The FTC meant what it said about aggressively targeting COPPA violators. It announced on Thursday that celebrity fan website operator, Artist Arena, will pay a $1 million penalty for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). This penalty is significantly more than the $250,000 fine in last March’s settlement against RockYou, and demonstrates the FTC’s increasing commitment toward COPPA compliance.
This is the first of likely many high-stakes enforcement actions for alleged COPPA violators. In fact, the FTC is pushing to expand the liability of operators for third-party violations. Back in August, the FTC issued a Notice of Proposed Rulemaking seeking comments on proposed changes to COPPA. In pertinent part, the FTC wants to expand the definition of “operator” under the rule to include personal information “collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.” The FTC believes that a website operator that uses a third-party service to collect personal information from children under 13 – without itself engaging in such collection – should be considered a covered operator under the Rule. In this instance, although the operator does not own, control, or have access to the information collected, the data is collected on its behalf and for its benefit.
Given the FTC’s demonstrated commitment to prosecute alleged COPPA violators and its push for expanded liability under the rule, operators of websites directed to children under 13 that collect children’s personal information, either by itself or through a third-party service, should align its collection and use practices in accordance with COPPA to avoid being the next FTC enforcement target.