Marvelkids.com and Sanrio, two companies that produce popular children’s characters such as the Hulk and Hello Kitty, have been accused of violating privacy laws by collecting personal information from children without giving notice or receiving parental consent. Several advertising companies may also be held liable for knowingly collecting personal information from children, as well.
The Center for Digital Democracy, a consumer rights organization, filed two complaints with the Federal Trade Commission on Wednesday, claiming that the Marvelkids.com website, a subsidiary of Disney-owned Marvel Entertainment, shared personal information with ad serving companies. In a separate filing, it claimed that the Hello Kitty Carnival app allowed third parties to collect information about a child's location, photos and the unique device identifier.
Under the Children’s Online Privacy Protection Act (COPPA), website operators whose content is aimed at users below age 13 are required to get a guardian’s consent before collecting personal information from users for advertising purposes. The law's definition of "personal information" was updated in July to include photos, location data, videos, and persistent identifiers like cookies and mobile device ID numbers.
The Center for Digital Democracy described its complaints as revealing a “pattern of disturbing practice that threaten children’s privacy.” The new COPPA rules were “designed to protect children from contemporary data collection practices that track consumers 24/7 on mobile phones and apps,” said CDD executive director Jeff Chester in a statement. “But what we discovered is that the same powerful and pervasive data gathering digital complex is at work on leading kids sites.”
According to the filings, an independent researcher and Clueful, an online privacy monitoring service, found several instances when Marvelkids.com and the Sanrio app collected personal information from users and disclosed it to third parties without getting parental consent.
The Sanrio report listed Tapjoy, MoPub and Flurry as operators that collect children’s personal information from the app. The report acknowledged that the technologists were unable to determine how these third parties use the information, but noted that they could also be held liable for violations if they have actual knowledge of collecting information on a child-directed app.