Marvel, Sanrio accused of ignoring privacy rules meant to protect children


Complaints filed with the Federal Trade Commission say some companies, including Sanrio, the Japanese creator of Hello Kitty, ignore privacy rules for children by collecting personal information from users without verifying that they’re older than 13. (GARY HERSHORN/REUTERS)
December 18, 2013

Iron Man, Captain America and Spider-Man greet visitors to Disney’s MarvelKids.com Web site, but parents may be surprised to learn that these superheroes may also open the door to tools that track their children’s activities across the Web, according to federal complaints to be filed Wednesday.

The filings with the Federal Trade Commission accuseDisney’s Marvel subsidiary, as well as the Japanese firm Sanrio, of flouting new privacy rules for children by collecting personal information from users without verifying that they’re older than 13.

Marvel declined to comment on the complaint. Sanrio — known for its Hello Kitty character — did not immediately respond to a request for comment.

Under the privacy rules, which went into effect in July, parents must sign off before sites can track a child’s Internet activities or collect personal information such as photos, videos and location data. The Center for Digital Democracy, the privacy and consumer rights organization that filed the complaints, said the potential violations show that major companies are flouting the new regulations, which updated the Children’s Online Privacy Protection Act (COPPA).

“The new COPPA rules approved one year ago were designed to protect children from contemporary data-collection practices that track consumers 24/7 — on mobile phones and ‘apps,’ on social media and when playing online games,” said Jeffrey Chester, the center’s executive director. “But what we discovered is that the same powerful and pervasive data-gathering digital complex is at work on leading kids’ sites.”

According to the filings, an independent researcher hired by the center found evidence that the Sanrio app and MarvelKids.com were able to collect a user’s location data and were placing persistent identifiers — cookies or similar pieces of code that can track users’ activity across sites — without asking for visitors’ ages.

The researcher, Ian Davey, said he identified several instances in which the app and the site collected personal information and disclosed it to third parties such as advertisers. Sanrio can also access photos on users’ phones and asks Apple users to submit their e-mail addresses in some cases — another practice that requires parental consent under the new rules.

The advertising and Internet tracking practices of these firms, the privacy group said, call into question whether the current process, which allows the industry to set its own guidelines, is strong enough. Marvel, for example, bears a seal of approval from the Better Business Bureau’s Children’s Advertising Review Unit, indicating that it is in compliance with privacy guidelines. But the MarvelKids.com privacy policy, which says it was last updated in April 2012, still includes some provisions that break the new rules, said Eric Null, an attorney for the privacy group.

“What they’ve described are COPPA violations,” he said, noting that the policy says users must opt out of having their information shared with third parties. The new regulations say that, for children, this option must be turned off automatically.

These are the first complaints the group has filed under the new rules, but Chester said more are likely.

Marvel and Sanrio could face fines if found to have violated the rules.

The FTC, which traditionally does not comment on such complaints, has said enforcing COPPA is a top priority.

Related stories:

Follow The Post’s new tech blog, The Switch, where technology and policy connect.

Hayley Tsukayama covers consumer technology for The Washington Post.
Comments
Show Comments
Most Read Business