Operators of Online "Virtual Worlds" Agree to Largest Civil Settlement of COPPA Complaint to Date

By Micah Ratner While over on the Hill the question was whether the Children’s Online Privacy Protection Act (“COPPA”) could be a springboard to “bigger and better” regulatory things, the Federal Trade Commission made news by enforcing the existing statute to elicit the largest civil settlement under the FTC COPPA Rule to date. On May 11, 2011, Playdom, Inc., an operator of over 20 online “virtual online worlds, agreed to pay $3 million to settle FTC claims that it violated COPPA by collecting and disclosing personal information from hundreds of thousands of children under 13 without prior parental consent. Playdom’s websites were geared toward general audiences but also attracted children, and one of the online worlds called “Pony Stars” was specifically directed at children. The complaint also alleged that Playdom’s privacy policy violated the FTC Act (related to unfair or deceptive acts or practices) by misrepresenting that it would prevent children from posting personal information on its sites. The FTC noted that by summer’s end 2010, Playdom had terminated most of the online worlds at issue, though some continued in operation for several months by non-U.S. based providers, before shutting down as well. The Playdom complaint reads like a list of “what not to do.” First, the sites allegedly violated the FTC Act by allowing children to post their names, email addresses, instant messenger screen names, and locations on online profile pages and forums, even though the sites’ privacy policy said Playdom would prevent children from posting personal information. Second, the FTC alleged that Playdom asked the child’s age and email address during registration for the sites, from which it knew the child was under 13 years old. It then asked for a parent’s email address. Playdom nonetheless allowed children to fully access the websites and disclose personal information after the child entered a parent’s email address, without any notice to the parent other than a “welcome” email (if the email address the child provided even was, in fact, one used by his or her parent). Playdom did not obtain consent from the parent to collect, use or disclose their child’s personal information. In addition, Playdom did not properly disclose all of its information collection, use, and disclosure practices for children. If the FTC’s complaint is a blueprint for COPPA violations, its consent order might be viewed as a roadmap to compliance. As highlighted in the settlement, any website or online service directed to children, or where the operator has actual knowledge that it collects, uses, or discloses personal information from children should:

• Provide clear and complete notice to parents of information the site collects online from children, and how it uses and discloses the information.
• Obtain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children
• Allow parents to review the personal information collected from their children and to refuse to permit its further use or maintenance.
• Make sure that each type of information collected from a child is reasonably necessary for the provision of the particular related activity.
• Use procedures to protect the confidentiality, security, and integrity of personal information collected from children.
• Link to the FTC’s website to provide tips on protecting children’s privacy online: www.OnGuardOnline.gov.

The Playdom case is a powerful reminder that failure to comply with the FTC’s COPPA Rule can lead to expensive consequences. Jon Leibowitz, Chairman of the FTC warned: “Whether you are a virtual world, a social network, or any other interactive site that appeals to kids,” operators must “provide proper notice and get proper consent” from parents. In addition, as the FTC is currently engaged in a rule review to determine how it should update COPPA, that some in the industry may still be having trouble complying with “the basics” is hardly reassuring for regulators.