CDD Alleges Marvel Website, Hello Kitty App Violate COPPA Rule, Asks FTC to Investigate

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Katie W. Johnson

Dec. 18 --The website and a Hello Kitty mobile application fail to comply with the notice and parental consent requirements of the Children's Online Privacy Protection Act prior to collecting children's personal information, the Center for Digital Democracy alleged in Dec. 18 requests for investigation to the Federal Trade Commission.

One year ago, the FTC released the final amendments to the COPPA Rule . The rule imposes notice and parental consent requirements on websites and online services collecting information from children younger than 13. The FTC's amendments took effect July 1 .

In addition to requesting that the FTC investigate the companies operating the website and the mobile app, the CDD asked the commission to investigate two industry self-regulatory programs--the Children's Advertising Review Unit (CARU) of the Council of Better Business Bureaus and TRUSTe Inc.--to determine whether their programs are misleading.

"These two complaints reveal a pattern of disturbing practices that threaten children's privacy and undermine the ability of parents to control how information is collected and used," CDD Executive Director Jeff Chester said in a Dec. 18 CDD statement.

Lack of Age-Screening Mechanisms?

Marvel Entertainment LLC, a subsidiary of the Walt Disney Co., operates the website, according to the CDD's request for investigation. The website is a portal to shows, games, comics and activities related to Marvel superheroes. Among the information collected by the site are internet protocol addresses and information concerning the pages visited before and after visiting the site, according to the CDD.

Sanrio Digital, a joint venture between Sanrio Co. and Typhoon Games (HK) Ltd., operates the Hello Kitty Carnival mobile app. The app, which features Sanrio characters like Hello Kitty, allows users to drag characters to carnival activities. As of Dec. 4, the app, which is available for free from Google Play and the iTunes App Store--has been downloaded over 1 million times, according to the CDD.The app encourages children to connect to Facebook to earn rewards and connect with friends, the CDD said.

The Hello Kitty app allows Sanrio and third parties to access and collect children's personal information, such as mobile device identifiers, geolocation information and images of children, the CDD said.

The CDD alleged that neither nor the Hello Kitty app provide direct notice to parents or obtain their consent prior to collecting children's personal information. In addition, both of their privacy policies are unclear and contradictory. For example, although the policies indicate that the companies will comply with COPPA, neither the website nor the app use age-screening mechanisms, the CDD said.

"Contrary to any suggestion in the press release and complaint filed by the Center for Digital Democracy, we are fully mindful of our obligations under COPPA and have robust processes in place to met them," Disney said in a Dec. 18 statement provided to Bloomberg BNA. "CDD never brought their concerns to us and instead issued an inflammatory and inaccurate release."

Marvel Entertainment and Sanrio Digital did not immediately respond to Bloomberg BNA's Dec. 18 requests for comment.

Self-Regulatory Programs.

The CDD said the "case raises serious questions about the effectiveness of industry self-regulation." Both CARU and TRUSTe are COPPA safe harbor programs.

According to the CDD, still displays CARU's "Kid's Privacy Safe Harbor" seal even though it is not in compliance with the COPPA Rule.

In addition, Disney is a member of TRUSTe, which aids companies in complying with guidelines such as the Digital Advertising Alliance's Self-Regulatory Principles for Online Behavioral Advertising, according to the request for investigation.

"We take our responsibility to ensure COPPA compliance seriously," Wayne Keeley, director of CARU, said in a statement provided Dec. 19 to Bloomberg BNA. "Since January 2012, we have brought 18 COPPA-related enforcement actions."

"We appreciate the CDD raising these concerns," Keeley added. "However, we have not seen copies of the complaint and we do not have details about the CDD's allegations. The CDD's promise to examine other child-directed sites is an excellent reminder to companies that can expect a significant percentage of child visitors to review their privacy policies and practices in the light of COPPA revisions, which were effective July 1, 2013. Both CARU and public-interest groups are examining such sites for compliance."

Melissa Pereira, a spokeswoman for TRUSTe, told Bloomberg BNA Dec. 18 that the company does not have comments at this time.

Eric G. Null and Angela J. Campbell, of the Georgetown University Law Center Institute for Public Representation, in Washington, and Hudson Kingston, of the CDD, in Washington, represented the CDD. Richard Bahrenburg and Yena Kwon, students at Georgetown Law, were of counsel on the requests for investigation.

By Katie W. Johnson

To contact the reporter on this story: Katie W. Johnson in Washington at

To contact the editor responsible for this story: Donald G. Aplin at

The CDD's request for investigation of is available at

The CDD's request for investigation of the Hello Kitty mobile app is available at

Request Bloomberg Law Privacy and Data Security