Skip to content

Attorney General Enforcing Privacy Policies

Texas AG getting out the big guns
According to ARS Technica, Texas Attorney General Gregg Abbott is suing two website owners for violations of the Children’s Online Privacy Protection Act (COPPA). COPPA requires the Federal Trade Commissioner to issue and enforce regulations that regulate the ability of online entities to collect personal information from children under the age of 13.

What is COPPA?
Congress passed COPPA on October 21, 1998, to cover any personal information collected online after April 21, 2000. COPPA applies to web sites and online services targeted to or knowingly collecting data from children under 13 years of age. COPPA requires such organizations, such as cereal or toy manufacturers who have an internet site, to post a conspicuous privacy policy, detailing the data collected and its usage. COPPA also requires the officials responsible for the web site to obtaining verifiable consent from a child’s parent before the collection of any data, and to obtaining a new consent upon a change of the collection or usage policy. COPPA also requires an option to revoke the consent and, review the data collected, and as well as policies and procedures to secure the integrity of the collected information.

Excerpt taken from the book Cyber Law.

The laws have not changed, only the enforcement
According to the complaint filed in the Western District of Texas, the Texas Attorney General accuses Future US, Inc. aka of several COPPA violations:

a) failing to provide notice on its website of what information it collects from children, how it uses the information and its disclosure practices.
b) (curiously there is no “b” in the pleading; it might be interesting to find out what was removed at the last minute)
c) failing to notice parents as to what informatioin was collected, how the information is used and the disclosure practices.
d) Failing to obtain verifiable parental consent.
e) conditioning use of portions of the website on providing more personal information.

First, but certainly not the last
These lawsuits against Future US and the Doll Palace are the first cases in the United States brought under COPPA. They represent merely the tip of the iceberg with regard to COPPA violations and the inevitable onslaught of federal enforcement of online privacy laws. Merely asking a visitor to confirm their age is not enough. Any website, that collects any type of information from online visitors needs a clearly drafted privacy policy, outlining exactly what information is collected, how it is used and how providers of that information can correct of delete that information.

Put away the cookie cutter
Privacy policies are not cookie cutter templates. Cutting and pasting someone else’s privacy policy onto your website can get you in more trouble than if you had no policy at all. Your policy should cover how your website collects and uses information collected online. No two companies collect or use online information in the same manner. If your privacy policy says you hide all personally identifiable information in a coffee can in a deep hole in your back yard, but you actually exchange the information with your affiliate partners, you may find the Attorney General knocking at your door (right before he or she shuts down your entire operation).

Sooner, rather than later
Getting your privacy protocols and policies in proper order is something you need to do sooner, rather than later. By the time you get sued, it is far too late. Your state’s Attorney General is the last plaintiff you want to see on the other side of a lawsuit.

Hat tip to Matt Krigbaum for the story.

Brett Trout

Related posts

Posted in General. Tagged with , .