Children's Privacy Violations Lead to $1 Million Penalty
December 17, 2008
On December 11, 2008, the Federal Trade Commission (FTC) announced the settlement of a case it filed the day before against Sony BMG Music Entertainment alleging violations of the Children's Online Privacy Protection Act (COPPA). COPPA regulates the online collection, use, and disclosure of personal information from children under 13 years of age and applies to websites that have actual knowledge that they have collected information from children or websites that are directed at children. In announcing the settlement, Sony BMG agreed to pay a fine of $1 million and implement various compliance measures. The result demonstrates the FTC's continuing attention to protecting consumers, especially children, online.
The settlement came shortly after the government filed a lawsuit in the U.S. District Court for the Southern District of New York alleging that the company had collected, used, and disclosed personal information from children in violation of COPPA. The suit alleged that Sony BMG, which operates over 1,100 music-related websites, collected personal information from at least 30,000 children in violation of COPPA. According to the government, these sites include information about artists that are popular with children and teenagers. According to the complaint, Sony BMG allowed children who disclosed that they were under 13 to register and use its websites without providing notice to parents or obtaining their consent. The government specifically alleged that Sony BMG had:
- failed to provide required notice to parents of its information practices;
- failed to obtain verifiable consent from parents prior to collecting, using, and disclosing personal information from children; and
- failed to provide parents with reasonable means to review collected personal information and to refuse to permit further use and collection of, and to require deletion of, personal information regarding their children.
Settlement Includes Penalty, Mandatory Compliance and Reporting, Consumer Education, and Deletion of Collected Information
The government sought and received several different kinds of relief in the settlement. In addition to the $1 million civil penalty for alleged unfair and deceptive trade practices, Sony BMG agreed to refrain from any further violations of COPPA. Sony BMG also agreed for a period of five years to implement several compliance measures directly aimed at consumer education, including:
- providing direct notice to parents of privacy practices relating to children;
- providing notice in website privacy policies of information practices relating to children and at all points where such information is collected on such websites; and
- making certain the content of the websites includes links to specific FTC educational materials regarding protecting children on online social networks and elsewhere online.1
Beyond making information available to parents, the settlement also requires Sony BMG to implement a specific COPPA compliance program. This program requires distribution of COPPA compliance-related materials, including an FTC guide on the subject, to all relevant individuals responsible for implementing the settlement and administering the websites. Sony BMG further is required to document the distribution and receipt of such materials by relevant personnel, to maintain records demonstrating COPPA compliance, and to prepare periodic reports as requested by the FTC that document and illustrate the steps taken by Sony BMG to ensure compliance.
Lastly, the settlement requires the company to delete any and all personal information collected from children in violation of COPPA.
The lawsuit and its settlement are important for businesses that operate websites and organizations that may work with such businesses. In particular, the settlement draws continuing attention to the government's willingness to aggressively prosecute companies that have actual knowledge that they collected information from children under 13 without ensuring COPPA compliance.
Sony BMG's terms and privacy policies allegedly prohibited kids under 13 from participating. However, the government alleged that children still did participate in activities on the websites and provided personal information through the websites. The FTC used its authority under Section 5 of its governing statute to pursue the company's practices on the basis that they were unfair and deceptive. The government contended that these practices were deceptive because the company said that it did not allow children under 13 to participate and yet it did in fact accept registrations from children who entered a date of birth indicating that they were under 13 without obtaining parental consent.
The Sony BMG case, coupled with a similar enforcement action against website operator Xanga, shows a willingness on the part of the FTC to aggressively hold operators responsible for what actually occurs on their websites. These two enforcement actions suggest that disclaiming responsibility for and prohibiting participation by children solely through website terms and conditions could be problematic for some website operators. The case is also very similar to a COPPA enforcement action against UMG Recordings, Inc., in 2004, in which UMG paid a $400,000 fine and agreed to similar compliance measures based on allegations of actual knowledge of underage use on general-audience websites, as well as alleged violations based on operation of a music website directed at children.
The Sony BMG lawsuit signals the continuing importance of "actual knowledge" in COPPA enforcement. The websites at issue were not alleged to be directed at children. Therefore, the violations resulted from the government's imputation that the websites knew that they had collected information from children under 13, by accepting registrations from children who entered a date of birth indicating that they were under 13.
The settlement highlights the ongoing importance and complications associated with the collection, use, and disclosure of personal information online by website operators, especially where children are involved. While most website operators now have policies posted on their websites that govern data collection and usage, the Sony BMG case suggests the value of periodically reviewing practices to evaluate how such policies are implemented, including training and assessment of compliance.
The FTC considers the online privacy of children one of its top priorities and, as this prosecution and settlement show, the agency seems intent on actively policing this area of privacy. Wilson Sonsini Goodrich & Rosati's media practice is uniquely positioned to assist clients in this highly complex and evolving area of the law. Our seasoned team brings to bear deep experience in the converging area of media and technology, including a diverse blend of backgrounds in entertainment law and the music and film industries. Our attorneys routinely counsel clients on the subtleties of COPPA and other rapidly changing domestic and international privacy issues. If you have questions in these areas, please contact Catherine Kirkman, Tonia Klausner, Gary Greenstein, Gerry Stegmaier, or Matthew Staples.
1 The relevant FTC educational materials, which include guidelines on how to protect kids online and materials on social networks and online safety, can be accessed respectively at: http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec08.shtm and http://www.onguardonline.gov/topics/social-networking-sites.aspx.