The FTC announced today that Sony BMG Music has agreed to pay a $1 million fine to settle charges that it violated the Children’s Online Privacy Protection Act (COPPA).

COPPA requires website operators to meet specific requirements prior to collecting children’s personal information, including:
•posting a privacy policy with a notice of what information it collects from children and how it uses such information;
•obtaining verifiable parental consent prior to collecting, using or disclosing children’s information; and
•providing parents with the option to consent to the collection and internal use of their children’s information without consenting to disclosure to third parties.

The Act applies to any website that has actual knowledge it collects, uses and disclosed personal information from children. 

The FTC’s complaint alleges, among other things, that Sony BMG’s  over 1,100 music-related websites collect certain personal information upon registration, including e-mail addresses, birthdate, zip code and country.  Some of the sites also collected names, mobile phone numbers and full street addresses.  The sites offered a variety of features and functions including enabling registered users to create profile pages, post comments on message boards and receive e-mail notices.

The FTC found that, despite the sites’ privacy policy advising children under 13 not to provide personally identifiable information and a representation that those under 13 would be restricted from certain features and functions, Sony BMG accepted registrations from users of all ages, including those indicating they were under 13, and enabled those users to freely use the sites.  The sites also enabled children under 13 to create user profile pages through which the children were able to interact with others, including adults.

The FTC alleged that Sony BMG violated COPPA by not clearly and accurately setting forth its policies for disclosing and using children’s information; failing to provide parents with notice of the information practices prior to collecting information; and failing to take steps to obtain verifiable consent from parents prior to collecting children’s information.

In addition to the fine, Sony BMG agreed to ensure future compliance with the COPPA provisions, as well as to include links to the FTC’s children’s privacy policy information page at www.ftc.gov/privacy/privacyinitiatives/childrens and the page containing social networking tips for parents at www.onguardonline.gov/socialnetorking.html.

The case is a reminder to all website operators of the importance of carefully crafting a comprehensive and thorough privacy policy.