On December 11, the FTC announced a proposed settlement with Sony BMG Music Entertainment (Sony) of charges that Sony engaged in numerous violations of the Children's Online Privacy Protection Act of 1998 (COPPA). In the settlement, Sony agreed to pay $1 million—the largest civil penalty yet for COPPA violations—and to take specified additional steps to bring its websites into compliance with legal requirements and to promote the safety of children online.
COPPA was enacted in 1998 to restrict the collection and use of personally identifiable information (PII) about children under the age of 13. In general, an Internet website cannot collect, use or disclose PII about children under 13 unless the website first obtains verifiable parental consent, subject to certain limited exceptions. The FTC has primary responsibility for enforcing the law. In the decade since its enactment, the Commission has brought 13 previous enforcement actions under COPPA. The Sony complaint, the 14th enforcement action, is the largest to date not only in terms of the amount of the fine but also because of the breadth of the alleged violations.

Sony Music

Sony Music operates more than 1,000 websites for its musical artists and labels. Those websites require persons interested in registering on those sites to provide a wide range of personal information, including date of birth. Many of those sites contain social networking features, enabling registrants to create personal fan pages, offer music reviews, upload photos, post comments and engage in private messaging.

The FTC's Complaint

The complaint avers that on 196 of its sites, Sony knowingly collected personal information from at least 30,000 children under 13 years of age without first obtaining the requisite parental consent. The FTC charged that, in so doing, Sony violated COPPA and the Commission's implementing regulations.

The FTC charged Sony with several types of violations. According to the complaint, Sony improperly allowed underage children to register and create online user profiles, failed to provide parents with direct notice of its practices before collecting, using or disclosing children's information, did not obtain verifiable parental consent to such collections and uses, and failed to provide parents with a way to review the information collected that pertained to their children. Although Sony represented that it used cookies to help restrict access to its sites by underage children, the complaint charged that Sony did not in fact so restrict the use of its sites, nor did it use cookies to ensure that any restriction persisted.
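The cookie-based control the complaint faults is easy to describe and easy to get wrong: the refusal shown to a visitor who discloses an under-13 birthdate must persist, so that simply reloading the form and entering a different date does not open registration. The following is an added example written for this article, not code from the FTC complaint, from Sony, or from any of its websites; the function names, the cookie name and the sample birthdates are all constructed.

```python
"""Age gate with a persistent 'under 13' marker cookie (added example).

Shows why the marker must be checked before any new birthdate is read:
once a browser has disclosed an under-13 date, later submissions from the
same browser are refused regardless of the date entered. Names and sample
values are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional

COPPA_AGE = 13
BLOCK_COOKIE = "age_gate_blocked"   # constructed cookie name
BLOCK_TTL_DAYS = 365                # long-lived, so the refusal survives the session


def age_on(dob_iso: str, today_iso: str) -> int:
    """Whole years between an ISO date of birth and an ISO 'today'."""
    dob, today = date.fromisoformat(dob_iso), date.fromisoformat(today_iso)
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):   # birthday not yet reached
        years -= 1
    return years


@dataclass
class GateResult:
    allowed: bool
    reason: str
    set_cookies: Dict[str, str] = field(default_factory=dict)


def age_gate(cookies: Dict[str, str], dob_iso: Optional[str], today_iso: str) -> GateResult:
    """Decide whether the registration form may be shown for this request."""
    # 1. A prior refusal persists. The marker is checked before the submitted
    #    date is even looked at, so re-entering an older date changes nothing.
    if cookies.get(BLOCK_COOKIE) == "1":
        return GateResult(False, "prior under-13 disclosure on this browser")
    if not dob_iso:
        return GateResult(False, "date of birth required")
    if age_on(dob_iso, today_iso) < COPPA_AGE:
        # 2. Record the refusal with a long-lived cookie. The server must also
        #    discard the birthdate itself rather than store it with the request.
        return GateResult(False, "under 13: verifiable parental consent required",
                          set_cookies={BLOCK_COOKIE: "1"})
    return GateResult(True, "age gate passed")


def set_cookie_header(name: str, value: str, max_age_days: int = BLOCK_TTL_DAYS) -> str:
    """Set-Cookie value for the marker: long Max-Age keeps it across sessions;
    HttpOnly stops page scripts from clearing it. A user can still delete
    cookies, so this is a good-faith control, not a hard barrier."""
    return (f"{name}={value}; Max-Age={max_age_days * 86400}; Path=/; "
            f"HttpOnly; Secure; SameSite=Lax")


def simulate(today_iso: str = "2008-12-11"):
    """Walk one browser through two submissions; returns the two decisions.

    First an under-13 date (blocked, cookie set), then an adult date from the
    same browser (still blocked, because the marker cookie persists)."""
    browser: Dict[str, str] = {}       # constructed cookie jar for one browser
    decisions = []
    for dob in ("2000-01-01", "1985-05-05"):
        result = age_gate(browser, dob, today_iso)
        browser.update(result.set_cookies)  # the browser stores what the server set
        decisions.append(result.allowed)
    return decisions


if __name__ == "__main__":
    print(simulate())                    # [False, False]
    print(set_cookie_header(BLOCK_COOKIE, "1"))
```

Two points the example makes concrete: the marker check comes first, before the new birthdate is parsed, and the block is stored with a long Max-Age so it is not lost when the session ends. Logging each refusal server-side (without the birthdate) also gives compliance staff a count of under-13 disclosures to compare against registration records.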

The FTC also challenged the adequacy of Sony's privacy statement. Among other claims, the FTC charged that Sony's privacy statement did not clearly explain the websites' privacy practices, and that it omitted required disclosures, including items as mundane as listing the telephone number and email addresses of all operators collecting personal information from children.

Finally, the FTC also charged Sony with violating the broad standard of Section 5 of the Federal Trade Commission Act by representing in its privacy policy that children under 13 could not provide PII without parental consent, and that this representation was, obviously, incorrect and therefore deceptive.

The Proposed Consent Decree

The FTC's complaint was filed in the U.S. District Court for the Southern District of New York, together with a proposed consent decree that it had negotiated with Sony in advance of the filing. In addition to the $1 million penalty, the consent decree contains provisions requiring Sony to delete all personal information collected and maintained in violation of COPPA, to improve the clarity and accuracy of its privacy statements, and otherwise to bring its operations fully into compliance with COPPA. Sony also agreed to a wide range of reporting and record-keeping requirements.

In addition, Sony agreed to implement specific consumer education steps. For example, for five years following entry of the consent decree, Sony will include in its privacy policy, in its notifications to parents and at each point on its websites at which personal information is collected, a prominent link to the FTC's webpage about protecting children's privacy online: www.ftc.gov/privacy/privacyinitiatives/childrens.

Also, for five years, Sony must place a conspicuous hyperlink to www.OnGuardOnline.gov, a government page presenting social networking tips, on the homepage and in the privacy notice of any website that offers users the ability to create an online user profile. This is significant, as this case marks the first COPPA enforcement action against the social networking features of a website.

The Need to Conform Practice and Policy

The disparity between the representations made in Sony's published privacy policy and the actual practices on 196 of its websites is striking. It illustrates the need to ensure that the actual operations of a business's website are consistent with the statements the business makes about those very operations in its privacy statement. A reading of the complaint could lead one to conclude that the website designer and the author of the privacy statement never communicated with each other. Sony will now pay a steep price, both in cash and in ongoing operational reforms and monitoring, for that failure.

A privacy statement cannot be written without a full understanding of how the website to which it purportedly applies in fact operates. Conversely, the website designer must be thoroughly knowledgeable of the privacy goals and commitments of the company, and must create and manage the site in a manner that fully meets those goals and commitments. A disparity between stated policy and actual practice can, when detected, bring not only financial penalties and operational restrictions, but also reputational harm that can be difficult to overcome.

Accordingly, businesses would be well-advised to take some time to review the actual operational practices of their websites, and to compare those practices to the representations made in the business's privacy statement. Some may find changes are in order. For example, even if a website's initial design was fully consistent with the business's privacy statement, subsequent changes to the site—or to the privacy statement—could cause the two no longer to align.