Written by Julia Siripurapu
As we predicted in our prior blog post reviewing the key children’s privacy developments of the past year, 2014 is turning out to be the year of enforcement of children’s privacy regulations! The first two requests for investigation under the Amended COPPA Rule have been filed with the FTC by the Center for Digital Democracy (“CDD”), a consumer rights organization. The CDD is claiming that two of the major players in the children’s online market place, Marvel Entertainment (“Marvel”) and Sanrio Co., Ltd. (“Sanrio”) failed to comply with the Amended COPPA Rule’s parental notice and verifiable consent requirements as well as with the requirement that the privacy policy is clearly written and accurate.
In its complaint against Sanrio (the “Sanrio Complaint”), the CDD asked the FTC to investigate Sanrio for operating its Hello Kitty Carnival mobile application in violation of the Amended COPPA Rule. Hello Kitty Carnival is a free mobile app for children that, as of the date of the Sanrio Complaint, has been downloaded more than a million times. The CDD alleged that Sanrio as well as several third-party advertising companies listed on Appendix A to the Sanrio Complaint access and collect via the Hello Kity Carnival app, and likely disclose, at least four categories of personal information from children under 13 (unique device identifiers, photos of children, geolocation information, and online contact information such as e-mail addresses) without providing COPPA-compliant notice to parents and obtaining verifiable parental consent in advance, as required by the Amended COPPA Rule. Further, the complaint alleges that Sanrio’s privacy policy does not accurately reflect Sanrio’s actual information collection and privacy practices contrary to the requirements of the Amended COPPA Rule and provides several examples of inconsistencies between the written policy and the Sanrio’s actual practices. The CDD used a mobile and web privacy expert to monitor and identify the data flow between various user devices (Motorola Droid 2 and Apple iPad 2) and the Hello Kitty Carnival app to determine compliance with the Amended COPPA Rule and attached the expert’s written declaration to the Sanrio Complaint.
In its complaint against Marvel (the “Marvel Complaint”), the CDD asked the FTC to investigate Marvel for operating its Marvelkids.com website in violation of the Amended COPPA Rule. The CDD also requested that the FTC investigate Marvel’s parent company, Disney Corporation, and several third parties collecting information on Marvelkids.com for violating the Amended COPPA Rule. Marvelkids.com (the “Site”) is a child-directed website where children can access content and videos about the Marvel superheroes and play games. The Site also contains ads for children’s toys and games. The Marvel Complaint alleges that Marvel and various third parties, including Google, BlueKai, DataXu, and Turn, collect via the Site and use and disclose personal information (including IP addresses and browsing history) of children under 13 through the use of various tracking technologies without providing notice and obtaining verifiable parental consent prior to engaging in such activities, as required by the Amended COPPA Rule. The Marvel Complaint also alleges that the privacy policy for the Site is inadequate, despite the fact that Marvel is a certified participant of the CARU ®Kid’s Privacy Safe Harbor Program since 2009. Lastly, the CDD urges the FTC in the Marvel Complaint to investigate the effectiveness of COPPA safe harbor programs. As with the Sanrio Complaint, the CDD used a mobile and web privacy expert to monitor and identify the data flow between a user’s computer and the Site to determine compliance with the Amended COPPA Rule and attached the expert’s written declaration to the Marvel Complaint.
Sanrio has not yet commented on the allegations, however, the Walt Disney Company issued a statement denying the allegations in the Marvel Complaint shortly after it was filed. If found to have violated the Amended COPPA Rule, the accused parties could face penalties of up to $16,000 per violation if found guilty. Is your COPPA compliance house in order? Your Mintz Levin privacy team is here to help!