Are you a publisher/distributor/film industry executive looking for leading creative developers, a developer looking for a strategic partner or a game trendsetter with an opinion...join this blog for weekly themed community discussions and featured surprise guest bloggers.....build a community and meet at GDC 2009 San Francisco and GDC 2009 Vancouver

In the Penalty Box: Post-GDC San Francisco

Thanks to all blog participants and readers who chimed in to The Puck Stops Here! and contributed to the fun and informative discussions. Stay tuned as we move the blog to Vancouver in the lead-up to GDC Canada in May. In the meantime, we invite you to post about your GDC San Francisco experience below!

Thursday, February 19, 2009

More Thoughts from Scott: Personal Information Collection Laws and Children



Continuing on the theme of issues relating to information collection and use (I will have another installment tomorrow on data breach obligations), my colleague in Washington, D.C., has put together a little something on COPPA and the CAN-SPAM Act. I know, these sound like the fixings for a sandwich. But truly, these are laws that can actually get you into real trouble if you don’t pay close attention. And, that’s not always easy. COPPA was well intentioned, but is not a model of clarity and the hoops you have to jump through to comply, well let’s just say, it is probably not the most efficient use of resources. Anyway, check out Jim’s report below and tune in tomorrow for a brief guide on your obligations if any of the information you collect gets into the wrong hands. Scott G. Warner (sgwarner@gsblaw.com).


Hey Sony! Leave Those Kids Alone!: How Sony Managed to Run Afoul of the U.S.’s COPPA regulations to the tune of $1 million
Canadian game companies wanting to do business in the United States, whether it be offering games and gaming services to U.S. customers, or providing software or development services to U.S. publishers, need to be aware of several sets of U.S. laws related to privacy, and especially the private information related to children under the age of 13. Two of these, the Children’s Online Privacy and Protection Act of 1998 (COPPA), and the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act), have been in the news lately. What gets really interesting, which I’ll discuss below, is what happens when COPPA and CAN-SPAM run into each other headlong – think alphabet pea soup (or your own least favorite soup with random letters floating in it).
First, if you’re having problems wrapping your head around the concept of hashing e-mail addresses and building multiple layers of security systems into your website flow to make sure you don’t collect information you are not supposed to, take heart, even the giants stumble, and stumble badly.
Demonstrating that even the biggest companies can run afoul of privacy protection laws, Sony BMG Music agreed in January 2009 to pay the largest fine ever levied under COPPA. The case makes clear that COPPA applies not only to Web sites that specifically cater to children under the age of 13, but also to Web sites that knowingly collect personally identifiable information (PII) from children under 13.
The United States Federal Trade Commission (FTC), delegated the authority to enforce COPPA in the United States, filed both a Complaint and a Consent Decree in the U.S. District Court in New York on December 11, 2008, charging that Sony operated some 1,100 Web sites promoting its music and recording artists, and of those websites, close to 200 collected visitors’ e-mail addresses, date of birth, gender, zip code, country, user names, and in some cases, street addresses (examples of PII). The FTC determined that over 30,000 children under the age of 13 registered on the Web sites, and Sony had actual knowledge that it had collected PII, without first obtaining parental consent as required by COPPA. Sony’s own Privacy Policy warned children under 13 not to provide such PII, but the offending Web sites required a visitor to enter the information in order to gain access to the Web site. Sony also allowed children under 13 to create their own fan pages, including posting their age and picture, without first receiving parental consent. The FTC summarized its charges as follows:
In at least 30,000 instances, Sony Music collected, used, and/or disclosed personal information from children without first providing their parents with notice of its information practices, either on the defendant’s Web sites or directly, without obtaining verifiable consent from the parents prior to the collection, use, or disclosure and without providing parents with reasonable procedures to access their children’s information and to refuse to permit its further use or maintenance.
Rather than fight the FTC, Sony entered into a Consent Decree agreeing to abide by COPPA and paying a $1 million fine.
Meanwhile, the Children’s Advertising Review Unit (CARU) has recommended that AOL modify its websites http://www.aol.com/ and http://www.kids.aol.com/ because, according to CARU, they may not comply with COPPA. It seems that when registering for an AOL e-mail address, potential registrants are asked to provide various forms of PII, including their first and last name and desired e-mail address. They are also asked for their date of birth. If a prospective member enters a birthday corresponding to an age below 13, a message appears stating, “You must be over 13 years of age to register for this service.” The registrant is then able to change the previously entered birthday to one indicating an age above 13 in the same window and complete the registration. There is no session cookie in place to prevent users from circumventing the age screening. As Homer Simpson would say: “D’OH!” Prohibiting kids from changing their ages to above 13, or from backing out so they can reregister as a 12-plus, is fundamental to COPPA compliance.

There’s even a wonderful website out there that collects up COPPA stories, and specifically the excuses people give to try and argue that they’re 13 or older. A few are listed below, but visit http://www.coppakids.com/ for a good laugh:

“i am 15 years old,DUH!,if you don’t let me sign up, i am going to make a big fuss about it.”

“I cannot sign up. I was 13 yesterday and just got into the habbit of smoking. Hope that does not effect the was I sigh up.”

“hey [company name] people can you erase the thing on my computer that says you are under the age of 13 because im 20. p.s. you are all bitch for doing that.”

“i cant register :) i have 14 years but this web show tat i have only 12 or under! i need a Girl Friend”

The fact that COPPA was enacted more than ten (10) years ago, and large companies still can’t seem to get it right should make smaller game developers shudder (or better yet, run to engage competent counsel who can help navigate the COPPA waters).

So, in a nutshell, here is what you need to do to be COPPA-compliant for all websites and online communities (including game communities):

You can’t collect “Personally Identifiable Information” (“PII”) of children under 13 years old unless you get prior parental consent. “PII” equals any information that can be used to identify and contact a child. This includes first and last name, street address, e-mail address, AND IM screen name if identified with a particular IM service.

COPPA applies where: You host a site that can reasonably expect to be visited by a large number of children under 13, or you have actual knowledge, however acquired, that a particular visitor/subscriber is under 13. Special attention needs to be paid if you’ve got a game or website that’s got chat rooms where kids can blab PII around, especially if you (according to your Privacy Policy and Terms of Service) say that you are monitoring the chat.

In signing up subscribers you must be careful not to set up your site to allow under-13 visitors to lie about their age by asking questions that encourage a child to lie, or that allow a child to back out of a sign-up process and then reenter an older age when it is clear that they can’t sign up if they are under 13 (see the discussion of America Online above).
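The age-screening gap described in the AOL discussion above, worked through as an added example; this is not code from this post, from AOL, or from any company mentioned here. It assumes a hypothetical server-side session store keyed by a session cookie (the SessionStore, screen_age and register names are invented for the illustration): once a visitor in a session submits an under-13 birth date, the session is marked, and every later submission in that session is refused whether the visitor edits the date in the same window or backs out and starts the form again. PII (here, the e-mail address) is taken only after the gate passes, and a refused visitor's birth date is never stored.

```python
"""Age screening that remembers a failed check for the rest of the session,
so a visitor who first enters an under-13 birth date cannot simply retype an
older one (the gap in the AOL flow discussed in the post).

Added example for this post, not code from any company discussed in it. The
SessionStore is an in-memory stand-in for a server-side session keyed by a
session cookie; every name here is hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

COPPA_MIN_AGE = 13


@dataclass
class Session:
    """Server-side state tied to one session cookie."""
    session_id: str
    age_gate_failed: bool = False  # sticky for the life of the session
    registered: bool = False
    email: str | None = None       # PII, filled in only after the gate passes


class SessionStore:
    """Stand-in for a session backend; a real site would persist this."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def get(self, session_id: str) -> Session:
        return self._sessions.setdefault(session_id, Session(session_id))


def parse_iso_date(text: str) -> date | None:
    """Parse a YYYY-MM-DD form value; None if malformed."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None


def age_on(birth: date, today: date) -> int:
    """Full years between birth and today. Comparing (month, day) tuples makes
    a 29 February birthday roll over on 1 March in non-leap years."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def screen_age(store: SessionStore, session_id: str,
               birth_text: str, today_text: str) -> str:
    """Return 'ok', 'blocked' or 'invalid'.

    The first under-13 answer marks the session; every later submission in
    that session is blocked regardless of the date entered. The caller's
    refusal message should not state the cutoff, so the form itself does not
    coach a child to lie.
    """
    session = store.get(session_id)
    if session.age_gate_failed:
        return "blocked"
    birth = parse_iso_date(birth_text)
    today = parse_iso_date(today_text)
    if birth is None or today is None or birth > today:
        return "invalid"  # malformed or future date: nothing is recorded
    if age_on(birth, today) < COPPA_MIN_AGE:
        session.age_gate_failed = True
        return "blocked"
    return "ok"


def register(store: SessionStore, session_id: str,
             birth_text: str, today_text: str, email: str) -> bool:
    """Collect PII (the e-mail address) only after the gate passes; a blocked
    visitor's birth date and e-mail are never retained."""
    if screen_age(store, session_id, birth_text, today_text) != "ok":
        return False
    session = store.get(session_id)
    session.registered = True
    session.email = email
    return True


if __name__ == "__main__":
    store = SessionStore()
    print(screen_age(store, "demo", "1998-01-01", "2009-02-19"))  # blocked
    print(screen_age(store, "demo", "1980-01-01", "2009-02-19"))  # still blocked
```

The flag lives only as long as the session cookie, so a visitor who clears cookies can start over; this is the baseline the post calls fundamental, not age verification, and the FTC's "actual knowledge" test still applies to anything else the site learns. Keeping the refusal message neutral and discarding the rejected birth date are as much part of the design as the sticky flag.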

In addition, COPPA requires that you:
Post a privacy policy on the homepage of the website and link to the privacy policy everywhere personal information is collected.
Give parents the choice to consent to the collection and use of a child's personal information for internal use by the website, and give them the chance to choose not to have that personal information disclosed to third parties.
Provide parents with access to their child's information, and the opportunity to delete the information and opt out of the future collection or use of the information.
Not condition a child's participation in an activity on the disclosure of more personal information than is reasonably necessary for the activity.
Maintain the confidentiality, security and integrity of the personal information collected from children.

We’ll visit CAN-SPAM in more depth in a future blog, but there is an interesting conflict brewing between COPPA and CAN-SPAM. CAN-SPAM requires that any advertising e-mail clearly identify itself as being advertising, contain a valid e-mail return address, contain a real world “snail mail” address, clearly identify the sender of the e-mail, and provide the recipient an opportunity to opt out of future advertising.

Last year, the FTC revised its CAN-SPAM rules to specifically say that “forward to a friend” promotional e-mails had to abide by both CAN-SPAM and COPPA. Here’s an example. Suppose hypothetical toy manufacturer WikiDolls has an online community that consists of children under 13. It runs a promotion whereby it invites its subscribers to send an e-mail to their friends inviting them to join. Little Janie is registered and her parents have agreed to WikiDolls collecting PII from her. Little Janie now enters her under-13 BFFL Suzy’s e-mail address in the forward-to-a-friend e-mail form provided by WikiDolls. According to the FTC’s interpretation of CAN-SPAM and COPPA, WikiDolls can’t save Suzy’s e-mail address, because her parents have not consented to the retention of the PII. Further, the disclosure of Janie’s e-mail address to Suzy, even if wrapped in a CAN-SPAM-proper wrapper, might itself violate WikiDolls’ Privacy Policy. The end result – WikiDolls is going to have a difficult time marketing its site in this manner. Again, quiver in terror, or get a good lawyer who can help you with this and understands all the nuances of hashing e-mail addresses.

I’ll close with one final anecdote. I had a client recently who complained bitterly that I was being too conservative in my approach to CAN-SPAM and COPPA, finally saying IN ALL CAPS in an e-mail, “Well XXXXXXXX doesn’t do it that way!” As it turns out, XXXXXXX was a Canadian company. When I pointed that out to the client, their response (in the moral equivalent of a very small font) was “never mind.” Funny thing is that the Canadian company sold out to a U.S. company that continues to fail to comply with CAN-SPAM and COPPA. But given the stories above, I guess that shouldn’t surprise anyone.
If you have any other questions about COPPA or CAN-SPAM compliance, please contact Jim Dunstan at (202) 298-2534 or jdunstan@gsblaw.com.
