Texas Attorney General Settles One of First State COPPA Enforcement Actions
In December 2007, Texas became the first state to file COPPA enforcement actions, by separately suing the entities behind Gamesradar.com and TheDollPalace.com in the United States District Court for the Western District of Texas. The complaints are available as an attachment to the press release on the Texas Attorney General’s website. The defendants in those cases are California and New York – and not Texas – entities.
With little fanfare, Texas apparently settled its suit involving TheDollPalace.com ("where cartoon dolls live") in March 2008, and in doing so has imposed restrictions on content with no precedent in the COPPA consent decrees entered into by the Federal Trade Commission.
Because COPPA is not a safety statute, typically websites are allowed to post children’s personal information online if they get prior verifiable parental consent after full notice. That is, as long as the parent has been accurately and fully informed of the website’s data collection and disclosure practices and gives COPPA-compliant consent, COPPA is satisfied. By entering into an agreed judgment with the defendants, however, Texas has been able to impose conditions beyond those required by COPPA.
Texas and TheDollPalace.com defendants entered into an agreed final judgment and permanent injunction in March 2008. In addition to requiring the defendants to comply with COPPA and assessing $11,500 in civil penalties and fees, the judgment also imposes content restrictions.
Age Appropriate Content; "Reasonable Person" Standard. The agreed final judgment requires defendants "to ensure that all information displayed or collected on their Web sites is age appropriate based on the average users of those sites." They must review their sites at least semi-annually for this purpose, and delete "any information that a reasonable person would find inappropriate for the age of the average user at that time." The agreed judgment gives some examples, including "asking users with an average age of under eighteen about smoking habits" or "if they would like to meet older users, or what their Internet viewing habits are (including if they are able to access the Internet privately or if they access the Internet in a family room)"; or asking "users with an average age of under twenty-one about drinking habits."
Disclosure Limited. The agreed final judgment also enjoins the defendants from publicly displaying "any personal information solicited and collected by Defendants from children on any location on Defendants’ Web sites, including but not limited to user profiles." There is no exception, even for parental consent.
Other substantive changes from the standard consent decree employed by the FTC include (1) permitting the website to maintain information collected in violation of COPPA if they procure(d) COPPA compliant parental consent by April 1, 2008; (2) limiting defendants to collecting only the parent’s email address for the purpose of obtaining parental consent, rather than the broader COPPA allowance for obtaining the child’s or parent’s name and email address for that purpose; and (3) requiring that the privacy policy not simply recite compliance with security precautions, but also disclose "all methods and safeguards used by Defendants to protect and limit access to personal information by both internal Doll Place employees, agents, or affiliated entities, or third party individuals or entities."
