Wiley Rein LLP


Publications | Newsletters | Privacy In Focus®

The Children’s Online Privacy Protection Act – The First Year

May 2001 | Privacy In Focus

On the one-year anniversary of the Children’s Online Privacy Protection Act ("COPPA"), the Federal Trade Commission ("FTC") settled complaints with three companies regarding COPPA violations. At the same time, two recent reports suggest that, while COPPA has had an impact, shortcomings remain in how web sites collect information from children.

Since COPPA took effect on April 21, 2000, the FTC has held compliance workshops and sent numerous warning notices to web sites. The FTC’s first formal charge for violation of COPPA was leveled against Toysmart for gathering personal information on children through a "dinosaur trivia contest" without notice or parental consent. The FTC also challenged Toysmart under the FTC Act for attempting to sell its customer lists (contrary to its privacy statement) as part of a bankruptcy. In January 2001, Walt Disney Co., a majority owner of Toysmart, paid $50,000 to have the lists destroyed.

New Enforcement Actions
The FTC’s most recent actions targeted three web sites which allegedly had not posted COPPA-compliance privacy statements and had collected children’s information without prior parental consent. The implicated companies were Monarch Services, Inc. and Girls’ Life, Inc. (operators of www.girlslife.com), Bigmailbox.com, Inc. (operator of www.bigmailbox.com), and Looksmart Ltd. (operator of www.insidetheweb.com). Under the consent decrees announced with the complaints, on April 19, these companies will pay a total of $100,000 in civil penalties and must delete any personally identifiable information collected from children under 13 since COPPA’s April 21, 2000, effective date.

The FTC charged that BigMailbox obtained personal information from children without obtaining parental consent and posted a privacy policy that contained false or misleading statements. Looksmart, which collected the full names and e-mail addresses of children registering for its bulletin boards and had actual knowledge of their ages, also failed to obtain parental consent. Girls’ Life was faulted partly because of relationships with BigMailbox and Looksmart. The Girls’ Life site was seamlessly tied to the sites of BigMailbox and Looksmart so that those companies could provide services to Girls’ Life’s visitors, thereby making their violations attributable to Girls’ Life.

Compliance Implications
As the referenced actions highlight, companies must be vigilant in monitoring their own compliance and must ensure that their web partners are in compliance with relevant COPPA requirements. Companies may wish to review their Internet agreements with other businesses, such as joint venture, co-branding and outsourcing agreements, to review their potential liability and/or recourse with regard to privacy law violations.

Web site "operators" subject to regulation under COPPA:

  • Must have a conspicuously placed privacy policy that fully discloses the information practices of the company. Failure to comply with this requirement is the easiest way to become an FTC target.
  • Must obtain verifiable parental consent before collecting personal information from children. There are generally accepted methods for obtaining such consent (e.g., a printed consent form to be mailed/faxed back to the company by the parent).

  • Must ensure that the practices of their web partners, or companies they outsource functions to (e.g., e-mail accounts), are in compliance with COPPA.

  • Should collect as little information as possible. In fact, many children’s sites are utilizing an anonymous user account system, thereby avoiding consent requirements.

Compliance Criticized
Two recent studies of COPPA compliance released by the University of Pennsylvania’s Annenburg Public Policy Center and by the Center for Media Education each reported mixed findings about web site operator compliance with COPPA thus far. Most of the sites reviewed had a privacy policy, and limit the information collected from children. However, the surveys also determined that many of the privacy statements did not include required disclosures about privacy practices and parental rights. The studies also noted that the language of many of the privacy notices was difficult to understand. The researchers remained hopeful, however, that with continued monitoring and intervention by the FTC, these issues could be addressed.

While COPPA appears to have already had an impact on the way web sites deal with children’s information, the recent enforcement actions, coupled with reports encouraging further FTC activity, could make COPPA enforcement an even more prominent feature of the FTC’s agenda in the future.

For additional information, please contact John Kamp (202.719.7216 or ) or Christopher Mills (703.905.2810 or ).

Table of Contents | Next Article | Previous Article


TOOLS


RELATED PRACTICES
& RESOURCES




RECENT NEWS

Wiley Rein Helps Solar Client With Important Antidumping Trade Victory Before U.S. Department of Commerce
Read More

Second Circuit Ruling Rejects Challenge to Display of World Trade Center Cross at 9/11 Memorial Museum
Read More

DOE Seeks Input on Potential Efficiency Rules for Computer and Battery Backup Systems
Read More