McDonald's, Viacom Websites Violate Child Privacy, Groups Say (Law360)

By Alison Grande

Nearly 20 consumer groups on Wednesday urged the Federal Trade Commission to investigate possible privacy violations by child-targeted websites run by McDonald's Corp., Viacom Inc., General Mills Inc. and two others, a move that attorneys say could prompt the commission to address friend-referral requests in upcoming revisions to its online protections for children.

In five separate complaints filed with the regulator, the Center for Digital Democracy, Children Now, Consumer Federation of America, Center for Science in the Public Interest, the Privacy Rights Clearinghouse and a dozen others focus on the "refer-a-friend" campaigns used on McDonald's Happymeal.com, Viacom Inc.'s Nick.com, Doctor's Associates Inc.'s Subwaykids.com, Turner Broadcasting System Inc.'s Cartoonnetwork.com, and General Mills' Reesespuff.com and Trixworld.com.

The complaints contend that the viral marketing technique — which encourages children who are playing in brand or product-related Web games to provide their own personal information as well as the personal information, including email addresses, of their friends — is a "clear violation" of the Children's Online Privacy Protection Act because the companies fail to obtain express and verifiable consent from the parents of both the referring children and their friends under age 13.

"Nothing in COPPA permits a website directed to children to collect the email address of a child from another child without verifiable consent of the parents of both children," the groups said. "Using children to virally market products to other children online unfairly takes advantage of children's trust and lack of experience."

General Mills spokesman Tom Forsythe told Law360 Wednesday that the company follows COPPA-approved procedures, specifically the provision that allows companies to use "send to friend" emails as long as the friend's email address or full name is never collected and the recipient's email address is deleted following the sending of the message.

McDonald's spokeswoman Danya Proud also said that the company "makes every effort to be in compliance with all government regulations," and that it was "currently examining the complaint to better understand the allegations."

But in a cover letter that accompanied the complaints, the consumer groups urged the FTC to revise its nonbinding guidance on the provision that General Mills cited, which provides for a "one-time contact" exemption to the parental consent requirement in the case of sending "electronic postcards" that don't retain personal information.

"While none of the websites named in the complaints complied with those conditions, we believe that even if they had, they would still violate COPPA," the groups said. "Because the FTC's guidance could be read to suggest otherwise, it should be restricted or clarified."

An FTC spokeswoman confirmed Wednesday that the agency had received the complaints and would "be viewing [them] carefully."

The agency's evaluation of the allegations could lead not only to enforcement action, but additions to the agency's pending effort to expand and strengthen the 12-year-old COPPA rule, according to attorneys.

"There does seem to be some ambiguity about whether the [existing] rule is talking about information collected from a child about him or herself or whether it contemplates information collected from a child about another child," Reed Smith LLP partner John Feldman said. "While the FTC is constrained by the COPPA statute, it does have some wiggle room to clear up ambiguity in the statute, so the question is going to be whether the FTC has the desire to find some ambiguity with this issue and clarify it."

Clarification could come either through a revision to the rule or to the agency's nonbinding guidance in one of its FAQs that supplement the regulation, which allows the regulators to reveal their interpretation of certain provisions without changing the substance of the rule, Feldman noted.

Regardless of the approach they take, any action is likely to be based on the agency's desire to strike a balance between companies' legitimate needs to collect certain information without parental consent and the safety of children, according to Cooley LLP privacy practice group co-chair Susan Lyon.

"If the agency feels that the potential risk to the safety and needs of children outweigh the benefit to companies, then they are likely to revisit this issue," she said.

Despite the attention being given to Wednesday's complaints, Hogan Lovells privacy and information management practice group director Christopher Wolf expressed doubt that the FTC would take action.

"The COPPA issues raised by the recent submission may or may not be looked into by the FTC," he said. "There are much larger, and more significant, COPPA issues currently pending before the FTC than the ‘refer-a-friend' issues raised by the submission."

Contrary to the general misconception that filing an FTC complaint triggers an automatic probe, there is "no obligation on the FTC to do anything, including to advise on whether it believes the so-called ‘complaint' has any merit at all," Wolf added.

But Lyon noted that the FTC has been generally receptive to feedback regarding COPPA, citing the agency's recent decision to reopen public comment on its proposed revisions after making several changes to clarify the scope of the rule, after it received 350 comments on its original proposal to update the regulation in September.

"It's not very common, but the FTC could certainly delay the launch of its proposed rules if it feels that there are legitimate open questions that need to be addressed," she said, although she added that the industry is "pretty anxious" to receive clarity after more than a year of review and public input regarding the changes.

In its first batch of proposed revisions, the agency suggested expanding the definition of personal information to make it clear that persistent identifiers, such as IP addresses and tracking cookies, as well as photographs, are considered information for which websites need to gain express parental consent.

The consumer groups that filed Wednesday's complaint encouraged the FTC to move forward with this proposal, saying they found companies are using the disputed "refer-a-friend" technique to collect and store children's photographs without parental notice and consent, and to place third-party cookies on children's computers to facilitate targeted advertising.

In the second round of revisions released Aug. 1, the agency proposed placing stringent requirements on services that choose to integrate with child-directed websites, but it did not address the friend-referral issue.

"That's probably the reason that these groups presented this issue in a complaint rather than in comments to the agency's most recent revisions," Feldman said, adding that he didn't believe the agency had ever looked at the issue before.

While the consumer groups' complaints may spur rule changes, the previously proposed revisions could prompt more complaints, according to Holland & Knight LLP data privacy and security team co-chair Steven Roosa.

"The proposed revisions broaden the scope of what type of information and companies are being regulated and to what extent companies will need to go to achieve compliance," he said. "Because of this, there is likely to be an increase in the number of regulatory actions or investigations as well as private complaints if the new rule comes into effect."

The consumer groups that submitted Wednesday's complaint are represented by Angela J. Campbell and Laura M. Moy of the Institute for Public Representation at Georgetown Law.

All Content © 2003-2012, Portfolio Media, Inc.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.