U.S. lawmakers and regulators have long expressed an interest in protecting children online. Passed over 10 years ago, the federal Children’s Online Privacy Protection Act of 1998 (“COPPA”), establishes strong privacy protections that extend to children under 13. Over the years, the Federal Trade Commission (“FTC”) has enforced COPPA vigorously, bringing a number of enforcement actions against a range of different companies. While initial actions resulted in relatively moderate fines, recent cases have resulted in settlements in the $1 million range.
With concerns about the safety and privacy of children online and off continuing to grow, many states are taking their own steps that supplement and, in some cases, go further than federal requirements. For example, in December 2007, the Texas Attorney General filed three actions against companies that had violated COPPA, marking the first state-based enforcement actions brought under COPPA. More recently, in June 2009, the state of Maine enacted new legislation that goes further than COPPA in several significant ways. The new law, An Act to Prevent Predatory Marketing Practices Against Minors (the “Act”),1 which became effective September 12, 2009, established very strict rules on the collection, receipt and use of personal or health-related information from Maine residents under the age of 18 (“minors”) and/or the marketing of goods or services to minors. The Act, however, has been challenged on a number of fronts and faces an uncertain future. On September 9, 2009, the U.S. District Court for the District of Maine dismissed a lawsuit challenging the statute without prejudice (and entering a stipulated dismissal among the parties) in light of the state government’s representation that Maine will not enforce the statute and the Legislature will reconsider the measure when it reconvenes in January 2010.2
The Act has incredibly broad reach. It establishes that no entity may collect, receive or use personal or health-related information from a minor for marketing purposes, without first obtaining verifiable parental consent.3 It prohibits the use of any health-related or personal information regarding a minor for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.4 Such use would constitute predatory marketing under the Act. In addition, the Act also prohibits anyone from selling, offering for sale or otherwise transferring to another person health-related or personal information about a minor if that information (i) was unlawfully collected pursuant to the Act, (ii) individually identifies the minor, or (iii) will be used in connection with predatory marketing practices as defined by the Act.5
The Act defines personal and health-related information rather broadly. Under the Act, “personal information” means individually identifiable information, including: (i) an individual's first name, or first initial, and last name; (ii) a home or other physical address; (iii) a social security number; (iv) a driver’s license number or state identification card number; and (v) information concerning a minor that is collected in combination with any of the foregoing identifiers.6 “Health-related information” is defined as “any information about an individual or a member of the individual’s family relating to health, nutrition, drug or medication use, physical or bodily condition, mental health, medical history, medical insurance coverage or claims, or other similar data.”7
The Act goes further than COPPA in many important ways. First, it applies to children under the age of 18, where COPPA’s coverage is limited to children under 13. Second, unlike COPPA, which is limited to online activities, the Act applies to the collection, receipt or use of information from a minor whether online or offline. In addition, and quite significantly, the Act prohibits companies from using personal and/or health-related information of minors to market products or services to minors, even where verifiable parental consent is obtained.
Potential consequences of violations are significant. However, given recent developments, the enforcement of the Act remains uncertain. The Act provides for civil fines of (i) no less than $10,000 and no more than $20,000 for a first violation, and (ii) no less than $20,000 for a second or subsequent violation.8
Quite significantly, the Act also authorizes civil actions by affected individuals. Specifically, a person about whom information is unlawfully collected or who is the object of predatory marketing in violation of the Act may bring an action in an appropriate state court for either or both of the following: (i) an injunction to stop the unlawful collection or predatory marketing, and (ii) recovery of actual damages from each violation or up to $250 in statutory damages for each violation, whichever is greater.9 The Act also directs the court to award reasonable attorney’s fees and costs. Similar to the unfair trade practices statutes of many states, for willful or knowing violations, the court may award treble damages.
A number of commentators have questioned the constitutionality of the Act. Concerned about the implications of the Act, in late August, a group of online and offline companies, filed a lawsuit alleging that the Act violates the First Amendment and the Commerce Clause of the Constitution, as well as 42 U.S.C. § 1983, and is also preempted by COPPA.10 Meanwhile, citing constitutional concerns, Maine’s own Attorney General committed not to enforce the Act.11 The stance of the state’s AG was not viewed as sufficient to assuage all concerns, however. Because the Act does provide for a private right of action, there could still be a risk of civil lawsuits by private parties, including potential class action lawsuits. In the district court’s Stipulated Order of Dismissal on September 9, 2009, Chief Judge John A. Woodcock Jr. warned that private lawsuits could likely face dismissal, cautioning that “third parties are on notice that a private cause of action under Chapter 230 could suffer from the same constitutional infirmities.”12As noted, Maine’s legislature does not reconvene until January 2010. Upon the completion of the legislative process, it is quite likely that lawmakers will generate a revised piece of legislation that differs considerably from the Act in its present form. However, despite the Maine Attorney General’s position and that the district court’s order, the Act remains in effect as written, and, however impractical implementation may be, companies must consider whether their marketing practices are compliant.
1 An Act to Prevent Predatory Marketing Practices Against Minors, Public Law, Ch. 230 (Maine).
2 Me. Indep. Colls. Ass'n v. Baldacci, (D. Me., September 9, 2009), No. 1:09-cv-00396-JAW, stipulated order of dismissal stating: “The Court finds that the Plaintiffs have met their burden of establishing a likelihood of success on the merits of their claims that Chapter 230 is overbroad and violates the First Amendment. The Attorney General has acknowledged her concerns over the substantial overbreadth of the statute and the implications of Chapter 230 on the exercise of First Amendment rights and accordingly has committed not to enforce it. She has also represented that the Legislature will be reconsidering the statute when it reconvenes. As a result, third parties are on notice that a private cause of action under Chapter 230 could suffer from the same constitutional infirmities. In light of these considerations, the parties have agreed to a dismissal of this action without prejudice and the Court hereby SO ORDERS.”
3 Act, supra note 2, at §9551(2).
4 Id. at §9551(1).
5 Id. at §9552.
6 Id. at §9551(4).
7 Id. at §9551(1).
8 Id. at §9554(3).
9 Id. at §9554(2).
10 Me. Indep. Colls. Ass’n v. Baldacci, (D. Me.), No. 1:09-cv-00396-JAW, complaint filed 8/26/09.
11 See, Motion to Dismiss of Attorney General Janet T. Mills, dated September 3, 2009, in Me. Indep. Colls. Ass’n v. Baldacci, (D. Me.), No. 1:09-cv-00396-JAW.