The FTC enforces COPPA violations. A court can hold operators who violate the Rule liable for civil penalties of up to $50,120 per violation. COPPA gives states and certain federal agencies authority to enforce compliance with respect to entities over which they have jurisdiction. For example, New York has brought several COPPA enforcement actions (see below). In addition, some federal agencies, such as the Office of the Comptroller of the Currency and the Department of Transportation, are responsible for handling COPPA compliance for the specific industries they regulate.
Who is covered by COPPA?
The Rule applies to operators of commercial websites and online services (including mobile apps and IoT devices) directed to children under 13 that collect, use, or disclose personal information from children. It also applies to operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. Although nonprofit entities generally are not subject to COPPA, the Federal Trade Commission (FTC) encourages such entities to post privacy policies online and to provide COPPA’s protections to their child visitors.
Below is a timeline of COPPA violations, and a brief overview of important details that got companies into trouble. Check out our quick tips on how to comply with COPPA, or contact us for more information on getting your organization in compliance.
Monarch Services, Inc., Girls Life, Inc. & Looksmart Ltd.
October 4, 2001
$100,000
The companies are required to comply with COPPA in connection with any future online collection of personally identifying information from children under 13. The settlement also requires the operators to delete all personally identifying information collected from children online at any time since the Rule's effective date. These cases mark the first civil penalty cases the FTC has brought under the COPPA Rule.
Lisa Frank, Inc.
October 4, 2001
$30,000
American Pop Corn Company
February 14, 2002
$10,000
Ohio Art Company (Etch-a-Sketch)
April 22, 2002
$35,000
The Ohio Art Company was found collecting personal information from children registering for "Etchy's Birthday Club." The site collected the names, mailing addresses, e-mail addresses, age, and date of birth from children who wanted to qualify to win an Etch-A-Sketch toy on their birthday without parent permission.
Mrs. Fields Cookies
February 22, 2003
$100,000
Portions' of Mrs. Fields web sites were directed to children. The company allegedly collected personal information from more than 84,000 children, without first obtaining parental consent.
Hershey
February 22, 2003
$85,000
Hershey operates more than 30 Web sites - many of which are candy-related sites directed to children. On a number of these sites, the company allegedly employed a method of obtaining parental consent that does not meet the standard delineated under the COPPA Rule.
UMG Recordings, Inc.
February 18, 2004
$400,000
UMG Recordings operates hundreds of general audience Web sites that advertise and promote its music and artists, many of whom are popular with children.
UMG gained actual knowledge that a child was registering on the site whenever a child entered a birth date indicating he was under the age of 13. Yet, UMG collected this personal information from children without first notifying parents and obtaining verifiable parental consent.
Bonzi Software
February 18, 2004
$75,000
Xanga
September 7, 2006
$1,000,000
Xanga is a social networking site that collected, used and disclosed information from children under 13. This is the first million-dollar penalty since COPPA was enacted.
Industrious Kid, Inc.
January 30, 2008
$130,000
The web site in the violation was advertised as a “free, secure, social networking and blogging destination specifically designed for kids ages 8 to 14.” however collected and maintained personal information from children under the age of 13 without first notifying parents and obtaining their consent.
Sony BMG Music
December 11, 2008
$1,000,000
The Commission’s complaint alleges that, through its music fan Web sites, Sony Music improperly collected, maintained and disclosed personal information from thousands of children under the age of 13, without their parents’ consent.
Iconix Brand Group
$250,000
October 20, 2009
Tiny Co
September 17, 2014
$300,000
Tiny Co runs many games and applications including Tiny Pets, Tiny Zoo, Tiny Village, Tiny Monsters and more. In exchange for in-app currency to buy game enhancements, TinyCo encouraged kids to turn over their email addresses, but the company didn't get parental permission as required by COPPA.
Yelp
September 17, 2014
$450,000
The lawsuit also alleged that Yelp didn’t adequately test its apps to ensure that users under the age of 13 were prohibited from registering.
InMobi
June 22, 2016
$950,000
The FTC charged the company for deceptively tracking the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.
Operation Child Tracker
September 13, 2016
Operation Child Tracker was a two-year investigation by the Attorney General’s office, discovered that websites operated by Mattel, Viacom, Hasbro and Jumpstart were home to tracking technology that illegally enabled third-party vendors, such as marketers or advertising companies, to track children’s online activity in violation of COPPA.
Mattel
$250,000
Viacom
$500,000
Hasbro
No fine
Jumpstart
$85,000
Explore Talent
February 5, 2018
$500,000
Along with collecting names, contact information and age, the company also asked users for their mailing address, weight, “body type,” and measurements for waist, hips, bust, shirt, etc. In addition, they urged users to upload a photo because “agents & casting directors choose only serious candidates with pictures. All of this was done without collecting parent permission.
Vtech
February 5, 2018
$650,000
The company was found collecting information from children without parents permission through connected toys violating children's privacy.
Unixiz Inc. (i-Dressup)
August 3, 2018
$35,000
Oath (AOL)
December 1, 2018
$5,000,000
TechCrunch’s Verizon-owned parent, Oath, an ad tech division made from the merging of AOL and Yahoo, has agreed to pay around $5 million to settle charges that it violated a federal children’s privacy law.
The penalty was the largest ever issued under COPPA.
Musical.ly (TikTok)
Feb. 27, 2019
$5,700,000
The video social networking company illegally collected personal information from children.
This is the largest civil penalty ever issued in a children’s privacy case.
Epic will pay a $275 million penalty for violating children’s privacy law, change default privacy settings, and pay $245 million in refunds for tricking users into making unwanted charges.
read more...
WW International — previously Weight Watchers — has agreed to pay $1.5 million to resolve claims from the Federal Trade Commission (FTC) that it illegally gathered the data of underage users of its Kurbo program.
California-based online advertising platform OpenX Technologies, Inc. will be required to pay $2 million to settle Federal Trade Commission allegations that the company collected personal information from children under 13 without parental consent,read more....
In its complaint, the FTC alleged that the Recolor app collected personal information from children under the age of 13 who used the app’s social media features and allowed third-party advertising networks to collect personal information from users in the form of persistent identifiers, also known as cookies, for targeted ads. The companies failed to instruct the ad networks to refrain from using children’s persistent identifiers for behavioral advertising, according to the complaint.
Miniclip falsely claimed from 2015 through mid-2019 that it was a member of the Children’s Advertising Review Unit’s (CARU) COPPA safe harbor program even though Miniclip’s membership had been terminated in 2015. Miniclip is prohibited from misrepresenting its participation or certification in any privacy or security program sponsored by a government or any self-regulatory organization, including the CARU COPPA safe harbor program. Miniclip is also subject to compliance and record keeping requirements.
The Washington AG alleged that We Heart It, which has approximately 500,000 monthly active U.S. users, allowed children under the age of 13 to create accounts, collected U13 users’ personal information, and allowed third-party advertisers to collect data from U13 users, all without obtaining COPPA-compliant verifiable parental consent.
The app developer violated COPPA by allowing third-party ad networks to collect personal information in the form of persistent identifiers to track users of the company’s child-directed apps, without notifying parents or obtaining verifiable parental consent.
HyperBeard has an array of children's apps including Axolochi, BunnyBuns, Chichens, Claberta, Clawbert, KleptoCats, KleptoCats 2, KleptoDogs, MonkeyNauts, and NomNoms.
The apps—MobileSpy, PhoneSheriff and TeenShield—referred to as "stalking apps", allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device’s user.
Retina-X violated the COPPA by failing to take reasonable measures to secure the personal information it collected from children.
To see the Decision and Order, click here.
Google LLC and its subsidiary YouTube, LLC will pay a record $170 million to settle allegations by the Federal Trade Commission and the New York Attorney General that the YouTube video sharing service illegally collected personal information from children without their parents’ consent.
The settlement requires Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the COPPA.
More information read the press release by clicking here.
Musical.ly, now known as TikTok, has agreed to pay $5.7 million to settle FTC allegations that the company illegally collected personal information from children. The operators knew many children were using the app but they still failed to seek parental consent before collecting names, email addresses, and other personal information from users under the age of 13,
At the time, it was the largest civil penalty ever obtained by the Commission in a children’s privacy case.
TechCrunch’s Verizon-owned parent, Oath, an ad tech division made from the merging of AOL and Yahoo, has agreed to pay $4.95 Million – and adopt comprehensive reforms to protect children from improper tracking. The company conducted billions of auctions for targeted ads on hundreds of children’s websites in violation of COPPA.
View the NY Attorney General Press Release by clicking here.
i-Dressup collected and retained personal information from children without parental consent. In addition to violating COPPA’s parental consent provisions, i-Dressup violated COPPA’s data security requirements.
Along with collecting names, contact information and age, the company also asked users for their mailing address, weight, “body type,” and measurements for waist, hips, bust, shirt, etc. In addition, they urged users to upload a photo because “agents & casting directors choose only serious candidates with pictures. All of this was done without collecting parent permission.
The company was found collecting information from children without parents permission through connected toys violating children's privacy.
Operation Child Tracker was a two-year investigation by the NY Attorney General’s office, discovered that websites operated by Mattel, Viacom, Hasbro and Jumpstart were home to tracking technology that illegally enabled third-party vendors, such as marketers or advertising companies, to track children’s online activity in violation of COPPA.
Mattel $250,000 Viacom $500,000
Hasbro No fine. Jumpstart $85,000.
The FTC charged the company for deceptively tracking the locations of hundreds of millions of consumers – including children – without their knowledge or consent to serve them geo-targeted advertising.
Tiny Co runs many games and applications including Tiny Pets, Tiny Zoo, Tiny Village, Tiny Monsters and more. In exchange for in-app currency to buy game enhancements, TinyCo encouraged kids to turn over their email addresses, but the company didn't get parental permission as required by COPPA.
The lawsuit also alleged that Yelp didn’t adequately test its apps to ensure that users under the age of 13 were prohibited from registering
The Path social networking app was charged for deceiving users by collecting personal information from their mobile device address books without their knowledge and consent. In addition to the civil penalty, the settlement requires Path, Inc. to establish a comprehensive privacy program and to obtain independent privacy assessments every other year for the next 20 years. For more information read the press release by clicking here.
The operator of fan websites for music stars Justin Bieber, Rihanna, Demi Lovato, and Selena Gomez violated COPPA by improperly collecting personal information from children under 13 letting them register to join the fan clubs, create profiles and post on members’ walls without their parents’ consent.
For more information read the press release by clicking here.
While touting its security features, RockYou failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users and violated COPPA in collecting information from approximately 179,000 children. As part of settlement, the FTC required RockYou to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay fine.
The operator of www.skidekids.com(link is external), a website that advertises itself as the “Facebook and Myspace for Kids,” targeted children ages 7-14 to register, create and update profile information, create public posts, upload pictures and videos, and “friend” and send messages to other Skid-e-kids members.
This was the Commission’s first case involving mobile applications, known as apps, collecting children's information.
The operators of 20 online virtual worlds have agreed to pay $3 million to settle Federal Trade Commission charges that they violated COPPA by illegally collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents’ prior consent.
Iconix required consumers on many of its brand-specific Web sites to provide personal information, such as full name, e-mail address, zip code, and in some cases mailing address, gender, and phone number – as well as date of birth – in order to receive brand updates, enter sweepstakes contests, and participate in interactive brand-awareness campaigns and other Web site features.
The Commission’s complaint alleges that, through its music fan Web sites, Sony Music improperly collected, maintained and disclosed personal information from thousands of children under the age of 13, without their parents’ consent.
The web site in the violation was advertised as a “free, secure, social networking and blogging destination specifically designed for kids ages 8 to 14.” however collected and maintained personal information from children under the age of 13 without first notifying parents and obtaining their consent.
In December 2007, Texas became the first state to file COPPA enforcement actions, by separately suing the entities behind Gamesradar.com and TheDollPalace.com.
In December 2007, Texas became the first state to file COPPA enforcement actions, by separately suing the entities behind Gamesradar.com and TheDollPalace.com.
Xanga is a social networking site that collected, used and disclosed information from children under 13. This is the first million-dollar penalty since COPPA was enacted.
UMG Recordings operates hundreds of general audience Web sites that advertise and promote its music and artists, many of whom are popular with children.
UMG gained actual knowledge that a child was registering on the site whenever a child entered a birth date indicating he was under the age of 13. Yet, UMG collected this personal information from children without first notifying parents and obtaining verifiable parental consent.
The Bonzi Software case is the first COPPA case to challenge the information collection practices of an online service in connection with a software product
Hershey operates more than 30 Web sites - many of which are candy-related sites directed to children. On a number of these sites, the company allegedly employed a method of obtaining parental consent that does not meet the standard delineated under the COPPA Rule.
Portions' of Mrs. Fields web sites were directed to children. The company allegedly collected personal information from more than 84,000 children, without first obtaining parental consent.
The Ohio Art Company was found collecting personal information from children registering for "Etchy's Birthday Club." The site collected the names, mailing addresses, e-mail addresses, age, and date of birth from children who wanted to qualify to win an Etch-A-Sketch toy on their birthday without parent permission
The company’s website featured a “Kids Club" section that features games, crafts, contests, and jokes directed to children under the age of 13. The company collected personal information without parent consent.
The Lisa Frank website was directed towards children and asked girls to register before they accessed many areas of the site, including the "club" and "shop" areas. The site asked girls for their first and last names, street addresses, phone numbers, e-mail addresses and birth dates, as well as their favorite color and season without parent permission.
Marking the first anniversary of COPPA, the FTC announced settlements with three Web operators for illegally collecting personally identifying information from children under 13 years of age without parental consent. The companies together will pay a total of $100,000 in civil penalties and are required to comply with COPPA in connection with any future online collection of personally identifying information from children under 13. The settlement also requires the operators to delete all personally identifying information collected from children online at any time since the Rule's effective date.
More information read the press release by clicking here.
This was the first complaint the Commission filed alleging a violation of COPPA. Toysmart collected detailed personal information about its visitors, including name, address, billing information, shopping preferences, and family profiles -- which included the names and birthdates of children. When it ran into financial difficulties, it attempted to sell all of its assets, including its detailed customer databases. Agreement enforces privacy promises, prohibits sale of customer lists except under very restricted circumstances.
Read the press release here.
GeoCities, agreed to settle FTC charges that it misrepresented the purposes for which it was collecting personal identifying information from children and adults. This was the first FTC case involving Internet privacy.
The Oath (AOL) and Muscial.ly (TikTok) violations were record shattering fines, making children's online privacy a priority in 2018 and 2019. Understanding COPPA can be complicated, however by looking at previous violations you can find important takeaways. Here are some important points from the list of violations above:
To get a better understanding of COPPA, view our COPPA Resource or "What is COPPA?" blog. If you are bringing children into your website, app, or game, there's a good chance COPPA applies to your organization.
Since COPPA came into force, fines for violating children's privacy online have become greater and greater. However, paying the fine is just the start of the process to repair brand damage. It takes years to build a positive brand relationship and just seconds for parents around the world to see your organization as unsafe for their children.
Understanding COPPA is complex to navigate. Each violation highlights a key lesson. Here are some important points from the list of violations above:
To get a better understanding of COPPA, view our COPPA Resource or "What is COPPA?" blog. If you are bringing children into your website, app, or game, there's a good chance COPPA applies to your organization.
Complying with COPPA not only protects your organization from legal trouble, but shows that you are willing to go the extra mile to keep kids safe online. Learn more about the COPPA Regulation or our COPPA Safe Harbor Certification, and see how we can help your organization safely engage with children and their families online.
703.569.0504 Phone
email: info@privo.com
Stay on top of the digital kids industry- looking at online privacy, data security & latest trends
Terms of use | PRIVACY POLICY | Kids' Privacy Notice | Cookie Policy
Legal Stuff
© 2023 PRIVO®. All Rights Reserved