Is everything COPPA-setic on your site?

Share This Page

For some businesses, virtual worlds aren’t on their radar screen.  They have their hands full with this one, thanks.  But for more and more people — including kids — online virtual worlds have become a central place for gaming and other activities.  As the FTC’s recent $3 million settlement with Playdom and Howard Marks demonstrates, companies with an online presence need to take care to comply with the Children’s Online Privacy Protection Act and the COPPA rule.

The defendants operated 20 virtual world sites, including 2 Moons, 9 Dragons, and My Diva Doll.  According to the FTC’s complaint, at least one of the sites, Pony Stars, was specifically directed to children.  Although the defendants’ other sites were intended for a general audience, the FTC charged that they, too, attracted a significant number of kids.  Between 2006 and 2010, more than 821,000 users registered on Pony Stars and over 400,000 children registered on the defendants’ general audience sites.

When people registered for the sites and input a birth year indicating they were under 13, pop-up text appeared that said “You are under 13 years old and we cannot ask you for your email address. In order to register, you must ask your Parent or Guardian to fill out this screen . . .”  Right below that was a field for the parent’s email address and a check box for the parent to authorize the site to send email directly to the child.  That was Problem #1 because under COPPA, that kind of simple check box won’t suffice.

But that wasn’t the end of it.  According to the FTC, once a user entered a parent’s email address (or what they claimed was a parent’s email) and clicked on the REGISTER button, the defendants automatically signed up the child, providing him or her with full access to all free areas within that virtual world.  At the same time, defendants sent an email, styled as a “welcome,” to any email address on the pop-up registration page.

Once kids were registered, they could create profiles loaded with personal information (their real name, location, email, instant messenger IDs, etc.), play online games, and participate in community forums.  All of this happened despite a promise in the privacy policy that “If a child under 13 years of age wants to post information on our website or chat with other players, we will require that they do not disclose any personal information such as the real name, address, phone number and anything that can be used to contact the child.”

Thus, the complaint alleged that contrary to the statements made in the privacy policy, defendants collected kids’ personal information and enabled them to publicly disclose their personal info through profile pages and in forums.  The FTC charged that the defendants’ practices made what they said in their privacy policy false, in violation of the FTC Act.

In addition, the FTC alleged the defendants violated the COPPA Rule by:

  • failing to provide notice on their sites about what information they collect from kids, how they use it, and their disclosure practices;
  • failing to provide direct notice to parents of what information they collect online from kids, how they use it, their disclosure practices, and notice of any material change in the collection, use, or disclosure practices; and
  • failing to get verifiable parental consent before collecting, using, or disclosing personal information from kids.

The upshot: a $3 million civil penalty — the highest ever in a COPPA case — and tough injunctive provisions in the order.

If your site is subject to COPPA, what messages should you take from the FTC’s action?  First, it’s not enough that privacy policies and COPPA statements talk the talk.  They have to walk the walk.  Make sure your real-world practices live up to the law and the protective promises you make on your website.  Second, as the complaint outlines in detail, the Playdom story was played out against a background of mergers, dissolutions, acquisitions, and subsidiaries.  Never let compliance obligations take a back seat, especially during times of corporate restructuring.

Looking for more on complying with COPPA?  Read Frequently Asked Questions about the Children’s Online Privacy Protection Rule.

Add new comment

Comment Policy

Privacy Act Statement

It is your choice whether to submit a comment. If you do, you must create a user name, or we will not post your comment. The Federal Trade Commission Act authorizes this information collection for purposes of managing online comments. Comments and user names are part of the Federal Trade Commission’s (FTC) public records system (PDF), and user names also are part of the FTC’s computer user records system (PDF). We may routinely use these records as described in the FTC’s Privacy Act system notices. For more information on how the FTC handles information that we collect, please read our privacy policy.