On December 11, 2008, the Federal Trade Commission (FTC) announced that Sony BMG Music Entertainment (Sony Music) agreed to pay a $1 million penalty and comply with various conduct requirements to settle the FTC’s charges that Sony Music’s music fan Web sites violated the Children’s Online Privacy Protection Act (COPPA) by collecting, using, and disclosing the personal information of more than 30,000 children under the age of 13. This settlement matches the FTC’s Xanga consent order for the highest penalty for alleged COPPA violations.1 The magnitude of the penalty appears to be related to the systemic nature of the violation coupled with the length of the violation (alleged to be since 2004).

COPPA and its implementing regulation apply to operators of Web sites that collect personal information from users when the Web site is targeted to children under 13 or the operator has actual knowledge that users are under 13. If COPPA applies, the Web site must include a privacy policy detailing what personal information it collects and how that information is used. To collect personal information from children under 13, the operator must first notify the child’s parent, and to use or disclose the child’s personal information, the operator must obtain verifiable parental consent. The FTC uses a “sliding scale” approach to parental consent whereby the required method of consent varies based on how the Web site operator uses or discloses the child’s personal information. A COPPA violation may also constitute a violation of Section 5 of the FTC Act.

Sony Music operates more than 1,100 music-related Web sites that collect personal information from users; these sites would almost exclusively be considered general audience sites under COPPA. Some of the Web sites offer users the ability to enter sweepstakes or receive electronic newsletters, others also allow users to participate on message boards, and many of the Web sites offer more extensive networking capabilities enabling users to create user profiles, upload photos and videos, post comments on message boards, and send messages to other users.

The registration process for the Sony Music Web sites requires users to enter personal information, including their date of birth, or alternatively, to choose their age from a pull-down menu. The FTC’s complaint charges that, based on the registration information, Sony Music had actual knowledge that many users were under the age of 13. It appears that when Sony Music learned that a registrant was under the age of 13, it did not block that user’s ability to register (usually done via a notice denying registration and a browser cookie that prevents users from going back and changing their registration age); instead, children under 13 were able to provide their personal information and register with the site. Sony Music both used that personal information and permitted children to participate in the public interactive portions of the Web sites without the parental notice and consent required by COPPA.

The complaint further charges that Sony Music’s online privacy policy contains false and misleading statements, in violation of Section 5 of the FTC Act. The privacy policy states that children under 13 cannot participate without a parent’s permission and that users under 13 will be prohibited from participating in Sony Music Web site activities through the use of persistent cookies. However, the FTC alleges that despite Sony Music’s representations in its privacy policy, Sony Music did not utilize such cookies and children who provided a date of birth indicating they were under 13 were able to freely register.

In addition to the million dollar penalty, Sony Music has agreed to comply fully with COPPA, delete all personal information obtained from children under 13 in violation of COPPA, provide links to FTC consumer education Web sites for five years, and submit to monitoring by the FTC.

Companies that have general audience Web sites should confirm that their data collection practices are consistent with COPPA and industry best practices. In particular, companies should confirm that their Web sites are not collecting personal information from children under the age of 13 without obtaining verifiable parental consent.2 Furthermore, companies are encouraged to review their privacy policies to confirm that they provide an accurate representation of data collection and use practices.

The complaint and consent decree can be found here and more information on COPPA compliance is available here.