Alert January 28, 2009

FTC No Longer the Lone COPPA Watchdog As States Bring Enforcement Actions of Their Own

Three lawsuits filed in December 2007 by the Texas Attorney General mark the first state-based enforcement actions under the Children’s Online Privacy Protection Act (as implemented by the Children’s Online Privacy Protection Rule, collectively “COPPA”). The Federal Trade Commission (“FTC”) had been enforcing COPPA vigorously at the federal level since 1998 and recently renewed its pledge to protect collection of personally identifiable information (“PII”) from children. However, the Texas suits against three websites – Gamesradar.com and Santa.com, both California-based, and TheDollPalace.com, a New York-based site – highlight a previously unused provision empowering state attorneys general to bring COPPA enforcement actions on behalf of the residents of their states.

Background on COPPA

Pursuant to COPPA, operators of websites directed to children under the age of 13 or website operators that knowingly collect personal information from children under 13 on the Internet must provide parents with notice of their information practices. Subject to certain very limited exceptions, such operators must also obtain prior, verifiable parental consent for the collection, use and/or disclosure of personal information from children. Furthermore, upon request, operators must provide parents with the ability to review the personal information collected from their child. COPPA also compels operators to provide parents with the opportunity to prevent the further use of personal information that has already been collected, or the future collection of personal information from that child. In addition, operators must also limit collection of personal information for a child’s online participation in a game, prize offer or other activity to information that is reasonably necessary for the activity. Finally, COPPA also mandates the establishment and maintenance of reasonable procedures to protect the confidentiality, security and integrity of the personal information collected.

The FTC has brought 12 COPPA enforcement actions through 2007, assessing more than $1.8 million in civil penalties for alleged violations. Courts can hold companies failing to comply with the requirements of COPPA liable for civil penalties of up to $11,000 per violation. The amount of the penalty may reflect a number of factors involved, including the egregiousness of the violation, the number of children involved, the size of the company, the amount and type of PII collected, how the information was used and whether it was shared with third parties. The FTC discloses that its largest fine to date from a COPPA enforcement action is for $1 million against Xanga.com in 2006.

Texas Cases

In a settlement of the Texas action with Santa.com, the company agreed, among other things, to obtain verifiable parental consent before collecting PII from children and to disclose its intended uses for the PII. In addition, Santa.com agreed to refrain from collecting excessive personal information from children in order to play games on the website and use other features of Santa.com.

The Texas action against Gamesradar.com alleged that the site provided content inappropriate for young children through games clearly targeted to young children. The Texas AG alleged that to access certain features of the website, users were required to register by providing PII including date of birth chosen from a drop-down menu. The choices on the drop-down menu, however, only allowed a selection from years prior to 1995, thereby not allowing the visitor to select an age that would make the child younger than 13. Thus, if a 10-year-old child born in 1998 attempted to register, the closest birth year that could be selected would be 1994, indicating a current age of 13.

In the enforcement action against TheDollPlace.com, the Texas Attorney General once again alleged easily circumvented COPPA consent requirements. The AG’s complaint alleged that TheDollPlace.com is a website allowing children to create and play with web-based dolls, including sexually explicit dolls. To use features or participate in activities of the website, children were required to register – a procedure allegedly entailing the collection of PII. Accessing additional website features required that users fill out a profile consisting of a 10-page questionnaire including detailed PII – all of which would be easily accessible by other members of the website. Texas alleged that the website’s parental permission page required only a “click OK” for the child to register, and, furthermore, only requested the parental consent after the collection of the child’s PII had taken place. The permission page neither provided the parent with website operator contact information, the option to review and revoke consent, nor did it specify the type of information collected.

Other State Activities

While Texas is the first state to publicize filing a COPPA enforcement action, many other states are watching closely. Other states have yet to bring lawsuits under COPPA, but some have already taken action under applicable state law. In October 2007, New York Attorney General Andrew Cuomo settled an action against Facebook for deceptive acts and practices and false advertising in violation of New York consumer protection laws and failing to protect minors. New Jersey Attorney General Anne Milgram sent letters to Facebook and 11 other social networking sites requesting they compare their registrants against the New Jersey’s sex offender list, citing safety concerns for children. North Carolina and Connecticut have introduced legislation requiring age verification measures on websites.

Most recently, in mid-January 2008, 49 state attorneys general joined an agreement with MySpace to better protect children. Agreement highlights included: (i) working toward the development of age and identity verification technology; (ii) making private profiles for children under the age of seventeen; (iii) developing an email registry allowing parents to prohibit their child from creating a MySpace profile; (iv) responding within 72 hours to inappropriate content complaints; and (v) free parental monitoring software. Texas did not join in the agreement.

Conclusion

The Texas actions against Santa.com, Gamesradar.com and TheDollPlace.com all included an allegation that, due to a lack of reasonable controls, children were able to access various features of the websites without parental knowledge. Furthermore, all three of the cases were against out-of-state corporations, highlighting that companies throughout the United States must now take notice of all state enforcement actions.

The recent Texas cases – compounded by steps other states are taking to protect the collection of PII from children and the renewed FTC pledge to continue its COPPA law enforcement efforts and seek increased civil penalties – emphasize the need for companies with online presences to evaluate existing policies and procedures and verify that their information collection practices are in compliance with COPPA and other applicable laws.