Two recent high profile settlements signal that the Federal Trade Commission (“FTC”) will continue to aggressively enforce violations of the Children’s Online Privacy Protection Act (“COPPA”). In a particularly high-profile settlement, Disney agrees to pay $10 million, and Apitor, a toy manufacturer, agrees to make substantive changes to its privacy program.

Disney

Disney Worldwide Services and Disney Entertainment Operations (“Disney”) has agreed to pay $10 million and make substantive changes to how it manages its YouTube channel to resolve the FTC’s allegations (which led to a complaint filed by the Department of Justice upon referral from the FTC) that Disney violated COPPA.

What went wrong

The FTC alleged that Disney failed to properly designate certain child-directed videos uploaded to its YouTube channel as “Made for Kids.” This resulted in Disney collecting personal information from children under age 13 who viewed those videos, which Disney then used to serve targeted ads in violation of COPPA. The mislabeling also exposed children to age-inappropriate YouTube features like autoplay of videos not tagged as “Made for Kids.”

For context, COPPA requires websites, apps, and other online services that collect personal information from children under age 13, or that are directed to children under age 13, to among other things, notify parents about personal information collected from children, and to obtain verifiable parental consent before such collection (which is typically a high-friction process) – which the FTC alleged Disney failed to do.

Repercussions

Pursuant to the proposed settlement with the FTC, Disney will be required to:

• pay a $10 million civil penalty;
• commit to comply with COPPA, including COPPA’s obligations to notify parents prior to collection of personal information children under age 13, and obtain verifiable parent consent prior to such collection; and
• establish and implement a program to review and determine whether videos that Disney posts to its YouTube channel should be designed as “Made for Kids” where required (unless YouTube implements other future technological changes that introduce alternative methods and processes).

Apitor

Apitor Technology Co., Ltd. (“Apitor”), a Chinese maker of robotic toys for children, reached a settlement with the FTC following the FTC’s allegations that Apitor violated COPPA by allowing third-party software to collect personal information children under age 13.

What went wrong

To program Apitor’s robot toys, users were required to download Apitor’s free companion app, which incorporated a third party’s software development kit (“SDK”) to enable app functionalities such as push notifications and usage tracking. According to the FTC, the SDK allowed the third party to collect geolocation data from children playing with the robot toys without providing notification to parents or obtaining verifiable parental consent.

Repercussions

Under the proposed settlement, Apitor will be required to:

• pay a $500,000 penalty (suspended until Apitor’s financial condition permits it to do so);
• ensure any third-party software it uses is in compliance with COPPA;
• delete any personal information collected in violation of COPPA unless it takes steps to cure non-compliance with respect to such information; and
• commit to complying with COPPA requirements.

Key Takeaways:

• FTC enforcement of COPPA is alive and well under the new Trump administration;
• Parental notice and verifiable parental consent are critical elements of COPPA compliance that cannot be overlooked;
• Closely review COPPA compliance requirements, including how they may apply in the context of various technological platforms such as YouTube; and
• Be careful about potential inadvertent targeting of children under age 13; and
• Carefully scrutinize data collection of third-party vendors (and their data processing) to ensure compliance alignment.