Snack companies fined $185,000 for violating kids' online privacy

Hershey Foods and Mrs Fields Cookies taken to task by FTC

American snack companies Hershey Foods and Mrs Fields Cookies have been fined $85,000 and $100,000 respectively for violating children's privacy on their websites.

The hefty fines were issued by the Federal Trade Commission after it decided both companies had broken the Children's Online Privacy Protection Act (COPPA) by collecting personal information from children without first obtaining parental consent.

The penalties are the largest since the Act became law in April 2000 and show that the US government is serious about protecting kids' privacy on the Internet. Director of the FTC's Bureau of Consumer Protection, Howard Beales warned: "If your website collects personal information from children, comply with the law or face the consequences."

The law itself is tough and applies to operators of commercial websites and online services that are either aimed at children under 13 or knowingly collect personal information from children under 13. That information includes not only includes things like full name, home address, email address and telephone number but also hobbies, interests and any information collected through cookies or other tracking mechanisms if this information is in any way tied to an individual.

Mrs. Fields' sites mrsfields.com, pretzeltime.com, and pretzelmaker.com provided birthday greetings and free cookie coupons to kids and recorded the full name, address, email address and birth date from over 84,000 children as part of the service. However, while it did not disclose the information to any third parties, it didn't obtain parental consent before picking up the information.

Hershey - famous for its Hershey bar - has over 30 websites, many of which are aimed at kids. It did have an online consent form which it asked kids to get their parents to fill in. However, the FTC alleges, the company collected personal data from the child whether or not the form was actually filled in. By fining it, the FTC extended COPPA for the first time into the method that a company uses for consent.

The sites were also done for not posting adequate privacy policies about what information was collected and how it would be used, as well as not providing "reasonable means" for parents to review the information collected from their kids, delete it if they wish and refuse any future use of it.

Both companies have been ordered to delete the information they collected, promise no future violations and, significantly, keep records that will allow the FTC to monitor their sites' compliance.

Kids protection groups are, naturally, delighted. Ms Parry Aftab, a lawyer and executive director of WiredSafety.org and its kids version, WiredKids.org, put out a press release stating: "COPPA is a powerful tool in the online safety and privacy arsenal. There is no excuse for large corporations not to comply with COPPA. In the three years since its effective date, parents have learned to rely on this law to help them oversee how and with whom their children's personal information is shared, as well as how it will be used and protected. Our children's privacy is key to their safety."

It is safe to assume that most people will be in favour of protecting kids' privacy online, especially since many children will unwittingly give away identifiable information, and the FTC has certainly given this a huge boost by choosing to make an example of two companies with household names. Good news all round. ®

Related Links
The FTC decision
How to comply with COPPA (dull version)
How to comply with COPPA (kool version)

Sponsored: 10 ways wire data helps conquer IT complexity