While the COPPA Rule is going through a facelift – a final draft is expected to be published in 2012 – the FTC continues its enforcement actions against websites with lax COPPA practices. On November 8, 2011, the FTC announced a proposed settlement with the social networking site, www.skidekids.com, which collected personal information from children without obtaining prior parental consent, in violation of COPPA, and made false statements in its website privacy notice, in violation of the FTC Act.
What COPPA requires
The COPPA rule requires that websites that are directed to children and general audience websites that have actual knowledge that they are collecting children information:
- Place on the website a conspicuous link to its privacy statement;
- Provide specified information in the website privacy statement, describe in clear terms what personal information of children is collected, how it is used, and explain what rights children and parents have to review and delete this information;
- Provide a notice directly to the parents, which must include the website privacy statement, and inform the parents that their consent is required for the collection and use of the children’s information by the site, and how their consent can be obtained;
- Obtain verifiable consent from the parents before collecting or using the children’s information;
- Give parents the option to agree to the collection and use of the children’s information without agreeing to the disclosure of this information to third parties.
What went wrong
The social networking site Skid-e-kids targeted children ages 7-14 and allowed them to register, create and update profile information, create public posts, upload pictures and videos, and “friend” and send messages to other Skid-e-kids members.
According to the FTC complaint, the website owner – a sole proprietor – was prosecuted for: (a) failing to provide sufficient notice of its personal data handling practices on its website; (b) failing to provide direct notice to parents about these practices; and (c) failing to obtain verifiable parental consent. In addition, these practices were found to be misleading and deceptive, which in turn constitutes a violation of the FTC Act.
The site online privacy statement claimed that the site requires child users to provide a parent’s valid email address in order to register on the website and that it uses this information to send parents a message that can be used to activate the Skid-e-kids account, to notify the parent about its privacy practices, and that it can use the contact information to send the parent communications about features of the site.
According to the FTC, however, Skid-e-kids, actually registered children on the website without collecting a parent’s email address or obtaining permission for their children to participate. Children who registered were able to provide personal information, including their date of birth, email address, first and last name, and city.
The Proposed Settlement
The proposed Consent Decree and Settlement Order against Jones O. Godwin, sole owner of the site www.skidekids.comis available at http://www.ftc.gov/os/caselist/1123033/111108skidekidsorder.pdf. The proposed settlement would:
- Bar Skid-e-Kids from future violations of COPPA and misrepresentations about the collection and use of children’s information;
- Require the deletion of all information collected from children in violation of the COPPA Rule;
- Require that the site post a clear and conspicuous link to www.onguardonline.gov, the FTC site focusing on the protection of children privacy, and that the site privacy statement as well as the privacy notice for parents also contain a reference to the On Guard Online site;
- Require that, for 5 years, the company engage qualified privacy professionals to conduct annual assessments of the effectiveness of its privacy controls or become a member in good standing of a COPPA Safe Harbor program approved by the FTC;
- Require that, for 8 years, records be kept to demonstrate compliance with the above.
A lenient fine subject to probation
An interesting aspect of the proposed settlement is that the settlement, in effect, imposes only a $1,000 fine to the defendant. The fine is to be paid within five days of the entry of the order. However, if Skid-e-Kids fails to comply with some of the requirements of the Settlement, it will have to pay the full $100,000 fine that is provided in the settlement.
Specifically, a $100,000 fine will be assessed if:
- The defendant fails to (a) have initial and annual privacy assessment (for a total of 5 annual assessments) conducted by a qualified professional approved by the FTC and identifying the privacy controls that have been implemented, how they have been implemented and certifying that the controls are sufficiently effective; or (b) to become a member in good standing of a COPPA Safe Harbor program approved by the FTC for 5 years; or
- The disclosures made about the defendant’s financial condition are materially inaccurate or contain material misrepresentations.
This new case is a reminder that the COPPA Rule contains specific requirements that must be followed, no matter the size of the site, when intending to collect children personal information. The COPPA rule defines procedures and processes that must be followed rigorously.
In addition, per Skid-e-Kids and other cases, it is also prudent to include, clearly and conspicuously, (a) in the website privacy statement; (b) in the notice to parents; and (c) at each location where personal information is collected a notice that suggests to the user to visit the On Guard Online website of the Federal Trade Commission for tips on protecting children’s privacy online: www.onguardonline.gov/topics/kids-privacy.aspx.