Marvel, Hello Kitty May Have Run Afoul Children’s Privacy Laws

Complaints filed with FTC are first since rules were updated

Marvel and Sanrio, two of the biggest brands in the kids online marketing space, may be in violation of online children's privacy laws. According to a watchdog group, Disney's and Sanrio's Hello Kitty Carnival app fail to obtain parental consent from kids under 13 prior to tracking and collecting personal information about them.

In filings today with the Federal Trade Commission, which enforces the Children's Online Privacy Protection Act, the Center for Digital Democracy urged the agency to investigate and bring action against the two companies.

The CDD's complaints are the first ones filed since the FTC updated and strengthened the Coppa rules in July.

"These two complaints reveal a pattern of disturbing practices that threaten children's privacy and undermine the ability of parents to control how information is collected and used," said Jeff Chester, the executive director of the CDD.

Marvel's privacy policy was last updated April 1, 2012, before the updated Coppa laws went into effect. Yet the site displays the industry's self-regulation safe harbor seal, "[raising] serious questions about the effectiveness of industry self-regulation," the CDD said in its filing. (Marvel is not listed on the Children's Advertising Review Unit website as one of its safe harbor recipients.)

Marvel is accused of sharing personal information with ad serving companies, which includes, according to CDD's research, Google DoubleClick.

In a statement, Disney said it is in compliance with the law. "Contrary to any suggestion in the press release and complaint filed by the Center for Digital Democracy, we are fully mindful of our obligations under Coppa and have robust processes in place to meet them. CDD never brought their concerns to us and instead issued an inflammatory and inaccurate release," the company said. 

In the case of the Hello Kitty Carnival app, the CDD discovered that third parties could access and collect a child's location and unique device identifier, and access a child's photos without obtaining permission from parents. 

Sanrio did not immediately return calls for comment.

"The new Coppa rules were put in place to curtail many of these practices and to establish more effective safeguards to children. But the evidence in these two cases suggests that the industry is failing to take seriously its responsibilities to young people in the big data era," said child privacy expert Kathryn Montgomery, a professor of communications at American University.

Since January 2012, Caru has brought 18 Coppa-related enforcement actions. "We appreciate the CDD raising these concerns," said Wayne Keeley, director of Caru, adding that the group had not seen the complaints. "The CDD's promise to examine other child-directed sites is an excellent reminder to companies that can expect a significant percentage of child visitors to review their privacy policies and practices in the light of Coppa revisions. Both CARU and public-interest groups are examining such sites for compliance."

The FTC does not comment on complaints.

Publish date: December 18, 2013 © 2020 Adweek, LLC. - All Rights Reserved and NOT FOR REPRINT