There has been talk with a lot of re-tweets about an impending COPPA crackdown by the FTC. A lot of the “news” around this crackdown warns of $16K fines for COPPA violations per download. I do not know if there’s a crackdown coming but I do know we aren’t too far off to the 2nd anniversary of the last COPPA action. At this rate we might not hit any enforcment actions for two years. That’s not much of a crackdown but it’s always possible that some day there might be.
I don’t know what the future holds for COPPA enforcement but I do believe that no one knows outside the FTC. As far as the $16K figure, I have contacted the same FTC official that is quoted in the original article (but not quoted saying there’s a crackdown coming or to expect $16K fines) and this is what he said:
The Commission had announced, in denying the request to move the effective date, that we’d give an additional month or two for smaller developers to come into compliance.
Our civil penalty authority takes into account a number of factors, not just the number of violations.
The first line is in response to the grace period that the FTC gave after the debut of the revised COPPA Rule. A month or two means September 2013 at the latest and there have been exactly zero enforcement actions made public since then. The second line is vague but basically says they look a lot more than just the number of violations which is enforced by one of the COPPA FAQs.
Section B of the Complying With COPPA FAQ says the following:
(B)2. What are the penalties for violating the Rule?
A court can hold operators who violate the Rule liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company. Information about the FTC’s COPPA enforcement actions, including the amounts of civil penalties obtained, can be found by clicking on the Case Highlights link in the FTC’s Business Center.
Looking back on past enforcements we see that for the most part the fines per child have been pretty low. Even with settlements greater than a million dollars, the per child fine isn’t that much. It all adds up but these figures are not counting individual infractions such as multiple logins or downloads.
The following chart outlines published fines and the reach in number of children reported. This allows us to extrapolate an average fine per child. For the sake of absurdity, I’ve included a column of how much the fines could have been if the total fine was taxed at $16K for each. This would have brought the Treasury department more than $56 billion dollars if enforced by the max that the FTC Act allows.
I have not included cases where the fine was revealed but not the reach and older cases typically did not care about reach or at least did not disclose the formula that was used. You can read about all the cases made public on the FTC website by clicking on the Case Highlights listed in the above FAQ answer.
|Name||Date||Fine||Reach||Cost Per||16K Per||Notes|
|Mrs. Fields Famous Brands||2/27/2003||$100,000||84,000||$1.19||$1,344,000,000|
|Sony BMG Music Entertainment||10/11/2008||$1,000,000||30,000||$33.33||$480,000,000||9|
|Iconix Brand Group||10/20/2009||$250,000||1,000||$250.00||$16,000,000|
|W3 Innovations, LLC||9/8/2011||$50,000||50,000||$1.00||$800,000,000||5,6|
|Artist Arena LLC||10/4/2012||$1,000,000||75,000||$13.33||$1,200,000,000||1|
|1: The FTC alleged that an additional 25K kids registered but an additional 50K had info collected but did not|
|finish the registration. When only counting the 25K kids the fine per child is $40.|
|2: FTC complaint against Skidekids.com and Jones O. Godwin.|
|3: All but 1% of the fine was dismissed under stipulation. For 1000 kids the fine would be 18 cents.|
|4: Website offline.|
|5: FTC complaint against Broken Thumbs Apps, and Justin Maples.|
|6: FTC states more than 50,000 downloads of apps “directed to children”.|
|7: Against Playdom, Inc. and Howard Marks.|
|8: 403,000 children were alleged to have registered for general interest sites with 821,000 on child directed sites ($3.65 per head without the general sites).|
|9: Over 196 sites.|
|10. Also captioned under Industrious Kid, Inc.|
|11. Announced on same day in same press release. No documents listed on FTC website state how many children’s information was collected.|
|12: Number of children not stated by FTC.|
|13: FTC sued company while in bankruptcy. Cash settlemnet not listed.|
|14: No cash penalty listed and no estimate of number of children effected.|