The Federal Trade Commission (FTC) reached a record $3 million agreement with the online game developer Playdom Inc. and Senior Vice President Howard Marks to settle charges that the Walt Disney Co. subsidiary violated the Children’s Online Privacy Protection Act of 1998 (COPPA) by collecting and disclosing the personal information of children under the age of 13 without proper parental consent.

COPPA requires commercial website operators and providers of online services directed at children to meet specific guidelines when collecting, using, or disclosing children’s personal information. Personal information includes first and last name, home address, email address, telephone number, and Social Security number. Also, other information that the online service providers collect and associate with any of the specified identifier information qualifies as personal information. To avoid COPPA violations, a website operator must post a clear, understandable, and complete privacy policy, provide notice of the website’s information practices directly to parents, obtain parental consent prior to collecting any personal information, give parents the opportunity to consent to data collection without consenting to information disclosure, and allow reasonable means for parents to review collected data. 

Playdom is a developer of social games available on Facebook, MySpace, and other global social networks.  Since 2006, it has allowed users to access and play games in more than 20 virtual online worlds. For example, Playdom users can create a Stone Age civilization one minute and run a virtual NBA basketball team the next.  Playdom requires online registration of all users prior to entering any of Playdom’s online worlds. Although most of the online worlds are directed to a general audience, they reportedly attract children as well. One of the online worlds, Pony Stars, was specifically directed at children. As part of the registration process, Playdom required child users to provide information including an email address and birth year. If the user self-reported being less than 13 years of age, a disclaimer popped up and required entry of a parent or guardian’s email address. After entering the email address, the child was fully registered and could create an online profile that included real name, location, and email address, among other identifying information.

The FTC alleged that Playdom violated COPPA in three significant ways. First, Playdom did not provide sufficient general notice on its website of what personal information the website collected, used, and distributed. Second, Playdom did not provide direct notice to the parents of child users about the information collected.  Third, Playdom did not obtain appropriate parental consent prior to collecting child user information.

In addition to the $3 million penalty agreed to in the settlement, Playdom is also prohibited from violating COPPA in the future and from misrepresenting its personal information collection practices on its site. Playdom must delete all of the personal information collected in violation of COPPA and update its privacy policy to educate consumers on how to protect children’s privacy online.

The chairman of the FTC said that this settlement, the largest civil penalty for a violation of COPPA, should make it clear to operators of child-directed interactive sites that nothing short of proper parental notice and consent are required. Operators of websites directly or indirectly targeting children must be diligent in ensuring that their websites allow parents of child visitors ample opportunity to review and consent to all categories of personal information collected.

All advertisers operating websites that attract children should be aware of this FTC action and COPPA.