The FTC is much more aggressive in charging fines and penalties for noncompliance regulations than most of the other oversight agencies. Their dedication for upholding the FTC Act, the Children’s Online Privacy Protection Act (COPPA) and others should grab the attention of business leaders who think they can ignore data protection laws and not worry about any penalties.
This also demonstrates that as time goes on the penalties and fines for noncompliance and violations can increase dramatically. Consider the history of COPPA penalties and violations; just a few of them over a timeline shows that the FTC is clearly becoming more serious about making an impact with their penalties:
- $10,000: American Popcorn Company, 2002
- $30,000: GirlsLife.com, 2003
- $35,000: Looksmart, 2003
- $35,000: BigMailbox.com, 2003
- $85,000: Hershey Foods, Corp., 2003
- $100,000: Mrs. Fields Cookies, 2003
- $75,000: Bonzi Software, 2004
- $400,000: UMG Recordings, 2004
- $1,000,000: Xanga.com, August 2006
Xanga.com Inc becomes infamous as getting the largest penaly to date, $1,000,000.
What will be the next COPPA violator get? Potentially more, and perhaps additional requirements that the FTC has ordered for non-compliance with the FTC Act, such as implementation of a comprehensive information security program and bi-annual independent audits of their programs for the next 20 years? It’s all possible.
When other oversight agencies start enforcing their regulations in ways that impact businesses more, then all business leaders will have to take notice and respond with compliance efforts or end up finding their business pockets will have the hands of the government taking significant $$ out of them as a result.
For those of you leery of visiting government web sites (yes, some of you have told me you are!) at the bottom of this posting is the FTC press release regarding the Xanga.com penalty. Notice that the company appeared to have followed a few of the COPPA requirements, but then did not build in the controls within the website application to ensure all the compliance requirements were in place, and also did not create the required procedures for parental permissions. Another example of the importance of building information security and privacy into the applications and systems development lifecyle, from project birth to burial.
What is not in the press release, but contained within the consent decree and order, is that Xanga.com must also:
- Post the following notice conspicuously on their website: "NOTICE: Visit www.ftc.gov/privacy for information from the Federal Trade Commission about protecting children’s privacy online."
- Must conspicuously post the following on websites with blogs: "Visit www.OnGuardOnline.gov for social networking safety tips for parents and youth [“parents” must contain a hyperlink to < www.onguardonline.gov/socialnetworking.html > and “youth” must contain a hyperlink to < www.onguardonline.gov/socialnetworking_youth.html >"
- Must delete the personal information they have collected about children that was in violation of COPPA (basically all the children’s PII)
- Immediately implement awareness and training to all their personnel and managers about the requirements of COPPA and submit the names of all to the FTC, and continue to do this for at least the next 5 years.
- Submit to the FTC their detailed plans for complying with COPPA, including copies of the messages that will be sent to parents, methods of obtaining approval, etc.
- Maintain copies of all parental approvals for specified periods of time
So this will result in significant additional costs for ongoing years on top of the $1M penalty. Of course, they should have been doing the requirements for notice, retention and training and awareness to begin with.
Okay…on to the FTC press release:
"Xanga.com to Pay $1 Million for Violating Children’s Online Privacy Protection Rule
Civil Penalty Against Social Networking Site Is Largest Ever for a COPPA Violation
Social networking Web site operators Xanga.com, Inc. and its principals, Marc Ginsburg and John Hiler, will pay a $1 million civil penalty for allegedly violating the Children’s Online Privacy Protection Act (COPPA) and its implementing Rule, under the terms of a settlement with the Federal Trade Commission announced today.
According to the FTC, Xanga.com collected, used, and disclosed personal information from children under the age of 13 without first notifying parents and obtaining their consent. The penalty is the largest ever assessed by the FTC for a COPPA violation, and is more than twice the next largest penalty.
The complaint charges that the defendants had actual knowledge they were collecting and disclosing personal information from children. The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. Further, they failed to notify the children’s parents of their information practices or provide the parents with access to and control over their children’s information. The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.
‚ÄúProtecting kids‚Äô privacy online is a top priority for America’s parents, and for the FTC,‚Äù said FTC Chairman Deborah Platt Majoras. ‚ÄúCOPPA requires all commercial Web sites, including operators of social networking sites like Xanga, to give parents notice and obtain their consent before collecting personal information from kids they know are under 13. A million-dollar penalty should make that obligation crystal clear.‚Äù
Xanga.com – Xanga.com is one of the most popular social networking sites on the Internet. After setting up a personal profile, users can post information about themselves for other users to read and respond to. On Xanga.com, users can create their own pages or Web logs (blogs) that contain profile information, online journals, text, hypertext images, as well as links to audio, video, and other files or sites. Information on the Xanga site is available to the general public through the use of global search engines such as Google and Yahoo.
Incorporated in 1999 and based in New York City, privately held Xanga.com, Inc. was founded by Ginsburg and Hiler. In 2005, Xanga had about 25 million registered accounts.
The Commission’s Complaint – According to the Commission’s complaint, the defendants violated COPPA, the COPPA Rule, and the FTC Act by collecting personal information from children with actual knowledge that they were under the age of 13, failing to post on their site sufficient notice of their information practices regarding children, failing to notify parents directly about their information practices regarding children, and failing to obtain verifiable parental consent before collecting, using, or disclosing children’s personal information. The complaint also alleges the defendants failed to provide parents with reasonable access to and control over their children’s information on the Xanga.com site.
The Consent Order- The consent order is designed to prohibit Xanga, Ginsburg, and Hiler from violating COPPA and the COPPA Rule in the future. Accordingly, it contains strong conduct provisions that will be monitored by the FTC. The order specifically prohibits the defendants from violating any provision of the Rule and requires them to delete all personal information collected and maintained by the site in violation of the Rule. The defendants further must distribute the order and the FTC’s How to Comply with the Children’s Online Privacy Protection Rule to certain company personnel. The order also contains standard compliance, reporting, and record keeping provisions to help ensure the defendants abide by its terms.
To provide resources to parents and their children about the risks associated with social networking sites, the order additionally requires the defendants to provide links on certain of their sites to FTC consumer education materials for the next five years. First, the defendants must include a link to the Children’s Privacy section of the Commission’s ftc.gov site on any site they operate that is subject to COPPA. Second, the defendants must include links to the Commission’s recently published safety tips for social networking on any of their social networking sites.
The order requires the defendants to pay a civil penalty of $1 million for violating the COPPA Rule, as detailed above.
The Commission vote approving the complaint and consent decree and order was 5-0. They were filed by the Department of Justice on the FTC’s behalf on September 7, 2006, in the U.S. District Court for the Southern District of New York.
NOTE: Stipulated final judgments are for settlement purposes only and do not necessarily constitute an admission by the defendants of a law violation. Stipulated judgments have the force of law when signed by the judge.
Copies of the complaint and consent decree and order are available from the FTC’s Web site at http://www.ftc.gov and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint in English or Spanish (bilingual counselors are available to take complaints), or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1-877-382-4357), or use the complaint form at http://www.ftc.gov/ftc/complaint.htm. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad."
Technorati Tags
information security
IT compliance
policies and procedures
corporate governance
COPPA
noncompliance penalty
FTC
Xanga
awareness and training
privacy