The operator of a website called Skid-e-Kids, a self-described “Facebook and MySpace for kids,” has learned that it is not enough merely to have a privacy policy that requires parental consent prior to obtaining personal information online from children under the age of 13. Such website operators must actually abide by that policy as well. The Federal Trade Commission (FTC) reinforced that lesson via an enforcement action and settlement with the company this week.

Skid-e-Kids (skidekids.com) advertises itself as “Safe, Fun and very educational.” Their target group is children ages 7-14. The Children’s Online Privacy Protection Act of 1998 (COPPA) and corresponding FTC rule require parental consent before children under the age of 13 can be requested or required to provide personal information online.

Skid-e-Kids had a Privacy Policy that “requires child users to provide a parent’s valid email address in order to register on the website.” In practice, however, that was not the case. Children were required to provide a birth date, gender, user name, password and email address prior to using the website. Once that information was provided, the child was automatically registered on the website. Worse still, Skid-e-Kids did not even request a parent’s email address and made no attempt to notify parents or obtain parental consent.

This week, Jones O. Godwin, operator of the Skid-e-Kids website, entered into a Consent Decree, agreeing to comply with COPPA and to delete personal information obtained from children without parental consent. Godwin was also required to pay a civil penalty of $100,000, all but $1,000 of which was suspended pending compliance with COPPA and the Consent Decree for the next ten years. The Consent Decree also requires Godwin to retain an independent third party to assess the site’s compliance with COPPA for the next five years.

This case acts as a reminder that posting a COPPA-compliant policy is not enough. Stations that maintain websites or web pages directed to children under age 13 must actually obtain the necessary parental consent before proceeding to collect personal information from children.

Davis Wright Tremaine's Privacy and Security blog features a summary of this consent decree and explains the ramifications of the decision.  Broadcasters and other website owners should learn from this decision that they should not blindly copy a privacy policy that they find on some other website and adopt it as their own.  Instead, they need to carefully craft a privacy disclosure that honestly discloses their policies and practices.  In this case, the website owner promised that personal information would be maintained in a secure fashion, yet the FTC found that simple hacking techniques were able to get access to that information.  For website owners who are collecting private information, and promising privacy and security, to avoid legal issues in the future, make sure that you are living up to your promises.