FTC Announces Enforcement Actions Against Social Network and Online Advertiser

by Mehmet Munur

The Federal Trade Commission announced an enforcement action against Skid-e-kids and a separate enforcement action against online advertiser ScanScout. The enforcement action against ScanScout involved the violations of Section 5 and the use of Flash cookies without disclosing their use in its privacy policy. The enforcement action against Skid-e-kids involved violations of COPPA and the failure to obtain parental consent. Once again, these enforcement actions highlight the importance of drafting accurate privacy policies and following through on those promises.

The enforcement action against Skid-e-kids resembles the enforcement action against W3 Innovations, LLC due to its mobile application failing to pass muster under COPPA. According to the Skid-e-kids FTC complaint, Skid-e-kids promoted  itself as “Facebook and Myspace for kids” and permitted kids to register and create accounts, create public posts, upload posts, among other things. The registration process collected birth date, gender, username, password, and email address from the registrants. However, children were not required to provide parents’ email address to obtain consent. At the same time, Skid-e-kids’ privacy policy stated that it would require email addresses of parents that would be used to obtain consent and to notify them about Skid-e-kids’ privacy policy. In practice, Skid-e-kids never collected the email addresses of the parents, never contacted them to notify them of its privacy practices, and never obtained consent from the parents. As a result, the FTC alleges violations of COPPA and FTC Act.

The resulting consent order requires Skid-e-kids to refrain from violating COPPA, delete the personal information from the children, and place a notice on its website with links to the On Guard Online website. In addition, the FTC imposed a civil penalty of $100,000 but suspended all but a $1,000 of this penalty. The consent order requires Skid-e-kids to retain a privacy professional with COPPA experience to conduct assessments, retain records, and report its compliance with the consent order to the FTC.

The enforcement action against ScanScout, on the other hand, resembles the enforcement action against Chitika. According to the FTC ‘s ScanScout complaint, ScanScout acts as a intermediary between websites and advertisers and publishes advertising space on videos. ScanScout decides which video advertising should be delivered to which user. Unlike the Chitika enforcement action that used HTTP cookies, ScanScout used Flash Cookies from April 2007 to September 2009. At that time, deletion of browser’s HTTP cookies did not result in the deletion of Flash cookies—though since then Adobe and the major browsers have finalized APIs that result in the deletion of Flash cookies by the deletion of HTTP cookies. However, at the same time, ScanScout’s Privacy Policy stated that a user could opt out receiving a cookie by changing their browser settings. In practice, however, the users could not opt out receiving these cookies, and therefore, could not stop the tracking by ScanScout.

The resulting agreement and consent order requires ScanScout to provide a clear and prominent method to enable users to opt out of having their data that can be associated with a particular user collected by ScanScout. This opt-out must last at least 5 years and ScanScout must display links in the advertisements it serves for this opt-out mechanism. The agreement and consent order also comes with other compliance and reporting obligations and lasts for 20 years.

Together, these two enforcement actions, once again, highlight the importance of having accurate privacy policies in place. These two companies came under the FTC’s radar not just due to their actions, but also due to the statements regarding their privacy policies. ScanScout’s privacy policy had not been updated to show that it was using Flash cookies in order to track users. There was also a clear mismatch between what Skid-e-kids’s privacy policy stated and what it did in practice. Attorneys may draft the most intricate privacy policies; however, without processes to ensure that those policies are in place in operations, most businesses are open to FTC enforcement actions or lawsuit by their users. As a result, drafting and implementation of privacy policies must include not just the legal department, but all departments involved in the execution of actions outline in the privacy policy.