially identifying data. According to the CDD, collects personal details from visitors to the site, and tracks them before and after their visit. But the site does not obtain parental consent for this data gathering—required by COPPA for children under the age of 13. Neither does it explicitly notify parents before sharing information with ad and marketing companies like BlueKai, DataXu, Turn, and Google DoubleClick. The site asks rather that users “opt-out” of this sharing, but COPPA requires that this option be automatically turned off.


While Hello Kitty is (oddly?) popular with some adults, its Carnival app is deliberately directed at children, according to the CDD. It’s marketed in the “4+” category on iTunes and as “low maturity” on Google Play. Push notifications are used to remind kids to play, and the promise of coin rewards encourage kids to connect to Facebook through the app. They are also given coins for downloading other apps and for providing an email address—incentives that seem designed to maximize the amount of information children share. The app can even access the mobile devices' photos during the game, which could of course include photos of the kids.* Clueful, an online privacy monitoring service engaged by the CDD to examine the Hello Kitty app, described it as a “moderate privacy risk.”

The CDD’s filing also calls into question the effectiveness of the industry’s self-regulation standards. displays the Children's Advertising Review Unit Kid's Privacy Safe Harbor seal, a child-directed advertising and marketing industry self-regulation standard designed to ensure that sites are compliant with children’s privacy regulations. Clicking on the seal brings up the CARU site, which today states: “We were unable to find an active record for the seal number provided.” However the CDD filing says that in early December the same page declared that the information practices of Marvel Entertainment Inc. had been reviewed and met the standards of CARU Kid's Privacy Safe Harbor Program. CARU could not be reached for comment about the reversal.

To Kathryn Montgomery, a professor at American University and a leader in the original campaign to pass COPPA, the CARU’s change in stance suggests that the safe harbor seal was granted almost automatically, with no real oversight.

“Despite the recent update to COPPA, it seems like companies are continuing with business as usual and engaging in the kinds of data collecting and targeting that are state of the art for adult content,” she told me. She added that CARU may be either unwilling or simply unable to get companies like Marvel or Hello Kitty’s Sanrio to comply with new privacy rules designed to better protect children online.

Correction, Dec. 18, 2013: This blog post originally and incorrectly stated that the Hello Kitty Carnival app asks users to take photos of themselves. The app doesn't do that, but it is able to access mobile devices' photos while in use, which could of course include photos of kids.

Future Tense is a partnership of SlateNew America, and Arizona State University.


Medical Examiner

Here’s Where We Stand With Ebola

Even experienced international disaster responders are shocked at how bad it’s gotten.

It’s Not Easy for Me, but I Stand With Emma Watson on Women’s Rights

Divestment Is Fine but Mostly Symbolic. There’s a Better Way for Universities to Fight Climate Change.

Subprime Loans Are Back

And believe it or not, that’s a good thing.

It Is Very Stupid to Compare Hope Solo to Ray Rice

Building a Better Workplace

In Defense of HR

Startups and small businesses shouldn’t skip over a human resources department.

Why Are Lighter-Skinned Latinos and Asians More Likely to Vote Republican?

How Ted Cruz and Scott Brown Misunderstand What It Means to Be an American Citizen

  News & Politics
Sept. 22 2014 6:30 PM What Does It Mean to Be an American? Ted Cruz and Scott Brown think it’s about ideology. It’s really about culture.
Business Insider
Sept. 23 2014 10:03 AM Watch Steve Jobs Tell Michael Dell, "We're Coming After You"
The Vault
Sept. 23 2014 10:24 AM How Bad Are Your Drinking Habits? An 18th-Century Temperance Thermometer Has the Verdict
  Double X
The XX Factor
Sept. 22 2014 7:43 PM Emma Watson Threatened With Nude Photo Leak for Speaking Out About Women's Equality
  Slate Plus
Slate Plus
Sept. 22 2014 1:52 PM Tell Us What You Think About Slate Plus Help us improve our new membership program.
Brow Beat
Sept. 23 2014 9:42 AM Listen to the Surprising New Single From Kendrick Lamar
Future Tense
Sept. 23 2014 10:51 AM Is Apple Picking a Fight With the U.S. Government? Not exactly.
  Health & Science
Bad Astronomy
Sept. 23 2014 7:00 AM I Stand With Emma Watson
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.