Iron Man, Captain America and Spider-Man greet visitors to Disney’s MarvelKids.com Web site, but parents may be surprised to learn that these superheroes may also open the door to tools that track their children’s activities across the Web, according to federal complaints to be filed Wednesday.
The filings with the Federal Trade Commission accuse Disney’s Marvel subsidiary, as well as the Japanese firm Sanrio, of flouting new privacy rules for children by collecting personal information from users without verifying that they’re older than 13.
Marvel declined to comment on the complaint. Sanrio — known for its Hello Kitty character — did not immediately respond to a request for comment.
Under the privacy rules, which went into effect in July, parents must sign off before sites can track a child’s Internet activities or collect personal information such as photos, videos and location data. The Center for Digital Democracy, the privacy and consumer rights organization that filed the complaints, said the potential violations show that major companies are flouting the new regulations, which updated the Children’s Online Privacy Protection Act (COPPA).
“The new COPPA rules approved one year ago were designed to protect children from contemporary data-collection practices that track consumers 24/7 — on mobile phones and ‘apps,’ on social media and when playing online games,” said Jeffrey Chester, the center’s executive director. “But what we discovered is that the same powerful and pervasive data-gathering digital complex is at work on leading kids’ sites.”
According to the filings, an independent researcher hired by the center found evidence that the Sanrio app and MarvelKids.com were able to collect a user’s location data and were placing persistent identifiers — cookies or similar pieces of code that can track users’ activity across sites — without asking for visitors’ ages.
The researcher, Ian Davey, said he identified several instances in which the app and the site collected personal information and disclosed it to third parties such as advertisers. Sanrio can also access photos on users’ phones and asks Apple users to submit their e-mail addresses in some cases — another practice that requires parental consent under the new rules.
“What they’ve described are COPPA violations,” he said, noting that the policy says users must opt out of having their information shared with third parties. The new regulations say that, for children, this option must be turned off automatically.
These are the first complaints the group has filed under the new rules, but Chester said more are likely.
Marvel and Sanrio could face fines if found to have violated the rules.
The FTC, which traditionally does not comment on such complaints, has said enforcing COPPA is a top priority.
Follow The Post’s new tech blog, The Switch, where technology and policy connect.