Earlier this summer, we highlighted a settlement where the FTC
proposed its largest fine to date under the Children's Online
Privacy Protection Act (COPPA) against software maker InMobi. The
InMobi settlement attracted attention since it was the first
high-profile enforcement action where the FTC relied on its rarely
invoked COPPA authority. FTC's preferred enforcement tool is
Section 5 of the FTC Act, which gives it authority to regulate
unfair and deceptive trade practices. In InMobi's case,
the FTC combined its Section 5 authority with action under
At the time, we predicted the InMobi settlement appeared to
signal a renewed commitment to enforcing COPPA restrictions
shielding children from data collection. And indeed, the
predictions have come to pass. The twist? This time states are
getting in on the game.
In September, the New York Attorney General settled with four major online publishers
– Viacom, Mattel, Hasbro, and JumpStart Games – for
alleged COPPA violations. The companies' online presence includes
high-profile pages, such as Internet sites affiliated with TV
channels Nick Jr. and Nickelodeon (Viacom); Barbie, Hot Wheels, and
American Girl (Mattel); Neopets (JumpStart); and My Little Pony,
Littlest Pet Shop, and Nerf (Hasbro).
The companies were not accused of active wrongdoing.
Nevertheless, New York claimed the challenged websites hosted
tracking technology allowing third parties to track
children's online activities without obtaining the requisite
parental consent mandated by COPPA. As part of the settlement,
the companies agreed to enhanced COPPA monitoring and compliance,
including third-party verification. All the companies except Hasbro
also paid hundreds of thousands of dollars in fines; Hasbro was
exempted from the financial penalty since it participated in an FTC
COPPA safe harbor program.
Texas followed suit in October with a $30,000
settlement with mobile app developer Juxta. The Texas Attorney
General alleged that Juxta violated Texas consumer protection law
by engaging in false, deceptive or misleading acts or practices
regarding collection of children's data. This information,
collected from software bundled with apps, allegedly included
location data. As part of the settlement, Juxta agreed to confine
its data collection practices to comply with COPPA.
The settlements reflect the difficulties that online content
providers must contend with in navigating the tension between
data collection, which drives revenue, on the one hand,
and the strictures of privacy laws, particularly COPPA with its
strict liability provisions, on the other. They yield three
First, regulators are increasingly inclined to elevate
privacy, particularly children's privacy, to an enforcement
priority rather than a postscript to other allegations. Recent
high-profile incidents such as the Yahoo leaks are likely to
intensify regulator action on this front.
Second, COPPA's strict liability means internal compliance
is no longer enough. Where products incorporate third-party
software – an almost universal phenomenon – the third party
should be carefully vetted.
Finally, companies should internally audit their own sites and
data collection practices on a consistent basis to
ensure compliance with COPPA requirements.