On December 11, 2008, the Federal Trade Commission (FTC) announced that Sony BMG Music Entertainment (Sony Music) agreed to pay a $1 million penalty and comply with various conduct requirements to settle the FTC’s charges that Sony Music’s music fan Web sites violated the Children’s Online Privacy Protection Act (COPPA) by collecting, using, and disclosing the personal information of more than 30,000 children under the age of 13. This settlement matches the FTC’s Xanga consent order for the highest penalty for alleged COPPA violations.1 The magnitude of the penalty appears to be related to the systemic nature of the violation coupled with the length of the violation (alleged to be since 2004).
Sony Music operates more than 1,100 music-related Web sites that collect personal information from users; these sites would almost exclusively be considered general audience sites under COPPA. Some of the Web sites offer users the ability to enter sweepstakes or receive electronic newsletters, others also allow users to participate on message boards, and many of the Web sites offer more extensive networking capabilities enabling users to create user profiles, upload photos and videos, post comments on message boards, and send messages to other users.
The registration process for the Sony Music Web sites requires users to enter personal information, including their date of birth, or alternatively, to choose their age from a pull-down menu. The FTC’s complaint charges that, based on the registration information, Sony Music had actual knowledge that many users were under the age of 13. It appears that when Sony Music learned that a registrant was under the age of 13, instead of blocking that user’s ability to register (usually via a notice denying registration and using a browser cookie that would not allow users to go back and change their registration age), children under 13 were able to provide their personal information and register with the site. Sony Music both used that personal information and permitted children to participate in the public interactive portions of the Web sites without the parental notice and consent required by COPPA.
In addition to the million dollar penalty, Sony Music has agreed to comply fully with COPPA, delete all personal information obtained from children under 13 in violation of COPPA, provide links to FTC consumer education Web sites for five years, and submit to monitoring by the FTC.
Companies that have general audience Web sites should confirm that their data collection practices are consistent with COPPA and industry best practices. In particular, companies should confirm that their Web sites are not collecting personal information from children under the age of 13 without obtaining verifiable parental consent.2 Furthermore, companies are encouraged to review their privacy policies to confirm that they provide an accurate representation of data collection and use practices.