On December 11, the FTC announced a proposed settlement with Sony BMG Music Entertainment (Sony) of charges that Sony engaged in numerous violations of the Children's Online Privacy Protection Act of 1998 (COPPA). In the settlement, Sony agreed to pay $1 million—the largest civil penalty yet for COPPA violations—and to take specified additional steps to bring its websites into compliance with legal requirements and to promote the safety of children online.
COPPA was enacted in 1998 to restrict the collection and use of personally identifiable information (PII) about children under the age of 13. In general, an Internet website cannot collect, use or disclose PII about children under 13 unless the website first obtains verifiable parental consent, subject to certain limited exceptions. The FTC has primary responsibility for enforcing the law. In the decade since its enactment, the Commission has brought 13 previous enforcement actions under COPPA. The Sony complaint, the 14th enforcement action, is the largest to date not only in terms of the amount of the fine but also because of the breadth of the alleged violations.
Sony Music operates more than 1,000 websites for its musical artists and labels. Those websites require anyone who registers to provide a wide range of personal information, including date of birth. Many of the sites contain social networking features, enabling registrants to create personal fan pages, offer music reviews, upload photos, post comments and engage in private messaging.
The FTC's Complaint
The complaint avers that on 196 of its sites, Sony knowingly collected personal information from at least 30,000 children under 13 years of age without first obtaining the requisite parental consent. The FTC charged that, in so doing, Sony violated COPPA and the Commission's implementing regulations.
The FTC also challenged the adequacy of Sony's privacy statement. Among other claims, the FTC charged that Sony's privacy statement did not clearly explain the websites' privacy practices, and that it omitted required disclosures, including items as mundane as listing the telephone number and email addresses of all operators collecting personal information from children.
The Proposed Consent Decree
The FTC's complaint was filed in the U.S. District Court for the Southern District of New York, together with a proposed consent decree that it had negotiated with Sony in advance of the filing. In addition to the $1 million penalty, the consent decree contains provisions requiring Sony to delete all personal information collected and maintained in violation of COPPA, to improve the clarity and accuracy of its privacy statements, and otherwise to bring its operations fully into compliance with COPPA. Sony also agreed to a wide range of reporting and record-keeping requirements.
Also, for five years, on any website that offers users the ability to create an online user profile, Sony must display a conspicuous hyperlink to www.OnGuardOnline.gov, a government page presenting social networking tips, both on the homepage and in the privacy notice. This is significant, as this case marks the first COPPA enforcement action against the social networking aspects of a website.
The Need to Conform Practice and Policy
A privacy statement cannot be written without a full understanding of how the website to which it purportedly applies in fact operates. Conversely, the website designer must thoroughly understand the privacy goals and commitments of the company, and must create and manage the site in a manner that fully meets those goals and commitments. A disparity between stated policy and actual practice can, when detected, bring not only financial penalties and operational restrictions, but also reputational harm that can be difficult to overcome.
Accordingly, businesses would be well-advised to take some time to review the actual operational practices of their websites, and to compare those practices to the representations made in the business's privacy statement. Some may find changes are in order. For example, even if a website's initial design was fully consistent with the business's privacy statement, subsequent changes to the site, or to the privacy statement, could cause the two to fall out of alignment.