The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

First State Attorney General to file action under COPPA

Leave a comment

On December 5, 2007, the Texas Attorney General, Greg Abbott, filed simultaneous law suits against two separate Web site operators, alleging violations of COPPA, the federal law protecting children’s privacy rights online (the Children’s Online Privacy Protection Act, 15 U.S.C. §§6501-6506 and the Federal Trade Commission’s implementing rule, 16 C.F.R. §312).

Recently, the Texas AG has been cracking down on companies’ data protection practices, in particular in the areas of data security and data disposal. In 2007 alone, the Texas AG filed about half a dozen lawsuits against companies for improper data disposal practices in violation of the Texas Deceptive Trade Practices-Consumer Protection Act and the Texas Identity Theft Enforcement & Protection Act.

The first of Abbott’s suits (against Future US Inc.) was filed by the AG’s Consumer Protection-Public Health Division (Texas v. Future US Inc., W.D. Tex., No A07CA-987LY, complaint filed 12/5/07). Future US Inc. is the owner of gamesradar.com. Gamesradar.com is a Web site that contains information and content relating to video games.

The complaint against Future US Inc. alleges that Gamesradar.com contains content that is targeted towards children under the age of 13, attracts children under the age of 13, and “includes content or allows access to content that is inappropriate for children” (e.g., violence and nudity). Among Gamesradar.com’s alleged COPPA violations, children under 13 are able to register at the site, during which they provide personal information such as first and last name, e-mail address, physical address, gender and date of birth. According to Abbott, the registration process does not include any screening process to exclude children under the age of 13 nor does it obtain any prior parental verified consent before collecting such information. In fact, according to Abbott’s complaint, when inputting an age, the drop down menu only allows the child to choose a birth year that would make them 13 years or older (i.e., the menu only includes years 1994 and earlier).  Thus, not only does this method of obtaining age allegedly invite falsification (e.g., forcing a 10-year old to identify herself as 13 years or older), but it allegedly enables children under the age of 13 to register with the site and participate in the site’s activities without obtaining the legally-required parental consent. Furthermore, according to Abbott’s complaint, the site’s privacy policy is not compliant with COPPA and does not contain the disclosures and information required by COPPA.

The second lawsuit filed by Abbott’s office is against The Doll Palace Corporation, which operates a commercial Web site called, “The Doll Palace,” located at www.thedollpalace.com (Texas v. The Doll Palace Corporation et al., W.D. Tex., No. A07CA-988SS, complaint filed 12/5/07). According to Abbott’s complaint, the website allows children to create and play with web-based dolls, as well as engage in various interactive activities with such dolls, such as message boards, chat rooms and other forums. According to the complaint, the users are required to register and provide personal information including first and last name, e-mail addresses, birth dates and postal address information. For certain features of the site, the complaint alleges that the users are required to complete an extensive profile, including information relating to personal habits, access to the Internet and other personal details. Unlike gamesradar.com, the Doll Palace does include a parental permission procedure in the registration process, but such procedure allegedly does not comply with COPPA. According to the complaint, when a potential member is registering on the site and indicates that he or she is under the age of 13, he or she is met with a message that states, “You need a parent’s permission to continue. Is a parent with you right now?” If the child selects “Yes”, he or she is directed to a permission page that allegedly (1) only requires a click on “OK” to complete registration and (2) fails to include any of the disclosures and information required by COPPA (e.g., contact information for the Doll Palace, and information regarding how a parent can revoke consent at a later time). If the child prompts “No” when asked whether a parent is with him/her, the child is asked to submit an e-mail address for the parent, and is able to submit any e-mail address including the one he/she already submitted for himself/herself earlier in the registration process. [1] The e-mail sent to the e-mail address allegedly does not contain the information or disclosures required by COPPA, contains a link that takes the child to a web page that only requires a click “OK” to complete registration and makes no other attempt to verify parental consent. Furthermore, among other alleged COPPA violations, according to the complaint, the Doll Palace’s privacy policy fails to include all of the required disclosures, and is neither clearly nor conspicuously posted on the site, and the link for the privacy policy is in “the same font style and size as other links found at the bottom of the screen.

Reportedly, the Texas AG’s COPPA suits mark the first time that a state has filed an enforcement action under COPPA since its enactment in 1998. Under Section 6504 of COPPA, state attorneys general are permitted to bring such actions, but must notify the FTC before doing so. Historically, the Federal Trade Commission has enforced COPPA, and according to the FTC’s website, the FTC has filed 12 enforcement actions under COPPA since 1998. Texas’ actions may be foretelling of a new trend of state AGs becoming more involved in enforcing federal laws that protect consumers from privacy and information security infringements.


[1]

It is interesting to note that the FTC might not interpret this to be a violation of COPPA. According to the FTC’s report that accompanied its final rule under COPPA, the FTC understood and accepted that many children under 13 share an e-mail address with a parent, and would not preclude a web site from accepting as verifiable parental consent an e-mail from the same address as the child. However, when a site may “disclose” a child’s information to third parties, for example, through interactive activities on the site such as chat rooms and message boards, a higher standard of verifiable parental consent (i.e., more than mere e-mail) is required. (64 Fed. Reg. 59888 et seq.)

Advertisements

Author: ABA Antitrust

Learn more about the ABA Section of Antitrust Law: http://ambar.org/antitrust

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s