Xanga.com Busted for COPPA Violation

By Eric Goldman

The FTC announced today that Xanga.com had settled charges that it violated the Children’s Online Privacy Protection Act (COPPA). The settlement includes, among other remedies, a payment of $1 million–by far the largest fine in a COPPA case to date.

Xanga.com’s transgression can be easily summarized, as stated in the FTC’s press release:

The Xanga site stated that children under 13 could not join, but then allowed visitors to create Xanga accounts even if they provided a birth date indicating they were under 13. … The defendants created 1.7 million Xanga accounts over the past five years for users who submitted age information indicating they were under 13.

Two practical observations:

1) Statements in EULAs/user agreements saying that users should not sign up if they are underage (or in the wrong geography, or whatever) are worthless from a risk management/legal compliance standpoint. The complaint also indicated that Xanga.com required users to check a box certifying that they were over 13. This might have been slightly more helpful, except when Xanga.com got conflicting data and didn’t cross-check it against the certification.

2) Collecting birthdates is a well-known and paradigmatic way to violate COPPA. For years, I’ve been saying that one simple way to mitigate COPPA exposure is simply not to collect birthdates. (COPPA also covers sites that target kids 12 and under, so avoiding birthdates isn’t a complete solution). Or, if birthdates are collected, simply refuse to register underage users. Here, according to the FTC, Xanga.com violated these well-known and basic approaches–1.7 million times!

FWIW, when COPPA became effective in 2000, Epinions had a field where users could self-report their age. We ran a script and found a few dozen users 12 and under. We promptly kicked those users off the site (they were ticked about being evicted–I told them to take it up with Congress and the FTC). We then disabled the ability of users to self-report their age.