May 13, 2003

COPPA Turns Three: FTC Imposes Largest Civil Penalty Regarding Internet Privacy Violations

Holland & Knight Newsletter
James E. Long Jr.

With the technology-laden Nasdaq composite off approximately 70 percent from its 2000 peak, some commentators have questioned the role that technology will play in our economy.  While this season’s earnings reports indicate that a strong rebound in the technology sector is not in the immediate future, no one should discount the impact that technology has and will continue to have on our economy.  One needs to look no further than the regulatory activity of what some have characterized as the laissez-faire Federal Trade Commission to understand how technology has changed “traditional” businesses.

Traditional retailers in conventional lines of business now use the Internet to brand and sell their products.  Such e-commerce subjects businesses to various regulatory schemes, one of which concerns the privacy rights of all consumers and, in particular, children.

As a result, all organizations that conduct business over the Internet should review their Web policies and procedures to determine which privacy regulations apply to their operations and develop both their site and internal policies to ensure compliance.  The time and expense necessary to analyze and meet privacy policies can allow a company to avoid the time, expense and poor publicity associated with an investigation of privacy violations.

Three years ago this April, the FTC finalized privacy regulations implementing the Children’s Online Privacy Protection Act of 1998 (COPPA or the Act).  While the regulations specifically address enforcement of COPPA, the FTC rule incorporates four standards the FTC describes as “widely-accepted fair information practices,” and therefore applicable to any collection of data: notice, choice, access and security.

COPPA applies to a Web site operator who falls within two activities.  First, the Act applies to operators of online services that are directed at or knowingly servicing children under 13 years of age. The FTC considers several factors in determining whether a site is “directed” at children, including, but not limited to the site’s: subject matter, content, age of models, language, advertising, and the use of animated characters or other “child-oriented” features.  Second, COPPA applies to sites that collect personal information online.  Personal information is individually identifiable information that would allow a child to be identified and contacted, such as full name, address, e-mail, telephone number or any other personal information.

Under the FTC rule, the operator of a site subject to COPPA must: (1) provide notice as to how personal information is collected, used and disclosed; (2) notify parents and obtain their consent prior to collecting, using or disclosing information about a child; (3) refrain from conditioning participation in activities on the provision of personal information unnecessary for the activity; (4) allow parents to review and amend their child’s information as well as prohibit further collection; and (5) establish procedures to protect the security of personal information collected from children.

Since April of 2000, the FTC has brought eight cases and obtained agreements requiring payment of civil penalties totaling more than $350,000 for violations of COPPA.  In addition, the Commission conducts an annual survey of hundreds of Web sites and issues warning letters to those that it deems noncompliant.

Recently, the FTC recovered its largest fine to date.  According to the FTC’s complaint, Mrs. Fields Cookies violated COPPA by failing to obtain verifiable parental consent before collecting personal information from children under 13.  The company’s site allegedly offered birthday clubs for children 12 or under and provided birthday greetings and coupons for free products.  In addition, according to the FTC, the site failed to post adequate privacy policies, to provide direct notice to parents about the information they were collecting and how it would be used, and to provide a reasonable means for parents to review the personal information collected from their children and to refuse to permit its further use.  In settling the claims Mrs. Fields agreed to pay a $100,000 fine.

The FTC’s recent enforcement activity is a pointed reminder that any business that arguably targets children should carefully review their data gathering policies and practices. You can find more information regarding Internet privacy guidelines in general and COPPA, in particular, by visiting the FTC’s site at 

Related Insights