Marvelkids.com And Sanrio Accused Of COPPA Violations; Ad Tech Vendors May Be Liable, Too

Marvelkids.com and Sanrio, two companies that produce popular children’s characters such as the Hulk and Hello Kitty, have been accused of violating privacy laws by collecting personal information from children without giving notice or receiving parental consent. Several advertising companies may also be held liable for knowingly collecting personal information from children, as well.

The Center for Digital Democracy, a consumer rights organization, filed two complaints with the Federal Trade Commission on Wednesday, claiming that the Marvelkids.com website, a subsidiary of Disney-owned Marvel Entertainment, shared personal information with ad serving companies. In a separate filing, it claimed that the Hello Kitty Carnival app allowed third parties to collect information about a child’s location, photos and the unique device identifier.

Under the Children’s Online Privacy Protection Act (COPPA), website operators whose content is aimed at users below age 13 are required to get a guardian’s consent before collecting personal information from users for advertising purposes. The law’s definition of “personal information” was updated in July to include photos, location data, videos, and persistent identifiers like cookies and mobile device ID numbers.

The Center for Digital Democracy described its complaints as revealing a “pattern of disturbing practice that threaten children’s privacy.” The new COPPA rules were “designed to protect children from contemporary data collection practices that track consumers 24/7 on mobile phones and apps,” said CDD executive director Jeff Chester in a statement. “But what we discovered is that the same powerful and pervasive data gathering digital complex is at work on leading kids sites.”

According to the filings, an independent researcher and Clueful, an online privacy monitoring service, found several instances when Marvelkids.com and the Sanrio app collected personal information from users and disclosed it to third parties without getting parental consent.

The Sanrio report listed Tapjoy, MoPub and Flurry as operators that collect children’s personal information from the app. The report acknowledged that the technologists were unable to determine how these third parties use the information, but noted that they could also be held liable for violations if they have actual knowledge of collecting information on a child-directed app.

As for Marvelkids.com, the report noted that the site’s privacy policy states that Marvel “may use third-party advertising companies to serve ads . . . [that] may employ cookies and clear gifs to measure advertising effectiveness” and that Marvel identifies DoubleClick as one such third party. Both reports recommended that the FTC investigate the role that third-parties play within Marvelkids.com and the Hello Kitty app.

In response to the report, Flurry provided the following statement: “Flurry’s terms prohibit the use of Flurry Analytics, AppCircle or AppSpot in conjunction with apps directed to kids under 13. Earlier this year Flurry developed a restricted version of Flurry Analytics to help developers who wish to limit data use for whatever reason, and Flurry permits the use of the restricted version of Analytics in apps directed to kids. If an application is directed at children under the age of 13, a developer may only use the restricted version of our Analytics product in connection with that app.”

Tagged in: