Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Because COPPA is not a safety statute, typically websites are allowed to post children’s personal information online if they get prior verifiable parental consent after full notice. That is, as long as the parent has been accurately and fully informed of the website’s data collection and disclosure practices and gives COPPA-compliant consent, COPPA is satisfied. By entering into an agreed judgment with the defendants, however, Texas has been able to impose conditions beyond those required by COPPA.

Texas and TheDollPalace.com defendants entered into an agreed final judgment and permanent injunction in March 2008. In addition to requiring the defendants to comply with COPPA and assessing $11,500 in civil penalties and fees, the judgment also imposes content restrictions.

Age Appropriate Content; "Reasonable Person" Standard. The agreed final judgment requires defendants "to ensure that all information displayed or collected on their Web sites is age appropriate based on the average users of those sites." They must review their sites at least semi-annually for this purpose, and delete "any information that a reasonable person would find inappropriate for the age of the average user at that time." The agreed judgment gives some examples, including "asking users with an average age of under eighteen about smoking habits" or "if they would like to meet older users, or what their Internet viewing habits are (including if they are able to access the Internet privately or if they access the Internet in a family room)"; or asking "users with an average age of under twenty-one about drinking habits."

Disclosure Limited. The agreed final judgment also enjoins the defendants from publicly displaying "any personal information solicited and collected by Defendants from children on any location on Defendants’ Web sites, including but not limited to user profiles." There is no exception, even for parental consent.

Other substantive changes from the standard consent decree employed by the FTC include (1) permitting the website to maintain information collected in violation of COPPA if they procure(d) COPPA compliant parental consent by April 1, 2008; (2) limiting defendants to collecting only the parent’s email address for the purpose of obtaining parental consent, rather than the broader COPPA allowance for obtaining the child’s or parent’s name and email address for that purpose; and (3) requiring that the privacy policy not simply recite compliance with security precautions, but also disclose "all methods and safeguards used by Defendants to protect and limit access to personal information by both internal Doll Place employees, agents, or affiliated entities, or third party individuals or entities."

The Federal Trade Commission has quietly changed its position on the level of parental consent required under the Children’s Online Privacy Protection Act (“COPPA”) for e-cards sent from a website directed to children.

Under COPPA, websites directed to children under 13 are required to obtain parental consent prior to the collection of personal information – including an email address or a first and last name – from children under 13. There are certain exceptions to this requirement, including the so-called “one-time use” exception, which permits websites directed to children to collect an email address to respond once to a child’s specific request, provided that the website deletes that email address after doing so. The FTC had taken the position that an e-card – which typically permits a child to send a message to a friend’s email account – fell under this exception. Thus, no parental consent was required.

At the end of last year, however, the FTC amended its “Frequently Asked Questions about the Children’s Online Privacy Protection Rule,” available at http://www.ftc.gov/privacy/coppafaqs.shtm, and specifically noted in response to the FAQ concerning e-cards (FAQ 44) that “where an operator’s e-card or forward-to-a-friend system discloses the sender’s email address or first and last name in the message, the operator must obtain verifiable parental consent before such collection and disclosure.” Accordingly, operators of websites directed to children must now comply with COPPA’s verifiable parental consent provisions before permitting children under 13 to send e-cards that disclose their email addresses or full names.

The agreement is notable for its breadth. It goes well beyond the scope of the federal Children’s Online Privacy Protection Act (“COPPA”), which applies to the collection of personal information online from children 12 and under. The agreement includes some protections designed to protect teenagers under 18 with stronger protections for those under 16. Under the agreement, MySpace will take some readily achievable operational steps and work towards certain longer term goals such as developing new procedures and tools to protect children.

The more immediate steps include the following:

• continuing to dedicate resources to educate parents and educators on child safety online;
• using “best efforts” to acknowledge consumer complaints within 24 hours of receipt with a follow-up of the steps taken within 72 hours;
• retaining an “Independent Examiner” to evaluate and examine handling of complaints;
• continuing to cooperate with law enforcement on complaints, which includes continuing the law enforcement hotline number and creating a law enforcement liaison;
• implementing a series of operational changes including:
  • “age locking” to reduce the number of times a user can change their age above or below the 18 year old threshold;
  • age restrictions on certain website functions that make it harder for adults to contact children such as limiting the ability of users over 18 to search in school sections; limiting the ability of users under 18 to designate themselves as swingers; limiting being able to browse certain categories such as “body type”, “smoke” and “drink”; limiting group invites; and automatically designating profiles as private for those under 16;
  • an image monitoring policy with technology to hash inappropriate images;
  • limitations on tobacco and alcohol advertisements to those under 18 and 21 respectively;
  • expanded age specific classifications for events;
  • expanded reporting functionality for violations including a drop down for categories such as pornography, cyberbullying and unauthorized use;
  • enhancing safety tools for members such as the ability to set profiles to private, the ability to block others and requiring those under 18 to affirmatively consent to having reviewed posted safety tips before registration; and
  • enhanced tools for parents such as the ability to remove a child’s profile.

MySpace also has agreed to engage in the following longer term efforts:  

• organizing an industry-wide Internet Safety Technical Task Force to develop online safety tools – specifically, improved online identity authentication tools – with quarterly reports to the attorney generals’ task force;
• designating a senior executive to work with the task force;
• holding regular meetings with the attorney generals to discuss website design and functionality improvement to protect children;
• hiring a third party to build and host a database of email addresses for parents to register users under 18 (to prevent child registration at social networking sites);
• blocking access by those under 18 to profiles related to the entertainment industry;
• increasing staff for monitoring and increasing the use of textual searching and other technologies for monitoring.

The settlement is particularly noteworthy for its resulting “new model” to protect children. As set forth in the settlement agreement and settlement terms, Facebook will:

• Disclose the newly implemented safety procedures on its website as specified by the agreement and ensure that all other public statements made by Facebook about safety are consistent with the specified language.

• Accept complaints about nudity or pornography, harassment or unwelcome contact confidentially via hyperlinks placed throughout Facebook’s website as well as via an independent email to abuse@facebook.com.

• Respond to and begin addressing complaints about nudity or pornography, harassment or unwelcome contact within 24 hours.

• Report to the complainant the steps it has taken to address the complaint within 72 hours where the complaint has been submitted via an independent email to abuse@facebook.com.

• Allow Facebook’s complaint review process to be examined by an Independent Safety and Security Examiner (ISSE), a third party approved by the New York State Attorney General’s Office, to report on Facebook’s compliance with the agreement.

• Provide a prominent and easily accessible hyperlink to allow a Facebook user or their parent/guardian to give feedback to the Independent Safety and Security Examiner (ISSE) about Facebook’s performance in responding to complaints. 

• Submit to the Office reports prepared by the Independent Safety and Security Examiner (ISSE) evaluating Facebook’s performance in responding to complaints. The Examiner will report bi-annually and may recommend additional safety measures concerning complaint handling, as appropriate.

Both Attorney General Cuomo and Facebook are touting the agreement as setting new industry standards to protect children. Notably, Connecticut Attorney General Richard Blumenthal, co-chair of the national social networking task force of all 50 state Attorneys General, issued a press release stating the settlement terms were not strong enough. He is urging social networking sites to increase the use of filtering technology and monitors to screen content, identity and age verification for anyone 18 and older, parental consent for anyone under 18, the hiding of children’s profiles from adults, certain restrictions on advertising to children, and other measures. In light of the settlement, the likely continued interest by law enforcement, and the potential dangers to children, social networking sites should consider assessing their security practices and policies.           

These actions from New York and New Jersey are the latest steps by attorneys general from all 50 states to pressure social networking sites to enhance security protocols, specifically parental controls and age verification tools because of the vulnerability of children to online predators and inappropriate content. In particular, since early last year, Richard Blumenthal, the Connecticut Attorney General and Roy Cooper, the North Carolina Attorney General, have led a task force of the attorneys general calling on social networking sites to increase protections for children. Some of the steps the task force has urged of social networking sites have included enhanced age verification tools, restrictions on the ability of children increased parental consent to allow children to make profiles available to others in the absence of parental consent, increased staff and technology dedicated to screening inappropriate content, giving parents software to block the site, and raising the minimum age of participation to 16.       

This Spring, MySpace was in the news after receiving a letter from eight attorneys general demanding information concerning registered sex offenders on its site. After initially asserting it was unable to legally comply, MySpace struck an agreement with the attorneys general about the form of the requests. MySpace later announced it had removed more than 29,000 profiles of sex offenders from its site.

North Carolina and Connecticut are among states that introduced legislation requiring age verification measures on websites. Those bills have not passed but are expected to be introduced in future legislative sessions.