The Federal Trade Commission's (FTC) announcement in late October of a proposed settlement with Iconix serves as a reminder of the need for commercial websites to ensure that their registration processes fully comply with COPPA and the regulations adopted by the FTC under that law.

COPPA

The Children's Online Privacy Protection Act (COPPA), was enacted in 1998 to restrict the collection and use of personally identifiable information (PII) about children-under the age of 13. In general, an Internet website cannot collect, use or disclose PII from children under 13 unless the website first obtains verifiable parental consent, subject to certain limited exceptions. The Iconix case is the 15th enforcement action initiated by the FTC in the decade since the statute was enacted. The FTC has brought cases against companies large and small, with both obscure and well-known websites.

Iconix

Iconix operates several apparel brands that appeal to teenagers and younger children. The FTC charged that Iconix's brand-name websites collected from more than 1,000 children, each under the age of 13, substantial personal information, including names, email addresses, zip codes and sometimes postal addresses, gender and telephone numbers, all without providing notice to and obtaining verified consent from parents. One site, MyMuddWorld.com, allegedly also enabled girls to share personal stories and photographs online, likewise without notice to or consent from parents.

The FTC's Complaint

The FTC charged Iconix with violations of the statute and the FTC's regulations prohibiting the collection and use of personal information from underage children without providing notice to, and obtaining consent from, parents. The FTC also charged that Iconix falsely represented in its privacy policy that it would not collect personal information from children without obtaining prior parental consent.

In the proposed settlement, Iconix agreed to pay a $250,000 civil penalty. Additional provisions prohibit Iconix from violating COPPA requirements in the future and require the deletion of all information obtained in violation of COPPA. As usual in FTC settlements of privacy cases, the consent decree imposes on Iconix a number of compliance, reporting and recordkeeping requirements designed to help ensure that the company lives up to its commitments. The proposed consent decree was filed in the United States District Court for the Southern District of New York, where it was entered on November 5 by U.S. District Judge Miriam Goldman Cedarbaum.

What's Next?

The Iconix case serves as a useful reminder that COPPA, after a decade, remains the law of the land and that not all commercial websites have yet come into compliance. Adhering to the requirements of COPPA and other privacy laws is an ongoing obligation, not a one-time item on a checklist. Marketers eager to build an attractive website face a continual temptation to make registration easy, or to omit safeguards useful in preventing registration by underage children. Counsel should review their companies' websites not only at the time of a website's initial launch and major upgrades, but also from time to time to make sure no changes have occurred to a formerly compliant website.

Looking ahead, a review by the FTC of COPPA and its implementing regulations is due in 2010. Among the issues likely be to covered in that review are mobile marketing to teenagers and whether the current threshold age of 13 should be raised (particularly in light of efforts by states, such as Maine, to extend COPPA-like protections to older teens). This process could well extend COPPA-like requirements to at least some teenagers, which would likely affect many sites that currently are well outside the scope of COPPA. Stay tuned!