Here in the UK there is limited enforcement of requirements for verifiable, parental consent before processing under 12s data. In the US, they do it differently. We report on two recent cases where the federal regulatory piano wire has been applied firmly to the tackle of transgressors.
Topic: Marketing to children
Who: The Federal Trade Commission (FTC) v Bonzi Software, Inc and UMG Recordings, Inc
Where: Washington DC
When: February 2004
The FTC announced that it had settled charges against two website operators for violations of the Children's Online Privacy Protection Act ("COPPA") for the largest penalty levied to date for breaches of COPPA.
UMG Recordings was an operator of music-related websites offering adult and children's music and music related information. One of the more popular entertainers on the site was a 13 year old pop singer, Lil-Romeo.
The other defendant, Bonzi Software, distributes Bonzi Buddy, a free downloadable programme that interacts with users while they are online.
It was alleged that both companies, through their sites, collected personal information from children under the age of 13 without parental consent, in violation of COPPA.
To resolve the complaints by the FTC, UMG paid an unprecedented fine of $400,000 whilst Bonzi paid a penalty of $75,000, in what has been described as the first case "to challenge the information collection practices of an online service in connection with a software product."
In addition to paying the civil fines, both companies are required to delete all personal information they had collected from children since April 2000, when COPPA was enacted and post a specific notice on their sites directing users to the FTC website for more information on protecting children's privacy.
Why this matters:
US Congress passed COPPA in 1998 to give parents more control over the personal information their children may be asked to divulge over the internet. The Act applies to websites or online services directed at children under 13 years old, or general websites or online services that obtain actual knowledge that the information collected is from a child of 13 or younger. It was this latter arm of the statute that caught both the defendants in these cases.
Wherever website operators are likely to come by personal data relating to individuals under 13, for instance, by asking questions such as "what age are you?" or "what grade are you in?" they must post COPPA-specific privacy polices on their sites and provide direct parental notice stating that children's personal information is collected, obtaining in advance verifiable consent, off-line, from a parent or guardian. In both these cases, the sites allegedly failed to adhere to these conditions.
In these cases, the FTC is sending a clear signal that it will continue to take all necessary steps to enforce this legislation. It is interesting to contrast this very strict approach to the processing online of children's data with the relatively relaxed attitude to this issue here in the UK, where there is extremely limited compliance with OIC guidelines recommending that verifiable parental consent be obtained off-line before processing data collected on-line which relates to under 12s.
One suspects that particularly with pressures in other related areas such as the marketing of food to children, impetus might grow for more enforcement in this area.