A recent Federal Trade Commission (FTC) settlement with an online game company that allegedly tracked children illegally highlights some important questions, namely, how should the FTC assess the penalties it imposes for privacy violations, and what is the most effective way to both deter and punish companies for such violations?
The complaint in question was filed by the Department of Justice (DOJ) on behalf of the FTC. It charged mobile game developer Hyperbeard, Inc. and its principals with allowing third-party ad trackers to collect children’s personal information without first obtaining verifiable parental consent, in violation of the Children’s Online Privacy Protection Act Rule (COPPA Rule). The COPPA Rule requires that websites and online service providers obtain verifiable parental consent before collecting personal information from children under 13. The FTC alleged that Hyperbeard not only knew that children were using its apps, which used animated animal cartoon characters and child-friendly language, but also created products specifically for kids based on the characters. Hyperbeard also neglected to tell its ad networks that the apps were often child-directed and therefore subject to COPPA, according to the complaint.
The proposed settlement, which bars Hyperbeard and its officers from collecting, benefitting from, or using personal information from children under 13, included a civil penalty of $4 million, which was reduced to $150,000 because of Hyperbeard’s inability to pay. This amount is less than 4% of the stated civil penalty. While the FTC voted 4-1 in favor of the stipulated final order, the outcome sparked a disagreement between FTC Chair Joe Simons and Commissioner Noah Phillips over penalties. Commissioner Phillips and Chairman Simons both issued statements outlining considerations that should underpin the FTC’s approach to remedying and deterring privacy violations.
In his dissent, Commissioner Phillips took a harms-based stance, arguing that the initial $4 million penalty was excessive in relation to the extent of consumer harm caused by Hyperbeard’s violations of the COPPA Rule. Phillips decried what he described as a “recent push to heighten financial penalties even where the law permits only equitable relief, without clear direction other than to maximize the amount in every case,” which he views as potentially unfair and counterproductive – a position he also took regarding YouTube’s settlement with the FTC last September. Chairman Simons addressed Commissioner Phillip’s criticisms directly with a statement of disagreement. Simons expressed the view that the $4 million fine was appropriate because, while harm was an important factor, deterrence was the key priority. “If our goal is to make compliance more attractive than violation, we should also consider the cost and effect of the other sanctions imposed in the context of an enforcement action,” he wrote.
Protecting privacy and safeguarding sensitive information – particularly where children are concerned – are vital goals of the FTC, and those goals are shared by responsible businesses. But in crafting public policy, it is equally important that penalties for alleged privacy violations are appropriate and consistent. The debate over whether a harms-based or deterrent approach should prevail is not likely to be resolved soon, and is part of a larger conversation about how to balance competing public policy considerations where privacy violations are concerned that is likely to play out in continued legislative discussions as well as within the FTC.