On this past Monday, a class action lawsuit was filed in Superior Court in Los Angeles against Mattel and ToyTalk in their active roles promulgating the safety and privacy aspects of Hello Barbie. kidSAFE is also named under their role of COPPA safe haven. The lawsuit alleges unfair competition, negligence, unjust enrichment, and invasion of privacy. The plaintiffs so far are two little girls (and their mothers) who state that Hello Barbie is an “inherently dangerous product” and the information she gathers is unlawful and and the collection is negligent.
Plaintiff C.H. received the doll as a gift on December 2, 2015 from her mother Ashley Archer-Hayes. Plaintiff A.P. is a friend of C.H. and played with the doll at C.H.’s birthday party as did other party-goers. C.H. and her mother, Charity Johnson were not registered with ToyTalk or Mattel while they played with the doll allegedly “triggering” voice recording and cloud storage and the A.I. routines based on the recorded voice.
Plaintiff’s lawyers propose the following questions of law for certification in California and nationally:
- Whether Defendants failed to satisfy the requirements of COPPA;
- Whether Defendants’ conduct is an unlawful business act or practice within the meaning of Cal. Bus. & Prof. Code § 17200, et seq.;
- Whether Defendants have collected, used, or maintained recordings of children under 13 whose parents have not consented;
- Whether Defendants failed to reasonably prevent or detect recordings of children under 13 whose parents have not consented;
- Whether recordings of children under 13 whose parents have not consented have bee shared or sold to third parties by Defendants;
- Whether Defendants failed to notify affected individuals that their children had been recorded without their consent;
- Whether Defendants notified purchasers that they may only use the doll outside the presence of other children under 13;
- Whether Defendants’ conduct violated the causes of action herein alleged;
- Whether, as a result of Defendants’ conduct in this case, Plaintiffs have suffered ascertainable loss; and
- Whether Plaintiffs are entitled to monetary damages and/or other remedies, and, if so, the nature of any such relief.
Copy of the lawsuit (warning, large file to do processing and OCR): HelloBarbieComplaint.pdf
I’m think COPPA won’t be the lynch pin here. I think the dodge is the Actual Knowledge standard. COPPA doesn’t kick in unless the online site or service is aware that someone under 13 is using the service. C.H. is under COPPA and verified parental consent was obtained from her mother. “Actual Knowledge” is a huge loophole though I haven’t seen it used when”incidental” PII is captured.
The COPPA angle seems to be against common sense. A 13 year old may upload a video to a COPPA compliant website of his 10 year old brother playing video games. The 13 year old isn’t a parent but I’m sure the 10 year old doesn’t have to have verified parental consent else the video service is in trouble. Another example is smart phone created for a child under 13 where the child’s parent provided verified consent. Lets say the child handed the phone to another preteen who then snaps a selfie of their self. Is it a violation that the phone manufacturer should have known that the phone would come into contact with other children? Did C.H.’s mom have enough information provided by Mattel that would make her responsible for understanding what the doll does and therefore how it might gather info from other girls that enter the house?
The other causes of action might have more merit and they definitely can survive if COPPA gets knocked out. They include:
Violation of the Unfair Competition Law
Unjust Enrichment (they made money on the doll where they shouldn’t have)
Invasion of Privacy
David vs. Goliath:
The attorneys for the proposed class are not ambulance chases (though this lawsuit came together in a few days). They are big time tort and class action practitioners. The primary law-firm is Kirtland & Packard with 4 attorneys appearing in the case. There are three more in California, two in Florida, and one in Wilmington N.C. That’s 10 attorneys total
But will Mattel be toppled? I’ve always been concerned with the fact that they didn’t do all of the heavy lifting themselves. They are exporting a lot of risk to a third party that they are ultimately responsible for. Did Mattel’s lawyers didn’t think of this? The main thing that has made me think that Mattel was COPPA compliant was because they have better lawyers than the F.T.C.
This would be a massive screw-up. Forget the money or removing the doll from the marketplace, good will is paramount for them.
What happens next:
Mattel has 30 calendar days to respond to the lawsuit starting from December 7, 2015. They will likely motion for additional time which the Plaintiff’s lawyers will agree to out of courtesy. No danger for a market upset this Christmas. There’s also a chance that the case will be removed to Federal court which will make it easier for court watchers to keep an eye on it. If that happens then the laws of California will still prevail.
The long-term solution would be to have a notice explaining what can happen if the doll interacts with other children. Maybe it should say that the parent is responsible for how their children play with the dolls. But isn’t that common sense?
Blame Mattel or blame mom?
The lawsuit states that kidSAFE’s list (seals) do not included Hello Barbie but the doll seems to be listed here: http://www.kidsafeseal.com/certifiedproducts/toytalk_hellobarbie_device.html
Leading US kids virtual world Roblox is now boasting 100% kid-safe advertising, thanks to a new partnership with SuperAwesome out of the UK. The incorporation of SuperAwesome’s platform into the digital game-building site will open up Roblox and its 15 million user-generated games to COPPA-compliant advertising opportunities and brand integrations in both the US and the UK.
CARU Conference to Share Best Practices for COPPA Compliance and Marketing to Children
Includes best practices for COPPA compliance relevant to all platforms and a keynote address from Federal Trade Commission (FTC) Commissioner Terrell McSweeny.
The FTC held meetings on the “Internet of Things” earlier this year. As government agencies often do, the Commission issued a report detailing different aspects of this new technological COPPA and the Internet of things compliance issuesrevolution that raise potential privacy concerns and how, for the purposes of this article, COPPA plays into the situation.
The Internet can seem like a place without adult supervision, but in a space where minors are a growing segment of the online audience, companies are subject to a complex landscape of laws, regulations, and codes of conduct attempting to protect young users. When combined with the speed that technology is changing, it can be near-impossible to keep up.
The Center for Digital Democracy CDD, in its ongoing efforts to monitor the Federal Trade Commission’s enforcement of the Children’s Online Privacy Protection Act COPPA, has filed a motion in the U.S. District Court of the District of Columbia challenging the FTC’s refusal to release important COPPA documentation. The case involves seven “safe harbor” programs, such as KidSAFE and TRUSTe, approved by the FTC to handle website compliance with COPPA regulations.
In 1998, the United States enacted the Children’s Online Privacy Protection Act, better known as “COPPA.” As the Internet is a worldwide medium, the question many businesses face is whether they should comply with COPPA if the company is not located in the United States?
The following is new. I am considering it “COPPA (Law) 3.0” not to be confused with the Rule update in 2013.
The following was introduced 02/24/2015 by Sen. Menendez, Robert [D-NJ].
COPPA (Law) 3.0 is dead. I hope I’m wrong but lots of words and no enforcement isn’t going to help children.
I challenge the FTC and Congress to prove me wrong.
I had a brief conversion with a high level official at the FTC who manages the COPPA team. I asked why there are so few enforcement actions. The simple answer is that education (that is the FTC educating services and websites on the Rule and not public school education) has been a higher priority than enforcement. The full answer is a bit more complicated than that.
The big answer is that there are more investigations that we don’t hear of because there aren’t enforcement actions in those cases. This means more companies may be whacked over the nose with a newspaper instead of be hauled up by Commission for a a public flogging (with clever prose in the FTC press releases).
The next thing that comes in to play is that responsibility for COPPA enforcement shifted from the advertising unit to the Division of Privacy and Identity Protection in 2013. Because of the common “Ps” we might see higher enforcement (or at least education :() in the future.
The division estimates that that there have been 24 enforcement actions since 1999 which is about 1.6 per year compared to my tally of 1.2.
The new division and leadership went with education first because the new Rule (2.0) went in to effect at about the same time. This makes sense, however the actions are moving at about the same pace we’ve seen since the the new team took over.
It’s hard to tell where this leaves us. Maybe they’ll get frustrated with the wise-guys that have had a long time to be educated and conform but didn’t. I would welcome this and so would the fledgling companies that want to help protect kids with their services and technologies but they are stuck because the infinitesimal chance a potential client would get caught. We’ve seen this in SEC filings. The risk is acknowledged but right now they think it’s cheaper to ignore it and pay a fine. There’s been much ballyhoo about a crack down (which apparently we are in according to sources /snark) but what we’ve seen is peanuts in fines for those that have been busted. The money is nothing (especially if you divided it by the number of kids affected). The damage, if any is public embarrassment by a spanking the FTC gives them. No one has really gone under since the early days when the Commission targeted mom and pop sites that consented to go out of business instead of pay a fine.
I would like to see more enforcement actions. I think my complaints against YouTube and Twitter were solid but I guess they get time to be educated too.
The count-up counter on this site is at 191 days since the last enforcement action at the time this was written. That looks like status quo to me. I have never seen the Commissioners give any more than lip service about COPPA and some congressmen are more interested in “improving” COPPA with a 2.0 version (2.0 Law) without apparently being aware of how the current Law/Rule is malfunctioning. I think Congress is key to getting things fixed but that’s a hard radar to get on.
Meanwhile, let’s hope we see a shift towards more enforcement actions from the Commission’s Division of Privacy and Identity Protection.
“If you are developing a website or a mobile app directed to children under the age of 13, you need to be familiar with The Children’s Online Privacy Protection Act (or COPPA.)”