The Federal Trade Commission announced a proposed settlement today with Playdom, Inc., a developer of online virtual world multi-player games, and an executive of the company. The $3 million settlement is the largest civil penalty imposed under the FTC’s COPPA Rule.
The FTC asserts that between 2006 and 2010 the defendants operated approximately 20 online virtual worlds through which users accessed and played online games and other activities. Although most of the sites were general audience sites, at least one of the sites, Ponystars, was a website or online service directed towards children. Registration was required in order to play in the online virtual worlds, and the registration process for all of defendants’ online games required registrants to provide an email address, birth year and gender. If a user entered a birth year indicating that the user was under 13, a screen popped up stating: “You are under 13 years old and we cannot ask you for your email address. In order to register, you must have your Parent or Guardian fill out this screen.” The pop-up screen asked for a parent or guardian’s email address, and the sites would allow registration to be completed by merely providing an email address. Once this address was entered, the defendants automatically provided that child with full access to the free areas within the online virtual world, including the ability to create a personal profile and participate in community forums. A child’s personal profile page could contain his real name, location, website, email, and various instant messenger IDs.
As a result of collecting birth year, but failing to properly obtain verifiable parental consent from users who indicated they were under 13, Playdom registered approximately 821,000 children on the Ponystar site directed towards children and an additional 403,000 children on the general audience online virtual games. Playdom faced a maximum penalty of $11,000 per violation of the COPPA Rule prior to February 10, 2009, and up to $16,000 per violation since.
In addition to the $3 million civil penalty, the proposed settlement would prohibit the defendants from violating the COPPA Rule and misrepresenting their practices regarding the collection, use, disclosure or deletion of children’s personal information. Additionally, the defendants would also be subject to compliance monitoring and reporting obligations for four years, and they have to delete all personal information collected and maintained in violation of the COPPA Rule from April 2000 through the date of the settlement.
The case serves as a good reminder that COPPA applies to websites or online services which are directed to children and general audience sites which acquire actual knowledge that a user is under 13. If a general audience site is going to collect age information and knows users are under 13, the site must take steps to ensure it prevents such users from providing personal information, it must obtain verifiable parental consent before collecting personal information from such users, or the collection must fall under one of the narrow exceptions to the COPPA Rule (e.g., the one-time contact exception to reply to an inquiry, so long as the contact information is deleted after responding). In this case, since access to the online virtual worlds allowed children to post personal information online, consent should have been obtained by one of the “robust” parental consent mechanisms under COPPA, including requiring a parent to mail in a signed consent form, requiring the parent to use a credit card in connection with a transaction, or requiring the parent to call a toll-free number staffed by trained professionals. Consent obtained through the “email plus” mechanism would not have been sufficient (see COPPA FAQs 31 and 32 from the FTC).