September 07, 2006
Xanga.com Busted for COPPA Violation
By Eric Goldman
The FTC announced today that Xanga.com had settled charges that it violated the Children's Online Privacy Protection Act (COPPA). The settlement includes, among other remedies, a payment of $1 million--by far the largest fine in a COPPA case to date.
Xanga.com's transgression can be easily summarized, as stated in the FTC's press release:
The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. ... The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.
Two practical observations:
1) Statements in EULAs/user agreements saying that users should not sign up if they are underage (or in the wrong geography, or whatever) are worthless from a risk management/legal compliance standpoint. The complaint also indicated that Xanga.com required users to check a box certifying that they were over 13. This might have been slightly more helpful, except when Xanga.com got conflicting data and didn't cross-check it against the certification.
2) Collecting birthdates is a well-known and paradigmatic way to violate COPPA. For years, I've been saying that one simple way to mitigate COPPA exposure is simply not to collect birthdates. (COPPA also covers sites that target kids 12 and under, so avoiding birthdates isn't a complete solution). Or, if birthdates are collected, simply refuse to register underage users. Here, according to the FTC, Xanga.com violated these well-known and basic approaches--1.7 million times!
FWIW, when COPPA became effective in 2000, Epinions had a field where users could self-report their age. We ran a script and found a few dozen users 12 and under. We promptly kicked those users off the site (they were ticked about being evicted--I told them to take it up with Congress and the FTC). We then disabled the ability of users to self-report their age.
Posted by Eric at September 7, 2006 12:39 PM | Privacy/Security
It seems like it would be easier to require self reporting of birthdate, and then disallow membership if the date puts the user under 13. Is that difficult to implement in practice?
Posted by: Michael Risch at September 7, 2006 05:15 PM
In theory, no. But if there are multiple self-reporting options, all of them must be coded to bounce underage users. Proper diligence should take care of this, but perhaps it's easy to overlook. Eric.
Posted by: Eric Goldman at September 7, 2006 05:34 PM