Bad Hello Kitty? App Accused of Collecting Too Much Data From Kids.

The Citizen's Guide to the Future
Dec. 18 2013 3:21 PM

Bad Hello Kitty? App Accused of Collecting Too Much Data From Kids.

Will curiosity about kid users kill the Hello Kitty app?

Photo by John Sciulli/Getty Images for Children Mending Hearts

Is Hello Kitty our kitteh NSA? The cultishly popular cartoon cat with the big red bow may be tracking kids on their smartphones, in contravention of federal privacy regulations.

A new filing from the Center for Digital Democracy requests that the Federal Trade Commission investigate both Tokyo-based Sanrio Co.’s Hello Kitty Carnival mobile app and the website, which is run by Disney subsidiary Marvel. The CDD believes that the site and app violate the Children’s Online Privacy Protection Act, which requires parental notice and consent before collecting and disseminating the information of children under the age of 13.

The Hello Kitty Carnival mobile app is a free downloadable game in which kids earn virtual coins by running carnival rides, and hosts shows and games about superheroes like Spider-Man and Wolverine. Both collect a whole host of personal, potentially identifying data. According to the CDD, collects personal details from visitors to the site, and tracks them before and after their visit. But the site does not obtain parental consent for this data gathering—required by COPPA for children under the age of 13. Neither does it explicitly notify parents before sharing information with ad and marketing companies like BlueKai, DataXu, Turn, and Google DoubleClick. The site asks rather that users “opt-out” of this sharing, but COPPA requires that this option be automatically turned off.


While Hello Kitty is (oddly?) popular with some adults, its Carnival app is deliberately directed at children, according to the CDD. It’s marketed in the “4+” category on iTunes and as “low maturity” on Google Play. Push notifications are used to remind kids to play, and the promise of coin rewards encourage kids to connect to Facebook through the app. They are also given coins for downloading other apps and for providing an email address—incentives that seem designed to maximize the amount of information children share. The app can even access the mobile devices' photos during the game, which could of course include photos of the kids.* Clueful, an online privacy monitoring service engaged by the CDD to examine the Hello Kitty app, described it as a “moderate privacy risk.”

The CDD’s filing also calls into question the effectiveness of the industry’s self-regulation standards. displays the Children's Advertising Review Unit Kid's Privacy Safe Harbor seal, a child-directed advertising and marketing industry self-regulation standard designed to ensure that sites are compliant with children’s privacy regulations. Clicking on the seal brings up the CARU site, which today states: “We were unable to find an active record for the seal number provided.” However the CDD filing says that in early December the same page declared that the information practices of Marvel Entertainment Inc. had been reviewed and met the standards of CARU Kid's Privacy Safe Harbor Program. CARU could not be reached for comment about the reversal.

To Kathryn Montgomery, a professor at American University and a leader in the original campaign to pass COPPA, the CARU’s change in stance suggests that the safe harbor seal was granted almost automatically, with no real oversight.

“Despite the recent update to COPPA, it seems like companies are continuing with business as usual and engaging in the kinds of data collecting and targeting that are state of the art for adult content,” she told me. She added that CARU may be either unwilling or simply unable to get companies like Marvel or Hello Kitty’s Sanrio to comply with new privacy rules designed to better protect children online.

Correction, Dec. 18, 2013: This blog post originally and incorrectly stated that the Hello Kitty Carnival app asks users to take photos of themselves. The app doesn't do that, but it is able to access mobile devices' photos while in use, which could of course include photos of kids.

Future Tense is a partnership of SlateNew America, and Arizona State University.


Medical Examiner

Here’s Where We Stand With Ebola

Even experienced international disaster responders are shocked at how bad it’s gotten.

It Is Very, Very Stupid to Compare Hope Solo to Ray Rice

The U.S. Is So, So Far Behind Europe on Clean Energy

Even if You Don’t Like Batman, You Might Like Gotham

Friends Was the Last Purely Pleasurable Sitcom

The Eye

This Whimsical Driverless Car Imagines Transportation in 2059


Meet the New Bosses

How the Republicans would run the Senate.

A Woman Who Escaped the Extreme Babymaking Christian Fundamentalism of Quiverfull

So, Apple Is Not Shuttering Beats, but the Streaming Service Will Probably Be Folded Into iTunes

  News & Politics
Sept. 22 2014 6:30 PM What Does It Mean to Be an American? Ted Cruz and Scott Brown think it’s about ideology. It’s really about culture.
Sept. 22 2014 5:38 PM Apple Won't Shut Down Beats Music After All (But Will Probably Rename It)
Sept. 22 2014 4:45 PM Why Can’t the Census Count Gay Couples Accurately?
  Double X
Sept. 22 2014 4:06 PM No, Women’s Soccer Does Not Have a Domestic Violence Problem Or, why it is very, very stupid to compare Hope Solo to Ray Rice.
  Slate Plus
Slate Plus
Sept. 22 2014 1:52 PM Tell Us What You Think About Slate Plus Help us improve our new membership program.
Brow Beat
Sept. 22 2014 5:45 PM The University of California Corrects “Injustice” by Making Its Rich Chancellors Even Richer
Future Tense
Sept. 22 2014 6:27 PM Should We All Be Learning How to Type in Virtual Reality?
  Health & Science
Medical Examiner
Sept. 22 2014 4:34 PM Here’s Where We Stand With Ebola Even experienced international disaster responders are shocked at how bad it’s gotten.
Sports Nut
Sept. 18 2014 11:42 AM Grandmaster Clash One of the most amazing feats in chess history just happened, and no one noticed.