Consumer Protection Alert

Date: Jan 15, 2014

Marvel and Sanrio Accused of Violating COPPA Regulations

On December 18, 2013, the Center for Digital Democracy (CDD) filed two complaints with the Federal Trade Commission (FTC) alleging that Marvel Entertainment LLC and Sanrio Digital were violating the Children’s Online Privacy Protection Act (COPPA). CDD claims that Marvel and Sanrio failed to update their online privacy policies to comply with new COPPA regulations that went into effect July 1, 2013. According to CDD, Marvel collects personal information from visitors accessing the Marvelkids.com website, collecting IP addresses, installing cookies to track users, and disclosing information to third-party users, all without obtaining parental consent or ensuring the users are over thirteen years old. Similar accusations were brought against Sanrio, which operates a Hello Kitty mobile app, along with claims that Sanrio released images containing children’s photos to third-party users.  The app privacy policy indicated that the app was for consumers 13+.

The complaints, in short, challenge the scope of permitted activities to promote personalization and support for web operations, an operator’s self-identified target audience, and also the effectiveness of safe harbors, suggesting that the scope of COPPA may be far-reaching indeed. 

New California Online Privacy Requirements in Effect in 2014

California’s updated Online Privacy Protection Act (as amended by A.B. 370), which now requires website operators and online services to disclose whether they or any third party that collects personal information complies with “do not track” signals from Internet browsers, went into effect on January 1, 2014. Additionally, modifications to California’s breach notification law (found at Cal. Civ. Code § 1798.80 and sometimes referred to as S.B. 1386), expanding the definition of sensitive data to include e-mail addresses or user names in combination with log-in passwords or security questions, also went into effect on January 1, 2014.

Holiday Hackers Affect Target, Neiman Marcus, Other Retailers

For more than two and a half weeks during the busiest shopping season of the year, hackers accessed payment card data from in-store customers at Target stores around the U.S. Target acknowledged the hacking on December 19, 2013, a day after reports surfaced in the media indicating that the federal Secret Service was investigating. Later, Target acknowledged that the PINs of customers’ bank ATM cards were stolen as part of the breach, but the third-largest U.S. retailer said it remained confident that the encrypted PINs were not accompanied by the key necessary to decrypt them. However, by Friday, January 10, the company acknowledged that a new group of up to 70 million customers, some of whom might have had their card data stolen, had their names, addresses, e-mail addresses, and phone numbers stolen. Further reports indicate that high-end retailer Neiman Marcus was the target of a similar operation, which it learned about January 1, 2014. Reuters reported that similar, smaller breaches occurred at three other unnamed but well-known U.S. retailers.

Target is facing over a dozen lawsuits, including some filed within 24 hours of the news of the hacking. The retailer has responded proactively, holding a conference call with numerous state officials (several state attorneys general, including those of California, Massachusetts, and New York, have asked the company to respond to information requests), and posting a prominent notice on its website that remains today. The CEO also wrote an open letter addressing the hacking. Banks such as JPMorgan Chase and entities such as the Virginia Department of Social Services (which handles child support payments and welfare benefits) have issued new bank cards to affected customers, and Target says it will pay for credit monitoring services for everyone affected. Given the apparent sophistication of the hacking here and its ability to affect even the largest companies, companies that use consumers’ personal information, including payment data, should not only take protective, precautionary measures but also develop plans to address breaches if and when they occur.

CPSC Likely to Propose Changes to Policy on Disclosing Business Information Soon

The Consumer Product Safety Commission (CPSC) is expected to soon receive amendments proposed by staff regarding the policy on the disclosure of information related to the safety of specific companies’ products. Under Section 6(b) of the Consumer Product Safety Act, the CPSC generally must give a company 15 days’ notice before releasing information about a product that would allow the public to identify the product’s manufacturer or private labeler. The rule has long been criticized by some consumer advocates and agency officials, including acting Chairman Robert Adler, and the Commission voted to direct staff to amend the regulations implementing the disclosure process in May 2013. Although CPSC staff was directed to submit proposed changes to the process before the end of the federal fiscal year (September 30, 2013), that deadline was not met. The specific contents of the proposal are not known, but in addition to the “modernizing” of the rule to account for technological changes, potential curtailments on companies’ ability to correct or refine agency disclosures may be in the offing.

For more information about privacy, data security, product safety, and other consumer protection–related issues, contact Sheila A. Millar at millar@khlaw.com or 202 434-4143; JC Walker at walker@khlaw.com or 202 434-4181; or Tracy P. Marshall at marshall@khlaw.com or 202 434-4234.