How Mickey Mouse Makes Friends And Why It Landed Him In Some Legal Trouble
There is truth behind the saying that the bigger the tree the harder the fall. Unfortunately (or maybe fortunately, depending on how you look at it??) for all of us “Mouse” lovers, Disney is experiencing this metaphor in realtime and real life. The Walt Disney Company, together with some of its tech-oriented subsidiaries are the latest example of why compliance with privacy laws, namely those which apply to children, is vital.
Long story short, Disney is subject to a massive class action lawsuit for the manner in which it collects personal data of its website and application users.
Yes, I have read the complaint, yes it is dry (that’s law after all), but what you can take away from it is this — the complaint alleges that Disney and its subsidiaries have violated provisions of COPPA (Children Online Privacy Protection Act), by permitting access to and collection of children’s personal data. The most intriguing part of this complaint, however, is that the data compiled in what the plaintiffs are alleging is a violation of COPPA, was not through voluntary means (i.e. email address, first name and last name, opt-in, etc.). Instead, it was through “persistent identifiers”, which in essence means user behavior while using applications or websites. The application or those with access to the application were able to track the behavior of users and accordingly craft ‘behavioral advertising’ campaigns that suited the users activity. Pretty crazy stuff, huh? The fact of the matter for Disney is that they are allowing access to this information all the while knowing that they are targeting persons who are under 13 without parental consent.
Here’s a snippet from the complaint to show you how this argument ties together with COPPA:
“With the increasing use of new tracking and targeting techniques, any meaningful distinction between personal and so-called non-personal information have disappeared. This is particular the case with the proliferation of personal digital devices such as smart phones and Internet-based game consoles, which are increasingly associated with individual users, rather than families. This means that marketers do not need to know the name, address or email of a user in order to identify, target and contact that particular user.”
Rushing v. Walt Disney Company, et al., 17-cv-4419 (2017)
How Do I Know if COPPA Applies to My Business?
COPPA states that a business which directs its website or applications toward children who are under the age of 13, that collect or maintain personal data, along with websites which have actual knowledge they are collecting and maintaining personal data of children under 13 will be required to abide by the standards set forth in the COPPA regulations. Yes, this includes these ‘persistent identifiers’ that form the basis for the complaint against Disney. So, if you have cookies on your website, a Facebook pixel code, or other forms of code or software that can track and identify particular users through their online or application activity, you are in privacy regulation world. Obviously, if your target demographic is under 13 years of age, COPPA will apply.
Clearly, in Disney’s case, they are targeting children who are in all likelihood under 13, but is this the case for you? That depends on a number factors, but here is what you can do to set up your COPPA compliance procedures and protocols.
1. Conduct a deep dive assessment of your marketing.
Have a business attorney run through your marketing with you to determine whether it runs the risk of violating COPPA or any other privacy laws.
2. Create a privacy policy and implement parental consent mechanisms.
You might have one of these already, but ensuring that it properly addresses applicable privacy laws could mean the difference between a costly lawsuit or a clean bill of legal health. Disney finds itself on the short end of this stick due, in large part, to its lack of parental consent protocols. They were obtaining information on children under 13 without requesting consent from the parents prior to doing so. Big, no-no under COPPA. Don’t be like Disney and get your privacy policy checked out.
3. Determine the level of access to personal and non-personal information you provide to third parties.
As the Disney complaint suggests, even the ability to collect data about behavioral usage of an application, geographic location of the device with which the user accesses the application, and even the time of day they are online, may create a profile that marketers can exploit. This, I would argue, flies directly in the face of COPPA’s purpose, even if it is not expressly stated personal information.
The Disney case sets a serious tone with regard online privacy and the legal system’s attempt to catch up to the sophisticated nature of modern-day marketing.
I don’t think I need to emphasize the importance of proper privacy compliance anymore than I already have. What I will say is this, the penalties for violations of privacy laws are substantial. Take another subsidiary of The Walt Disney Company, Playdom, Inc. who paid over $3 million due to violations of COPPA in 2011.
A simple discovery session will help determine what side of the fence you are on. Plus, if you are on the wrong side, it will help you get back over to the right one. Schedule a discovery session with The Reel Law Firm, LLC today. Schedule now.
This blog post is strictly intended for educational purposes only. None of the information within this blog post is intended to offer any legal advice of any kind to any person or persons. While The Reel Law Firm, LLC would appreciate the opportunity to represent you, this blog post does not create an attorney-client relationship between you and The Reel Law Firm, LLC. No such attorney-client relationship shall be formed between you and The Reel Law Firm, LLC without the signing of an engagement agreement between both. Thank you for your understanding and I hope you enjoyed the read!
