Photo of Sheila MillarPhoto of JC Walker

On December 22, 2020, the Federal Trade Commission’s (FTC) announced adoption of a final rule requiring the use of the EnergyGuide labels on portable air conditioners (ACs). Effective October 1, 2022, portable AC manufacturers must attach yellow EnergyGuide labels on the principal display panel of their packaging and include an image of the required label on websites and catalogs advertising the product.

The FTC initially proposed that the labeling requirement would go into effect on January 10, 2025, the same day as new portable AC DOE efficiency standards. Given that these products are increasingly common in the marketplace, exhibit a wide range of energy efficiency and energy costs across similarly sized units, and sometimes consume more energy than currently labeled room air conditioners, the FTC decided that consumers would benefit from moving the effective date up to October 1, 2022.

The final amendments also update the energy efficiency ratings used at 10 C.F.R. Part 305 for central AC units from “Seasonal Energy Efficiency Ratio (SEER)” to “Seasonal Energy Efficiency Ratio 2 (SEER2).” A new ratings methodology goes into effect on January 1, 2023, and Part 305 will be consistent with this change. Manufacturers may begin to use the new terminology before then provided that the represented energy efficiencies comply with the minimum requirements going into effect in 2023.

The Commission considered but ultimately decided not to pursue broader changes to the Energy Label rule, such as a transition to electronic labeling, at this time. The FTC may seek further input on such changes on a later date after having had an opportunity to gather information sufficient to support significant changes to the entire rule. In the interim, the vote in favor of publishing the notice in the Federal Register was 4-1. Commissioner Christine S. Wilson voted no and issued a dissenting statement in which she expressed concern that the final changes to the Rule do not remove prescriptive aspects that she believed were an impediment to competition. Wilson called for a full review of the Rule “to consider removing all dated and prescriptive provisions, and to consider the recent comments suggesting changes. Nothing prevents the Commission from conducting this review now – we do not have to wait until the 10-year anniversary.”

Commissioner Rohit Chopra also issued a separate statement in which he commended the Commission for “finalizing a rule that will help to reduce the long-term burden of high energy bills on low-income families, promote greater energy efficiency, reduce carbon emissions from residential housing,” and for moving up the compliance date, which he believes would result in significant consumer savings in energy costs.

Photo of Sheila MillarPhoto of Tracy Marshall

Third-party service providers are vital to many companies and they handle a wide range of business activities essential for companies to deliver their own offerings. But a company is not adequately protecting consumers if it fails to perform proper due diligence on service providers and contractually require them to employ appropriate security measures to protect sensitive personal information, as Ascension Data & Analytics, LLC (Ascension) discovered. Ascension, a data analytics company serving the mortgage industry, recently settled with the Federal Trade Commission (FTC) over charges that it violated the Gramm-Leach-Bliley (GLB) Act Safeguards Rule, as well as its own policies, when it neglected to vet the data security practices of a service provider and require the vendor to adequately protect personal information of mortgage holders. While the settlement involves a financial institution subject to the GLB Act, it is instructive for all businesses that maintain consumers’ personal information and share it with third parties.

The GLB Act governs a range of business activities by “financial institutions” (a term that is broadly defined to include many types of companies), including lending, stockbroking and investing, banking, insuring, and providing financial advisory services. Under the GLB Act Safeguards Rule, all covered entities must develop, implement, and maintain a comprehensive, written information security program that contains administrative, technical, and physical safeguards appropriate to the size, complexity, nature, and scope of the company and the sensitivity of the personal information collected. In addition, they are required to ensure that third-party service providers can maintain appropriate safeguards to protect consumers’ personal information and are contractually bound to do so.

The FTC’s complaint alleged that Ascension hired a vendor, OpticsML, to process tens of thousands of  mortgage documents that contained personal information of more than 60,000 consumers, including names, dates of birth, Social Security numbers, loan information, credit and debit account numbers, drivers’ license numbers, credit files, and other financial information. According to the complaint, Ascension failed to review OpticsML’s security practices before providing OpticsML with documents containing sensitive personal information, which OpticsML stored on a cloud-based server without adequate security measures. As a result of such failure, sensitive personal information was accessible by unauthorized persons for about one year.

The proposed settlement requires Ascension to establish, implement, and maintain a comprehensive data security program overseen by a designated employee, undergo biennial security assessments by an independent entity, and provide an annual certification by a senior executive that the company is complying with the FTC’s order. The settlement serves as a reminder for businesses in all industries, and not just financial institutions, of the importance of (1) implementing and maintaining written security programs, (2) regularly reviewing the procedures and ensuring that appropriate personnel are aware of the requirements, and (3) ensuring that service providers have appropriate security programs and measures in place before sharing personal information with them. All businesses should keep abreast of the rapidly developing privacy and data security landscape and their obligations under federal and state laws.

Photo of Sheila MillarPhoto of JC Walker

For the second time since 2016, glue producer Chemence, Inc. (Chemence) has found itself adverse to the Federal Trade Commission (FTC) for making allegedly deceptive claims that its products are American made. And this time it cost them $1.2 million – the highest settlement amount ever paid in a “Made in USA” case.

In 2016, the FTC charged Chemence, among several other glue manufacturers,[1] with making unqualified, deceptive country-of-origin claims about their cyanoacrylate superglue products such as Kwifix, Krylex, and Hammer Tite, including labeling them “Made in USA,” “Proudly Made in USA,” and using images of the American flag on product packaging. According to the 2016 FTC complaint, a significant proportion of the costs of the chemical components in the glues came from imported chemicals. Further, the FTC alleged that Chemence induced sellers to deceive unwitting consumers by providing them with “Made in USA” promotional materials for the products. The Stipulated Court Order against Chemence fined the company $220,000 and prohibited it from representing, expressly or by implication (including in labelling and advertising) that its products were USA made unless it could show that the product’s final assembly or processing occurred in the United States, that all significant processing occurred in the United States, and that all or virtually all ingredients or components of the product were made and sourced in the United States. Otherwise, Chemence was required to make a “clear and conspicuous qualification [which] appears immediately adjacent to the representation that accurately conveys the extent to which the product contains foreign parts, ingredients, and/or processing.” The order also required the company to submit a compliance report to the FTC one year after the order.

But according to the FTC’s 2020 complaint, Chemence and its president, James Cooke, continued to sell the company’s glue products with “Made in USA” labels using the same foreign-sourced ingredients with no qualifying language, in violation of the 2016 Order. The FTC also asserts that in 2017 Cooke falsely claimed in the company’s annual compliance report that the company had relabeled its glue products to reflect that they are made with globally sourced materials.

The terms of the 2020 proposed settlement agreement bar Chemence and Cooke from making country-of-origin claims they cannot substantiate. Moreover, the agreement bans them from making any unqualified “Made in USA” claims unless they can show that the product’s final assembly and all significant processing occurs in the U.S. and that all or virtually all ingredients or components of the product are made and sourced in the United States. Qualified “Made in USA” claims must clearly and conspicuously disclose how much of a product contains foreign parts, ingredients or components, and/or processing. To support claims that a product is assembled in the U.S., they must demonstrate that the product is substantially transformed in the United States, with its principal assembly in the United States, and substantial U.S. assembly operations. The company must submit yearly compliance reports and inform all sellers that purchased the company’s glue products labeled as USA-made that the products contain imported materials.

The Commission vote to issue the complaint and accept the proposed consent order was 5-0. Commissioner Rohit Chopra issued a statement in which he applauded the Commission’s sanctions against Chemence and its president as “real consequences” and “another step forward in protecting the Made in USA brand and restoring the Commission’s law enforcement credibility.”

Many customers who want to support domestic industries look for “American Made” claims or symbols. Knowing this, the FTC continues to pursue “Made in USA” claims aggressively, and has a pending rulemaking on the topic. Those who are caught once making false U.S. origin claims and continue to make them face significant consequences, as the record-breaking penalty imposed on Chemence and Cooke demonstrates.

Many companies find the difference between country-of-origin rules imposed by Customs and Border Control and the FTC’s “Made in USA” guidance to be confusing, and, as we have previously noted, the landscape is complicated still more because of California’s law on U.S. origin claims.[2] But businesses wishing to advertise their products as American made would be well advised to familiarize themselves with the FTC’s Enforcement Policy Statement on U.S. Origin Claims guidance to avoid their “Made in USA” claims from coming unglued.

[1] See https://www.ftc.gov/news-events/blogs/business-blog/2016/02/ftc-challenges-companys-made-usa-claims.

[2] Cal. Bus. & Prof. Code § 17533.7

Photo of Sheila MillarPhoto of Tracy Marshall

Online opinions – and not just from celebrities – are big business. Consumer reviews can be highly influential in convincing other shoppers to buy a product. In fact, the founder and CEO of Sunday Riley Modern Skincare LLC (Sunday Riley Skincare) was so convinced about the power of those starred reviews on cosmetics chain Sephora’s website that she allegedly asked her employees to make up a few to boost the company’s ratings. The result? A complaint from the Federal Trade Commission (FTC) for false advertising.

The FTC’s complaint asserts that between November 2015 and August 2017, the company’s CEO, Sunday Riley, and her managers directed staff to post reviews of Sunday Riley Skincare products on Sephora’s website using false accounts. When Sephora caught on to the fake reviews and pulled them down, the company obtained a VPN IP address to mask its employees’ real identity from Sephora. The complaint goes on to assert that the CEO sent staff an email in which she told everyone to “create 3 accounts on Sephora.com, registered as different identities.” She then gave explicit instructions on how to set up the fake accounts and leave reviews, even going so far as to coach employees on how to make the reviews convincing. The FTC charged Sunday Riley Skincare and Sunday Riley individually with making false or misleading claims and with failure to disclose a material connection with endorsers, in violation of Section 5 of the FTC Act.

In a 3-2 vote, the FTC approved a final settlement with the company that bars it and the company’s CEO from misrepresenting the status of anyone reviewing the company’s products, including implying that employees of the company are ordinary customers. The company must also clearly and conspicuously disclose any unexpected material connection between endorsers and the company or CEO, and the order provides specific details on how to do so in various media.

Commissioners Rohit Chopra and Rebecca Kelly Slaughter voted no. Commissioner Chopra, joined by Commissioner Slaughter, published a statement in which he argues that Sunday Riley Skincare should be subject to monetary fines because of “egregious fake review fraud.” He also recommended that the FTC publish a Policy Statement on Equitable Monetary Remedies, restate legal precedent into rules, seek civil penalties against violators, and designate specific misconduct as penalty offenses under FTC authority.

FTC Chairman Joseph Simons and Commissioners Noah Phillips and Christine Wilson, voting yes, also issued a statement. Regarding the failure to impose monetary penalties, they note that “the expenditure of resources needed to develop an adequate evidentiary basis reasonably to approximate ill-gotten gains may substantially outweigh any benefits to consumers and the market.” Instead, they contend that the order is a sufficient deterrent against future unlawful behavior by the company and its CEO because it “holds Ms. Riley personally liable, prohibits both Ms. Riley and Sunday Riley Modern Skincare from making future misrepresentations (including through fake reviews), and requires them to instruct employees and agents about their legal responsibilities. Each violation of the order could result in a civil penalty of up to $42,530.”

Settlement agreements with the FTC – even where no monetary penalties are assessed – have real consequences for businesses. The Sunday Riley Skincare agreement is no exception, binding both the company and its CEO to adhere to specific requirements for 20 years, with the potential for fines for future violations. The company in this case was not simply careless in dealing with endorsers, but actively urged employees to post fake reviews and “dislike” negative reviews in an effort to get them removed. The Sunday Riley Skincare settlement demonstrates that fake reviews come with real legal consequences.

 

Photo of Sheila MillarPhoto of Tracy Marshall

The EU-U.S. Privacy Shield Framework, which provided a mechanism to legally transfer personal information from the EU to the United States, was invalidated on July 16, 2020, but the Federal Trade Commission (FTC) has made it clear that companies that claimed to be participants must still make good on their word. A case in point is the FTC’s recent settlement with NTT Global Data Centers Americas, Inc. (NTT) over charges that the company misrepresented its participation in the EU-U.S. Privacy Shield Framework after its certification had lapsed in January 2018. Businesses that transfer personal information from the EU to the United States rely on representations by service providers such as NTT that they comply with established privacy principles and that an approved adequacy mechanism is in place to facilitate such transfers.

The settlement terms bar NTT from misrepresenting in any way its participation in or adherence to any privacy or data security program. They also require NTT to apply Privacy Shield or equivalent protections to all personal information the company collected during its membership in the framework or return or delete that information. The FTC has taken similar action against other companies over the years, and this decision reaffirms the importance of ensuring that claims about participation in the Privacy Shield, or any other privacy program, are made only when an application has been approved and a certification is current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed.

The Commission vote to finalize the settlement with NTT was 3-1-1. Commissioner Rebecca Kelly Slaughter did not take part, and Commissioner Rohit Chopra voted no and issued a statement in which he pressed the Commission to impose monetary fines on companies that mislead consumers about their participation in privacy programs.

Whether the FTC imposes heavier sanctions down the road or not, damage to reputation can cost a company dearly. The FTC’s settlement with NTT is also a reminder of the importance of “trust but verify.” The U.S. Department of Commerce’s Privacy Shield list provides a way to double check that an organization’s representations about compliance are true. The vast majority of Privacy Shield participants take their obligations seriously. The FTC’s focus on the few organizations that do not remain current in their Privacy Shield commitments enhances the reliability of the Privacy Shield even as discussions continue on possible alternative adequacy mechanisms to address data transfers from the EU to the United States.

Photo of Sheila MillarPhoto of Tracy Marshall

The Federal Trade Commission (FTC) recently announced settlements with two online companies for allegedly misleading customers about automatic membership renewal costs. On September 2, 2020, the FTC announced that Age of Learning, Inc., d/b/a ABCmouse, will pay $10 million to settle charges that the company enrolled thousands of consumers in a negative option scheme to which they did not consent, and also misrepresented its cancellation process. Fewer than three weeks later, on September 22, the FTC announced that online supplement manufacturer NutraClick LLC and two of its individual officers settled with the FTC for $1.04 million over allegations the company violated an earlier consent order that required it to fully disclose the terms of its negative option membership program to customers.

The FTC charged both companies (and the individual defendants in the NutraClick case) with violating two laws: (1) Section 5 of the FTC Act, which prohibits misleading or deceptive statements; and (2) Section 4 of the Restore Online Shoppers’ Confidence Act (ROSCA), which bans online negative options unless the seller (a) clearly discloses all material terms of the deal before obtaining a consumer’s billing information, (b) gets the consumer’s express informed consent before making the charge, and (c) provides a simple mechanism for stopping recurring charges. The FTC also charged NutraClick with violating the Telemarketing Sales Rule, which prohibits deceptive telemarketing acts (the company advertised its “free trials” via text as well as online).

ABCmouse is a membership-based online educational company that offers reading, math, and other scholastic content for children two to eight. According to the FTC’s complaint, from 2015 through at least 2018, the company failed to adequately disclose key terms of its membership program, as required by ROSCA. The company also allegedly neglected to inform customers that their yearly membership, priced at $59.95, would automatically renew for another year at the same price unless users cancelled. And, while the company promised “easy cancellation” in its ads, the reality was anything but. Not only was the cancellation process overly complicated, hundreds of thousands of consumers who had purchased a membership and attempted to cancel later learned they were still enrolled.

The FTC 2020 complaint against NutraClick alleged that the company violated a 2016 order that required the company to disclose the material terms of its membership programs to customers. According to the FTC’s 2016 complaint, NutraClick advertised “free” samples of beauty products and nutritional supplements, but by ordering these samples, customers were unwittingly enrolled in a membership program and charged recurring monthly fees ranging from $29.99 to $79.99 unless they cancelled within 18 days. The FTC claimed that while NutraClick’s websites did contain statements about the monthly membership fee, the statements were not “clear and conspicuous,” as required by ROSCA. Because it was not upfront with its customers about its billing practices, more than 70,000 consumers reportedly complained about NutraClick’s practices.

In addition to the $10 million monetary judgment, the ABCmouse stipulated final order requires the company to disclose all information related to its negative option plans and clearly explain key terms, obtain consumers’ informed consent before enrolling them in automatic billing, and provide an easy means of cancellation. The stipulated final order against NutraClick permanently bans the company from engaging in any negative option marketing. NutraClick was also ordered to pay $1.04 million in a separate proposed contempt order.

The Commission voted 4-0-1 to authorize staff to file the complaint and proposed order against ABCmouse. Commissioner Rebecca Slaughter did not participate, and Commissioner Chopra issued a separate statement in which he pointed to ABCmouse’s “unlawful dark patterns” of deceptive negative options and “unethical” and “illegal” behavior, characterizing the company as a “roach motel.” Commissioner Chopra mentioned a number of tools at the FTC’s disposal to “root out the kinds of tricks and traps” employed by ABCmouse, including ROSCA, the FTC Act, and the CAN-SPAM Act, which prohibits deceptive headers and requires marketers to give consumers an easy way to opt out of future emails.

The FTC continues to pay close attention to online negative option schemes. Brands should be careful to adhere to the terms of ROSCA before enrolling customers in membership programs and charging recurring membership fees.

Photo of Sheila Millar

Interested in environmental marketing? Do you make and sell plastic products? Partner Sheila Millar and Counsel Boaz Green discuss a bill likely to become law in California that further restricts environmental marketing claims for plastic products sold in California. AB 2287 would expand restrictions on plastic degradability claims by effectively banning marine degradable claims. Read the full article.

Photo of Sheila MillarPhoto of Tracy Marshall

More than 160 million Americans play video games. Originally designed as single-use purchases for consoles or computers, video games are now downloadable, making them more accessible to consumers than ever. One important development for the video game industry has been the creation of “micro purchases” – in-game transactions such as “loot boxes” that players can either buy for a small fee or win through playing. Micro purchases have become a multibillion-dollar market and make up a substantial portion of video game profits. The Federal Trade Commission (FTC) discussed loot boxes and other issues related to in-game purchases in a new staff perspective paper, which offers key takeaways from the FTC’s August 2019 “Inside the Game” workshop and subsequent public comment period.

The purpose of the workshop was to bring a variety of stakeholders together to discuss emerging research on the potential pitfalls of microtransactions, including how they affect children and teens and people with addictive behaviors, disclosure issues, and marketing and monetization techniques. The paper points out that in the United States the video game industry is largely self-regulated through disclosures, including the Entertainment Software Rating Board (ESRB) rating system, parental game controls, and consumer education. However, some panelists at the workshop voiced concern over how microtransactions affect children, who are “vulnerable to manipulation and social pressure, or may not fully understand the cost of the transaction,” despite self-regulatory controls. Following the workshop, in April of 2020, ESRB announced a new disclosure regarding in-game purchases for any game “where the player does not know which specific digital good or premium they will receive at the time of purchase, such as loot boxes and mystery rewards.” The ESRB designation for loot boxes is “In-Game Purchase (Includes Random Items).”

Key issues the FTC identified include:

  • Disclosures: Loot box monetization techniques can mask the real costs to players through confusing details or visuals designed to keep players invested in gameplay.
  • Pressure to spend: Interactive games may pressure players to spend money to avoid letting teammates down or to appear more competitive. Players can get sucked into greater spending than they are perhaps aware. Some video games use pay-to-win tactics, while other games promote loot box purchases that, according to the FTC, may yield disappointing, low-value items. Free games appear to have some of the more problematic microtransactions and loot boxes.
  • Children: Some panelists felt it is difficult for parents to understand how their children interact with video games.
  • In-game spending: Some games use their own made-up currencies rather than real money, which can make it hard for players to keep track of the real cost of every transaction, and “even when a real money cost is disclosed, it may not adequately explain how much a player can expect to pay after the initial transaction.”
  • Content Creators/influencers: There is a growing trend of game players with millions of fans who follow their gaming online. The staff report raised a question of whether content creators may be given better odds by the publisher for promotional purposes than odds given to the general public.

Panelist and commenter recommendations include:

  • Improved industry self-regulation, particularly more detailed disclosures for both players and parents.
  • Possible modification of the ESRB rating for games with loot boxes or creation of a new rating.
  • Disclosure of loot box odds, particularly if a game uses odds that can vary by player or time.
    • Some participants suggested creating in-game purchase disclosures that detail in-game micrtransactions
  • Disclosure by content creators of material connections between themselves and the products they recommend, per the FTC’s Endorsement Guides (recognizing that livestream formats and an inability of content creators to control platforms may be an impediment).
  • Improved consumer education.
  • Additional self-regulatory measures such as a website detailing types of microtransactions, displaying in-game spending in real currency, and making loot box items available for direct purchase.

Industry is looking at the issues the FTC raised, and the fact that ESRB has acted quickly to expand its rating system to address in-game purchases and loot boxes illustrates the ability of self-regulatory organization to respond quickly to challenges raised by new technologies.

Photo of Sheila MillarPhoto of JC Walker

Marketing products as environmentally friendly can induce customers to pay higher prices than they would for other goods. But when promises of lower emissions or higher insultation ratings prove false, that hurts consumers, and the Federal Trade Commission (FTC) steps in. The FTC recently concluded its four-year long false advertising case against Volkswagen and Porsche – the biggest in FTC history – for making deceptive claims about the air emissions levels of their vehicles when they were, in fact, fitting them with illegal devices designed to cover up the real level of emissions. The FTC’s Final Status Report, filed with the U.S. District Court for the Northern District of California on July 27, 2020, stated that, under FTC orders, Volkswagen and Porsche paid out some $9.5 billion to compensate affected customers.

Two days later, on July 29, the FTC filed complaints against Superior Products International II, Inc., SPM Thermo-Shield, Inc., F & G International Group Holdings, LLC and FG International, LLC, and SuperTherm, Inc. in federal court for making unsubstantiated and/or deceptive claims about their paint coatings’ R-values. Because the companies referred to R-values, the complaints referred to the FTC Trade Regulation Rule Concerning the Labeling and Advertising of Home Insulation (commonly referred to as the R-value Rule). The R-value Rule sets out detailed standards and test methods for calculating a product’s R-value and lays out requirements for making energy savings claims. The greater the R-value, the greater the potential energy bill savings to consumers – assuming the stated R-value is real.

In each complaint, the FTC alleges the companies made claims that their coating products had high R-values they could not substantiate. Superior Products and principal Joseph E. Pritchett made statements dating back at least to 2008 in their brochure as well as on their website, in ads, and in a patent application to the U.S. government that the company’s coatings would save consumers “between 40% and 70% on their energy bills,” when the products actually had an R-value considerably lower than advertised. Similarly, SPM Thermo-Shield, Inc., and its principals Peter J. Spiska, and George P. Spiska, marketed Thermo-Shield Roof Coat, Thermo-Shield Exterior Wall Coating, and Thermo-Shield Interior Wall Coating with false R-values, claiming their coating products offered significant energy savings for consumers when the actual R-value was less than one. F & G International Group Holdings, LLC, FG International, LLC, and their principal J. Glenn Davis, also claimed that their FGI-4440 Insulation Coating had a high R-value when, again, the true R-value number was less than one.

The FTC is seeking a permanent injunction against the paint companies to prevent future violations, plus other equitable relief as the court sees fit. This is a far less punitive approach from the Commission’s settlement orders in the Volkswagen-Porsche case, which required the companies to pay consumers the full retail value of their cars plus all other losses they suffered due to the companies’ deceptive advertising, and likely reflects the scale of the deception and number of consumers affected.

Photo of Sheila MillarPhoto of Tracy Marshall

Protecting the online privacy of children by enforcing the Children’s Online Privacy Protection Act (COPPA) continues to be of paramount importance to federal and state regulators. In addition to the Federal Trade Commission (FTC), several state attorneys general (AGs) have brought COPPA actions recently, including the New Mexico and California AGs, and, most notably, the New York AG, who in 2019 worked in concert with the FTC to obtain a record civil penalty against YouTube for alleged COPPA violations. The latest COPPA enforcement action comes from Washington State AG Bob Ferguson, who announced a $100,000 settlement with California-based technology company Super Basic LLC and its parent company, Maple Media LLC, on June 24, 2020.

COPPA applies to operators of websites and online services that collect personal information from children, defined as under 13. Operators may not collect personal information from children without first obtaining verifiable parental consent. AG Ferguson charged that the social media platform We Heart It, operated by Super Basic and Maple Media, collected and disclosed children’s personal information without parental consent, in violation of COPPA. The complaint also asserted that the conduct amounted to an unfair or deceptive business practice under the Washington Consumer Protection Act.

According to the AG’s complaint, We Heart It, which has some 500,000 active monthly users across the United States, hosts a number of channels whose content is designed to appeal to children, such as fan pages for Disney, Harry Potter, DC Comics, and Pokemon. The platform also has its own website where users can create an account and profile, and the default setting on the platform meant that user profiles, including those of children, were public and could be seen by any user. When an account was created, We Heart It collected an email address, name, and username, as well as persistent identifiers, including cookies, IP address, iOS advertising ID, and Android advertising ID. It also permitted third party advertising networks to collect persistent identifiers. In addition, We Heart It collected metadata from uploaded photos that sometimes included geolocation data. The AG contended that the platform did not implement an age gate or obtain parental consent prior to the collection of children’s personal information.

In addition to the $100,000 settlement, Super Basic and Maple Media will be subject to $400,000 in penalties if the companies violate the terms of the consent decree. On top of the fine, the consent decree mandates that the companies set up an age gate to prevent children under 13 from creating accounts without parental consent, and the companies must delete or remove any information collected from children under 13 immediately upon learning that an age gate has been breached. The consent decree requires that the companies operate within the rules of COPPA, including by providing direct notice to parents of the companies’ data collection and disclosure practices; obtaining verifiable parental consent prior to collecting personal information from children under 13; deleting children’s personal information upon request from a parent; and retaining children’s personal information no longer than necessary to achieve the purpose for which it was collected. In addition, the companies must audit users’ profiles, tags, posts, and activity where content is relevant to or directed to children or where the companies have actual knowledge of use by children. Super Basic and Maple Media must also submit a detailed compliance report to the AG’s Office within 15 months.

The FTC’s determination in the FTC-YouTube settlement that a general audience platform has responsibilities under COPPA if content channels are directed to children has obviously caught the attention of regulators at both the national and state level. Protecting the online privacy of children by enforcing COPPA continues to garner intense interest in the age of COVID-19, particularly when many children are engaging more than ever with digital media. It is therefore unsurprising that state AGs are watching closely whether platforms that may attract children are complying with COPPA.