Is everything COPPA-setic on your site?
For some businesses, virtual worlds aren’t on their radar screen. They have their hands full with this one, thanks. But for more and more people — including kids — online virtual worlds have become a central place for gaming and other activities. As the FTC’s recent $3 million settlement with Playdom and Howard Marks demonstrates, companies with an online presence need to take care to comply with the Children’s Online Privacy Protection Act and the COPPA rule.
The defendants operated 20 virtual world sites, including 2 Moons, 9 Dragons, and My Diva Doll. According to the FTC’s complaint, at least one of the sites, Pony Stars, was specifically directed to children. Although the defendants’ other sites were intended for a general audience, the FTC charged that they, too, attracted a significant number of kids. Between 2006 and 2010, more than 821,000 users registered on Pony Stars and over 400,000 children registered on the defendants’ general audience sites.
When people registered for the sites and input a birth year indicating they were under 13, pop-up text appeared that said “You are under 13 years old and we cannot ask you for your email address. In order to register, you must ask your Parent or Guardian to fill out this screen . . .” Right below that was a field for the parent’s email address and a check box for the parent to authorize the site to send email directly to the child. That was Problem #1 because under COPPA, that kind of simple check box won’t suffice.
But that wasn’t the end of it. According to the FTC, once a user entered a parent’s email address (or what they claimed was a parent’s email) and clicked on the REGISTER button, the defendants automatically signed up the child, providing him or her with full access to all free areas within that virtual world. At the same time, defendants sent an email, styled as a “welcome,” to any email address on the pop-up registration page.
In addition, the FTC alleged the defendants violated the COPPA Rule by:
- failing to provide notice on their sites about what information they collect from kids, how they use it, and their disclosure practices;
- failing to provide direct notice to parents of what information they collect online from kids, how they use it, their disclosure practices, and notice of any material change in the collection, use, or disclosure practices; and
- failing to get verifiable parental consent before collecting, using, or disclosing personal information from kids.
The upshot: a $3 million civil penalty — the highest ever in a COPPA case — and tough injunctive provisions in the order.
If your site is subject to COPPA, what messages should you take from the FTC’s action? First, it’s not enough that privacy policies and COPPA statements talk the talk. They have to walk the walk. Make sure your real-world practices live up to the law and the protective promises you make on your website. Second, as the complaint outlines in detail, the Playdom story was played out against a background of mergers, dissolutions, acquisitions, and subsidiaries. Never let compliance obligations take a back seat, especially during times of corporate restructuring.
Looking for more on complying with COPPA? Read Frequently Asked Questions about the Children’s Online Privacy Protection Rule.