The FTC Settles Violations of the Children’s Online Privacy Protection Act for $3M

The FTC announced on May 12, 2011 that it has reached the largest civil penalty settlement of the Children’s Online Privacy Protection Act (COPPA) with Playdom (now owned by Disney) for $3M.  Playdom, an online game developer, was accused of collecting and disclosing the information about hundreds of thousands of children under 13 without the parental consent.  The websites were previously owned and developed by Acclaim Games, Inc. which was purchased by Playdom in May, 2010.  Playdom later became a subsidiary of Disney in August, 2010.

COPPA prohibits owners of websites and online services directed to children (including general audience websites) from collecting or maintaining personal information about children under 13 without verifiable parental consent. Personal information includes:

  • First and last name
  • Physical address
  • Email address
  • Telephone number
  • SSN
  • Other identifier that the FTC determines permits the physical or online contacting of a specific individual
  • Information concerning the child or the child’s parents that the website collects online and combines with one of the above identifiers

Penalties for violations are up to $11,000 per violation.  In determining the amount of the penalty, the following factors are considered:

  • Level of egregiousness
  • Number of children involved
  • Amount and type of personal information
  • Disclosure of the information
  • Size of the company

The FTC has online resources for those interested in learning more about COPPA.  Additionally, the FTC has provided several recommendations to remain compliant with COPPA, including:

  • Post a clear and comprehensive privacy policy on the website that describes information practices regarding children’s personal information.
  • Provide direct notice to parents and obtain verifiable parental consent before collecting personal information from children.
  • Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties.
  • Provide parents access to their child’s personal information to review and/or have the information deleted.
  • Give parents the opportunity to prevent further use or online collection of a child’s personal information.
  • Maintain the confidentiality, security, and integrity of information they collect from children.

The FTC is not the only regulator who can enforce COPPA.  Other federal and state agencies can seek enforcement as well.  In 2008, the Texas Attorney General settled a COPPA claim for $11,500.