IPR Asks FTC to Investigate Violations of COPPA Rule by Marvel and Sanrio

This morning, IPR filed two complaints with the FTC, on behalf of our client Center for Digital Democracy (press release, Washington Post article), alleging COPPA violations by two significant players in the children’s industry: Marvel and Disney, which operate the children’s website Marvelkids.com, and Sanrio, which markets the children’s mobile app Hello Kitty Carnival. The complaints come on the eve of the one-year anniversary of the passage of the revised Children’s Online Privacy Protection Act Rule (COPPA Rule). IPR students Yena Kwon and Richard Bahrenburg were largely responsible for conducting the research and drafting these complaints.

Marvelkids.com, the target of one complaint, is a child-directed website that fails to comply with the COPPA Rule in several respects. Even though the COPPA Rule was amended in December 2012 and took effect in July 2013, the site’s privacy policy has not been updated since April 2012.

As a result, the Marvelkids.com privacy policy describes many troubling practices that constitute COPPA Rule violations. For example, the privacy statement says that “Marvel may sell, rent, or give a visitor’s personal information to any third party so long as the visitor has not . . . specifically opted out.” The revised COPPA Rule does not allow for the disclosure of children’s personal information to third parties without providing direct notice to and obtaining advance, verifiable consent from parents. Thus, Marvelkids.com’s practice is directly contrary to both the letter of the COPPA Rule and its purpose of ensuring that parents get to decide whether and how their children’s information is used.

This case also raises serious questions about the effectiveness of industry self-regulation. As detailed in our request, Marvelkids.com violates the COPPA Rule in many respects, yet nonetheless displays the BBB CARU safe harbor seal, falsely indicating that it satisfies the COPPA Rule. Further, the site is not even in compliance with the industry guidelines that prohibit online behavioral advertising without first obtaining parental consent.

Sanrio’s Hello Kitty Carnival (HKC) is the subject of the other complaint. Sanrio and third parties collect personal information from children playing the game without seeking prior parental consent. For example, Hello Kitty Carnival’s privacy policy states that it “mainly collect[s] persistent identifier [sic] (such as an IP address, mobile device id, or a unique device identifier from the child.” Under the revised COPPA Rule, identifiers such as these are considered personal information except in a few limited circumstances not applicable here. The app also collects geolocation information and may collect photographs of children. Because the app fails to provide direct notice to parents and obtain advance verifiable consent for its collection of personal information, it also violates the COPPA Rule.

CDD urged the FTC to investigate and take enforcement action against Sanrio, Disney/Marvel, and the many third parties involved in the collection, use or disclosure of children’s information. The FTC should also investigate the BBB CARU safe harbor and the industry self-regulation regime in general.

UPDATE: CARU appears to have revoked Marvel’s certification in response to the complaints filed.
