Federal Trade Commission Announces Settlement with Skidekids.com: Company Did Not
Obtain Verifiable Parental Consent before Collecting Children's Personal Information
November 14, 2011
On November 8, 2011, the Federal Trade Commission (FTC) announced a settlement with the operator of Skidekids.com resolving its investigation into alleged violations of the Children's Online Privacy Protection Act (COPPA). COPPA regulates the online collection of personal information from children under 13 years of age, as well as the use and disclosure of such information. COPPA applies to commercial websites and online services directed at children or that collect children's personal information with actual knowledge. The operators of these websites and online services may not collect, use, or disclose children's personal information without giving direct notice of their privacy policies to parents and obtaining verifiable consent from them.
Skidekids.com allegedly operates a social networking website targeted to children ages 7 to 14. Children may register by submitting information such as birth date, gender, username, password, and email address. After registering, children can then enter more data in their profiles, including their first and last name, city, and country, and they can type freely in an "About Me" field. Children also can upload pictures and videos and make friends and send messages with other users. The FTC alleged that Skidekids.com allowed children to register and use its website without attempting to provide a privacy notice to parents or obtaining their verifiable consent as required by COPPA. The FTC alleged specifically that Skidekids.com violated COPPA by failing to:
- provide on its website sufficient notice of its information collection, use, and disclosure practices;
- provide direct notice to parents of its information collection, use, and disclosure practices; and
- obtain verifiable consent from parents prior to collecting, using, and disclosing personal information from children.
The government sought and received several different kinds of relief in the settlement. Skidekids.com agreed to pay a $100,000 fine, delete children's personal information it collected in violation of COPPA, not commit future violations of COPPA and Section 5 of the FTC Act, and post conspicuous website links to the child safety website http://onguardonline.gov. In a first for COPPA-related settlements, Skidekids.com agreed either to hire an independent expert to assess its COPPA compliance each year or become a member of a COPPA safe-harbor program for five years. This aspect of the settlement reflects an ongoing trend toward retention of third-party experts and independent assessors to review privacy practices.
The lawsuit and its settlement are important for businesses operating websites that may collect information about children, and especially those directed at children. COPPA requires these businesses to publish and follow privacy policies that fully state how they collect, use, and disclose children's personal information. Collection of children's personal information prior to providing direct notice to parents and obtaining their verifiable consent may create significant liability.
Including privacy assessment requirements in settlements is consistent with the FTC's other recent privacy-related enforcement actions, and we anticipate they may be part of the FTC's future COPPA-related settlement requirements. Performing annual assessments of information collection, use, and disclosure practices or becoming a member of a COPPA safe-harbor program may mitigate COPPA-related risk.
Finally, the FTC has recently proposed significant revisions to its COPPA Rule, and businesses that collect information from children may consider now a good time to review their existing practices and consider participating in the FTC's rulemaking proceeding.
Wilson Sonsini Goodrich & Rosati's attorneys routinely help clients manage risks associated with protecting children online and related legal compliance, as well as other rapidly changing domestic and international privacy and data security issues. For more information, please contact: Lydia Parnes at firstname.lastname@example.org or (202) 973-8800; Gerry Stegmaier at email@example.com or (202) 973-8809; Matthew Staples at firstname.lastname@example.org or (206) 883-2583; Wendell Bartnick at email@example.com or (202) 973-8800; or any of the many members of our privacy and data security practice.