Thursday, February 12, 2009

One million dollars: The largest civil penalty paid in a Children’s Online Privacy Protection Act case

A global recorded music company agreed to pay 1 million dollars to settle Federal Trade Commission (FTC) charges that it violated the Children’s Online Privacy Protection Act (COPPA) and the Commission’s implementing rule. The FTC’s complaint alleged that the music company, through its website, improperly collected, maintained, and disclosed personally identifiable information from thousands of children under the age of 13 without their parents’ consent.

To protect your company and its website from such a fate, you must first determine whether the COPPA Rule applies to your company’s website by asking:
  • Do we direct our commercial website and online services to children under 13? If so, do we collect personal information from children under 13?
  • Do we knowingly collect personal information from children under 13 on our general audience website?
  • Does our general audience website have a separate children’s area? If so, do we collect personal information from children under 13 in this separate area?

If you answer “yes” to any of these questions, then your company likely falls under one of the categories of website operators who must comply with COPPA. If in doubt, compliance with the COPPA Rule is the safest bet.

Good records management is one COPPA requirement. The Rule requires that personal information collected from children be managed so as to maintain the confidentiality, security and integrity of that information. Your company will need good information management policies and practices to comply. Good records management practice also includes protecting the privacy of those submitting their information, so your company will also need good privacy policies and procedures. To maintain good records management in the long term, your company should perform audits to confirm that the information collected from children on your website is being properly managed under these policies and procedures, including your record retention schedule.

Another COPPA requirement is the clear and conspicuous posting of a privacy policy on the homepage of your website, with a link to this policy on any page where a child’s personal information is collected. Take a look at your company’s website: if no privacy policy exists on it, you may want to bring this to the attention of your corporate counsel or CEO/CIO (if your company does not have a privacy officer).

The FTC takes privacy seriously, and so should your company.

To read more about these and the other COPPA Rule requirements, and the entire one million dollar penalty story, go to: http://www.ftc.gov/privacy/.