Are You in Compliance with COPPA? Recent State Actions Raise the Stakes
Jacqueline Klosek and Dale Fulton
The Internet provides an environment through which information is gathered from children through a variety of seemingly innocuous mechanisms. For example, data can be collected from children when participating in online games, while engaged in discussion groups or chats, responding to research surveys, entering contests, and participating in other activities. The information collection features of many Web sites targeted to children are often designed to be fun and amusing. As a result, many young children may be unaware of how much personally identifiable information ("PII") they reveal, potentially exposing them to risk or exploitation.
When Congress enacted the Children's Online Privacy Protection Act ("COPPA"), the primary goal was to place parents in control of what PII was collected from their young children while online. COPPA sets forth a framework of practices that governs the collection, access to, and use of PII by Web sites that are directed toward children. COPPA mandates strict requirements concerning parental oversight and consent on behalf of their children.
Among other requirements, COPPA requires a commercial Web site operator to meet specific requirements prior to collecting, using, or disclosing PII from children. All of the requirements are to increase the level of parental involvement.
Specifically, under COPPA, the Web site operator must:
- provide clear, understandable and complete notice of its information practices, including specific disclosures, directly to the parent when required by COPPA;
- obtain verifiable parental consent prior to collecting, using and/or disclosing PII from children;
- give parents the option to consent to the collection and internal use of their children's PII without consenting to the disclosure of that information to third parties; and,
- provide a reasonable means for parents to review the information collected from their children and to prohibit the further use of such information.
There seems to be good cause for legislation such as COPPA. The Internet provides a setting in which strangers become familiar and may be in a position to misappropriate a child's PII to their own advantage. Social networking sites may raise particular concerns in this regard due to the high level of close interaction occurring through such sites. It is thus appropriate that they have been the recent focus of COPPA actions.
Children's social networking Web sites have recently become more popular than adult sites, resulting in some of the Internet's fastest growing businesses. The children's site Club Penguin attracted seven times the traffic in 2007 than the adult focused Second Life Web site. It is estimated by research firm eMarketer that 20 million children will be members of social networking virtual worlds by 2011, up from 8.2 million today.
It is well known that COPPA has been enforced vigorously at the federal level by the Federal Trade Commission (FTC), but COPPA also empowers the states' attorneys general to bring civil action on behalf of state residents. This power recently came to the forefront of public attention when the Texas Attorney General brought COPPA-related enforcement actions against three out-of-state companies. The three Web sites in the Texas actions had parental consent features that were easily manipulated and bypassed with relative ease by savvy children. While the Texas Attorney General elected to pursue enforcement actions against these three sites, arguably many sites are in the same position in that they are relying upon features that can be circumvented. Due to the lack of reasonable controls, children were allowed to access various features of these Web sites without parental knowledge.
Texas Attorney General Abbott claimed Santa.com collected a wide range of PII such as:
- first and last name;
- home or other physical address including street name and name of a city or town;
- e-mail address or other online contact information, including but not limited to an instant messaging user identifier or a screen name that reveals an individual's e-mail address;
- telephone number;
- Social Security number;
- persistent identifier such as a customer number held in a cookie;
- combination of a last name or photograph of an individual with other information such that the combination permits physical or online contacting; and/or,
- information concerning the child or the parents of that child.
The second Web site to receive attention from the Texas Attorney General was Gamesradar.com. Gamesradar.com is a Web site designed for people with an interest in video games. The Web site includes content or allows access to content inappropriate for children along with games clearly targeted to young children such as Disney's Chicken Little, Ice Age, and Cars. In order to access certain features, one must register by providing certain PII, including first and last name, e-mail address, physical address, gender, and date of birth chosen from a drop-down menu.
The menu however, only allows a selection from years prior to 1995, thereby not allowing the visitor to select an age that would make him/her younger than thirteen. Thus, if a ten year old child born in 1998 attempts to register, the closest birth year that could be selected would be 1994, indicating a current age of thirteen.
TheDollPalace.com also drew notice from the Texas Attorney General. At TheDollPalace.com Web site, children create and play with web-based dolls, including sexually explicit dolls. To use features or participate in activities of the Web site, children are required to register. Activities, such as participating in chat rooms, are encouraged by offering "doll points" which may then be used to purchase items on the Web site. Registering entails providing first and last name, e-mail address, date of birth, state, zip code, country, and gender.
Accessing additional Web site features require a profile be filled out which consists of a ten-page questionnaire including detailed PII such as height, weight, eye color, details about personal habits, and whether the child has their own computer or Internet access only in a public location. The child is asked questions about the type of person they are interested in meeting, for example, age importance, including the option of meeting someone older as well as those within five miles of their location.
This PII is easily accessed by other members of the Web site. The Web site's parental permission page requires only a click of OK for the child to register, allowing easy circumvention of COPPA consent requirements. Additionally, parental consent is requested after collection of the child's PII has already taken place. The permission page does not provide the parent with Web site operator contact information, the option to review and revoke consent, or specify the type of information collected.
While the Texas actions are notable as they represent the first state-based enforcements of COPPA, it is important to recognize that the federal authorities also remain active in investigating and enforcing COPPA violations. The recent FTC enforcement action against imbee.com, a social networking Web site directed to "kids ages 8 to 14," collects PII from children as defined in COPPA.
These recent cases emphasize the critical importance of ensuring that one's web operations comply with COPPA requirements. Companies that fail to comply with the requirements of COPPA risk not only fines but damage to their brand reputation and business. In the above cases, injunctions were sought against the defendants along with damages, restitution or other compensation.
A court can hold violators of COPPA liable for civil penalties of up to $11,000 per violation. The amount of the penalty may turn on a number of factors including the egregiousness of the violation, the number of children involved, the size of the company, the amount and type of PII collected, how the information was used and whether it was shared with third parties. Fines in FTC actions have been increasing steadily, beginning with injunctive relief in some of the earlier cases and progressing to the most recent fine of one million dollars in the Xanga.com case.