Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

To get online at www.skidekids.com, users must provide personal information such as their name, email address, date of birth and city. The site’s published privacy policy purported to require that child users provide a parent’s valid email address in order to activate their account and to facilitate communications between Skid-e-kids and parents concerning the site and their child’s account. But according to the FTC the site operator never collected any parent’s email address and failed to obtain verifiable parental consent to collect personal information from children under 13. In doing so, the FTC said, the site operator violated both the FTC Act (by misrepresenting its privacy practices in the privacy policy) and the COPPA Rule (by improperly collecting children’s personal information).

For Skid-e-kids, the FTC’s settlement means taking remedial measures such as destroying all of the information collected from children in violation of the COPPA Rule, providing links to online educational material, and retaining an online privacy professional or joining an approved COPPA safe harbor program to oversee applicable COPPA-covered websites; an injunction against future violations of COPPA and misrepresentations about the collection of children’s information; and a $100,000 civil penalty (all but $1,000 of which may be suspended if the operator demonstrates an inability to pay).

For the rest of us, the settlement is a good reminder that the FTC is staunchly committed to protecting children’s privacy. So when it comes to collecting personal information from children online, it’s important to do it right . . . or not at all.

It is worthy to note that Playdom took ownership of the websites when it acquired Acclaim Games, Inc. in May 2010 and Disney subsequently acquired Playdom in August 2010. Although most of the violations occurred when Acclaim Games was operating independently, its acquirers ended up getting stuck with the tab. 

The Act applies to two types of information:  (1) health-related information, which includes information related to health or physical condition, nutrition, medications, mental health, medical insurance coverage and similar data; and (2) personal information, which includes a last name with first name or first initial, home or other physical address, social security number, driver’s license or state identification card number, and information about a minor collected in combination with other personal information.  An email address or other online identifier is not expressly included, but it would be considered personal information if combined with other personal information of any of the other types included in this definition. 

Since Maine’s new law is intended to protect the privacy of minors, it can be compared to the federal Children’s Online Privacy Protection Act (“COPPA”).  However, the Maine law is broader than COPPA in many significant ways.  Among the other differences discussed below, under Maine law, a minor is someone under 18.  In contrast, COPPA only protects “children” who are under 13 years old. 

Maine’s new law can also be compared to some other state laws,  As an example, it can be compared to a law that has been in existence in California since 2004.  California’s Civ Code sec. 1798.91 also regulates the collection, use and disclosure of health related information for marketing purposes without notice and consent; however, California’s law is not limited in application to minors.

Maine’s new Act contains three separate prohibitions.

First, the Act makes it unlawful to knowingly collect or receive health-related or personal information for “marketing purposes” from a minor without prior “verifiable parental consent.”  The way the Act is written, it is unclear whether the requirement for “knowing” collection or receipt applies to the type of information or also to the fact that the information is collected from a minor.  The Act defines “marketing purposes” as “the purposes of marketing or advertising products, goods or services to individuals.”  This particular provision – unlike the provisions discussed below – appears to be limited to information collected “from” a minor. “Verifiable parental consent” is defined to mean reasonable efforts to give the parent notice of the collection, use and disclosure practices and to obtain parental authorization for such collection, use or disclosure “before that information is collected from that minor.”  Unlike COPPA, Maine’s Act is not limited to online collection.  Nor does the Act contain any exceptions permitting some collection of “personal information” from the minor, such as for the purpose of obtaining parental consent for additional collection. 

Second, the Act makes it unlawful to sell, offer for sale or otherwise transfer health-related or personal information about a minor if (A) it was collected in violation of the prohibition above; (B) it “individually identifies the minor”; or (B) it will be used for “predatory marketing” as described below.  This provision does not have a scienter requirement (although a “knowledge element is built into Subsection A).  Subsection B – which is not limited to uses “for marketing purposes” – apparently requires that any transfer of information “about a minor” be done on an aggregate basis. 

Third, the Act prohibits “predatory marketing,” which is defined as using health-related or personal information regarding a minor “for the purpose of marketing a product or service to that minor or promoting any course of action for the minor relating to a product.”  Again, there is no scienter requirement, nor any exception permitting a parent to sign up on behalf of a child, or to otherwise consent to such marketing.  

The Act provides for enforcement by the Maine Attorney General as an unfair trade practice, with penalties of $10,000-$20,000 for the first violation and at least $20,000 for subsequent violations.  The Act also provides for a private right of action in Maine state court, including recovery for the greater of actual damages or $250 per violation (with the potential for trebling for willful or knowing violation), plus attorney’s fees.

The potentially broad reach of this statute (particularly due to the lack of a scienter element in several of its provisions) makes it likely to be subject to challenge.  In the meantime, businesses should consider their approach to achieving compliance.  Given the breath of the Act, and the fact that some of its requirements apply regardless of a company’s knowledge of an individual’s age, complying with Maine’s new law will surely prove to be a challenge for essentially every enterprise.
 

The agreement is notable for its breadth. It goes well beyond the scope of the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to the collection of personal information online from children 12 and under. The agreement includes some protections designed to protect teenagers under 18 with stronger protections for those under 16. Under the agreement, MySpace will take some readily achievable operational steps and work towards certain longer term goals such as developing new procedures and tools to protect children.

The more immediate steps include the following:

• continuing to dedicate resources to educate parents and educators on child safety online;
• using “best efforts” to acknowledge consumer complaints within 24 hours of receipt with a follow-up of the steps taken within 72 hours;
• retaining an “Independent Examiner” to evaluate and examine handling of complaints;
• continuing to cooperate with law enforcement on complaints, which includes continuing the law enforcement hotline number and creating a law enforcement liaison;
• implementing a series of operational changes including:
  • “age locking” to reduce the number of times a user can change their age above or below the 18 year old threshold;
  • age restrictions on certain website functions that make it harder for adults to contact children such as limiting the ability of users over 18 to search in school sections; limiting the ability of users under 18 to designate themselves as swingers; limiting being able to browse certain categories such as “body type”, “smoke” and “drink”; limiting group invites; and automatically designating profiles as private for those under 16;
  • an image monitoring policy with technology to hash inappropriate images;
  • limitations on tobacco and alcohol advertisements to those under 18 and 21 respectively;
  • expanded age specific classifications for events;
  • expanded reporting functionality for violations including a drop down for categories such as pornography, cyberbullying and unauthorized use;
  • enhancing safety tools for members such as the ability to set profiles to private, the ability to block others and requiring those under 18 to affirmatively consent to having reviewed posted safety tips before registration; and
  • enhanced tools for parents such as the ability to remove a child’s profile.

MySpace also has agreed to engage in the following longer term efforts:  

• organizing an industry-wide Internet Safety Technical Task Force to develop online safety tools – specifically, improved online identity authentication tools – with quarterly reports to the attorney generals’ task force;
• designating a senior executive to work with the task force;
• holding regular meetings with the attorney generals to discuss website design and functionality improvement to protect children;
• hiring a third party to build and host a database of email addresses for parents to register users under 18 (to prevent child registration at social networking sites);
• blocking access by those under 18 to profiles related to the entertainment industry;
• increasing staff for monitoring and increasing the use of textual searching and other technologies for monitoring.

The settlement is particularly noteworthy for its resulting “new model” to protect children. As set forth in the settlement agreement and settlement terms, Facebook will:

• Disclose the newly implemented safety procedures on its website as specified by the agreement and ensure that all other public statements made by Facebook about safety are consistent with the specified language.

• Accept complaints about nudity or pornography, harassment or unwelcome contact confidentially via hyperlinks placed throughout Facebook’s website as well as via an independent email to abuse@facebook.com.

• Respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.

• Report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been submitted via an independent email to abuse@facebook.com.

• Allow Facebook’s complaint review process to be examined by an Independent Safety and Security Examiner (ISSE), a third party approved by the New York State Attorney General’s Office, to report on Facebook’s compliance with the agreement.

• Provide a prominent and easily accessible hyperlink to allow a Facebook user or their parent/guardian to give feedback to the Independent Safety and Security Examiner (ISSE) about Facebook’s performance in responding to complaints. 

• Submit to the Office reports prepared by the Independent Safety and Security Examiner (ISSE) evaluating Facebook’s performance in responding to complaints. The Examiner will report bi-annually and may recommend additional safety measures concerning complaint handling, as appropriate.

Both Attorney General Cuomo and Facebook are touting the agreement as setting new industry standards to protect children. Notably, Connecticut Attorney General Richard Blumenthal, co-chair of the national social networking task force of all 50 state Attorneys General, issued a press release stating the settlement terms were not strong enough. He is urging social networking sites to increase the use of filtering technology and monitors to screen content, identity and age verification for anyone 18 and older, parental consent for anyone under 18, the hiding of children’s profiles from adults, certain restrictions on advertising to children, and other measures. In light of the settlement, the likely continued interest by law enforcement, and the potential dangers to children, social networking sites should consider assessing their security practices and policies.           

These actions from New York and New Jersey are the latest steps by attorneys general from all 50 states to pressure social networking sites to enhance security protocols, specifically parental controls and age verification tools because of the vulnerability of children to online predators and inappropriate content. In particular, since early last year, Richard Blumenthal, the Connecticut Attorney General and Roy Cooper, the North Carolina Attorney General, have led a task force of the attorneys general calling on social networking sites to increase protections for children. Some of the steps the task force has urged of social networking sites have included enhanced age verification tools, restrictions on the ability of children increased parental consent to allow children to make profiles available to others in the absence of parental consent, increased staff and technology dedicated to screening inappropriate content, giving parents software to block the site, and raising the minimum age of participation to 16.       

This Spring, MySpace was in the news after receiving a letter from eight attorneys general demanding information concerning registered sex offenders on its site. After initially asserting it was unable to legally comply, MySpace struck an agreement with the attorneys general about the form of the requests. MySpace later announced it had removed more than 29,000 profiles of sex offenders from its site.

North Carolina and Connecticut are among states that introduced legislation requiring age verification measures on websites. Those bills have not passed but are expected to be introduced in future legislative sessions.