The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

FTC Aggressively Enforcing COPPA Compliance

Leave a comment

The FTC meant what it said about aggressively targeting COPPA violators. It announced on Thursday that celebrity fan website operator, Artist Arena, will pay a $1 million penalty for alleged violations of the Children’s Online Privacy Protection Act (“COPPA”). This penalty is significantly more than the $250,000 fine in last March’s settlement against RockYou, and demonstrates the FTC’s increasing commitment toward COPPA compliance.

COPPA regulates operators of commercial websites or online services directed to children under the age of 13 that collect, use, and/or disclose children’s personal information. Among other things, the rule requires that these operators post a privacy policy outlining its data collection and use practices, provide notice of these practices directly to parents, and obtain verifiable parental consent prior to collecting data from children under 13.

Artist Arena operates fan websites for teen and “tween” pop-star celebrities such as,,, and http://www.SelenaGomez. Members can create profiles, “friend” other members, and post comments on members’ walls. To register, users must provide their personal information, including their names, addresses, email addresses, birthdates, and gender. According to the FTC’s complaint, Artist Arena represented in its privacy policy that it would not collect children’s personal information or activate their registration without verifiable parental consent. Despite these representations, Artist Arena allegedly registered over 25,000 children under 13 without parental notice and consent, and collected and maintained the personal information from almost 75,000 additional children who began, but did not complete the registration process.

This is the first of likely many high-stakes enforcement actions for alleged COPPA violators. In fact, the FTC is pushing to expand the liability of operators for third-party violations. Back in August, the FTC issued a Notice of Proposed Rulemaking seeking comments on proposed changes to COPPA. In pertinent part, the FTC wants to expand the definition of “operator” under the rule to include personal information “collected or maintained on behalf of an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator.” The FTC believes that a website operator that uses a third-party service to collect personal information from children under 13 – without itself engaging in such collection – should be considered a covered operator under the Rule. In this instance, although the operator does not own, control, or have access to the information collected, the data is collected on its behalf and for its benefit.

Given the FTC’s demonstrated commitment to prosecute alleged COPPA violators and its push for expanded liability under the rule, operators of websites directed to children under 13 that collect children’s personal information, either by itself or through a third-party service, should align its collection and use practices in accordance with COPPA to avoid being the next FTC enforcement target.

Author: ABA Antitrust

Learn more about the ABA Section of Antitrust Law:

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s