International Lawyers – Bukh Global Partners

U.S.A. v. Iconix: A Website’s False Disclaimer that It Collects Personal Information from Children under Age 13 Can Lead to Doubled Penalties from the FTC

The FTC’s recent settlement against soft goods marketer Iconix Brand Group, Inc. shows the hazards of trying to skirt the hassles of compliance with the Childrens’ Online Privacy Protection Act (COPPA). 15 U.S.C. §§ 6501-6506. If your website privacy policy disclaims an intent to collect information from kids and asks kids not to submit personal information on your site, but you have reason to know that these policies are being ignored, you may actually set yourself up for double penalties — for failure to comply with COPPA and for engaging in deceptive acts. COPPA prohibits an operator of a website “directed to children” or who has “actual knowledge” that he is collecting personal information from a child under age 13 from collecting, using or disclosing such information without parental consent. Getting this consent is often no easy task. A website operator is prohibited from simply asking parents to provide consent via an online form. Instead the operator must provide the parent with a notice specifying the information collected and its use, and then get parental consent via telephone, fax, email or similar method. The operator also must post a privacy policy detailing each type of information it collects and how its uses this information. It must maintain a security system to protect the “confidentiality, integrity and security” of personal information collected from a child. Some website operators believe that they can avoid the cost and hassle of COPPA by officially not marketing themselves to children under age 13 and by including a specific disclaimer of any intent to collect information from children under age 13 in their website privacy policy. For example, Iconix’s privacy policy contained the following disclaimer: We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit personally identifiable information to us . . . Unfortunately, this type of policy and disclaimer can actually expose a website operator to greater liability under COPPA and the FTC Act. Here’s why: First, the FTC, which enforces COPPA violations, has very broad rules for determining whether a website is directed to children. The FTC doesn’t just look at the operator’s stated policy or intent, but at the overall character of the site. The FTC focuses on objective factors such as the site’s subject matter, its visual or audio content, the age of its models, the language it uses, the advertising appearing on or promoting the site, the intended and actual audience composition, and the use of animated characters or child oriented activities and incentives. 16 C.F.R. §312.2. The FTC believed that a number of these factors suggested that several of Iconix’s websites were directed towards children under age 13, including: the use of cartoon graphics, website domain names such as “Candies.com”, “Mudd girls”, the use of photos of young girls, and the fact that over 1,000 girls under the age of 13 allegedly had registered on Iconix’s websites between 2006-2009.