Skip to main content

Two Sites Pay COPPA Violation Settlements

UMG Recordings, Inc. and Bonzi Software, Inc. each have agreed to settle Federal Trade Commission charges that they violated the Children’s Online Privacy Protection Act (COPPA) by knowingly collecting personal information from children online without first obtaining parental consent. UMG Recordings, which operates several hundred music-related Web sites, will pay civil penalties of $400,000, the largest civil penalty to date for a COPPA violation. Bonzi Software, distributor of the BonziBUDDY software, will pay civil penalties of $75,000. The Bonzi Software case is the first COPPA case to challenge the information collection practices of an online service in connection with a software product. Previous FTC COPPA cases have addressed Web site operators’ information collection practices.

The COPPA Rule applies to operators of commercial Web sites and online services directed to children under the age of 13 and to general audience Web sites and online services that have actual knowledgethat they are collecting personal information from children under the age of 13. Among other things, the Rule requires that these Web site operators post privacy policies, provide parental notice, and obtain verifiable consent from a parent or guardian before collecting personal information from children.

According to the FTC complaints, UMG and Bonzi each violated the COPPA Rule when they failed to obtain verifiable parental consent before collecting extensive personal information from children under the age of 13. The companies each collected birth date information through their online registration processes, and thus had actual knowledge that they were collecting and maintaining personal information from thousands of children under the age of 13. In addition, the complaints allege that the two companies failed to post clear and complete privacy notices or to provide adequate direct notices to parents of what personal information they sought to collect from children. The separate settlements represent the ninth and tenth COPPA settlements the FTC has obtained since the Rule went into effect on April 21, 2000.

In conjunction with the announcement of these two cases, the FTC also is releasing a Business Alert on the actual knowledge standard of the COPPA Rule to assist Web site operators and online service providers in complying with the Rule’s requirements. The alert is available at www.ftc.gov/bcp/conline/pubs/alerts/coppabizalrt.htm.

UMG Recordings, Inc.

According to the FTC, UMG Recordings operates hundreds of general audience Web sites that advertise and promote its numerous music labels and recording artists, many of whom are popular with children. UMG’s Web sites offer activities such as e-mail newsletters and updates, fan clubs, and bulletin boards. The complaint charges that UMG’s Web site registration forms collected extensive personal information including full name, birth date, e-mail address, home address, phone number, gender, and other information such as visitors’ preferences in music, sports, and apparel. UMG gained actual knowledge that a child was registering on the site whenever a child entered a birth date indicating he was under the age of 13. Yet, UMG collected this personal information from children without first notifying parents and obtaining verifiable parental consent. Also, according to the FTC, at least one of UMG’s Web sites, www.lilromeo.com, is also a Web site “directed to children” under the Rule. The Web site, which promotes 13-year-old pop star “Lil’ Romeo,” and hosts child-oriented games and activities, used the same registration forms as other UMG sites. The complaint alleges that www.lilromeo.com violated the Rule as both a “Web site directed to children” and an “actual knowledge” Web site.

In some instances, UMG sent notices to parents after collecting their children’s personal information. The complaint alleges that these notices violated the Rule’s parental consent requirement because they were sent after thecollection of personal information and were deficient in other regards. The complaint also alleges that, in some instances, UMG used the children’s personal information to e-mail them marketing materials on other musicians and Web sites. The Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus brought UMG’s practices to the FTC’s attention.

Bonzi Software, Inc.

Bonzi Software markets software products including the BonziBUDDY, a free downloadable software that displays an interactive, animated purple gorilla on users’ computers. According to the FTC, the BonziBUDDY interacts with users while they are online, providing shopping advice, jokes, and trivia.

The BonziBUDDY online registration form requires users to provide a birth date and several other types of personal information. Like UMG, Bonzi Software had actual knowledge, as a result of collecting birth date information,that thousands of children were registering for BonziBUDDY. The FTC complaint alleges that Bonzi Software failed to provide direct notice to parents of what information it sought to collect from children or obtain verifiable parental consent before collecting such information. It also alleges that Bonzi software failed to post a clear and complete privacy notice for its online service or to provide a reasonable means for parents to review the personal information collected from their children.

The settlements prohibit future COPPA violations, require that the companies delete any information collected in violation of COPPA, require civil penalty payments of $400,000 and $75,000, respectively, and contain certain record-keeping requirements to allow the FTC to monitor the companies’ compliance with the orders.

The Commission vote to approve the complaints and consent decrees was 5-0. The U.S. Department of Justice filed both the UMG Recordings complaint and consent decree and the Bonzi Software complaint and consent decree in the U.S. District Court for the Central District of California, Western Division, on February 17, 2004 at the request of the FTC.

The FTC Web site at http://www.ftc.gov/privacyiniatives/childrens.html contains information to educate Web site operators and online service providers about their responsibilities under the COPPA Rule and to inform parents and teachers about how the Rule protects children’s privacy.

NOTE: A consent decree is for settlement purposes only and does not constitute an admission by the defendant of a law violation. Consent decrees have the force of law when signed by the judge.

Copies of the settlement agreements are available from the FTC’s Web site at http://www.ftc.gov/ and also from the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, D.C. 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them. To file a complaint, or to get free information on any of 150 consumer topics, call toll-free, 1-877-FTC-HELP (1 877-382-4357), or use the complaint form at http://www.ftc.gov/. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to hundreds of civil and criminal law enforcement agencies in the U.S. and abroad.

Digital Trends Staff
Digital Trends has a simple mission: to help readers easily understand how tech affects the way they live. We are your…
A dangerous new jailbreak for AI chatbots was just discovered
the side of a Microsoft building

Microsoft has released more details about a troubling new generative AI jailbreak technique it has discovered, called "Skeleton Key." Using this prompt injection method, malicious users can effectively bypass a chatbot's safety guardrails, the security features that keeps ChatGPT from going full Taye.

Skeleton Key is an example of a prompt injection or prompt engineering attack. It's a multi-turn strategy designed to essentially convince an AI model to ignore its ingrained safety guardrails, "[causing] the system to violate its operators’ policies, make decisions unduly influenced by a user, or execute malicious instructions," Mark Russinovich, CTO of Microsoft Azure, wrote in the announcement.

Read more