By Andrew B. Lustigman and Jonathan I. Ezor

With tweens and elementary school kids increasingly carrying smartphones with Web access, many marketers are looking to reach those audiences through SMS and mobile-friendly Web applications.

Marketers seeking to attract those age groups must, however, remain vigilant about privacy compliance.

As a recent Federal Trade Commission settlement with Sony BMG Music Entertainment (Sony Music) illustrates, interacting with the under-13 crowd remains a precarious marketing activity that must be vigilantly monitored.

This is the latest in a series of COPPA actions by the FTC. Under the terms of this settlement, Sony Music agreed to pay the government a $1 million fine -- tying the largest such penalty -- for violations of the Children's Online Privacy Protection Act ("COPPA").

The FTC's latest action and the size of the fine shows that the FTC is still actively looking to enforce COPPA and its requirements of prior verifiable parental consent.

Coping with COPPA
COPPA was passed by Congress in 1998 in response to a number of FTC surveys of Web sites which showed that site owners were collecting personal information and showing advertising to children without disclosing what they were doing.

Under COPPA, any online resource that is either directed to children under 13 or knowingly collects personal information from children under 13 must get verifiable parental consent before any such collection.

The "knowingly collects" piece can include any Web site that asks a user's age or date of birth, and will therefore "know" when an under-13 user enters information.

COPPA itself does not specify what method(s) would be acceptable for obtaining that consent, but the FTC's rule implementing COPPA (found online at http://www.ftc.gov/os/1999/10/64fr59888.pdf) states:

"An operator must make reasonable efforts to obtain verifiable parental consent, taking into consideration available technology. Any method to obtain verifiable parental consent must be reasonably calculated, in light of available technology, to ensure that the person providing consent is the child's parent."

The rule lists possible methods as including:

"[P]roviding a consent form to be signed by the parent and returned to the operator by postal mail or facsimile; requiring a parent to use a credit card in connection with a transaction; having a parent call a toll-free telephone number staffed by trained personnel; using a digital certificate that uses public key technology; and using email accompanied by a PIN or password obtained through one of the verification methods listed in this paragraph."

The rule also describes a "sliding scale" of additional methods:

"[M]ethods to obtain verifiable parental consent for uses of informationâ?¦may also include use of email coupled with additional steps to provide assurances that the person providing the consent is the parent. Such additional steps include: sending a confirmatory email to the parent following receipt of consent; or obtaining a postal address or telephone number from the parent and confirming the parent's consent by letter or telephone call. Operators who use such methods must provide notice that the parent can revoke any consent given in response to the earlier email."

"Verifiable parental consent," however, does not mean that a site owner may rely on the children to ask their parents before providing the data; the site owner must obtain the consent itself, which can be time consuming and certainly impedes the "instant gratification" and automation for which the Internet is so prized by consumers and marketers alike.

According to the FTC's press release (which may be found online at http://ftc.gov/opa/2008/12/sonymusic.shtm), Sony Music failed to get the required verifiable parental consent before collecting personal information (including birth dates) from at least 30,000 children under 13 registering for 196 of its music artist and label Web sites.

Under the settlement, Sony Music will also delete all personal information it collected from children, publicize the FTC's educational materials and link to the social networking section of the FTC's http://www.onguardonline.gov Web site.

By agreeing to the settlement (although not admitting any wrongdoing), Sony Music follows in the footsteps of Universal Music, Hershey Foods, Mrs. Fields Cookies and other major marketers who have been caught by the FTC violating COPPA with their Web sites.

Mobile Web leads to exposure
The FTC's latest action and the size of the fine shows it is still actively looking to enforce COPPA and its requirements of prior verifiable parental consent.

The fact that communications with mobile phones will automatically capture telephone numbers -- one of the specific categories of personal information covered by COPPA -- only enhances the risk of accidental and expensive violations by mobile marketers.

Since COPPA includes both wired and wireless networks in its rules, mobile marketers need to ensure that they have built COPPA enforcement into both their technology and their business models.

In addition to COPPA, mobile marketers should consider the other ways a company can fall afoul of U.S. law with regard to online data collection practices.

Even when a company is not violating any law (such as COPPA), posting an inaccurate privacy policy can itself lead to liability.

For that reason, it is critical that every company with an online presence both fully understand and fully disclose its data practices regarding children and adults alike.

Andrew B. Lustigman is attorney and principal and Jonathan I. Ezor is special counsel at The Lustigman Firm, New York. Reach them at and .