Earlier this summer, we highlighted a settlement where the FTC proposed its largest fine to date under the Children’s Online Privacy Protection Act (COPPA) against software maker InMobi. The InMobi settlement attracted attention since it was the first high profile enforcement action where the FTC relied on its rarely invoked COPPA authority. FTC’s preferred enforcement tool is Section 5 of the FTC Act, which gives it authority to regulate unfair and deceptive trade practices. In InMobi’s case, the FTC combined its Section 5 authority with action under COPPA.
At the time, we predicted the InMobi settlement appeared to signal a renewed commitment to enforcing COPPA restrictions shielding children from data collection. And indeed, the predictions have come to pass. The twist? This time states are getting in on the game.
In September, the New York Attorney general settled with four major online publishers - Viacom, Mattel, Hasbro, and JumpStart Games – for alleged COPPA violations. The companies online presence include high profile pages, such as Internet sites affiliated with TV channels Nick Jr. and Nickelodeon (Viacom); Barbie, Hot Wheels, and American Girl (Mattel); Neopets (JumpStart); and My Little Pony, Littlest Pet Shop, and Nerf (Hasbro).
The companies were not accused of active wrong doing. Nevertheless, New York claimed the challenged websites hosted tracking technology allowing third parties to track children’s online activities without obtaining the requisite parental consented mandated by COPPA. As part of the settlement, the companies agreed to enhanced COPPA monitoring and compliance, including third-party verification. All the companies except Hasbro also paid hundreds of thousands of dollars in fines; Hasbro was exempted from the financial penalty since it participated in an FTC COPPA safe harbor program.
Texas followed suit in October with a $30,000 settlement with mobile app developer Juxta. The Texas Attorney General alleged that Jexta violated Texas consumer protection law by engaging in false, deceptive or misleading acts or practices regarding collection of childrens’ data. This information, collected from software bundled with apps, allegedly included location data. As part of the settlement, Juxta agreed to confine its data collection practices to comply with COPPA.
The settlements reflect the difficulties that online content providers must contend with in negotiating tension between data collection which drives revenue on one hand, and strictures of privacy laws, particularly COPPA with its strict liability provisions, on the other. They yield three lessons:
- First, regulators are increasingly inclined to elevating privacy, particularly childrens’ privacy, to an enforcement priority rather than a post-script to other allegations. Recent high profile incidents such as the Yahoo leaks are likely to intensify regulator action on this front.
- Second, COPPA’s strict liability means internal compliance is no longer enough. Where products incorporate third party software - an almost universal phenomena – the third party should be carefully vetted.
- Finally, companies should internally audit their own sites and data collection practices on a consistent basis to ensure compliance with COPPA requirements.