The Children’s Online Privacy Protection Act – The First YearMay 2001 | Privacy In Focus
On the one-year anniversary of the Children’s Online Privacy Protection Act ("COPPA"), the Federal Trade Commission ("FTC") settled complaints with three companies regarding COPPA violations. At the same time, two recent reports suggest that, while COPPA has had an impact, shortcomings remain in how web sites collect information from children.
Since COPPA took effect on April 21, 2000, the FTC has held compliance workshops and sent numerous warning notices to web sites. The FTC’s first formal charge for violation of COPPA was leveled against Toysmart for gathering personal information on children through a "dinosaur trivia contest" without notice or parental consent. The FTC also challenged Toysmart under the FTC Act for attempting to sell its customer lists (contrary to its privacy statement) as part of a bankruptcy. In January 2001, Walt Disney Co., a majority owner of Toysmart, paid $50,000 to have the lists destroyed.
New Enforcement Actions
The FTC’s most recent actions targeted three web sites which allegedly had not posted COPPA-compliance privacy statements and had collected children’s information without prior parental consent. The implicated companies were Monarch Services, Inc. and Girls’ Life, Inc. (operators of www.girlslife.com), Bigmailbox.com, Inc. (operator of www.bigmailbox.com), and Looksmart Ltd. (operator of www.insidetheweb.com). Under the consent decrees announced with the complaints, on April 19, these companies will pay a total of $100,000 in civil penalties and must delete any personally identifiable information collected from children under 13 since COPPA’s April 21, 2000, effective date.
As the referenced actions highlight, companies must be vigilant in monitoring their own compliance and must ensure that their web partners are in compliance with relevant COPPA requirements. Companies may wish to review their Internet agreements with other businesses, such as joint venture, co-branding and outsourcing agreements, to review their potential liability and/or recourse with regard to privacy law violations.
Web site "operators" subject to regulation under COPPA:
Must obtain verifiable parental consent before collecting personal information from children. There are generally accepted methods for obtaining such consent (e.g., a printed consent form to be mailed/faxed back to the company by the parent).
Must ensure that the practices of their web partners, or companies they outsource functions to (e.g., e-mail accounts), are in compliance with COPPA.
Should collect as little information as possible. In fact, many children’s sites are utilizing an anonymous user account system, thereby avoiding consent requirements.
While COPPA appears to have already had an impact on the way web sites deal with children’s information, the recent enforcement actions, coupled with reports encouraging further FTC activity, could make COPPA enforcement an even more prominent feature of the FTC’s agenda in the future.
RECENT NEWSWiley Rein's Preeminent Media Practice Launches Law Blog
Bert Rein Authors Pharmaceutical Executive Column Proposing Modernization of Post-Approval Prescription Drug Regulation
Opportunity to Comment on Proposal to Increase CPSC Powers Regarding Voluntary Product Safety Recalls