The Walt Disney Company ended up on the wrong end of a lawsuit over violations of the Children’s Online Privacy Protection Act (COPPA). The class action suit alleges violations related to embedded software collecting children’s personal information from Disney’s apps.
COPPA rules are regulated by the Federal Trade Commission. They require operators of commercial websites and online services directed at children under the age of 13 to comply with certain privacy standards. For example, COPPA rules require applicable organizations to post privacy policies, notify parents about their information practices, and obtain parental consent before collecting, using, or disclosing children’s personal information.
Ad tech companies provide the software development kits that Disney uses to track behavior across various apps and devices. This class action complaint makes several allegations and claims about Disney’s potential violations:
- Tracking children’s online behavior to facilitate behavioral advertising or marketing analysis
- Creating online profiles for child users with data elements like location, browsing history, and app usage
- Failing to obtain verifiable parental consent, and never providing a mechanism for consent to be given
Disney released a statement, “Disney has a robust COPPA compliance program, and we maintain strict data collection and use policies for Disney apps created for children and families. The complaint is based on a fundamental misunderstanding of COPPA principles, and we look forward to defending this action in Court.”
Disney has been involved in alleged COPPA violations in the past, when a subsidiary company was given a $3 million penalty in 2011 for collecting and disclosing children’s personal information without parental consent.
Safe Harbor Update
The FTC made news in regards to COPPA by approving TRUSTe’s modifications to its safe harbor program. Organizations in an approved safe harbor program – like TRUSTe’s – are subject to program-regulated guidelines rather than COPPA’s formal FTC investigation and enforcement process.
Organizations covered under TRUSTe’s safe harbor program should review the approved updates.
Increasing Regulatory Requirements for IoT
The COPPA update is part of a larger regulatory wave to address the expanding privacy and security issues surrounding the Internet of Things (IoT).
While the FTC update focuses on ‘smart toys,’ the overall trend will require all organizations to analyze the privacy and security implications stemming from the emerging ‘smart’ business models.
The security industry expects to see much more action in the near future (including legislation making its way through Congress) related to shifting regulation and new vulnerabilities for the Internet of Things.