• by Steve Smith , Staff Writer @popeyesm, January 2, 2009

In a settlement last month with the Federal Trade Commission, Sony BMG Music agreed to pay $1 million in fines for collecting data from children under 13 at music fan sites without the permission of their parents. According to privacy and digital media lawyers Andrew Lustigman, principal, The Lustigman Firm, and Jonathan Ezor, Lustigman counsel and law professor at the Touro Law Center, Sony BMG's violations were clear and instructive. In violation of the Children's Online Privacy Protection Act (COPPA), the company failed to get parental permission for collecting data for children under the age of 13. Moreover, Sony BMG had indicated in its own privacy policies it would not collect such data from children even though it did, Lustigman and Ezor contend. We asked both men to reflect on the implications of this settlement for all publishers.

 

Behavioral Insider: What stands out in this settlement that marketers should take to heart?

Andrew Lustigman: There is no allegation that Sony used the data in some way or did something improper with it. It related to the collection of the data. It highlights how seriously the FTC continues to take the obligations when collecting data from children. You have a million-dollar fine just based on the collection of data, not [even] marketing to children.

BI: How exactly are sites supposed to avoid Sony BMG's mistake?

Jonathan Ezor: First, if the site is targeted at children under 13, you must get verifiable parental consent before collecting the information from the children. Simply saying, as they do often on TV 'kids, ask your parent before you do this' is not enough and that will be a violation. The site has to directly ask the parents beforehand. Any site that collects age or birth date information, has to be watching for users under 13 and block that information from going into the database.

BI: How is the site supposed to identify and contact the parent given the anonymity of working online?

Ezor: The law itself does not say. The FTC has given some guidance but nothing definitive. It has to be done through a telephone call or a Fax or an email message with some other identifier or a credit card number, something that an under-13-year-old would not have. They have to make a good faith effort. Any personal information, a phone number, an address, triggers this obligation.

Lustigman: And it is not just if it was meant for under-13s. Even in the case of Sony, it wasn't meant for under-13. In law school you learn the concept of attractive nuisance, which is something that might drive someone to visit something like a swimming pool in a backyard or a Web site that would create a desire for children to visit, even if you aren't intending to have under-13 visitors. Then you also have to keep in mind COPPA. That is an important lesson people have to keep in mind.

BI: What are the implications of this ruling for the larger field of behavioral targeting and using BT? Much of the technology in BT is cookie and tracking pretty much anyone. Are there implications here for BT that also picks up under-aged users?

Lustigman: While the settlement is narrowly drawn to COPPA, the important thing that continues to follow online behavioral advertising is the importance of disclosing to users what you are doing in terms of data collection and giving users the opportunity to opt out. The FTC talks about it in their charging papers. By failing to follow COPPA they had a false representation as to what they were doing with data collection. And then you didn't give parents the opportunity to review the data that was collected about their children. In general online behavioral [targeting] there is a growing importance for marketers to disclose how they handle data collection and to give users a general ability to opt out.

BI: Because SMS marketing captures participants' phone numbers, this has implications for mobile marketers.

Ezor: You can no longer assume, as one could years ago, that a cell phone user is above the age of 13. The COPPA wording seems to apply equally to an SMS-based resource or a mobile Web site. SMS promotions tend to be instantaneous. I was at a baseball game not long ago and on the score board they asked people to vote in SMS responses. The team can collect the phone numbers for future marketing. Well, how many users in that stadium were under 13? There is no way to know. So marketers without intending to violate COPPA are violating COPPA every day in those sorts of promotions.

BI: Are they obliged to ask for age confirmation in those cases?

Ezor: If it is attractive to under-13s or targeted at under-13s, the answer is that one has to assume so. Otherwise, no, as long as you are not knowingly collecting the birthdates. But this is not a bright line test. This is going to depend on the likely audience and the type of promotion and the potential exposure of the marketer. The FTC has gone after the big names. Essentially marketers really have to think about COPPA in everything they are doing with SMS now because kids have cell phones. Also SMS itself has additional rules and restrictions that don't' exist on email because users pay per message. Any SMS-related marketing thing really needs legal involvement to make sure that is not unintentionally violating the law because those fines can get very high very quickly.

BI: Behavioral marketing is now clearly on the FTC's radar, so does this settlement tell us anything about the mood of the FTC in terms of enforcement overall?

Ezor: My take on this is that the U.S. is much behind the rest of the world in data protection. In most of the world, any kind of data collection must be registered with the government and is much more clearly disclosed, etc. We have taken a self-regulatory approach. What I am seeing from this and many other things like it is that the FTC is taking seriously its role as the protector of personal information on behalf of consumers. As with the original passage of COPPA, if marketers abuse the legal rights they have, whether it is in over-ambitious collection or in failing to protect the data once they are collected, and if there are any more large-scale data breaches, we are likely to see more law, which will make it more difficult for even anonymous targeted marketing. If marketers want to be able to continue to do the kinds of things they are able to do, they need to be responsible about disclosing what they are doing, being accurate, sticking to it, and making sure the data are safely stored.

Lustigman: Generally in this country for privacy issues we operate on an opt-out provision. For children, the FTC always took a different perspective of it being an opt-in. The FTC has always taken the position in any privacy context that you have to do what you say you will. Two things set this [case] off. They failed to get opt-in and they failed to follow what they said they were going to do. The overall lesson to marketers, in addition to focusing on children and the overall focus from FTC, is going to be, say what you do and do what you say. Otherwise, that is where you will see legislation coming down, and it may get onerous. Any time you deal with legislation, there is always the tendency of government politicians and the like to say let's change the paradigm to an opt-in, which from a marketer's perspective is going to be a disaster.