Almost a year to the day after a law limiting the ability of Web sites to collect personal data from children took effect, the Federal Trade Commission (FTC) today announced the first fines that it has levied against companies for violating the measure.
And the commission warned that the fines being paid by the operators of three Web sites aimed at children won't be the last ones. FTC spokeswoman Toby Levin said more civil penalty cases related to violations of the Children's Online Privacy Protection Act (COPPA) are due to be announced in the next several months.
Parry Aftab, a children's privacy advocate and an attorney at the New York-based intellectual property law firm Darby & Darby PC, said the fines totaling $100,000 should serve notice to companies that the FTC is serious about enforcing the requirements spelled out by COPPA.
"The FTC has been wonderfully patient, but maybe too patient," Aftab said. "But now, maybe Web sites which have extra money will put it into [getting into compliance with the law] rather than on design. These sites need to take [the law] seriously. It's not a game anymore."
The action by the FTC comes two days after the Center for Media Education (CME), a nonprofit watchdog group in Washington, released a report calling on the commission to more closely monitor Web site compliance with COPPA and to take appropriate regulatory action against companies that don't adhere to the law.
CME, which surveyed 153 commercial Web sites aimed at children, said in the report (download .pdf) that COPPA has brought about some positive changes. For example, the group said, more Web sites are posting privacy policies and limiting the amount of personal information they collect from children.
But most of the surveyed sites still don't display their privacy policies in a "clear and prominent" link, as required by COPPA, according to the report. CME also said a majority of the sites aren't properly getting parental permission before collecting a child's personal data. And in attempting to restrict children under the age of 13 from entering personal information, it added, some sites use methods that could encourage kids to lie about their ages.
The CME report is the second one issued in the past few weeks saying that companies need to do more to comply with the provisions of COPPA. Late last month, the Annenberg Public Policy Center of the University of Pennsylvania in Philadelphia charged that the 162 Web sites it examined "often did not live up to the spirit and sometimes even the letter behind the rules" (see story).
COPPA requires Web sites that get traffic from children who are under age 13 to post a privacy policy detailing the personally identifiable information they collect from young visitors. That includes information required to register as a user of a site or data that children may reveal in chat rooms or on posting services. The site also must have a parental notification-and-approval policy in place.
As part of the enforcement actions announced today, the FTC said, Monarch Services Inc. and Girls Life Inc. in Baltimore, operators of www.girlslife.com, agreed to pay a $30,000 penalty, while Nolan Quan, operator of BigMailBox.com Inc., and San Francisco-based LookSmart Ltd. will each pay $35,000. LookSmart's violations involved a Web site aimed at kids under the URL www.insidetheweb.com, which currently redirects visitors to a different site owned by the company.
According to the FTC, which monitors children's Web sites on an ongoing basis, the three sites illegally collected personal information from children without getting permission from their parents. The FTC also alleged that none of the three Web sites posted privacy policies as required by COPPA.
In addition to the monetary fines, the FTC said, the sites must delete all the personal information that they collected from children since COPPA became effective on April 21, 2000. They also have to post appropriate privacy policies and provide links to an FTC Web site that provides information about COPPA.
Aftab said the 12 months that have passed since COPPA took effect have been particularly difficult for children's Web sites. Because of the softening economy, the drying up of venture capital funding and the cost of complying with COPPA, the online industry targeted at children is only half the size it was a year ago, she said.
"I think most of the sites are good guys," Aftab said. "They're trying to comply, but they just don't always [understand the regulations]." But she warned that the Web sites named by the FTC today and others that may suffer a similar fate later on will be harmed even more from the bad publicity.
In a related matter, the FTC also announced that it has approved the Entertainment Software Rating Board, a privacy seal provider in New York, as a safe harbor program under COPPA. Safe harbors are industry self-regulatory guidelines that are considered to comply with the requirements set out by privacy laws such as COPPA.
Earlier this year, the FTC granted safe harbor status to a set of guidelines developed by the Children's Advertising Review Unit of the Council of the Better Business Bureaus (see story). That was the first COPPA-related safe harbor designation made by the commission.
Related stories:
- Bush makes key privacy decision, April 16, 2001
- Medical privacy rules to take effect, but changes could follow, April 12, 2001
- Financial services firms face uncertainty over European privacy rules, March 28, 2001
- Update: FTC warns Web sites to comply with children's privacy law, July 19, 2000