History of COPPA Violations

COPPA was enacted by the United States Congress in 1998 and became effective on April 21, 2000. The FTC takes enforcement action against violations concerning children’s online privacy. Below is a list of significant violations to date.

Websites, apps, games and other online services that interact with kids online are covered by COPPA. The regulation requires sites to have proper privacy policies, provide parents with direct notice of their information practices, and get verifiable consent from a parent or guardian before collecting personal information from a child.

Below is a timeline of COPPA violations, and a brief overview of important details that got companies into trouble. Check out our quick tips on how to comply with COPPA, or contact us for more information on getting your organization in compliance.

COPPA was implemented to protect children online, and fines for failing to comply with the law were recently increased to up to $41,484 per privacy violation per child.

Timeline of Violations

First COPPA Fine
$500,000
October 4, 2001

Monarch Services, Inc., Girls Life, Inc. & Looksmart Ltd.

The companies are required to comply with COPPA in connection with any future online collection of personally identifying information from children under 13. The settlement also requires the operators to delete all personally identifying information collected from children online at any time since the Rule's effective date. These cases mark the first civil penalty cases the FTC has brought under the COPPA Rule.

Kid Accounts
$30,000
October 4, 2001

Lisa Frank, Inc.

The Lisa Frank website was directed towards children and asked girls to register before they accessed many areas of the site, including the "club" and "shop" areas. Without parent permission, the site asked girls for their first and last names, street addresses, phone numbers, e-mail addresses and birth dates, as well as their favorite color and season.

Kids Club
$10,000
February 14, 2002

American Pop Corn Company

The company’s website featured a “Kids Club” section with games, crafts, contests, and jokes directed to children under the age of 13. The company collected personal information without parent consent.

Kid Birthday Club
$35,000
April 22, 2002

Ohio Art Company (Etch-a-Sketch)

The Ohio Art Company was found collecting personal information from children registering for "Etchy's Birthday Club." Without parent permission, the site collected the names, mailing addresses, e-mail addresses, age, and date of birth of children who wanted to qualify to win an Etch-A-Sketch toy on their birthday.

Cookie
$100,000
February 22, 2003

Mrs. Fields Cookies

Portions of Mrs. Fields' web sites were directed to children. The company allegedly collected personal information from more than 84,000 children without first obtaining parental consent.

Child Directed Site
$85,000
February 22, 2003

Hershey

Hershey operates more than 30 Web sites - many of which are candy-related sites directed to children. On a number of these sites, the company allegedly employed a method of obtaining parental consent that does not meet the standard delineated under the COPPA Rule.

Kids Music
$400,000
February 18, 2004

UMG Recordings, Inc.

UMG Recordings operates hundreds of general audience Web sites that advertise and promote its music and artists, many of whom are popular with children.

UMG gained actual knowledge that a child was registering on the site whenever a child entered a birth date indicating he was under the age of 13. Yet, UMG collected this personal information from children without first notifying parents and obtaining verifiable parental consent.

Software
$75,000
February 18, 2004

Bonzi Software

The Bonzi Software case is the first COPPA case to challenge the information collection practices of an online service in connection with a software product.

COPPA Fine
$1,000,000
September 7, 2006

Xanga

Xanga is a social networking site that collected, used and disclosed information from children under 13. This is the first million-dollar penalty since COPPA was enacted.

Blog
$130,000
January 30, 2008

Industrious Kid, Inc.

The web site in the violation was advertised as a “free, secure, social networking and blogging destination specifically designed for kids ages 8 to 14,” but it collected and maintained personal information from children under the age of 13 without first notifying parents and obtaining their consent.

Form
$1,000,000
December 11, 2008

Sony BMG Music

The Commission’s complaint alleges that, through its music fan Web sites, Sony Music improperly collected, maintained and disclosed personal information from thousands of children under the age of 13, without their parents’ consent.

Profile
$250,000
October 20, 2009

Iconix Brand Group

Iconix required consumers on many of its brand-specific Web sites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number – as well as date of birth – in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features.

Apps
$300,000
September 17, 2014

TinyCo

TinyCo runs many games and applications, including Tiny Pets, Tiny Zoo, Tiny Village, Tiny Monsters and more. In exchange for in-app currency to buy game enhancements, TinyCo encouraged kids to turn over their email addresses, but the company didn't get parental permission as required by COPPA.

Kids
$450,000
September 17, 2014

Yelp

The lawsuit also alleged that Yelp didn’t adequately test its apps to ensure that users under the age of 13 were prohibited from registering.

Location
$950,000
June 22, 2016

InMobi

The FTC charged the company with deceptively tracking the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.

Track
September 13, 2016

Operation Child Tracker

Operation Child Tracker, a two-year investigation by the NY Attorney General’s office, discovered that websites operated by Mattel, Viacom, Hasbro and Jumpstart were home to tracking technology that illegally enabled third-party vendors, such as marketers or advertising companies, to track children’s online activity in violation of COPPA.

Mattel
$250,000

Viacom
$500,000

Hasbro
No fine

Jumpstart
$85,000

Photo Sharing
$500,000
February 5, 2018

Explore Talent

Along with collecting names, contact information and age, the company also asked users for their mailing address, weight, “body type,” and measurements for waist, hips, bust, shirt, etc. In addition, they urged users to upload a photo because “agents & casting directors choose only serious candidates with pictures.” All of this was done without collecting parent permission.

Internet
$650,000
February 5, 2018

VTech

The company was found collecting information from children through connected toys without parents' permission, violating children's privacy.

Not Secure
$35,000
August 3, 2018

Unixiz Inc. (i-Dressup)

i-Dressup collected and retained personal information from children without parental consent. In addition to violating COPPA’s parental consent provisions, i-Dressup violated COPPA’s data security requirements.

Record
$5,000,000
December 1, 2018

Oath (AOL)

TechCrunch’s Verizon-owned parent, Oath, an ad tech division made from the merging of AOL and Yahoo, has agreed to pay around $5 million to settle charges that it violated a federal children’s privacy law.

The penalty was the largest ever issued under COPPA.

Video
$5,700,000
February 27, 2019

Musical.ly (TikTok)

The video social networking company illegally collected personal information from children.

This is the largest civil penalty ever issued in a children’s privacy case.

Significance

The Oath (AOL) and Musical.ly (TikTok) violations were record-shattering fines, making children's online privacy a priority in 2018 and 2019. Understanding COPPA can be complicated; however, by looking at previous violations you can find important takeaways. Here are some important points from the list of violations above:

  • Websites, apps, or online services collecting information from children must obtain verifiable parental consent.
  • General audience websites that have actual knowledge of children entering the site must notify parents and get consent.
  • Common features that involve kids must get parent consent, including:
    • Birthday clubs
    • Wish lists
    • Email subscriptions
    • Accounts with personal information
    • Multi-player chat
    • User generated content (photos/videos)
    • Third-party tracking

To get a better understanding of COPPA, view our COPPA Resource or "What is COPPA?" blog. If you are bringing children into your website, app, or game, there's a good chance COPPA applies to your organization.


Comply with COPPA

Throughout COPPA's lifetime, the fines for violating children's privacy online have become larger and larger. Simply paying a fine is only the beginning of the setback companies face. It takes years and years to build a positive brand relationship, and only seconds for parents around the world to see your organization as an unsafe place for child users.

Complying with COPPA not only protects your organization from legal trouble, but shows that you are willing to go the extra mile to keep kids safe online. Learn more about the COPPA Regulation or our COPPA Safe Harbor Certification, and see how we can help your organization safely engage with children and their families online.
