On May 12, 2011, the Federal Trade Commission announced that the operators of 20 online virtual worlds have agreed to pay $3 million to settle charges that they violated the Children's Online Privacy Protection (COPPA) Rule by collecting and disclosing personal information from hundreds of thousands of children under age 13 without their parents' prior consent. The FTC noted that this settlement is the largest civil penalty for a violation of the FTC's COPPA Rule.
On May 3, 2011, the Federal Trade Commission announced that Ceridian Corporation and Lookout Services, Inc. agreed to settle the FTC's allegations that the companies failed to safeguard their business customers' employee personal information. Ceridian's services include payroll processing, payroll-related tax filing, benefits administration and other human resource services for business customers. Lookout provides a web-based computer product that is designed to help employers comply with their obligations under federal law to complete and maintain a U.S. Citizenship and Immigration Services Form I-9 about each employee in order to verify that the employee is eligible to work in the United States.
As we have previously reported on our blog, 2011 has seen a whirlwind of privacy enforcement activity. The FTC, NLRB, EEOC, HHS and FINRA have all taken privacy enforcement actions this year. This March, the FTC has announced privacy settlements with Chitika and Twitter.
This month, federal agencies and FINRA have announced significant privacy enforcement actions that have resulted in millions of dollars in fines. The U.S. Department of Health and Human Services (HHS) imposed a $4.3M fine on a health plan for violations of the HIPAA Privacy Rule; the Federal Trade Commission (FTC) settled with several resellers of consumer reports allegations that the resellers failed to adequately safeguard consumer information; and FINRA imposed a $600K fine on two securities firms for failure to safeguard access to customer records. Here are the details:
On November 30, 2010, the Federal Trade Commission announced a settlement with EchoMetrix, Inc. with respect to charges that the company failed to adequately disclose its privacy practices. EchoMetrix sells software that allows parents to monitor their children's online activities. The FTC alleged that the company engaged in a deceptive act or practice in violation of Section 5 of the FTC Act by failing to inform parents that the information the software collected about their children would be disclosed to third parties for marketing purposes.