On December 5, 2007, the Texas Attorney General, Greg Abbott, filed simultaneous law suits against two separate Web site operators, alleging violations of COPPA, the federal law protecting children’s privacy rights online (the Children’s Online Privacy Protection Act, 15 U.S.C. §§6501-6506 and the Federal Trade Commission’s implementing rule, 16 C.F.R. §312).
Recently, the Texas AG has been cracking down on companies’ data protection practices, in particular in the areas of data security and data disposal. In 2007 alone, the Texas AG filed about half a dozen lawsuits against companies for improper data disposal practices in violation of the Texas Deceptive Trade Practices-Consumer Protection Act and the Texas Identity Theft Enforcement & Protection Act.
The first of Abbott’s suits (against Future US Inc.) was filed by the AG’s Consumer Protection-Public Health Division (Texas v. Future US Inc., W.D. Tex., No A07CA-987LY, complaint filed 12/5/07). Future US Inc. is the owner of gamesradar.com. Gamesradar.com is a Web site that contains information and content relating to video games.
Reportedly, the Texas AG’s COPPA suits mark the first time that a state has filed an enforcement action under COPPA since its enactment in 1998. Under Section 6504 of COPPA, state attorneys general are permitted to bring such actions, but must notify the FTC before doing so. Historically, the Federal Trade Commission has enforced COPPA, and according to the FTC’s website, the FTC has filed 12 enforcement actions under COPPA since 1998. Texas’ actions may be foretelling of a new trend of state AGs becoming more involved in enforcing federal laws that protect consumers from privacy and information security infringements.
It is interesting to note that the FTC might not interpret this to be a violation of COPPA. According to the FTC’s report that accompanied its final rule under COPPA, the FTC understood and accepted that many children under 13 share an e-mail address with a parent, and would not preclude a web site from accepting as verifiable parental consent an e-mail from the same address as the child. However, when a site may “disclose” a child’s information to third parties, for example, through interactive activities on the site such as chat rooms and message boards, a higher standard of verifiable parental consent (i.e., more than mere e-mail) is required. (64 Fed. Reg. 59888 et seq.)