U.S.A. v. Iconix: A Website's False Disclaimer that It Collects Personal Information from Children under Age 13 Can Lead to Doubled Penalties from the FTC
The FTC's recent settlement against soft goods marketer Iconix Brand Group, Inc. shows the hazards of trying to skirt the hassles of compliance with the Childrens' Online Privacy Protection Act (COPPA). 15 U.S.C. §§ 6501-6506. If your website privacy policy disclaims an intent to collect information from kids and asks kids not to submit personal information on your site, but you have reason to know that these policies are being ignored, you may actually set yourself up for double penalties -- for failure to comply with COPPA and for engaging in deceptive acts.
COPPA prohibits an operator of a website "directed to children" or who has "actual knowledge" that he is collecting personal information from a child under age 13 from collecting, using or disclosing such information without parental consent. Getting this consent is often no easy task. A website operator is prohibited from simply asking parents to provide consent via an online form. Instead the operator must provide the parent with a notice specifying the information collected and its use, and then get parental consent via telephone, fax, email or similar method.
The operator also must post a privacy policy detailing each type of information it collects and how its uses this information. It must maintain a security system to protect the "confidentiality, integrity and security" of personal information collected from a child.
Some website operators believe that they can avoid the cost and hassle of COPPA by officially not marketing themselves to children under age 13 and by including a specific disclaimer of any intent to collect information from children under age 13 in their website privacy policy. For example, Iconix's privacy policy contained the following disclaimer:
We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit personally identifiable information to us . . .
Unfortunately, this type of policy and disclaimer can actually expose a website operator to greater liability under COPPA and the FTC Act. Here's why:
First, the FTC, which enforces COPPA violations, has very broad rules for determining whether a website is directed to children. The FTC doesn't just look at the operator's stated policy or intent, but at the overall character of the site. The FTC focuses on objective factors such as the site's subject matter, its visual or audio content, the age of its models, the language it uses, the advertising appearing on or promoting the site, the intended and actual audience composition, and the use of animated characters or child oriented activities and incentives. 16 C.F.R. §312.2.
The FTC believed that a number of these factors suggested that several of Iconix's websites were directed towards children under age 13, including: the use of cartoon graphics, website domain names such as "Candies.com", "Mudd girls", the use of photos of young girls, and the fact that over 1,000 girls under the age of 13 allegedly had registered on Iconix's websites between 2006-2009.
Second, under the FTC rules, "actual knowledge" that information is being collected from a child can be gained from many sources. An operator can gain actual knowledge if a child provides a birth date or school grade indicating that she is under age 13 in response to an online query. Actual knowledge can be gained through responses to more general age-related questions, such as a question asking what type of school the user attends: "(a) elementary, (b) middle, (c) high school, (d) knowledge." According to the FTC, actual knowledge can also be gained if the website operator monitors a chat room or interactive website in which the child posts information revealing her age. Final Rule Notice, 64 Fed. Reg. at 59,892, FTC Press Release, In re. U.S. v. Zanga.com (Sept. 7, 2006).
Third, the FTC's definition of "personal information" is also very broad, and includes even the most basic categories of information, such as the user's first and last name, the user's address (even just the name of the town she lives in), her email address or other contact information, her telephone number, her social security number, a combination of the user's last name and photo, and other information about the user and her parents. 16 C.F.R. § 312.2. The use of a persistent identifier, such as a customer number in a cookie that is associated with personally identifiable information, can also constitute personal information.
In the case of Iconix, the FTC alleged that Iconix had gained actual knowledge that it was collecting personal information from kids because over 1000 children had provided birthdates indicating they were under age 13 in responses to Iconix online queries.
Because the FTC concluded that Iconix had directed certain of its websites to children and had actual knowledge that it was collecting personal information from children, the FTC concluded that Iconix should have been complying with the full panoply of COPPA regulations. Iconix's failure to do this subjected it to fines of up to $11,000 for each violation.
Iconix's statements in its privacy policy made matters worse. Iconix's privacy policy stated that it would not seek to collect personal information from children without verifiable parental consent. Because the FTC believed that Iconix had collected such personal information with "actual knowledge" (as defined by FTC rules) that it was doing so, the FTC also charged Iconix with engaging in "deceptive acts."
The FTC ultimately chose to settle this matter, via consent decree, in exchange for a fine of $250,000. Iconix also agreed to delete the offending data, to comply with COPPA regulations in the future, to provide annual written reports proving its compliance for the succeeding five years and to other provisions to ensure its compliance. While $250,000 is real money, it could have been worse, if the FTC had been able to prove that Iconix had violated COPPA and the FTC Act for each of the 1,000 kids under age 13 that allegedly registered on its site.
What is the take-away? Don't ignore reality. If your site is attracting kids or if you have reason to know you have been collecting personal information from kids on your site, get COPPA-compliant. In such circumstances, disclaimers, like the one Iconix used here, are simply ineffective, and have the potential to make matters worse.
David D. Johnson is a business lawyer whose practice focuses on litigation and other issues relating to digital media and consumer electronics companies. David can be contacted at (310) 785-5371 or DJohnson@jmbm.com.
