By Lesley Fair

Whether studying, shopping, surfing or chatting, today’s kids take advantage of everything the Internet has to offer.  But when it comes to their personal information, who’s in the driver’s seat?  Parents, according to the Children’s Online Privacy Protection Act (COPPA) and regulations enforced by the Federal Trade Commission.
 
If you operate a website directed to children under 13 that collects personal information – or if you operate a website directed to a general audience and have actual knowledge you’re collecting personal information from kids – you must comply with COPPA’s two main requirements.  First, you must prominently post your information security practices on your homepage and wherever you collect information from kids, including the kinds of information you collect; how you collect it (for example, directly from the child or passively, say, through cookies); how you use the information; whether you disclose it to third parties; and the procedures parents can follow to exercise their right to review their child’s personal information, refuse to allow its further collection or use, or have it deleted.  Second, before collecting, using, or disclosing a child’s personal information, COPPA requires you to notify parents and get their verifiable consent.

The FTC’s settlement with Sony BMG Music Entertainment shows the importance of COPPA compliance.  Sony Music operates websites dedicated to their entertainers, including numerous artists popular with children and teenagers.  Many of these sites allow users to create personal fan pages, review artists’ music, upload photos or videos, post comments on message boards and in online forums, and engage in private messaging.  To register, Sony Music requires users to submit a broad range of personal information, including their date of birth. According to the FTC, Sony Music knowingly collected personal information from at least 30,000 underage children without first getting their parents’ consent.  As a result, children were able to interact with Sony Music fans of all ages, including adults.

The FTC’s complaint alleges that Sony Music violated COPPA by failing to provide sufficient notice on its websites of what information the company collects online from children, how it uses the information, and its disclosure practices.  According to the FTC, the company also failed to provide parents with direct notice of its information practices and failed to get verifiable parental consent before collecting personal information from kids.  The FTC’s complaint also charges that Sony Music violated the law by falsely stating in its privacy policy that users under 13 would not be allowed to participate in interactive webpage activities.  The upshot?  A $1 million civil penalty for violations of COPPA.

Looking for step-by-step guidance on fulfilling your obligations under COPPA? Visit the Children’s Privacy page at business.ftc.gov.

Lesley Fair is an attorney in the FTC’s Bureau of Consumer Protection who specializes in business compliance.