Since the Children's Online Privacy Protection Act (COPPA) entered into force, the Federal Trade Commission has commenced a number of enforcement actions against entities for collecting and/or using personal data from children in a manner that violates the requirements of COPPA. Recently, the FTC imposed the largest COPPA civil penalties to date, fining Mrs. Fields Cookies $100,000 and Hershey Foods $85,000.
In the case of Mrs. Fields, the FTC focused on claims that the company had collected personal information from children without having first obtained parental consent. Hershey, on the other hand, did obtain parental consent before it collected information from children. However, the FTC found that the company's method of obtaining consent did not comply with the requirements of COPPA. These recent enforcement actions highlight the importance of ensuring that information collection practices are compliant with COPPA.
The stated goals of COPPA, which was signed into law on October 21, 1998, are to: (i) enhance parental involvement in order to protect the privacy of children in the online environment; (ii) help protect the safety of children in online forums such as chat rooms, home pages, and pen-pal services in which children may make public postings of identifying information collected online; and (iii) limit the collection of personal information from children without parental consent.
Pursuant to COPPA, operators of Web sites directed to children under the age of 13 or operators who knowingly collect personal information on the Internet from children under 13 must provide parents notice of their information practices. Subject to very limited exceptions, such operators must also obtain prior, verifiable parental consent for the collection, use and/or disclosure of personal information from children. Furthermore, upon request, operators must provide a parent with the ability to review the personal information collected from his/her child. The legislation also compels operators to provide parents with the opportunity to prevent: (i) further use of personal information that has already been collected, and/or (ii) future collection of personal information. In addition, Web site operators must also limit collection of personal information from a child's online participation in a game, prize offer, or other activity to information that is reasonably necessary for the activity. Finally, COPPA also mandates the establishment and maintenance of reasonable procedures to protect the confidentiality, security and integrity of the personal information collected.
In the aforementioned cases, both Mrs. Fields and Hershey were alleged to have collected personal information from children under 13 years of age without first obtaining the requisite verifiable parental consent in the manner required by COPPA. Furthermore, the FTC also alleged that each company failed to: (i) post adequate privacy policies, (ii) provide direct notice to parents about the information they were collecting and how it would be used, and (iii) provide a reasonable means for parents to review the personal information collected from their children and to refuse to permit further use of such information.
Neither Mrs. Fields nor Hershey was alleged to have disclosed the information that was collected from children. Mrs. Fields was alleged to have collected personal information Â– including names, home addresses, e-mail addresses and birth dates Â– from more than 84,000 children without first having had obtained parental consent. In the Hershey case, the company required children to obtain parental consent prior to providing information to their Web sites, but the FTC alleged that Hershey's method of obtaining parental consent did not meet the standard under COPPA. As such, the Hershey case is the first in which the FTC challenged a company's method of obtaining parental consent.
Other Significant Cases
The cases against Hershey and Mrs. Fields are not the first to be brought against entities for violating COPPA. Since the legislation's enactment, the FTC has commenced several enforcement actions against entities alleged to have been in violation of COPPA. In 2001, the FTC announced the settlement of its first three COPPA cases, which involved four companies, Monarch Services, Inc., Girls Life, Inc., Nolan Quan and Looksmart, Ltd. charged with illegally collecting personally identifying information from children under 13 years of age without parental consent. To settle the FTC charges, the companies together agreed to pay a total of $100,000 in civil penalties. They also agreed to comply with COPPA in connection with any future online data collection and to delete all personally identifying information collected from children online at any time since the effective date of COPPA. The FTC has also commenced and settled enforcement actions against The Ohio Art Company, the American Pop Corn Company and Lisa Frank, Inc. In addition, it has recently sent notices to more than 50 Web site operators warning them to bring their sites into compliance with COPPA.
The FTC has demonstrated particular vigilance with respect to the protection of children's privacy, and additional enforcement actions against COPPA violators seem likely at this time. The FTC's two most recent COPPA settlements serve as a reminder of the importance of complying with the parental consent requirements of the law. In each case, the company incurred a substantial fine as a result of failure to obtain verifiable parental consent in a manner consistent with the requirements of COPPA before collecting personally identifiable information from children.
For further information about COPPA and its potential implications for your business, please contact:
|Mary J. Hildebrand||[email protected]||973.994.7848|
|Jacqueline Klosek||[email protected]||973.994.7895|
Full access to articles on IP law prepared by Goodwin Procter is available at: http://www.goodwinprocter.com/pubpc.asp?pcID=5
Full access to all articles prepared by Goodwin Procter is available at: http://www.goodwinprocter.com/publications.asp